Planet Money - A SWIFT getaway

Episode Date: February 10, 2022

In 2016, thieves tried to steal nearly a billion dollars from the Bank of Bangladesh's reserves without ever entering the building. And six years later, justice hasn't been so SWIFT.

Transcript
Starting point is 00:00:00 This is Planet Money from NPR. Rakesh Asthana is a cyber security expert. He worked at the World Bank for many years. So he was used to getting urgent calls. And in February of 2016, Rakesh and his wife are driving home. I got this very curious phone call from the Central Bank of Bangladesh, and they basically said, we would like you to try and help us with a sensitive matter. He wasn't surprised to be hearing from an official from the bank, but he was surprised at how anxious the official sounded.
Starting point is 00:00:39 I probed a little bit deeper. What is it about? What do you need help in? They said, we can't share any information on the phone or the email, and we would like you to come immediately to Dhaka. But Rakesh said, I can't immediately go to Bangladesh. I need time to buy a plane ticket, get a visa. Don't worry, the bank official said. We've taken care of everything. Just go to the Bangladesh embassy. They have your visa ready for you. Rakesh said, I'll get back to you, and hung up the phone. I turned to my wife and I said, you know, this sounds serious. I think I have to respond to this. I could sense that there was something big going down, and I didn't know what it was.
Starting point is 00:01:21 What it was, was one of the biggest bank heists in history. Hello and welcome to Planet Money. I'm Jim O'Grady. And I'm Kenny Malone. The heist that Rakesh was summoned to investigate was not your gun-toting, safe-cracking kind of robbery. It was, in many ways, far more dramatic. Thieves had found a clever way to exploit an incredibly important part of our global financial system. Today on the show, we follow the twists and turns of the heist of the Bank of Bangladesh. And what we learn is not always comforting. It's the winter of 2016. Rakesh Asthana lands in Dhaka, and the Bank of Bangladesh puts him up at the Sanorjan Hotel.
Starting point is 00:02:12 Gorgeous, five stars, palm trees, and a pool. Not that he had time to enjoy any of those amenities. He had to go straight to a meeting with the Bank of Bangladesh officials. They tell Rakesh that shortly before he'd arrived, on a Thursday at 8.36 p.m., their bank was robbed. And that was when some of these staggering details of the heist started to become clear to me. When he mentioned the numbers of a billion dollars, that really blew my mind. A billion dollars. Rakesh was going to need to see how all that money went missing. So bank officials take him to the scene of the crime,
Starting point is 00:02:54 a small room on the building's 10th floor. It had darker windows so people don't look into it too much. So it's a little bit darker inside. And it had stripes on the... Rakesh learns that this room is physically fortified with locks, security codes on the door. It's not a large room. I mean, barely three, four people or five people can sit in it. And inside the room are a handful of computers. But not just any computers. They're computers that if you have the keys, can unlock massive sums of money. They're called SWIFT terminals, and they are crucial to understanding this heist. SWIFT is the name of the system that helps move money all around the world. SWIFT doesn't hold or move any money itself.
Starting point is 00:03:39 It's an encrypted messaging system that lets banks talk to each other and initiate money transfers. This is how 11,000 banks in more than 200 countries move money around between each other. So this is a massive, massive system that is the glue that binds this whole international trade and operations and money movement together. The system moves $94 trillion every six business days. And what appeared to have happened at the Bank of Bangladesh is somebody used one of the bank's Swift computers to transfer a billion dollars over the course of 35 transactions out of the Bank of Bangladesh and then into some random bank accounts in the Philippines. The bank manager tells Rakesh there is a suspect. The system showed that one particular employee had logged onto the Swift computer and initiated all these transfers. Rakesh says, okay, let's check the evidence
Starting point is 00:04:38 against this guy. Let's look at the tapes from the security camera. We had checked the CCTV footage of that time and the SWIFT room, and I looked at those tapes for eight hours and there was nobody in the room. Nobody in the room. This heist was a hack. But troublingly, it was a hack that exploited the network that supports the entire global financial system. This investigation just got a whole lot bigger. A few days later, out of the blue, Rakesh gets a call from the United States Embassy
Starting point is 00:05:12 in Bangladesh saying, we need you to come over. Rakesh remembers the moment he walked in. There was a room full of FBI people sitting there. So they obviously knew and they were tracking it. And were they all wearing black suits and serious expressions? No, actually they were, you know, some of them were like computer geeks, I suppose. Normal people like that. One of the reasons the United States was so interested was because one of the banks caught up in this heist was none other than the Federal Reserve
Starting point is 00:05:42 Bank of New York. Yeah, Bangladesh was keeping roughly a billion dollars at the New York Fed. And so with this heist, the hackers had technically moved, like, all of Bangladesh's money out of the New York Fed and into the thieves' bank accounts in the Philippines. And now the FBI wanted to know what Rakesh knew. So we told them the whole story, just like I'm telling you now. And then they obviously, you know, FBI, of course, you have to know is a one-way street. You give them information, you never get anything back.
