Billion Dollar Heist (2023) Movie Script

It's Friday,
and it is, of course,
the Muslim prayer day.
Everyone's off,
except for the skeleton staff
at the Bangladeshi Bank,
including Zubair Bin Huda,
who is the duty manager.
He's part of
the elite team of employees
who run
the SWIFT banking system,
which is a highly secure
banking system
that sends money
around the world.
Now, Bin Huda goes,
as he does every day,
to the SWIFT printer
to check up on the transactions
from the day before.
There are usually printouts
of transactions
that came in overnight.
The SWIFT software would print
out a ledger every single day,
an audit trace of every single
transaction that occurred
on paper.
But when they came in
on February 5th morning,
as they usually do,
they found there were
no SWIFT messages at all.
In fact, the printer's
shut down. It won't work.
They try and turn it on.
Nothing will kick it
back into life.
He assumes it was simply
a technical error,
shrugs, goes home for the night,
comes back in
on Saturday morning
to check the system again.
The next day,
they somehow manually
get the printer to work.
This deputy head manager
walks in the room,
the printer starts working, and
these weird messages come out.
The printer
starts spewing out
all of these transactions,
including individual requests
to the Fed in New York
for $1 billion.
At that moment,
it's panic stations.
When I was growing up,
the biggest crime in Britain
ever recorded
was the Great Train Robbery.
It was an extraordinary thing.
They stole about 2.5 million.
That's about $4 million.
And that story
ran literally for 30 years.
Four million dollars.
What you're about to hear
is the story of an attempt
to steal...
a billion dollars.
It's told by world-leading
cybersecurity and legal experts
and journalists:
the very people
who uncovered the facts
and threaded them together
to reveal how dangerous the
world of cybercrime is today.
So, there are four big threats
to the world
and to the human race.
One of them
we've just experienced,
that's the pandemic.
Then you've got weapons
of mass destruction.
You've got climate change.
But barrelling down towards us
before those is cyber.
This is the possibility
of our overdependency
on network technologies
being undermined, either by
malfunctioning of the system...
New problems are emerging
the day after an Amazon
web service outage.
Massive and mysterious,
a global outage...
...or by a targeted attack.
More than a thousand companies
have been crippled
by this attack so far.
Sounds like we're looking
at a 2022 with more hacks,
more lost money.
So, when I started hunting
hackers in the early 1990s...
our enemy was really simple.
All the malware,
all the viruses,
all the attacks were
done by teenage boys.
What will your parents think?
I've been doing this job
for two decades now.
When we first started,
the people writing viruses
and malware
were doing it for fun,
to get their name in lights,
to say, "Look what I can do."
No flash, please.
When I started analysing
viruses, they looked like this.
Malware was still spread
on floppy disks.
They were spreading at the speed
of people travelling the world
and carrying the viruses
with them.
Michelangelo has
proven less harmful than feared.
All the stuff you've got
in there you may really want,
it's just gone?
Then the internet came around,
and suddenly,
malware outbreaks could
go around the world in seconds.
For the last 36 hours,
the ILOVEYOU virus has been
creating havoc around the world.
Experts have reason to worry.
The first attack, July 19th,
infected about 300,000
systems in nine hours.
First of all, the guys who
make a living doing security
and are trying to protect themselves
are scared shitless of you,
because you can just ruin 'em.
After the period of time
where hackers
were just doing things for fun,
some of them realised that they
could use it to make money.
Prior to, like, the 2000s...
cyber was primarily around
a disruption of websites...
defacement of a webpage.
Just as we got around 2000,
the dot-com boom, the explosion,
we started into
what would become
financially motivated hackers.
This really flourished,
especially in Eastern European,
Russia, CIS bloc countries.
This was the time
of gangster capitalism,
when everyone's world in Eastern
Europe was falling apart,
where organised crime and...
former members of
the intelligence services
were taking hold
of the economy.
So you had a lot of young people
in the 1990s
who were very good
mathematicians, physicists,
computer scientists,
who simply took
the logic and the morality
of gangster capitalism online.
Virus writers
were writing viruses
to infect Windows computers,
and those computers were then
sold to email spammers,
who were using those machines
to send Viagra spam
or what have you,
basically making money.
And that changed everything.
People at that time
began to use online banking,
and they began to steal people's
online banking credentials,
from there, also get
credit card numbers,
and use that
to basically transfer funds.
Just in hundreds of dollars at
a time from these individuals.
They eventually realised
that going after individuals
was much more difficult
than just going after
the banks themselves.
Get into databases,
those databases held
credit card numbers.
Take those numbers and then
sell them on the black market.
Originally, the internet
was set up at the Pentagon...
just to be able to share
resources between computers.
And it was really never
designed to have
banking attached to it,
critical infrastructure
attached to it.
It was really designed
for availability.
It was never designed
for security.
Whereas in the early 1990s
when there was only 30,000
people connected to it
and several hundred systems,
we've moved to a system
which essentially is the
backbone of global finance.
The fact that
it's able to do that...
the fact that it's able
to sustain currently between
15 and 20 percent
of GDP globally
tells us something about
just how important
this infrastructure is.
Why did people move
into the internet
to seek economic opportunity?
Because that's where the
economic opportunity was,
untethered by norms,
untethered
by national boundaries,
and essentially limited
only by the creativity
that these individuals had.
The user nagged
the Federal Reserve Bank
with 35 payment instructions
worth $951 million.
We'd just never heard
of such a thing before.
We'd been investigating cybercrime
for a couple of decades
at that point.
You see cyber criminals go in,
and they try to transfer a few
hundred thousands of dollars,
maybe a million,
a couple of million.
But conducting a cyber-attack
to try to steal one billion?
