
I. SUMMARY

The Bangladesh Bank heist was a series of unauthorized transactions issued from an official computer of the
central bank of Bangladesh. Using the SWIFT system, payment instructions were sent that directed money to
accounts in Sri Lanka and the Philippines. The instructions totalled nearly $1 billion, but most of the payment
orders were blocked, and part of the money that did leave has since been recovered. The attack has been
attributed to the hacker group Lazarus and to North Korea.

II. INTRODUCTION

Cyberspace is now an embedded element of society, and banks have become vulnerable to cyber attacks. All over
the world, financial transactions are conducted digitally over computer networks, and banks are struggling with
security issues in a never-ending race against malicious hacker groups. Traditionally, banks have been perceived
as trustworthy actors when it comes to cyber security, but history knows multiple cases of successful cyber
attacks against banks. These successful and devastating attacks have also led to a growing fear of cyber attacks
among banks.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has warned that the number of
attacks against its network is on the rise. SWIFT is a member-owned cooperative that provides secure financial
messaging for its members. The messaging platform is used worldwide to exchange a daily average of almost
30 million financial messages. Needless to say, an attack on a platform like this can have devastating
consequences.

SWIFT carries the payment instructions, but each member bank is responsible for securing its own systems and
its own connection to the network. This is where attackers exploit weaknesses. For example, the hacker group
Lazarus and its subgroup Bluenoroff have targeted and successfully attacked smaller banks in less developed
countries, where security measures and systems are weaker. The Bangladesh Bank heist was conducted by
exploiting such weaknesses to reach the SWIFT network from inside the bank, and it eventually became one of the
largest and most successful cyber heists ever.

III. TIMELINE OF THE ATTACK

May 2015

The first preparations for the Bangladesh Bank attack were made when four bank accounts were opened at a
Philippine bank to receive the future transfers. None of the accounts was used until the day of the attack; they
were clearly set up for the attack alone. Neither the accounts nor their owners were verified in the process, so
nothing checked the validity of the owners or of the later transactions.

January 2016

The Bangladesh Bank network was breached by exploiting the absence of a firewall, probably with help from
inside. The real timeline of the attack still lacks an official statement, as the final report from the CID had been
delayed 13 times at the time of writing. Because the official report has not been finished, the dates and events
presented here carry some uncertainty. Access to the bank's servers made it possible to reach the bank's SWIFT
connection and inject malware into it, as it was not separated from the rest of the network. It is very likely that
the attackers also installed a keylogger to capture the credentials used to authorize transactions.

February 2016

The attack itself began on 4 February 2016, when 35 payment instructions worth $951M were sent to the Federal
Reserve Bank of New York. The malware targeted the bank's installation of SWIFT Alliance Access, the interface
software widely used by banks around the world to connect to the SWIFT network. Five of the transactions were
completed; the remaining ones were blocked, partly because of mistakes made by the attackers. The completed
payments, worth about $100M, went to the Philippines and Sri Lanka. Between 5 and 9 February the attackers
withdrew $81M in total through accounts held under fictitious names. Bangladesh Bank became aware of the
unauthorized messages on 8 February.

IV. DETECTION

A spelling mistake in one payment instruction, which prevented the automatic system from completing the
transaction, is the reason it was reported that a bank heist worth almost 1 billion US dollars had been averted.
Deutsche Bank, through which the transfer was routed, flagged the transaction as suspect. Nevertheless, as the
transaction had been approved by the Fed, it was forwarded to Sri Lanka. There the transfer was caught by an
official at the receiving bank, because it was unusually large for Sri Lanka. Before clearing the transfer, the Sri
Lankan official contacted Deutsche Bank, which confirmed that the transfer was indeed suspect. As the recipient
turned out to be a fake entity, the bank was able to freeze the funds and ultimately return them to the originating
bank. Of the reported total of almost $1 billion, the attackers managed to transfer only $81m. Independently, the
Fed alerted the central bank of Bangladesh after detecting that the number of transfers to non-banking entities
had surged. Without the spelling mistake and the diligence of bank officials, the attackers could have got away
with a far larger sum after successfully inserting the forged instructions into the SWIFT network.
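As an added example (not code from the paper, from Bangladesh Bank, from the Fed or from SWIFT), the following Python sketches the two checks this section attributes to the intermediaries: holding a batch whose share of non-bank beneficiaries jumps above its historical norm, and holding any single amount far above what a destination corridor has carried before. All records are constructed; the four Philippine beneficiary names and amounts are those listed in Section VI, the Sri Lankan beneficiary is a placeholder, and the thresholds (three times the historical non-bank share, 1.5 times the historical maximum) are illustrative assumptions.

```python
"""Payment-screening checks of the kind Section IV describes: a surge of
instructions to non-bank beneficiaries, and single amounts far larger than a
destination corridor normally carries.  Added example, not code from the paper,
from any bank or from SWIFT; all records below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str                   # instruction reference (constructed)
    amount_usd: float
    beneficiary: str
    beneficiary_is_bank: bool  # True when the beneficiary is a financial institution
    dest_country: str          # ISO country code of the beneficiary's bank


# Constructed baseline: a quiet month of correspondent traffic, almost all of it
# bank-to-bank, with one modest payment to a non-bank organisation.
BASELINE = [
    Payment("B001", 12_000_000, "BANK ALPHA (LK)", True, "LK"),
    Payment("B002", 4_500_000, "BANK BETA (PH)", True, "PH"),
    Payment("B003", 9_800_000, "BANK GAMMA (LK)", True, "LK"),
    Payment("B004", 250_000, "RELIEF AGENCY (US)", False, "US"),
    Payment("B005", 6_100_000, "BANK DELTA (PH)", True, "PH"),
    Payment("B006", 11_000_000, "BANK EPSILON (LK)", True, "LK"),
]

# Constructed batch modelled on the pattern of 4 February 2016: many instructions
# at once, nearly all to individuals or a non-bank entity, one far above anything
# the Sri Lanka corridor has carried.  The four Philippine names and amounts are
# the ones listed in Section VI; the Sri Lankan beneficiary is a placeholder.
BATCH = [
    Payment("T001", 20_000_000, "SAMPLE FOUNDATION", False, "LK"),
    Payment("T002", 6_000_000, "MICHAEL CRUZ", False, "PH"),
    Payment("T003", 30_000_000, "JESSIE CHRISTOPHER LAGROSAS", False, "PH"),
    Payment("T004", 20_000_000, "ALFRED VERGARA", False, "PH"),
    Payment("T005", 25_000_000, "ENRICO VASQUEZ", False, "PH"),
    Payment("T006", 3_000_000, "BANK GAMMA (LK)", True, "LK"),
]


def nonbank_share(payments):
    """Fraction of instructions whose beneficiary is not a financial institution."""
    if not payments:
        return 0.0
    return sum(not q.beneficiary_is_bank for q in payments) / len(payments)


def flag_nonbank_surge(batch, baseline, factor=3.0, floor=0.05):
    """Return the non-bank payments in `batch` if its non-bank share exceeds
    `factor` times the historical share.  `floor` keeps the bar above zero when
    the history is entirely bank-to-bank, so one stray payment is not a surge."""
    threshold = factor * max(nonbank_share(baseline), floor)
    if nonbank_share(batch) <= threshold:
        return []
    return [q for q in batch if not q.beneficiary_is_bank]


def flag_oversized(batch, baseline, multiple=1.5):
    """Return payments larger than `multiple` times the largest amount ever sent
    to the same destination country.  A country with no history gets a ceiling
    of zero, so any payment into a new corridor is held for review."""
    ceiling = {}
    for q in baseline:
        ceiling[q.dest_country] = max(ceiling.get(q.dest_country, 0.0), q.amount_usd)
    return [q for q in batch
            if q.amount_usd > multiple * ceiling.get(q.dest_country, 0.0)]


def review_queue(batch, baseline):
    """Map instruction ref -> reasons to hold it before release.  Each rule
    contributes independently, so a payment can be held for several reasons."""
    reasons = {}
    for q in flag_nonbank_surge(batch, baseline):
        reasons.setdefault(q.ref, []).append("non-bank beneficiary during surge")
    for q in flag_oversized(batch, baseline):
        reasons.setdefault(q.ref, []).append(
            f"amount exceeds historical ceiling for {q.dest_country}")
    return reasons


if __name__ == "__main__":
    for ref, why in review_queue(BATCH, BASELINE).items():
        print(ref, "->", "; ".join(why))
```

Run as a script it prints the held instructions with their reasons. Both rules judge the batch against history rather than against a fixed limit, which is what lets them catch a burst of plausibly sized payments that would each pass a static cap; their weak point is that a patient attacker who stays under the historical ceiling and trickles payments out is not caught, which is why human review of the flagged beneficiaries remained decisive in this case.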

V. IDENTITY OF THE ATTACKER

Some data could be recovered from backups of the systems, even though the attacker tried to remove all
evidence from the bank's systems. The recovered files indicate that the techniques and tools used in the attack
can be linked to a group known as Lazarus. Kaspersky, which analysed the data, summarises the activities of the
Lazarus group as follows: "Its malware has been found in many serious cyberattacks, such as the massive data
leak and file wiper attack on Sony Pictures Entertainment in 2014; the cyberespionage campaign in South Korea,
dubbed Operation Troy, in 2013; and Operation DarkSeoul, which attacked South Korean media and financial
companies in 2013."
In their report, Kaspersky (2017a) thoroughly analyse the malware used in the attack. Analysis of the
disassembled code shows that some of the malware is identical to that used in some of the incidents mentioned
above. Even though parts of the code have been modified, probably to change the malware's signature and evade
detection by automated analysis tools, the samples from the different incidents share some unusual techniques,
which suggests that the payloads could come from the same author or group. One of the unusual techniques noted
by Kaspersky (2017a) is completely overwriting a file's contents and renaming the file before deleting it.
Overwriting the contents, possibly multiple times, is a common way to remove the data from the physical device
and hinder forensic recovery; renaming before deletion additionally replaces the original filename in the
directory metadata, so a recovered deleted entry no longer reveals what the file was called. Kaspersky (2017a)
observe that attackers rarely include the renaming step in their file-destruction routines.
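One way to turn the overwrite, rename, delete pattern into a detection, as an added example in Python (not code from the paper or from Kaspersky): it walks a stream of file-system events and reports every process that writes a file, renames it and unlinks the renamed file within a short window. The event format and every event are constructed for the example, not taken from a real Sysmon or auditd log; the 30-second window is an assumption. Plain save-then-delete and plain move-then-delete are deliberately included and left unflagged, so the rename step is what separates a wipe from ordinary file handling.

```python
"""Spot the overwrite -> rename -> delete chain that Kaspersky (2017a) single
out, in a stream of file-system audit events.  Added example, not code from the
paper or from Kaspersky; the event format and all events are constructed, not a
real Sysmon or auditd log."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FsEvent:
    ts: datetime
    pid: int
    op: str             # "write", "rename" or "unlink"
    path: str
    new_path: str = ""  # target name, only meaningful for "rename"


def ev(ts, pid, op, path, new_path=""):
    return FsEvent(datetime.fromisoformat(ts), pid, op, path, new_path)


# Constructed events; timestamps and paths are made up for the example.
EVENTS = [
    # Process 4242: two overwrite passes, rename to a junk name, delete within seconds.
    ev("2016-02-05T10:00:00", 4242, "write", r"C:\temp\session.dat"),
    ev("2016-02-05T10:00:01", 4242, "write", r"C:\temp\session.dat"),
    ev("2016-02-05T10:00:02", 4242, "rename", r"C:\temp\session.dat", r"C:\temp\~tmp9f3.tmp"),
    ev("2016-02-05T10:00:03", 4242, "unlink", r"C:\temp\~tmp9f3.tmp"),
    # Process 555: saves a document and deletes it; no rename, so not the wipe pattern.
    ev("2016-02-05T10:05:00", 555, "write", r"C:\Users\ops\report.docx"),
    ev("2016-02-05T10:05:10", 555, "unlink", r"C:\Users\ops\report.docx"),
    # Process 4242 again: moves and deletes a file it never wrote to.
    ev("2016-02-05T10:07:00", 4242, "rename", r"C:\temp\a.bin", r"C:\temp\b.bin"),
    ev("2016-02-05T10:07:01", 4242, "unlink", r"C:\temp\b.bin"),
    # Process 777: the same three steps, but the delete comes ten minutes later.
    ev("2016-02-05T11:00:00", 777, "write", r"C:\data\cache.db"),
    ev("2016-02-05T11:00:01", 777, "rename", r"C:\data\cache.db", r"C:\data\old.db"),
    ev("2016-02-05T11:10:00", 777, "unlink", r"C:\data\old.db"),
]


def find_wipe_sequences(events, window=timedelta(seconds=30)):
    """Return (pid, original_path, deleted_path) for every chain in which one
    process writes a file, renames it, and unlinks the renamed file within
    `window` of the first write.  State is keyed by (pid, current path) and is
    carried across the rename, so the chain survives the name change."""
    tracked = {}  # (pid, path) -> (first_write_ts, original_path, renamed)
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.pid, e.path)
        if e.op == "write":
            # Keep the timestamp of the first write; later passes do not reset it.
            tracked.setdefault(key, (e.ts, e.path, False))
        elif e.op == "rename":
            state = tracked.pop(key, None)
            if state is not None:
                first_ts, original, _ = state
                tracked[(e.pid, e.new_path)] = (first_ts, original, True)
        elif e.op == "unlink":
            state = tracked.pop(key, None)
            if state is not None:
                first_ts, original, renamed = state
                if renamed and e.ts - first_ts <= window:
                    hits.append((e.pid, original, e.path))
    return hits


if __name__ == "__main__":
    for pid, original, deleted in find_wipe_sequences(EVENTS):
        print(f"pid {pid}: {original} overwritten, renamed to {deleted}, then deleted")
```

Tracking state per process and following the rename is the point: a rule keyed only on the path loses the chain at the rename, which is exactly the step that makes the technique unusual. Legitimate software also writes, renames and deletes temporary files (atomic saves, for instance), so the output is a triage list for an analyst, not a verdict.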

Little is known about the members of the group. However, when combing through the logs of a more recent
incident linked to the Lazarus group, Kaspersky (2017b) found a link to North Korea. While criminals usually mask
their real location and IP addresses by using VPN services and proxies, the logs of a seized command-and-control
server showed that it had been accessed once from a North Korean IP address. An IP address alone is not solid
evidence of North Korea's involvement in the group's activities, but it is compelling to consider that the
connection could indeed have originated from the operator's real address: human error or a misconfiguration may
have routed some of the operator's traffic directly to the host instead of through the chain of proxies and VPNs.
This reasoning is also supported by Novetta's (2016) report, which finds that the group has especially targeted
South Korean and US-based entities, i.e. adversaries of North Korea. However, due to the nature of cyberspace, it
is extremely difficult to identify the true origin of any connection, and attackers could deliberately leave
behind seemingly solid evidence to throw researchers off the real track.

VI. LIABILITY OF RCBC OFFICIALS

BRANCH MANAGER

A Makati City court in January 2019 convicted former Rizal Commercial Banking Corp. (RCBC) branch manager
Maia Santos-Deguito of eight counts of money laundering involving the $81 million stolen from Bangladesh Bank's
account with the Federal Reserve Bank of New York in February 2016.

At the same time, Ms. Deguito was acquitted of one charge due to double jeopardy as she was charged twice for
allowing a transaction worth $14.31 million.

In its 26-page decision, the court found that Ms. Deguito "facilitated these transactions to their full and complete
implementation without any sign of hesitation." It also said that she must be "responsible and criminally liable" as
she was the manager of the RCBC Jupiter Street branch which processed the transactions. "(H)er declaration in the
open court that she has nothing to do with these transactions was a complete and comprehensive lie."

OTHER OFFICIALS

In a resolution signed by Assistant State Prosecutor Mary Jane Systat, the DOJ sustained the application of the
"willful blindness doctrine" in finding probable cause to indict the respondents Raul Victor Tan, National Sales
Director Ismael Reyes, Regional Sales Director Brigitte Capiña, Customer Service Head Romualdo Agarrado and
Senior Customer Relationship Angela Ruth Torres for violation of Republic Act 9160, the Anti-Money Laundering
Act of 2001.

The willful blindness doctrine is defined as the deliberate avoidance of knowledge of a crime, especially by failing
to make a reasonable inquiry about suspected wrongdoing despite being aware that it is highly probable.

"There is no better way to describe the acts of respondents Tan, Capiña, Reyes, Agarrado and Torres than this," the
resolution read.

The five RCBC officers are being accused of facilitating the suspicious transactions involving the accounts of a
certain Michael Cruz ($6 million), Jessie Christopher Lagrosas ($30 million), Alfred Vergara ($20 million) and
Enrico Vasquez ($25 million) despite stop-payment requests from the Bangladesh Bank.

The respondents, according to the DOJ, were found instrumental in the lifting of the temporary hold on the four
beneficiary accounts of the international inward remittances of funds allegedly wrongfully taken from the
Bangladesh Bank, and the withdrawal of such funds, among other acts.

The resolution found the five to have, among others, deliberately avoided knowledge of the crime, “by failing to
make a reasonable inquiry about suspected wrongdoing, despite being aware that it is highly probable.”

It added: "By the very nature of their work in handling millions of pesos in daily transactions, the degree of
responsibility, care and trustworthiness expected of bank employees and officials are greater than those of
ordinary clerks and employees."

VII. HOW THE MONEY EASILY ENTERED THE PHILIPPINES

In the fallout of the $100-million Bangladesh Bank heist, the Philippine financial industry became front and center
in the media, raising questions on how such a huge amount of dirty money easily got into the country.

The money was coursed through the Philippines' banking system, deposited into a Filipino-Chinese businessman's
bank account, and transferred to three large casinos. These are just some of the details in a story that was
developing into the biggest documented case of money laundering in Philippine history.

The reason identified was the ease with which funds could be moved into the Philippines.


The Philippines' involvement in the $100-million Bangladesh Bank heist, which risked the country's return to the
FATF grey list, showed the urgency of putting more teeth into the Anti-Money Laundering Act (AMLA), said
Securities and Exchange Commission chairperson Teresita Herbosa, a member of the AMLC.

The law, first passed in 2001, left casinos out of the list of entities required to report suspicious transactions
to the AMLC. There were efforts in the Senate to include this provision in the amended AMLA in 2013, but they
were blocked by some lawmakers and by PAGCOR.

At the time, the country was at risk of being blacklisted by FATF without an amended AMLA by the deadline set by
the body.

Herbosa said not requiring casinos to report suspicious transactions might have allowed the easy entry of dirty
money into local casinos – just like what supposedly happened in the case of the Bangladesh Bank funds.

"It's a global effort to eradicate money laundering. We have to catch up with people doing that activity and while
we are doing that we need to strengthen the laws of each country to conform to best practices," Herbosa said.

For Senator Sergio Osmeña III, author of the AMLA, the casinos were excluded from the scope of the law because of
strong lobbying by the companies.

Osmeña said it is now up to the next Congress to pass the needed amendment. He added that Aquino's successor
"should strongly reconsider the bank secrecy law."

"We have the strictest bank secrecy law in the whole world. Congress doesn't want to loosen it up. Why? You and I
have our own guesses. It's very easy for criminals to hide their money in the Philippines. As a matter of fact, we are
one of the most active money laundering centers in the world," Osmeña told ANC's News Now.

Another loophole, raised earlier by Senator Teofisto Guingona III, is that the AMLC can only look into an account
once the concerned party has been informed, a so-called de parte inquiry.

"As a result, once informed, many have resorted to emptying out their bank accounts before the government can
inquire into them. Logic and necessity demand that we allow for an ex parte inquiry," Guingona earlier said in a
blog post.

According to Guingona, the AMLC should be allowed to look into people's accounts, even without their presence,
when there is probable cause of money laundering or any other unlawful activity.

VIII. DISCUSSION

In addition to the monetary loss of $81m, the incident severely damaged trust in the IT systems of the global
banking sector. It is clear that the global payment network is only as secure as the weakest bank connected to it.
SWIFT's model failed to provide layered security: the attackers could abuse the network from one member's
compromised environment without compromising the core servers of the SWIFT network itself. The architecture
has also been questioned by Deutsche Bank (Schuetze, 2016), and hopefully the system will become more resilient
to cyber threats. SWIFT has warned member banks about the growing threat against the network (its Customer
Security Programme, announced in 2016, is a first step towards mandatory controls for members), but the
potential scale of damage shown by the Bangladesh Bank case calls for more concrete, system-level revision of
the financial network. The current state, in which the global financial network can be compromised through
negligent cyber security at a bank in a developing country, casts a great shadow of unreliability over the global
financial sector. The Bangladesh Bank heist amounted to a vote of no confidence in the global financial system.

Weekend procedures should also be considered a vulnerability in the banking sector. The success of the heist
relied largely on timing: insufficient monitoring and means of communication over the weekend meant that the
unauthorized transactions were not noticed until four days after the attack. The instructions went out on a
Thursday evening, just before the Bangladeshi weekend (Friday and Saturday), the US weekend followed, and
Monday 8 February was a public holiday in the Philippines, so at each step the party that needed to act was
closed while another was open. In other words, the success of this cyber attack relied not only on the cyber
domain but on the physical one as well, which shows that cyber security cannot be assessed in a vacuum. The
suggested insider theory about the origin of the attack supports this view, as a physically present human was
needed.

In the fallout of the incident, the governor of the Bangladesh central bank took personal responsibility for the
heist and resigned from his post (The Guardian, 2016a). Additionally, the central bank of the Philippines fined
Rizal Commercial Banking Corporation 1 billion pesos ($21.3M). The bank had been used to move the stolen money
on to casinos in order to launder it, and had apparently failed to follow regulations against fraud and theft. It
should now be clear that the leaders of the banking world need to improve the state of cybersecurity globally,
both by developing more secure systems and by training personnel to detect anomalies. As the fraud was only
detected after human intervention, the current state of automated fraud detection and prevention is evidently not
yet adequate, and may never be: a computer program following its rules is far more easily fooled than a
well-trained, thinking human being.

North Korea's possible involvement moves the heist onto another level, the political one. When governments are
involved in a malicious cyber attack, reactions, especially in the media, become fierce, and there could be major
political consequences if the attack is treated as cyber warfare. For example, after Russia's alleged interference in
the 2016 US presidential election, 35 Russian diplomats were expelled. In the case of the Bangladesh Bank heist it
should be noted that, given their difficult history, the US might have a political interest in pointing to North Korea
as a scapegoat, so accusations of North Korean involvement should not be embraced without caution. Kaspersky,
however, a Russian company, has also pointed to North Korea's possible involvement in the bank heists conducted
by Lazarus. Whoever was ultimately behind the heist, the most important thing is to focus on revising and
enhancing the cybersecurity of financial messaging networks and the cybersecurity strategies of individual banks.