Starting point is 00:06:16 To be fair, Rakesh did eventually get one very important detail back from the FBI. This hack, this heist, appeared to be the work of North Korea. North Korea. The FBI had been tracking their hacking activities for years. And just two years before this Bank of Bangladesh heist, North Korea had managed to hack Sony Pictures. You might remember this. They appeared to target Sony because of a Seth Rogen movie. Which is still one of the strangest sentences ever said out loud. But this hack, this heist in Bangladesh, where North Korea appeared to hack into the SWIFT system and just take another country's money, that was a level of audacity no one had seen and no one expected. After the break, we untangle how this impossible heist went down,
Starting point is 00:07:06 and it is more like Ocean's Eleven than at least I would have imagined. Rakesh was part of this huge international posse that eventually got pulled in to investigate the Bank of Bangladesh heist. There were, of course, authorities from Bangladesh. There was the FBI. There were police in the Philippines, since that is ultimately where the thieves transferred all of the money. And then there were all these cybersecurity specialists brought in to help, including Eric Chen. And recording, testing, hit the lock button. Eric leads what is called the threat hunting team at Symantec, a cybersecurity company. His team was brought in to dig into the code and piece together exactly how North Korea pulled off this hack.
Starting point is 00:08:02 We were able to gain access to their tools. And we ended up reverse engineering them, ripping them apart to understand exactly how they work. And we should say that North Korea denies involvement in this heist, but investigators like Eric say all the signs point to a specific North Korean hacking team known as the Lazarus Group. For a nation state to attack these sort of private banks or these even other nation state banks was completely unheard of. Now, Eric and other investigators we spoke to for this story had to concede an almost grudging admiration for the cleverness of this crime. It was innovative. It was creative. And yes, it was a very digital,
Starting point is 00:08:47 innovative, it was creative, and yes, it was a very digital, modern heist. But we did notice that it still has all of the beats of an old-fashioned heist movie, all of the tropes. And that is a useful reference to help us walk through, step by step, how the Lazarus Group pulled this off. And so, cue the heist movie music. Okay, heist movie trope number one. You always see the break-in. The thief crawls up the building with suction cup gloves or sneaks in through the sewer. In the case of the North Korean hackers, the Lazarus Group, they broke into the Bank of Bangladesh with a resume. This story with the hackers really starts a year before. They sent emails to 26 bank employees with a resume.
Starting point is 00:09:32 You know, my name is Razal Alam, and I'm looking for a job. Three of those 26 employees who received that email opened it, unfortunately. And that document wasn't just a normal Word document with a resume, but also included some malicious code. Classic phishing. And here's your reminder not to open strange emails. But they did at the Bank of Bangladesh, and the Lazarus Group had infiltrated the bank. And now heist movie trope number two.