That was an order of magnitude
that we had never seen before.
It was clear from early on
that it was one of the biggest
cyber heists in the world.
When we first started
hearing rumours
about something affecting
SWIFT network,
I didn't understand
how big it was.
But when we started realising
this is at a completely
different scale,
it just blew my mind.
Once they realised
that the money actually
was really gone,
then the panic began to set in.
They lost $81 million instantly
to a bank in the Philippines.
They see the $81 million
has already gone
and that nearly $900 million
extra has been requested.
They basically try to figure out
what to do next.
They have no idea what to do.
They hunted for ways to contact
the New York Fed.
Desperate calls are made
by them.
And it goes
to an answering machine.
You've reached
the Federal Reserve Bank...
Because it's Saturday
in New York,
and nobody's picking
up the phone.
- Please call back...
- It's a complete shitshow.
Total disorganisation,
at both ends, I would stress.
The New York Times Magazine
was planning a true-crime issue,
and my editor came to me
and asked if I was interested
in doing it.
I looked into it a bit.
There definitely were
some intriguing elements,
and made me pay attention.
The Federal Reserve
has pretty much
depended on the SWIFT banking system,
and since there has rarely
been a hack, if ever,
of the SWIFT banking system...
the Federal Reserve
has never instituted
any sort of 24-7 hotline.
Eventually, they get
hold of somebody at SWIFT,
and SWIFT says,
"Just shut the whole lot down
until we know
what's going on here."
Badrul Khan decides before he
can actually make that decision,
he has to talk to the deputy
governor of the bank,
which he does.
Deputy governor doesn't want to
take the decision upon himself,
so he talks to the governor.
And guess what.
The governor says,
"It's probably a mistake.
We won't shut it down."
Work week begins
at the Bangladesh Bank
on Sunday morning,
and it's then that the general
manager of the bank
comes in and begins to take
stock of what had happened.
They're running out of options.
They're not sure what to do.
Fed is still closed in New York.
They go through
all the SWIFT material,
discover that most of
the money has gone
to the bank in Manila.
And these desperate
messages are sent out:
"Stop the transactions.
Hold that money. Do not
allow it to be withdrawn.
It's our money.
It's been stolen."
But there's a problem.
Five, four,
three, two, one!
Happy New Year!
It's Chinese New Year,
and the Rizal Commercial Bank
is closed.
The thieves chose
a sequence of days...
from Friday, Saturday,
Sunday and Monday,
when one or another
of the three countries
that would be communicating
with one another
was shut down for a holiday.
You've got to hand it
to these guys.
They knew it.
They knew that if they did it
over that weekend,
with the Friday,
the Muslim holiday,
the Sunday and the Saturday,
everything closed in New York,
and the Monday,
Chinese New Year.
They've got four days
to get the heist done.
This is really classy planning.
In that respect,
it was really an ingenious plan.
It's kind of like a great film
director in a malevolent way,
planning out, you know,
a very complex film.
The country of Bangladesh
is the 170th poorest country
in the world.
One billion dollars
is huge to them.
When we talk
about cyber-attacks,
they're not just zeros and ones.
We're not just talking
about people
moving around zeros and ones,
deleting zeros and ones.
One billion dollars
to Bangladesh
potentially means that people
starve in the country.
These things have potential
serious repercussions.
The Bangladesh Bank
heist was significant
because it showed how fragile
global banking was as a whole.
Banks don't just operate
as single isolated entities.
They're part of a system.
And that system is vulnerable.
The US Federal Reserve holds
trillions of dollars in accounts
kept by central banks
all around the world.
Its computer security systems
are state of the art, making it
one of the most difficult
financial institutions to hack.
The criminals realise
that it can't get into
the network system of the Fed,
but the Fed has to talk
to other central banks
around the world,
and this is
where they find a flaw.
The criminals turn
their attention
to the banks'
communication systems.
Every day, the Fed places
thousands of transactions
on behalf of the central banks
that hold US dollar reserves
at the Fed.
The Federal Reserve
has pretty much depended
on the SWIFT banking system
to get its instructions
about transfers.
SWIFT sends money
around the world
to thousands of member banks.
It's the main way that banks
dispatch money to one another.
SWIFT allows you
to transfer money
from one bank to another,
no matter where you are
in the world.
Make international
wire transfers.
The whole banking system
is integrated,
and they depend
above all else on SWIFT,
the international transaction
mechanisms, to work.
What it means is,
all it takes
is a single weak link
to bring down the whole network.
So although the target
is the Fed,
they are looking for a bank
with which the Fed communicates,
which holds a lot
of its reserves in New York.
But it's a long way away,
in a distant time zone
from the Fed,
and it's likely to have
patchy security systems in place
in its computer network.
My colleagues in Dhaka,
they were chasing it
for a long time.
It was a robbery of a scale
that we hadn't heard of.
The first thought
that came to my mind was,
because it was the
Bangladeshi Central Bank,
I thought the hackers found it
somehow easier to target it.
Because it was Bangladesh,
I suspected they would
be more vulnerable
to cyber-attacks as such.
"Hmm. A Bangladeshi bank.
Probably doesn't have
the same level of security
and if they do,
it's probably one or two people,
not a team of 6,000
working on it.
Let's go for it."
These attackers
weren't just skilled
in breaching networks,
figuring out how
to get into an organisation.
They had to study that
SWIFT software deeply.
This attack happened
well before that February 5th,
when the bank employee walked in
and saw that printer hadn't
printed out the audit jobs
and couldn't figure out
what was going on.
This attack started more
than a year prior to that.
These attackers had been
working for months
in the build-up until that day.
It is a mistake
for people to think
that this was something
that happened overnight.
