Event Recording

How to successfully rob a bank (and almost get away with it)

Log in and watch the full video!

The majority of crimes in our industry are initiated with cyber-attacks on people - however, our people can also be our most valuable assets. This presentation start with a walkthrough of multiple "bank robbery" scenarios to focus on a real event from 2016, when in one of the largest cyber heist ever, $1 billion were at stake being stolen from a bank. And how human vigilance (as well as human mistakes by the criminals) finally prevented the worst.

Kashif Husain, CISO, Vice President, Nomura

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Good morning. Thank you for taking the time to attend a session and giving me the chance to speak something about, well, an interesting topic. So at this conference, you will hear a number of informative talks from very experienced security experts. My talk is let's call it a slightly bit different as you can probably can tell from the title. So I would like to present a scenario how you can become a very successful bank robber if you wanted to. Of course. So, first of, first of all, of course, please note that no criminal activities condoned by me this conference organizers or my employer. So in this context, I would like to introduce myself briefly before I start the presentation. My name is Cashen. I worked for one of the big four audit firms for more than 10 years. And then for the largest German bank for another 10 years, I currently work as the information security officer at the U headquarters of Nura, a large Japanese bank in Frankfurt.
So before we start, we obviously need to first choose our method, how we are actually going to Rob the bank. So you can go the traditional route. So you can go into the bank, act like you have a gun under your jacket, and then place a note on the bank teller counter saying, this is robbery. Give me some money. The advantage of, of course, is that you don't need much preparation, especially as you may already be wearing in a mask in current times. Unfortunately. So this is, but this is probably not worth the risk considering the few hundred dollars you could make actually.
So the second option is let's call it a bit more explosive. So here, my suggestion is that you steal a car and get a canister of, for point gas from your local hardware store. Then in the middle of the night, drive to a bank with an ATM, then carefully fill the ATM cash slot with gas and try to break open the machine. So, and if you are lucky and survived the explosion without burning up the money, you could get away with 10,000 up to a hundred thousand euros in your getaway car. Just a quick side note in Germany, the, the gang coming from Netherlands specialized on this was called Audi bundle. As they used stolen cars from Audi for the getaway. And unfortunately the cost of the property damage is of much higher than the amount of stolen money. So it's not a good cost to benefit ratio, at least for the bank.
Why not use another, let's say less violent option. So ransom space in the basement of a building beside of bank, then in the middle of the night, dig a tunnel and drill a large hole into the basement and vault of the bank. The risk and profit ratio are not bad, but that's a whole lot of physical work required for digging the hole. So I personally would skip it, but if you want to, you could get your hands up to 10 millions with this, but actually what if even 10 million is not good enough for us? What if you wanted to Rob a bank for a billion us dollars? That's the one with nine zeros with as, as little risk as possible. Are you in? So our goal is a billion dollar bank robbery, but who has that kind of money actually lying around to grab a billion dollars, obviously a lot of money.
So your average consumer bank from commerce bank to Barclays will not have that much money, probably not even their bank headquarters. So a typical bank is out. Therefore, if you have to aim a slightly bit higher, something like a federal reserve bank, a national bank, basically a country's reserve bank. My suggestion let's try the central bank of Bangladesh, the Bangladesh bank as the central bank of a country that doesn't actually feature in Hollywood movies. It's it may sound like an interesting new location to see now that we have the message and target. We have to get the team together. If we are talking of well known crew experience with a large highest, my first thought would be the guys from oceans 11. But if remember our message selection earlier breaking into a bank with glazing is probably a very dumb idea. So maybe we won't be using Georgey Brad pit and the rest of the oceans 11 team to do the job.
We may actually not even need any physical skills or good looks. So maybe a computer, maybe computer hacking skills would be a better option. So we will go with the cyber heist, obviously considering the team of the event. So probably not surpri, probably not surprising. So if we want to get the billion using cyber criminality from the bank, we should rather use a few guys sitting at home in a dark basement. That's probably much cheaper than getting Hollywood stars to do the job anyway. So if you, and if you guys are able to work from home, you also don't have to worry about social distancing, two G or 3d 3g and wearing masks or having any tests done.
So now we have the method, the target and the crew next, we need to find a way to get into the bank. So, so what's the best way to somehow get into the bank for cyberized. I mean, trying firewalls zero day security holes, admin passwords can be dangerous and could be detected and stopped, especially if you use any of the products shown here in this event, online banking has a too low transfer limit and PST two has only made things more complicated for criminals, but we could use a method which has been one of the biggest problems for every company in the last, in the last 10 years, fishing a side note, obviously all, all the participants say I know, but fishing is an example of social engineering where criminals first try to appear to be trusted parties and trick their potential targets with emails or similar to do things they wouldn't otherwise do in this case transfer money from, from bank accounts.