Starting point is 00:10:01 Case the joint. Normally when the thieves get inside, they dress up as a janitor, a bank teller, whatever. Not to steal anything yet, but to plan, map the building, figure out a way around the security system. In the case of the Lazarus heist, this recon was carried out using their malicious phishing code. They get onto those computers and get those usernames and passwords and use them on other computers and jump across and hop from one computer to another, to another, to another. They spent a year doing that until essentially they got lucky. They found a computer that was connected to the Swift terminals and had the usernames and passwords for those Swift terminals and were able
Starting point is 00:10:42 to log into those Swift terminals as if they were sitting in front of them. And so after a year of virtually casing the bank, it was time for the next stage of the operation. Lazarus was able to digitally impersonate a particular Bank of Bangladesh employee, that poor employee that drew all of the suspicion at the beginning of the investigation. And then to the SWIFT system, it looked like that real employee was sitting down at the SWIFT terminal and entering their real SWIFT authorization. And of course, once they're on the SWIFT terminal, they can move the bank's money to any one of the 11,000 other banks on its network. And this is very bad, but, but, the SWIFT system has extra safeguards in place that should still be able to stop the heist at this point. So here's what should have happened. Once Lazarus was at the SWIFT terminal and transferring money, that should have created digital and print records.
Starting point is 00:11:40 Like actual paper records get printed. And so you imagine a printer goes off. Someone at the Bank of Bangladesh should hear this, look at these records and say, no, no, no, no. We're not transferring this money. Stop these transfers. Yeah, stop these transfers. But that's not what happened. And that brings us to heist movie trope number three. Disable the alarms.
Starting point is 00:12:08 Lazarus had created a tool to erase any digital and physical records. What their tool did was basically hijack those print jobs and simply zero out the files so nothing would get printed. Wow. And the main point of all of this covering of tracks was to buy them time, right? Absolutely. It's just like as a bank robber goes into a real bank and they put up that fake picture of the bank in front of the camera
Starting point is 00:12:33 to look like that they're not really inside the bank vault. This is what this artifact, this sample, was doing. So there's been the infiltration, there's been casing the joint, there's been disabling the alarm systems. But even with all of this work, it still should not necessarily have been enough for Lazarus to get away with this heist. And that brings us to the final heist movie trope, The Getaway. In the movie, the thieves have been spying on the bank's security guards, monitoring their schedules, looking for the perfect moment to pull off the heist. The Lazarus Group did their own version of this.
Starting point is 00:13:10 When we talk about time, they were very clever. They had ended up attacking the Bank of Bangladesh on February 4th, 2016, a Thursday. The end of the business day, around 8 p.m. Thursday at the end of the business day. The end of the business day, around 8 p.m. Thursday at the end of the business day. Now, the hackers knew that Friday is in fact the start of the weekend in Bangladesh. So by attacking at 8 p.m. on a Thursday, they had attacked when everyone at the bank had left for the weekend. So there's no Bangladesh employees around to see anything weird going on on these swift terminals.
Starting point is 00:13:44 But at the same time, this is the morning in New York where the actual real money is being held at the New York Federal Reserve, right? So they got in at the right time. Bangladesh employees are gone. Federal Reserve is there to make the transactions happen. And it gets even savvier than this. So the Bank of Bangladesh is off having its weekend. Its money is getting sent away. And then the new work week in Bangladesh starts on a Sunday. So it's now Sunday when somebody goes into the bank office and realizes, what? A billion dollars sent where?