It is a mistake
for people to think
that this happened in a month,
or two months or three months.
It is a slow,
methodical approach,
because it's a business,
all right? You build it.
Bank robberies used to be
something that happened
in the real world.
Now they only happen
in the online world.
If you would try to steal
$100 million in banknotes,
that would be, like,
ten trucks full of notes.
If you drive ten trucks
full of notes out of the bank,
someone would notice.
But when you do the same thing
online, no one notices anything.
Every movie you've ever seen
of them breaking into a bank
is them doing it
over a bank holiday
or something of that nature.
Same concept here.
This isn't Matthew Broderick
sitting in front of a computer,
like War Games
back in the 1980s,
some kid in their basement.
These are
criminal organisations.
Each person has a skill set.
It's kind of like that
Ocean's Eleven-type thing.
You know,
"This guy could crack the bank,
this guy could do
the surveillance cameras,
this is the getaway,
this is the conman."
You all have a role to play,
and you need everybody
to execute their role
to the best of their abilities
for you to be
successful and get it out.
So how do you pull off
a heist of this magnitude?
It takes the right crew of
highly skilled specialists.
And it all starts not with ones
and zeros, but with people.
Cybercrime is about
gaining credentials
to gain access,
stealing the keys.
The social engineer
is critical to a hack.
It's how you get in,
and you get in
not through digital means,
you get in through human means.
It's to do with psychology.
The criminals have to ensnare
one of the employees
of the Bangladeshi Bank,
beginning by going through
their social media profiles
and looking
for suitable targets.
Our relationship
with the computer
is one of perceived intimacy;
that when we're using
a computer,
no one else can see
what we're doing, we believe,
and it's just us and the screen.
And if we were to read
an email from a friend,
we tend to believe it
at face value.
They found
close to three dozen employees.
And they constructed
a simple spear-phish email:
an email message that pretended
to be from a guy
named Rasal Alam.
And Rasal Alam said,
"Hey, I just wanna
work at your company.
Here's a résumé attached.
Have a look."
And it turned out
that they mailed that
to about 36 different employees,
and three of them
opened that attachment
connected to that email.
It was a zip file,
and the zip file contained
just a document inside.
They opened up the document
and it was his résumé.
It was a résumé for Rasel Ahlam,
who wanted to work at the bank,
but unbeknownst
to those individuals,
also contained
malicious code inside.
We can look at any data breach,
and the root cause
has either been
a technical problem
or a people problem.
And the technical problems
can be really hard
and really expensive
and really slow to fix,
but at least we can fix them.
But in the end, we have
no patch for human brains.
There's no way to fix the people
who do stupid mistakes.
When attackers try to send
these spear-phishing emails,
they try to do two things.
They try to look very normal.
It was just a résumé.
They try to fly under the radar,
to look as legitimate
as possible.
And the second is they often
try to use enticing techniques.
New dangers tonight from
the Love Bug computer virus,
this time disguised
as a friendlier email.
The first internet virus
that went around the world
in less than 48 hours was
called the ILOVEYOU virus.
And already,
business interruption costs
are estimated at more than
a billion dollars.
You would be sitting
there working away,
and then suddenly,
in your inbox,
you get an email which says,
"I love you."
And it could well be
that this is a person
who you've always
held a torch for.
And so, of course,
you're very excited,
and you press on the link,
and then you're doomed.
What happens is,
the virus infects your machine
and proceeds to email everyone
you've ever emailed.
The end result of that
is the mail servers
get bogged down,
and the only way
to solve the problem
is to shut the servers down,
hence the interruption.
The ILOVEYOU virus
was one of the first viruses
that had really
worldwide impact.
It was still a virus
written by a guy
that just wanted to get
his name in lights.
He wanted to see his virus
travel around the world
a little bit
and maybe get
in the news somewhere,
and then him be able to say,
"Oh, I wrote that."
Mr de Guzman hardly
seemed to comprehend the chaos
inflicted on
the world's computers.
But what happened was, it
spread so quickly and so fast,
it brought down email
all over the world,
and having email go down
was monumental.
Experts say that the ILOVEYOU
virus could end up costing
the world economy $10 billion
in lost work time.
It became the first sign to show
that we relied on the internet.
The internet was the basis for
our financial transactions,
for the way we do business.
I would talk to people
and remind them
and educate them and say,
"Look, you can't just click
on any attachment
that comes to you in an email."
I remember talking to a guy
about the Anna Kournikova virus
that purported to be nude
pictures of Anna Kournikova.
And he told me, he said,
"Yeah, I knew it was a virus.
I thought it was probably
a virus. But what if it wasn't?
What if it really was
nude pictures?
So I double-clicked on it."
People just don't realise
what clicking on that
attachment means.
Cyber criminals and hackers
realised a long time ago
that your username and password,
particularly to
your email account,
could get them into your
stock brokerage account,
to your online
banking account,
to send phishing emails
to other contacts.
If you protect
yourself properly,
the chances are
you won't be a victim
of what one would call
"drive-by hacking".
If, however, you're being
specifically targeted
by a hacking group,
they will follow that trace.
And they will get you.
Now, we know that at least three
members of the Bangladeshi Bank
were targeted by this after
the social engineer
had scanned
all of their social media,
and at least three of them
opened the letter
and took the bait.
Once that code
began executing
on those bank employees'
computers,
it would reach out back
to the attackers
and tell them that
these machines are now infected
and give them full control,
as if they were sitting
in front of the keyboard,
just like those employees.
There was malware
in the system
that was actually
copying screenshots,
copying keystrokes of employees,
and no one knew.
They've got
their foot in the door.
This is the essential
first step.
The first layer of security
has been breached.