So what we should in this case do is let's write an email to more than 2000 employees of the Bangladesh bank. Have the email look like it's in job application and insert a link to the malware into the email, by the way, the text and the sender of the email you see in the slides is real. This is taken from the evidence gathered by computer forensic investigators after, after what happened. So anyway, we just need one, any one of the recipients in the bank to click on the email on the link in the email, open the zip file and get infected with this Trojan will be triggered and be able to get into the bank systems and hop around from one PC to the next, analyze the network and find suitable targets. So our objective is with this day, we will be establishing a persistence, spend some time to understand the network and try to learn how to transfer money around the first thing you may find out that it's, that not all money sits in DACA.
The capital of Bangladesh, the Bangladesh bank has a foreign currency reserve account in New York with the federal reserve bank. The New York fed in this case, a billion dollar is sitting there in New York. Now we have to understand how do banks actually transfer money? So the answer is in the pile of card. You see, you see here, don't worry. I'm not going to open the door using a credit card like in the movies, but I would like to highlight this particular card it's from swift. So swift is the international bank transfer system used by over 11,000 members, financial institutions. So banks in over 200 countries. So whenever Bangladesh bank wants to pay someone in us dollars, they send an instruction via Smith to, to the New York fed and then ask them to pay out from their account in New York. So that's a critical thing to know from, for our highest.
So the thing about swift network is it's pretty secure. It's practically impossible to hack, but instead of hacking into this swift network, you, you should try to find another weakness. In this case, the hackers identify a mistaken Bangladesh bank, swift authentication implementation. That's actually a simple check. If people have entered the right passport before being able to use the swift network set up in the Bangladesh bank. So it was just a few lines of code. And by changing just eight characters in the code, the authentications were skipped. So instead of breaking or forcing the passport, you just removed the password check functionality and completely completely in urine from swift and New York fed perspective. The hackers are certainly authorized to act on behalf of the Bangladesh bank because it's formerly Bangladesh banks shop to ensure their users are properly authenticated.
By the way, before we forget, we of course need to prepare the receiving bank accounts. So we don't want to transfer the money directly to our own personal accounts. This would be too obvious. So why not set up a few months ahead of time, multiple bank accounts at the RCBC bank in Manila, Philippines, and at least one account at the pan Asia bank in Sri Lanka. Of course these countries should be selected based on weak know your client's regulations so that we can stay more or less anonymous and hide our true intentions. There's actually an even more important reason for choosing Manila in Philippines. This could be a topic of a whole new presentation about being successful in money laundering. Just to quick spoilers has something to do with the casinos in Manila, but that's for another day anyway, executing our plan. So we have of course to learn something about this fifth network before misusing it.
So we need to know how to blend in. We need to start the bank's high dollar value transfers, and then use this to plan our theft so that we don't raise, raise any suspicions. So important aspect here is we need, we should break up of theft. So making one giant transaction may raise a flag somewhere and if one single 1 billion transaction phase, then everything fails. So again, remember our plan. We have to swift net terminal in Bangladesh under control. We want to send an instruction to New York to transfer money to the Philippines. So next we should look for ideal timeframe to execute our plan. For example, use time zones to our benefit. Remember there is a 10 hour difference between Bangladeshian Eastern us to New York and from New York, there's another 12, 12 hour time difference to the Philippines. And then there may be differences in work days as many Muslim countries as Bangladesh have Friday, Saturday as weekend versus Saturday, Sunday elsewhere.
And maybe we should plan around a time when Monday is a bank holiday. So if you have the time, if you time everything perfectly and start, start the transaction on a Thursday evening in Bangladesh, it'll be early Thursday morning in New York where they have two days to transfer the money to Philippines. Since Friday is a weekend in Bangladesh, this will be known. This will be not noticed in the bank. And in case Bangladesh notices this on Sunday, New York will be offline as on, as on the weekend in, in us. And then there's also the bank holiday day on Chinese new year on a Monday, which is observed in Philippines. They can't be warned even if Bangladesh New York noticed anything on Monday.
So you have to timing, right? And the idea is to break up the theft in 36 transactions, totaling 951 million us dollars, but, but small issue, there is a printer in Bangladesh bank, which prints out all the records in, in swift transfers. This would obviously be a debt giveaway. So of course we have learned about this as we had to observe the Bangladesh bank network. And since we can't physically pluck the pull, the printer plug onsite, we should just hack the printer and change the printer settings. If you can stop the printer completely, just make it print out blank pages. That's it. So, you know, in he movies, there's always the moment where the carefully plant thing always goes wrong. This is exactly what, what also happened there. So we behalf lined up 36 transactions to transfer 951 million out of the Bangladesh bank account in New York.
