North Korean hackers said to have identified banks’ vulnerabilities

For years, North Korean-led hackers allegedly slipped into the computers of banks around the world, looking for weak spots to exploit in cyber heists, finding millions of dollars, pounds, yen and euros in loot.

Cyber-enabled heists from banks in Bangladesh and Malta, for which the alleged hackers and money launderers have been charged by the US, show how lax practices allowed millions to be stolen.

Further, the destination banks, such as those in the Philippines and Sri Lanka, to which stolen money was allegedly transferred, also showed discrepancies in anti-money laundering practices that meant the difference between an immediate return of stolen money and the loss of it to the thieves.

Bangladesh heist

The US Justice Department last week unsealed an indictment against three agents of North Korea's Reconnaissance General Bureau intelligence agency, accusing them of penetrating bank computer systems around the world and fraudulently using a global financial telecommunications platform to steal $1.2 billion.

In February 2016, the North Koreans attempted to steal $951 million that the Central Bank of Bangladesh had on deposit at the US Federal Reserve Bank in New York, only partially succeeding, according to the indictment.

The hackers' malware allegedly overrode security checks in the Bangladesh computer system to send bogus transfer requests via the Society for Worldwide Interbank Financial Telecommunications wire service.

Hackers were able to bypass an important security check in the SWIFT software run by the Bangladesh bank by changing two bytes in its code, Sergei Shevchenko, an investigator at the time for BAE, wrote in a threat research report.

The hackers also allegedly caused malfunctions in the bank's printers, preventing them from producing hard copies of transfer requests. A subsequent investigation by police said the bank's printer network used cheap, outdated switches rather than modern ones with security features.

The Federal Reserve spotted most of the transfers as highly suspicious and froze them. But $101 million went through. The Bangladesh bank was able to recover $20 million from a destination bank in Sri Lanka; the Fed had noticed a misspelling in the name of the account holder. But $81 million was transferred to a bank in the Philippines and was laundered there.

SWIFT remediation

Bangladesh has beefed up its bank cyber security efforts. But at the time of the February 2016 hack, the government's Computer Incident Response Team was still in the planning stages; it only went operational a month after the theft.

CIRT later dubbed the cyber heist a "wake-up call," but one that has yet to fully rouse stakeholders.

"The progress of implementation depends on and differs between ministries, is very reactive and has not reached all levels and arms of key institutions," said a 2018 CIRT report.

After the Bangladesh cyber heist, SWIFT established a "Customer Security Programme." It called on banks to increase the use of anti-virus software and bolster staffing of incident response teams.

SWIFT said that banks have been stopping more illicit transfers since the program began, but that smaller banks, especially in countries that are rated as high-risk on the Basel Governance Institute's AML Index, are most frequently victimized.

Malta

Canadian Ghaleb Alaumary has pleaded guilty to money laundering charges related to the alleged North Korea cyber theft from Malta's Bank of Valletta.

Alaumary's charging document demonstrates his awareness of the differences in banks' vigilance. In one exchange, court documents quote Alaumary as discussing the monitoring capabilities of the Maltese bank from which the money would be stolen in February 2019, and Romanian banks, to which the money would be transferred.

Alaumary, who acknowledged responsibility for finding accounts to which North Korean hackers could transfer money, advised a Nigerian co-conspirator to launder the money as soon as it appeared in the Romanian bank to avoid a recall of the money in the event of discovery.

"If they don't notice, we keep pumping," Alaumary said, according to the charging document.

Alaumary hoped the Maltese bank would remain an easy target and e-mailed “we still have access and they didn’t realize, we gonna shoot again tomoro am [sic].”

However, the Maltese bank cut off that access soon after he sent the e-mail. Alaumary, whose scheme looted only a fraction of what he had tried to steal, lamented "[too] bad they caught on or it would [have] been a nice payout.”

Alaumary's alleged co-conspirator was Ramon Abbas, a Nigerian who was living in the United Arab Emirates at the time. Abbas has been charged by the US Justice Department with money laundering related to this and other schemes. His trial is set to begin in May in the Central District of California.

Abbas was active on Instagram under the handle "Ray Hushpuppi" and posted images of himself beside his luxury cars and other expensive possessions.

Investigator's view

Shevchenko, the investigator who identified the means of the Bangladesh hack, told MLex that banks must consider all vulnerabilities to maintain security.

"It's a combination of multiple factors: technological developments, qualified regular maintenance and support, good training, discipline, lack of corruption, the strength of the regulatory system, laws, standards, etc.," said Shevchenko, now a co-founder of Sydney-based cyber security firm Prevasio.

"Take a bank that starts cutting corners, taking a loose view with the standards/policies/regulations/compliance/law, employing staff that has to live in a country with a high level of unemployment, corruption, poverty," Shevchenko said. "Then you'll realize that the breach becomes almost inevitable.

"Personally, I don't think anything has changed dramatically," he said.

"A complete overhaul of the security protocols requires big investments and a huge commitment — if that part had problems from the start," Shevchenko said. "It's a systematic or even a cultural problem — same as corruption — it just doesn't have a quick fix."