In our cyber e-book from several months ago, we mentioned the 2014 hack of Sony Pictures and how it may have been perpetrated by the North Korean government. This event may be part of a larger trend of politically motivated cyber-attacks carried out by nation states. Reviewing a list compiled near the end of last year reveals the targeting of news outlets by an organization with ties to the President of Syria, as well as disruptions at the Las Vegas Sands due to an organization based in Iran that was seemingly responding to disparaging comments directed at the Iranian government. This is in at least some measure consistent with reports from Wired about how various governments are expanding their cyber warfare capabilities. Among the most extreme cases, The New York Times published an exposé of a company of professional “trolls” in Russia whose job is to cause chaos and bolster the online presence of the Russian government. While drawing a direct connection between these organizations and the governments themselves is impossible, the general trends around the world are quite clear.
This trend may have taken an intriguing – and disturbing – new turn over the last few months. In February of this year, 35 transfer requests totaling nearly $1 billion were sent to the New York Federal Reserve using the SWIFT credentials of the Bank of Bangladesh. Ultimately, the Fed rejected 30 of them for various reasons, but 5, totaling $81 million, were ultimately cleared and transferred to accounts in the Philippines. The money was then laundered through several casinos, after which investigators have had difficulty tracking it down. However, this was not the first attack of its kind. A similar, smaller attempt was made on the accounts of a Vietnamese bank, although it ultimately was not successful. Banco del Austro, an Ecuadorean bank, was less fortunate, losing $9 million last year to a similar scheme.
These cases, along with several others that have remained undisclosed, have been connected to each other based on a piece of unusual code that was used in each attempt. This same piece of code also appeared in the Sony hack, although the extent to which this demonstrates a direct link is uncertain. A great deal still isn’t known, but reports suggest that multiple organizations had all breached the Bank of Bangladesh at the same time, with some that may or may not have participated being connected to unidentified nation states. It also isn’t clear to what extent the hackers had help within the bank, though such assistance is likely given the nature of the attack.
So is this North Korea? Again, there isn’t really a way to know, but it is a possibility, at least. Even if this weren’t the work of a state actor, the organization that is responsible (assuming it is even a single organization) has extensive connections and tremendous resources. And if it is a state actor, even a small, isolated state like North Korea, then that goes without saying.
While international bank theft by a sovereign nation is unheard of, it would be roughly consistent with previous North Korean behavior. Given tremendous sanctions, North Korea is cut off from the rest of the world, and has extremely limited access to foreign capital. In order to finance both its nuclear program and the opulent lifestyle of its ruling class, it frequently resorts to criminal activity abroad – indeed, an entire office within the North Korean government, known as Office 39, is devoted to acquiring and spending foreign currency for Kim Jong-Un. In other words, even if North Korea is not behind this particular theft, it is not unreasonable to think that they might attempt something similar, especially now that weaknesses in SWIFT have been made apparent.
While the system as a whole is still thought to be safe, the security of individual SWIFT credentials can only be as strong as the computer systems on which they are stored. As such, system security is as critical as ever (though as we have discussed previously, even the most secure systems fail, meaning that having emergency plans is just as important). This makes the general response of the US financial sector, at least the response reported in the media, extremely disconcerting to us.
The New York Times notes in its reporting of the theft that “American bankers have noted that the security lapses all occurred at banks in third-world countries, which may give some comfort to banking customers in the United States“. Any such comfort is misplaced and dangerous. Indeed, companies in the US are the ones that consistently suffer the highest losses due to cyber crime.
The reason for this is not entirely clear, but may in part be due to the fact that there is more money in the US, thereby making it a more lucrative target and compounding any losses. Besides, while security measures might be somewhat stronger in certain countries and weaker in others, we have not been able to find any metrics relating to the overall “security” of banking systems between different countries. And even if such a metric existed, that still doesn’t mean that US institutions would be universally more secure than those of other countries. Statistically, there are bound to be many institutions in the US and other so-called “first-world countries” that are less secure than many of their counterparts in “third-world countries”. Without thoroughly and continuously reviewing security protocols and measuring them up to the methods used in these breaches, there is no reason to think that any US institution is uniquely immune to these threats.
So in addition to improving system security, what else can be done? As we’ve discussed previously, acquiring insurance for these risks is important. Indeed, a thorough review of both an insurance program and the company as a whole will not only identify any possible missing coverage, but will identify any insufficient coverage as well. This is especially important if you are involved in the management of financial transactions in any way; the Bank of Bangladesh has publicly assigned part of the blame for this theft to both SWIFT and the Federal Reserve of New York, while Banco del Austro is suing Wells Fargo, the bank that facilitated the transfer, in American courts.
Of course, if sovereign states begin openly engaging in such activities, the insurance situation could become far more complex. In our next post, we’ll delve into this issue in a bit more detail.