An important fact you need to know is that you just can transfer money directly from the us federal reserve to a personal bank account somewhere, but you have to specify an intermediary bank. So it has to go through a private bank like HSBC Santander or Deutche bank, and only then the money is put into your personal bank account in the Philippines on, in Sri Lanka. So what happened is that in 35 of 36 transactions, the hackers forgot to specify the intermediary bank and only specified their own personal account. So therefore the New York fed declined 35 of their transactions. Then the hackers had to redo these 35 transactions very, very quickly. And there happened another mistake. So the show stopper. So the money transfer continues after small misstep of forgetting the intermediary bank, but the other small mistake, which happened due to the quick correction with a major impact, one of the transactions is for the, is for 20 million to the hackers bank account in Sri Lanka, the New York fed approves the request. The 20 million are on its way to the intermediary bank, which happens to be in Germany, but the transfer stops there. The transfer was supposed to be for the Shikha foundation in Sri Lanka, but the transfer is misspelled as Shikha foundation. So when a person at Deutscher looks at the transfer, it rings some alarm bells. So DB flags it to the bank in Sri Lanka, they confirm back to Germany that something is wrong and Deutscher informs New York of their suspicion.
So the New York fed has all alarms raised as they check all recent Bangladesh bank transaction, and try to figure out what is going on. They call the Bangladesh bank, but there it is Friday and nobody is on, is in on the weekend in Bangladesh. In the meantime, the hackers are done after 36 transactions, they log off from the Bangladesh swift network on Friday morning, 3:59 AM, local time. So before logging off, they also trigger their malware in the Bangladesh bank network to start deleting all evidence of tech Rams. When the Bangladesh bank employees log into this fifth terminal on Sunday, they see a message from the New York fed alerting them of the large quantity of payment instructions be total, almost 1 billion. So understandably panicked, Bangladesh bank tries to call fax and email the New York fed to stop and reverse all transactions. But of course, nobody answers on the Sunday in New York.
So the happy ending, even with the potential fraud detected by Deutche by Deutche bank in New York fact, by the time the remaining transactions has been stopped, 85 million had already been successfully transferred to five R CBC bank accounts in the Philippines due to the Chinese new year R CBC bank was closed on the Monday where Bangladesh bank and the New York fed tried to call up and have their accounts frozen. What happened next? Well, there are some allegations of a potential insider at the RCBC bank in, in Philippines, although R CBC ceases to stop payment messages on this fifth network on Tuesday, the hackers are able to empty their bank accounts on the same day and get away with the large portion of the 85 million in this case, 81 million. And then the money disappears after some clever money laundering method. So it could not be traced back to cyber heist.
Bangladesh bank was only able to recover a few million of the, of the completed transactions on the bright side. It could have been much worse with the loss of a billion dollars. So, but still Bangladesh bank was not all all smile in this case, as you can obviously believe. So, you know, there is often an after credit sequence in movies where something surprising happens or the sequence setup or the final mystery is resolved. So who exactly were these hackers? It has been confirmed that the hacking group is called lasers group or a PT 38. They seem to be tied to all recents fifth attacks on banks in Ecuador, Poland, Vietnam, India, Cayman, islands, Taiwan, and Russia all have been hacked. And this can be attributed back to this group. And then there's evidence that they were involved in the Warner crime scene, which also costed loss of more than 4 billion worldwide in the early 2017.
But that's a story for another time. Now, the best part, the Eros group also did the Sony pictures hack in 2014, where they wanted to prevent the publication of a certain iCal movie about the SSE assassin nation of the north Korean leader. Kimon which makes sense if you know that another name for the lasers group is reckoning since general bureau, which operates on behalf of North Korea. So meaning allegedly North Korea did the Bangladesh bank swift tag, but don't take my vote for it. The us department of justice investigated this actually a lot. The FBI wanted to know more and spent more than two years tracking down who hacked the Bangladesh bank and came to the conclusion that this has been done on behalf of North Korea. The criminal complaint described in detail on 172 pages shown shows how the FBI was able to link North Korea to the sec. If you're interested, there's a link to the us justice document in the presentation before we end, maybe an important thing for us to know, swift is also used by most, most banks, but the swift environment should always be segregated from production environments and also be fully compliant to the current security framework and security programs as mandated by this by swift, including controls to prevent such local authentication issues to happen again.
So what have we learned the problem started because an employee clicked on a link in phishing email resulting in the loss of 81 million. This chose the importance of ensuring that our users are well trained against such threats, especially fishing, but on the other hand, 900 million was safe by someone else attention. So one person discovered errors in these transactions and was able to take action that protected almost that protected most of the 1 billion from the hackers. And in the end, the hackers also just only had people at the work who made the actual clerical error, the typing error out of time constraints that led to the discovery. So my conclusion would be that at least as long as, as the criminals still use people, we still have a chance.
And, and we don't have to worry that, that we won't be able to prevent something like this in the future. Finally, there's a timeline of the events and they involve banks. So the most interesting part is how the timing actually worked perfectly for the cyber criminals, if not for the mistake, which then actually raised the alarms. So speaking of time, in this sense, thank you for taking the time to listen to my presentation, which you are very successful, informative day. If you have any questions or would like to contact me the best ways via my profile on LinkedIn or sing, thank you and stay safe. Thank you very much to give back. Thank you.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00