And the digger, the person who
is getting deeper and deeper
into the computer network,
has to be a very
advanced hacker.
This is when you need
a real professional.
They're like ghosts.
Nobody can see them,
but they're mapping every
single bit of that network.
In the Bank of Bangladesh,
you had computers that are all
interconnected to each other,
and they're connected
using what's called a switch.
In your average bank, that has
a good security program,
those switches are
what's called segmented.
So each of those switches
only allow
a certain number of computers
to talk to each other
rather than every computer
to talk to each other.
But in the case of
the Bank of Bangladesh,
in the back-office network, they
were using these very cheap,
literally $10 switches
that didn't do any segmentation.
Every computer was potentially
connected to each other.
Basically,
it's a cost-cutting exercise.
But that cost-cutting exercise
was what the digger needed.
Those attackers
began to do
what we call a lateral traverse
across the network,
search for other computers
to infect,
look for credentials.
Whenever you log
into a computer,
your credentials are cached.
They're put into the memory
of the computer.
Attackers are able
to filter through that memory
and find used usernames
and passwords.
They don't always know
what they're for,
so they try to collect as many
credentials as they can
and see, "What computers can
I see from this computer?",
and just begin to use them
over and over again
and just try them.
Eventually, they hop on
and are able to connect
to another computer.
They get onto that one.
It's still not what
they're interested in,
but they're able to find more
usernames and passwords
and try those
on all the other computers
they can see
from that advantage point.
That's how they move across
the network over and over again.
They would delete
all traces of themselves
as they moved
across the network,
ultimately jumping from
computer to computer
until they found
the SWIFT terminal,
their ultimate goal in order
to make wire transfers
out of the Bank of Bangladesh.
It takes a long time.
They're there for months.
This is an ongoing process.
If at any moment they're
discovered to be in there,
then the whole
operation is finished.
With the Bangladeshi Bank heist,
you basically have two
operations running in parallel.
You have an offline operation
going on,
which is to do with
the money laundering.
It's the fence's responsibility
to set up
the recipient accounts.
They're gonna end up
with cold, hard cash,
and they need individuals
on the ground
to pick up that cash
and move it.
And so, in May of 2015,
before they'd even got
into the SWIFT terminal,
they were able to recruit
a Chinese individual
to go to the Philippines and
open up four bank accounts there
at a bank called RCBC.
You have to make sure
those people inside the bank
in the Philippines
have been properly corrupted
and properly instructed
as to what their role is.
The fence opens up
these accounts,
puts $500 in each of them,
and then they just go to sleep
for nine months.
These attackers were
inside the Bank of Bangladesh
for a full year,
which is incredible.
They actually got
onto that SWIFT terminal
exactly one year later...
on January 29th, 2016.
In any bank,
you have different employees.
You have back-office employees,
administrative employees,
but you also have computers
that are connected
directly to
financial transactions.
And only users who have specific
access to those machines
are allowed to use them.
When we talk about the case of
the Bank of Bangladesh,
there was a single computer
that had credentials
from a shared employee.
You had an employee that
would use that SWIFT terminal,
but also had their own computer
in the normal back-office area.
Once they got onto
that employee's computer,
they were able to jump across.
They waited. They basically
did a recon on the system.
They crawled around.
They looked and tried to fully
understand how this worked,
how SWIFT worked, how each bank
employee would make a request
into the SWIFT system,
where it would go,
how to direct that to branches
where they had set up
these accounts.
And in this case, it was just
very simple and very clever.
The thief is
not so much someone
who is physically
taking out the money
and stuffing it into a bag.
They're making sure
that every bit on the system
is coordinated.
There are all sorts of things
to get right
before that fatal moment
when the request is made.
Everything has to be
really, really
precisely coordinated
to get all the timing right.
You've got four days.
You can't afford a slip-up.
When the attackers
got into the SWIFT terminal
on January 29th of 2016,
they paused for about five days
to get their malicious
software ready
that allowed them
to cover their tracks
when they were on
that SWIFT terminal.
They decided to wait
until February 4th.
And this is no accident.
They have chosen
a long weekend
due to holidays in different
parts of the world.
That means,
instead of the usual two days
they have to get away with it
before alarms
start going off everywhere,
they've got four days.
It's brilliant.
February 4th, 2016,
was a Thursday.
That's the last day of
the working week in Bangladesh.
In Bangladesh, they work
from Sunday to Thursday.
So, at some point late
in the afternoon,
the SWIFT transaction operator
in the Bangladeshi Bank
logs off his terminal.
But three hours later,
the thief logs into
that terminal
and starts to impersonate him.
They logged into that SWIFT terminal at 8:36 p.m.,
after they believed,
or really knew,
that all the bank employees
had gone home for the weekend.
And they put forward
35 different wire transactions
from that SWIFT terminal,
totalling $951 million,
almost $1 billion,
completely unheard of.
Ten hours
behind Bangladesh,
New York is waking up.
The first thing
that the Fed sees
is 35 requests
for almost the entire holdings
of the Bangladeshi Bank.
Usually, it's figures of sort
of $300,000, $500,000.
They want almost a billion!
The operator, perhaps
unsurprisingly, rejects it,
sends it back to Bangladesh.
But he rejects it not because
this is an absolutely crazy
amount of money,
but because the requests
are wrongly formatted.
As much research
that they had done,
they didn't really understand
how to fill out
those SWIFT transfers.
They were missing what's called
an intermediate bank.
New York Federal Reserve
replied to them,
via the SWIFT system,
back to their computer
that they were sitting
in front of, virtually,
saying, "Hey, these transactions
are missing information."
They think on their feet.
They reformat the requests,
send them back...
and hold their breath
to see what happens.