Starting point is 00:14:21 Of course, their first impulse is to call the New York Fed to help straighten this out. Except it's Sunday and the Fed is closed. By the time they're able to contact the Fed, the Fed realizes what happened. They said, look, we need to stop the transactions, make sure that money doesn't get withdrawn. And that's on Monday. Bangladesh has to wait another day. And so on Monday, they can finally call the bank in the Philippines where all the money has been transferred to say something criminal is happening. Please freeze those accounts. Except there's a new problem because this is not just any old Monday. It is Lunar New Year in most of Asia, including the Philippines. And so in the Philippines, while they normally
Starting point is 00:15:03 would be open on that Monday, they were closed. And so it bought them that extra time. The hackers bought extra time by manipulating time zone differences, weekends, and the Lunar New Year. They managed to buy themselves a full five days, enough time to get their money and get away. And that is where things stand today. The hackers have not been arrested. But they also did not get away with as much money as they'd hoped for. Not the entire $1 billion because of an incredible twist. So remember, the Bank of Bangladesh money being stolen was actually held at the New York Fed. So to steal it, the Lazarus Group was literally telling the New York Fed
Starting point is 00:15:58 to transfer money out of the Bank of Bangladesh's account. And they do this over the course of 35 swift transactions. The Fed puts through the first transaction. Boom. Bank of Bangladesh's money is transferred to the Philippines. The Fed puts through the next transaction and the next and the next. But on the sixth transaction, a red flag goes up. Not because the Fed has somehow identified a heist,
Starting point is 00:16:27 but because the Filipino bank where all this money was going happened to be located on Jupiter Street. And Jupiter, that word, is on the sanctions list for the U.S. related to actually a shipping company related to Iran. Nothing to do with the Philippines, just by accident. And because of that, those transactions got held by the New York Federal Reserve, a little bit by chance, because the bank is on Jupiter Street in the Philippines. And when the Fed goes reviewing the transactions, then they realize, wait a second, this doesn't look right. Why is the Bank of Bangladesh trying to transfer out a billion dollars suddenly?
Starting point is 00:17:04 Because, of course, the Bank of Bangladesh was in fact being robbed. The Fed stopped the heist after five transactions. And so even though the hackers had ordered the transfer of a billion dollars, only 81 million made it to their accounts on Jupiter Street in the Philippines. The rest of the money stayed safely in the Bank of Bangladesh's accounts at the Fed. So that is the heist of the Bank of Bangladesh. And it is worth asking at this point, what lessons did this all teach us about SWIFT,
Starting point is 00:17:40 the whole network underpinning the global financial system that was central to the hacker's plan. Well, for starters, it reinforced what some people already think, which is that the world shouldn't use Swift, that we need a whole new system, maybe even blockchain based. But the reality is, for now, the world is still using Swift. And if Swift is the system, Eric Shen says the heist revealed that it had a basic flaw. The flaw is that you're only as strong as your weakest point.
Starting point is 00:18:12 And in the SWIFT design, the weakest point are the banks themselves. And in this case, you have banks, for example, in Southeast Asia, that are small. They do not have the funds to adequately protect themselves from someone like North Korea.
Starting point is 00:18:29 When SWIFT officials comment on the Bangladesh heist, the first thing they say is, hey, SWIFT was not directly hacked. And that's technically correct. The Bank of Bangladesh was hacked. Still, the heist showed that the SWIFT system is not secure unless every bank within it is secure. And in the case of the Bank of Bangladesh, unfortunately, they did not have what's called segregation.
Starting point is 00:18:54 You don't need the person who works at the reception desk and has a computer that is used to check people in and out of the bank to have network access from that computer to the SWIFT terminals. Eric says that SWIFT now requires its member banks to keep their SWIFT terminals separate from the normal computer network. And this somewhat obvious precaution has been one of the main responses to the heist. And it now requires banks to follow 30 additional security measures. Though SWIFT is a bit secretive about what those measures are. It is reasonable to think that the 2016 heist couldn't happen again, at least not the same way that it happened. It is also true that there hasn't been a Swift heist of this size since it happened in 2016.
Starting point is 00:19:41 Now, have they done enough? It's always hard to say. This is the hard part about being a defender. The attackers can try a thousand times. And if they get through once, they succeed. But as a defender, you've got to be perfect. You've got to protect every one of those a thousand times. And so it's very difficult. So Swift will constantly be playing this cat and mouse game. Because, you know, it's just the entire global economy at stake.
Starting point is 00:20:15 If you're looking for an even more in-depth dive into this story, check out the Lazarus Heist podcast from the BBC. And if you know about a heist that you'd like to hear about on Planet Money, maybe one that involves an important system that underpins the entire global financial system, let us know. We are planetmoneyatnpr.org. We're also on social media, at Planet Money.
Starting point is 00:20:38 This episode was produced by Dave Blanchard, with help from Nick Fountain. It was engineered by Isaac Rodriguez. It was edited by Jess Jang. Planet Money's executive producer is Alex Goldmark. Thank you.
