How did the North Korean hacker group steal about 100 billion yen from a bank?

In 2016, a total of $951 million (about 114.1 billion yen) was illegally transferred out of Bangladesh Bank, the central bank of Bangladesh. Later investigations suggest that a North Korean hacker group was behind the case. Details have emerged of what happened at Bangladesh Bank at the time and how the hacker group carried out such a large-scale robbery.

When North Korean hackers almost pulled off a billion-dollar heist from Bangladesh Bank | The Daily Star


How North Korea came within a million dollars of a billion dollar hack --Security News

Around 20:30 on February 5, 2016 (Friday), the printer on the 10th floor of Bangladesh Bank broke down. Staff noticed the failure immediately but, saying that printer failures were not uncommon, did not consider it a problem. It later turned out that this failure was the first sign of a robbery plan worth about 100 billion yen.

A group of hackers known as the Lazarus Group had already infiltrated Bangladesh Bank's computer systems in 2015, a year before the attack took place. The Lazarus Group created a fictional person called 'Rasel Ahlam' to apply for a job at the bank, and it is believed that the system was infected with a virus when bank staff downloaded a document from the incoming email. This happened in January 2015.

Then in May, the Lazarus Group opened four accounts at the 'Jupiter Street' branch of RCBC, the largest bank in the Philippines. The driver's licenses used to open the accounts were fake, and there were many suspicious points, such as all the applicants having the same job title and salary while giving different company names, but none of this was seen as a problem. The four accounts were then simply kept open with an initial deposit of 500 dollars (about 55,000 yen).

There is a reason the hackers stayed hidden for a year after breaking into the system. Bangladesh Bank used a backup method of printing all remittances made from the account on paper, which was done with a printer on the 10th floor. Because the intrusion could be revealed the moment a transfer was printed, the hackers hid for a year until they had finished compromising the software that controls the printer.

Then, around 20:00 on February 4, 2016 (Thursday), once they had control of the printer, the hackers started to act. A total of $951 million, equivalent to almost the entire balance of Bangladesh Bank's account at the Federal Reserve Bank of New York, was transferred to RCBC bank accounts in Manila. In Bangladesh, the following days, from the 5th (Fri) to the 7th (Sun), were holidays, and in Manila, February 8th (Mon) was a Chinese New Year holiday. For this reason, although it was the morning of the 4th (Thursday) in New York when the remittance was made, the situation was only discovered on the 9th (Tuesday). By taking advantage of the time differences between New York, Bangladesh and Manila, the hackers succeeded in creating an effective five-day gap.

When the Bangladesh Bank printer was restarted and the remittance records were printed, it was discovered that almost all of the money deposited in the Federal Reserve Bank of New York account had been remitted. However, Bangladesh Bank did not know what had happened, initially thought that the money could be recovered, and did not disclose the situation. When cyber security expert Rakesh Asthana was asked for his opinion, it turned out that the banking system 'SWIFT' had been accessed to make the remittance and that the transmission could not be canceled. The hackers did not hack SWIFT itself, but accessed it by impersonating a legitimate bank employee. Bangladesh Bank filed legal proceedings in late February because some money had already arrived in the Philippines and a court order was needed to get it back. This made the matter public.

The Federal Reserve Bank of New York had a banking system set up to raise an alert on the word 'Jupiter', which appeared in the name of the RCBC branch in Manila. Payments for all alerted transactions were reviewed and many remittances were suspended. However, some transactions went through.

Meanwhile, going back a little in time, on February 5 the four accounts opened at RCBC suddenly became active. The money was transferred between accounts, sent to a foreign currency exchange company, exchanged for local currency and re-deposited into a bank. The hackers then withdrew some of it as cash and started laundering it at a casino in the Philippines called 'Solaire Resort and Casino'. At a casino, cash is exchanged for chips, gambled, and then exchanged for cash again, which breaks the trail. Later, $50 million that had slipped through the Federal Reserve Bank of New York's alert was discovered in an account at 'Midas', a casino separate from Solaire, and it was found that $31 million (about 3.72 billion yen) had been passed to a person named Xu Weikang, who departed on a private jet.

As a result of Bangladesh Bank's pursuit, most of the stolen $951 million was recovered, but the whereabouts of about $65 million (about 7.8 billion yen) are still unknown.

The hacking group that caused this incident is believed to be the same one behind the 'WannaCry' ransomware incident, which infected computers all over the world with malware and demanded ransom, and behind the hack that brought down the entire Sony Pictures system.

in Security, Posted by darkhorse_log