They ultimately corrected
34 of them.
They had forgotten one.
The one did have
the intermediate bank
went to Deutsche Bank.
That order was for $20 million
to a charity called the Shalika
Foundation in Sri Lanka.
But they had made
a typo as well,
and they had misspelled
"foundation" as "fandation".
And so Deutsche Bank
saw that typo
and questioned it and, again,
held that transaction
due to that typo.
We use that
as the poster child
for why you need
to learn how to spell.
Otherwise, you can lose
$20 million.
Ultimately, when
they return the other 34...
Bingo.
The operator approves them.
Four of them went through.
The green light is given.
The heist is on.
Those four went through
to those bank accounts
in the Philippines
that had been opened
more than six months earlier.
And they were able
to transfer out $81 million
to the bank in the Philippines.
Ultimately, they were about
to transfer $1 billion
from the Bank of Bangladesh,
but they didn't want
anyone to find out.
They began to cover
their tracks.
Normally, as a bank employee,
you'll load up
the SWIFT software,
you'll see on the screen
all the latest transactions,
you can make transactions.
And so the attackers deleted all
records of those transactions.
But it's not just digital.
In the world of finance,
everything must be a hard copy.
And the attackers
knew that as well.
Every SWIFT transaction
that takes place
is immediately printed out
locally in the Bangladeshi Bank.
So that printer cannot
be working
when the heist is going on.
The attackers hijacked
all of those print jobs,
replaced all of those
print jobs with zeros
so that nothing would
come out of the printer.
Now, the other 30
wire transactions sat around.
And, ultimately,
the attackers waited,
and they waited...
And they logged out at
3:59 a.m. Bangladesh time.
Potentially, they thought
that in New York,
the business day ended
at five p.m.,
and they weren't gonna hear
any more.
The New York Fed
had actually stopped
the rest of the transactions,
because the address for
the bank in the Philippines
was on Jupiter Street.
J-U-P-I-T-E-R.
Right, now this is when
the story gets really weird.
In a totally unrelated incident
two years earlier,
we have a Greek shipping
magnate, Dimitris Cambis,
and he is buying eight tankers.
What Dimitris knew,
but not many other people,
was that the money
for these eight oil tankers
came from Iran,
and Iran was under US sanctions.
Someone in the US
caught wind of the fact
that the Iranians were
financing Mr Cambis.
His company was put on
the sanctions watch list,
and his company
was called Jupiter Seaways.
It was just their bad luck
that they designated
the money transfers
to go to the Jupiter branch
of the Rizal Bank in Manila.
As the transfers were being sent
out from the New York Reserve
to the Philippines,
the Jupiter name was caught
by the computer system.
It halted these transactions.
The Fed had to take
a second look.
They stopped it
because they realised,
"Wait, we have somewhere
in the order 35 transactions
coming from
the Bank of Bangladesh,
adding up to $1 billion?
You know, this isn't usual."
So they held them
and sent a message back,
asking for confirmation.
Had the attackers waited
just one more hour,
they could have replied to them
via the SWIFT system,
saying these transactions
were not a mistake.
Ultimately,
the Bank of Bangladesh
might have lost
much, much more.
So far, they managed
to get $81 million.
But, boy, did they come close
to hitting the jackpot.
Just under $1 billion
was very, very nearly
stolen from this bank.
The next day,
the bank employees came in,
and the printer wasn't working,
because they installed
their malicious code
to prevent that from happening.
Ultimately,
those bank employees
didn't get it fixed
until February 6,
which would have been a Sunday.
When the printer started,
all these messages came out,
messages from the Fed asking,
"What are these 30 transactions?
Did you mean to make these?"
That triggered
the Bank of Bangladesh
to realise something
had gone wrong.
It was very clear
that they were in deep,
such that the bank manager...
This is the Bank of Bangladesh,
the federal bank, the national
bank of the country,
did not notify the leaders,
the government of Bangladesh.
He kept it under wraps.
He notified someone he knew
who knew about security.
"Get on a plane,
get to Bangladesh.
I need you to look at
these computer systems."
Initially, the governor
and his whole team
were quite perplexed.
They didn't quite know
what had happened.
So they thought that
some money had been routed
to a wrong account;
it would come back.
I get this strange phone call
from the governor's office
asking me if I would
drop everything
and come to Dhaka, Bangladesh.
So I assembled a team...
and we flew down.
When we arrived there, we met
with the Bangladesh Bank team.
And that's when I discovered
all the horrifying details
of what had actually happened.
They decide,
"Let's look at the CCTV.
What's that going to tell us?"
There were eight
hours' worth of tapes
that had to be gone through.
Your gut instinct is,
you have a malicious insider.
A physical person had to go in,
log into that machine
and try to make these transfers,
because this attack
hadn't happened before.
They had a SWIFT room,
which was locked.
And typically when
the SWIFT operators
needed to do something on SWIFT,
they had to go into the room,
sit in that chair and terminal,
and there was only
one shadow we could find.
We eventually decided
it was the person
sweeping the place after hours.
They were saying, "How could
somebody process the transaction
when there was nobody there?"
I mean, even after the payment
instructions had been sent,
they had no idea for a very long
time what was happening.
They didn't think it was a hack.
They had no traces of a hack.
But they watched eight hours of
that footage over that weekend
and realised there was
no one at that computer.
Nothing.
They had no idea that
the Bank of Bangladesh
had been breached by hackers.
Only after we see these things
happen over and over again,
we realise that cyber
has such capabilities.
Bangladesh was a bit of
a bombshell for all of us.
Hackers and most cybercrime,
it's like smash-and-grab crime.
Quickly grab something
and monetise it
as swiftly as you can.
You know, storm a bank
with shotguns, blow a safe,
fill some bags with cash.
Cybercrime...
It doesn't lend itself well
to long conspiracy
and lots of investigation
and investment
into understanding your target.
I mean, you couldn't
do Bangladesh
unless you really understood
the internal workings
of the central bank
and all the actors involved.
That's not something
that freelance hackers
really are good at.
That requires a level of
investment into resources
and frankly intelligence
that has to be sustained.
To organise something
of that complexity
and for it not to be noticed
by the intelligence agencies
of the state
where that is being planned
would be very,
very difficult indeed.
These hackers went in
and looked at the zeros and ones
in the software
and reverse engineered it,
turned it back into
understandable code.
That's not something
that happens overnight.
It was pretty clear
that this isn't just
normal criminals.
This has to be something bigger.
Once attackers have gained
access to their target network,
they want to stay undetected.
And we've seen many
interesting examples
of how exactly this is done.
What exactly happened
at the Natanz nuclear facility
last week?
It's a question people in Iran
around the world
have been asking
since a fire was reported
at Iran's main uranium
enrichment facility on Thursday.
We're used to Trojans
and viruses on the internet,
but this is the first worm
designed to damage
the physical world.
In 2010, attackers created
a piece of malicious software
that was designed to infiltrate
Iran's nuclear programme,
to get into their centrifuges,
in particular,
get onto computers
that controlled
their centrifuges.
Iran says it will
retaliate against any country
that conducts cyber-attacks
on its nuclear sites.
The intention
was to spin the centrifuges
of Iran's nuclear capabilities
out of control,
make the centrifuges explode
and push them ten years back
in the uranium enrichment programme.
As a piece of malware,
it was 40 times larger
than any piece of malware
that had ever been
encountered before.
It would have taken
the most advanced,
brilliant computer engineers
years and years of human
working hours
to produce this.
Why was it so big?
Because it needed
to cover itself up.
The attackers
were actually recording
the network traffic,
the normal network traffic,
and then playing it back
to the sensors
when they started modifying the
operations of the centrifuges
they were trying to break.
This is the equivalent of,
in the real world,
recording the CCTV footage
from a security camera
and then playing it back
to the camera
when you're doing
something bad.
That's what Stuxnet was doing.
And in the Bangladesh heist,
they were doing
something similar.
Once they made
their transactions,
they wanted to make sure no one
realised they had happened.
They were actually falsifying
the information
about transactions.
The recording of the
transactions were being done
both in electronic format,
but also falsifying the data
being sent to the printers,
which actually looked like
everything was fine.
So you find out how
you're being tracked,
and then you try
to cover your tracks.
Stuxnet did that.
The Bangladeshi heist
did it as well.
Once that money
arrived in the Philippines,
they needed to change
that money into cold, hard cash.
Right now, it's still in
digital ones and zeros,
just a transaction that said
the money has moved
from the Bank of Bangladesh
to these accounts at RCBC.
Four accounts.
The thieves had to
get it out of the Philippines,
make it disappear.
So how were they going
to do that?
There is one industry
in the Philippines
where there is absolutely
no oversight,
where it's a cash-only business.
There are no records, no names.
That is the casino industry.
When we talk about
laundering funds,
we're talking about
taking dirty, illicit funds,
running them through
a legal business
so that if I came
to you and said,
"Hey, where'd you get
that $81 million?",
you could have a paper trail
to show that you won it back.
The hard part
is not stealing the money.
The hard part is moving the
money into a form you can use
without getting caught.
And one method we've seen
for quite a while is gambling.
It was very clear that,
if, at all, there was a place
for you to do that,
it would have been
the Philippines,
because the casinos
are not regulated at all.
It's like a lot of
high-flying gamblers
who'd kind of fly to Manila,
crowd these numerous casinos
in Manila,
lots of money coming in.
People don't question
that kind of money.
I mean, you know...
"Well, as long as
it's coming to us,
we don't bother too much
about where it is coming from."
The thieves knew
if they could get that money
into the casinos,
it would essentially be lost.
What happened was,
the manager from
the Philippines bank,
she was the one who'd opened
those four accounts
using fraudulent IDs.
She got the money withdrawn from
the bank in the Philippines.
From there, it started to go
through something
called Philrem.
It's a bit like a Western Union
in the Philippines,
transferred into pesos.
I don't know
if you've ever used
Philippine pesos before,
but that's one hell
of a lot of pesos, $22 million.
In fact,
it's over one million banknotes.
They actually had
to request that cash
to come from a sister
branch location,
that arrived in boxes.
The bank manager was seen by
one of the other bank employees
collecting those boxes
and literally going outside
and loading them up
into a Lexus.
And that money
was driven away.
So, we're talking stacks
of bills carried in vans
to the Solaire Casino
right by the airport.
It allows the Chinese gamblers
to come off the plane.
Five minutes, they're on
the floor playing baccarat.
The money goes to this place.
It's wheeled in wheelbarrows
across the casino floor
up to this guarded escalator.
There's so much
physical cash involved,
they've enlisted their
own crew of gamblers
to launder the stolen funds.
And they just played baccarat,
all day long.
They had individuals,
mostly appeared to be Chinese
nationals that they had,
I assume, hired to take
those funds and launder them.
You change that cash
into casino chips,
play a few games,
cash in the chips.
And when you get that cash back,
that is then laundered.
And this wouldn't
have been unusual.
This was the Chinese lunar week.
That would've been very common
for individuals,
high rollers, to come
into the Philippines
and play at the casinos
during that time.
Spending $22 million in
a casino over a weekend,
let's face it, could be fun.
Doing this story
and trying to figure out
where in history
to sort of place this thing.
Was this the biggest
heist of all time?
No, but it certainly looked
to be the biggest cyber heist
of a bank in history.
And over the next few days,
I just remember
calling up my sources
at Symantec
and a couple other
cybersecurity firms
and getting in touch with
a guy named Eric Chien.
We have all kinds of
sensors sitting on networks
and computers
all over the world.
Any time some sort of
cyber criminal, some attacker,
is trying to breach a computer,
they're leaving traces behind.
Every attack
has a signature.
If you look at it long enough,
if you study it,
if you work it long enough,
you can understand
the way they do things.
The way they state something,
the way they code
a particular way,
the methodology of the attack,
the step-by-step approaches.
It might be considered
like Sherlock Holmesian
to come up with this idea.
"Because he walks
with a gait this way,
and he does this..."
But it is true.
We see those signatures.
We see those patterns.
What we discovered was,
by looking at the artefacts
that these attackers had used,
the malicious binaries
they had used,
the code inside of it,
as well as the email accounts
that they used
to send the initial
spear-phishing messages,
we were able to map this back
to an attacker back in 2014.
Sony Pictures is mainly housed
in Culver City.
And in 2014,
Sony Pictures went down,
which was unheard of.
On that day in November,
people would have come in,
tried to swipe their badge
and not even be able
to get into the office.
They get
into the building finally
and then they discover that
nothing else is working either.
Printers aren't working,
computers aren't working.
People who had laptops
connected to the network
would have immediately seen
skulls and crossbones
show up on their screens,
scrolling with scary
Halloween-type music
playing in the background.
And it said,
"Hacked by the GOP."
Guardians of the Peace.
A mysterious crew of hackers,
also known as the Lazarus Group.
We'd call them
the Lazarus Group.
They've been responsible
for many, many attacks
over the years.
You know, political statements
and bringing down some
websites in South Korea
and also the White House in the
United States and the Pentagon.
Now, at this point,
the penny has dropped.
Sony has been hacked.
The hack attack
has had a devastating effect
with an avalanche of leaks
revealing personal information
of employees
and salacious email exchanges
of A-list celebrities.
They ultimately compromised
Sony Pictures Network,
got inside
and wiped 10,000 computers.
On top of that,
they actually stole
all kinds of documents
and emails from Sony Pictures.
The hack
on Sony Pictures
is rocking Hollywood's
very foundation;
the industry,
warts and all, exposed.
Initially, we had no link
between the SWIFT attack
and the Sony Pictures attack.
But when we were looking
at the malware,
we found an interesting detail.
There was a component
called an indexing manager,
which was saving the logs
during the SWIFT attack
into an encrypted file.
The file was encrypted
with a really long key,
and when we just
googled for the key,
we found that the same key, exactly,
was used 18 months earlier
in the Sony Pictures attack.
This was
the moment we realised
the Bangladeshi SWIFT attack
was probably perpetrated
by the Lazarus Group.
So, who is Lazarus?
Well, from what we know,
they're a trans-global
criminal organisation
that's been trained
at a nation-state level.
The nation states really started
coming in on a criminal side...
when sanctions started.
When we start limiting
the capability of a nation
to get cash, and we up
the methodology
to monitor
the way they're getting cash,
they turn to different approaches.
So if you're a country
that's under sanction
and your ability to get funds
has been compromised,
you may be motivated to
go to the Lazarus Group
to fix your problem.
It's like a job for them.
It is a job for them.
They get recruited.
It's a nine-to-five job.
They come in, and each
of them has their specialties.
They have managers,
they have targets that
they're told to go after.
When you talk about
nation states,
obviously,
for your average nation state,
most cyber offensive campaigns
are under the military.
It's very similar to how
a military organisation
would be organised for their
cyber offensive campaigns.
There is a hotel,
for example, in China
where they've taken over
multiple floors
where they essentially
have dormitories.
They go to sleep in that hotel,
they eat in that hotel,
and they don't come
out of that hotel.
They just move from
one room to another,
hack all day and night.
And the Lazarus Group
is thought to be made up
of these state-trained hackers.
What's amazing about cyber,
when you talk about
nation states,
is the cost to entry
is extremely low.
We have nation states
who have been
trying to create
nuclear missiles,
tried to create
a nuclear programme.
Places like Iran, for example.
The dollars it costs to do so,
it's extraordinary.
But if you want to build
a cyber offensive campaign,
you get two, three,
four, five guys
and potentially threaten
to disable the power grid
in some country.
When you talk about
trying to rob a bank
or produce illicit drugs
and sell them,
the amount of people
required on the ground,
the amount of connections,
and for the dollars
that you would receive,
is nothing compared to,
"Let's get three guys,
break into a bank
and potentially
transfer $1 billion."
Back in the VIP room
of the Solaire Casino in Manila,
the money-laundering operation
is in full flight.
They just spend hours
upon hours gambling away,
collecting chips.
They transfer those chips
back into cold, hard currency.
You put a hundred
gamblers into the VIP lounge
playing cash, so maybe the house
has a one or two percent margin.
But all the rest is untraceable
money that they walk out with.
What's interesting
about these individuals,
they weren't interested
in winning.
They were just interested
in playing.
If you lose the money,
the money doesn't go
to the casino,
it goes to the other players.
So you can play the table
where the other players are,
your partners.
Then you can lose
the dirty money on purpose,
moving the money
to your partners.
Now it's cashed out.
Now it looks like it came from a
great win in a poker tournament
instead of being stolen
from somewhere.
So, casinos are a good way
of laundering money.
Real-world criminals have
done that for decades.
Online criminals
are doing it today.
They played for a whole week,
that whole lunar week,
every day, like workers,
nine to five, essentially,
in that casino.
Finally, the Chinese
New Year celebrations
have come to an end.
The staff at the RCBC bank
in Manila are back at work.
Now, the Bangladesh Bank
is still desperately trying
to put a stop
on any further withdrawals
from those accounts
in the Bank of the Philippines.
They've lost
$22 million already,
but there's still $59 million
left that they can save.
They're firing message
after message to Manila,
"Hold all transactions."
In the Philippines,
they got those messages.
They got those messages
as part of many other
transaction messages they got
that were sitting in
a printer queue
at the bottom of the stack,
and ultimately, they never
saw those messages.
At this point, the fence
gets in touch with the manager
of the bank in Jupiter Street.
"Can you please authorise
the transfer of $59 million?"
She authorises that $59 million.
It goes straight
to the Solaire Casino.
More money laundering.
Five hours later,
after increasingly urgent calls
from the Bangladesh Bank,
the manager finally puts a block
on all of the accounts.
But, really, it's too late.
The money's gone.
It's incredible when you think
what the Lazarus Group
was able to pull off with
just some ones and zeros.
They guide their bespoke malware
into the computer network
of a bank,
and then a year later,
they're literally washing
$100 million
through a casino
in the Philippines.
It's astonishing.
But what's really, really scary
is what happened
just a year later.
Now back to
the major cyber-attack,
the ransomware crippling 200,000
computers in 150 countries.
The thousands of targets all
received this ominous message
in English on their screens:
Everyone was basically locked up
with this malware
that we discovered had been
launched by the same attackers
as the Central Bank
of Bangladesh.
So they design this malware,
and then they lose
control of it entirely.
And that caused chaos.
Ambulances were
diverted to other hospitals.
Patients were turned away,
their operations cancelled.
You know,
the first sign that something
was seriously wrong was when
hospitals in the United Kingdom
started telling patients,
"Don't come."
That their systems had been
locked up with ransomware.
It's unclear if it was
accidentally released too early,
it appears so,
or if it was
designed not to work
and just begin wiping computers,
because it didn't matter.
Even if you paid them, you would
not get the decryption key.
They didn't have
the decryption key.
They couldn't decrypt your files anymore.
Japan, Turkey
and the Philippines
were also affected.
In the US, FedEx was hit.
That virulent virus
spiralled out of control.
In Germany, it attacked the
network of the Deutsche Bahn,
German Railway.
In Spain,
WannaCry hit Telefonica,
the biggest telecommunications company.
It hit the banking systems,
and ATMs didn't work.
This thing was hitting companies
in something like 150 countries.
Other targets in the US
include Merck Pharmaceutical
in New Jersey.
Even the company that makes
Oreo cookies may have been hit.
So, you had the health
service, you had transport,
you had communications,
you had the finance system,
and you had governance
all with one tiny piece
of crappy malware, WannaCry.
In other attacks,
they have to send you
a spear-phishing email,
trick you into double-clicking
on an attachment.
In this case, your computer
just had to be on,
connected to the internet,
and it would have got infected
by WannaCry.
It succeeded because
the crappy malware
was being infiltrated
into the systems
on the back
of a much more powerful tool
called EternalBlue,
which had been developed by
the National Security Agency
in the United States.
The thing the NSA
never wanted to talk about
was the fact that it was
travelling on a digital missile
that had been built
at its own intelligence agency.
They repurposed something
created by the US government,
leaked
by the Russian government,
put it into their ransomware
that allowed it to spread
all over the world,
any computer on at that time.
So one crappy piece
of malware
can hit every single aspect
of the critical national infrastructure
within the space
of about ten days
in different countries.
Eventually, there's a court case
after about a month.
There's a court case in Manila.
Ultimately, the bank manager
didn't want anyone to find out.
But when he finally got in touch
with the Bank
of the Philippines, they said,
"If you need this money returned,
you need to get a court order."
So he files a court order,
but court orders are public
in the Philippines,
like in many other countries.
A reporter spots it and realised
that this has happened,
publishes it in a newspaper,
and it all comes out.
The $81 million
money-laundering scandal
is now considered one of
the biggest bank heists in Asia.
But how exactly
did thieves steal
such a huge amount of money?
Not just known
in the Philippines
and the Bank of Bangladesh,
when the Bangladesh
government finds out
the bank manager has been
doing this behind the scenes,
but the whole world finds out.
And ultimately,
the Bangladesh Bank
needs to get assistance
from the FBI.
The New York Fed is involved.
The United States is involved.
This becomes
a whole worldwide issue
and begins to ripple across
the financial industry
that this was even possible.
Experts believe that hackers
were able to break into the
New York Federal Reserve's
special account for Bangladesh,
getting away with $81 million.
Now, Bangladesh's Central Bank
governor, Atiur Rahman,
has resigned after hackers stole
tens of millions of dollars
from the nation's
foreign reserves.
The bank was criticised for
its handling of the breach...
The governor was
an excellent central banker.
I have a lot of respect for him.
He was deemed one of the top
bankers by the Asia MoneyWeek.
And poor fellow, that time,
he was faced with
this sort of scenario
which he honestly
didn't understand.
He had really pushed
the financial system
in Bangladesh into
the 21st century.
He had to essentially fall
on his sword and resign
in disgrace,
and his career was ruined.
Many others at the bank
had to resign as well.
An emotional Maia Deguito,
the manager of the RCBC branch
in Jupiter Street in Makati,
insists she is innocent
in the face of accusations
she is involved in the
money-laundering scheme.
So far, only the branch manager
has been charged by the
Anti-Money Laundering Council.
One of the great
injustices of this whole scandal
is that the only person who
got convicted of anything
was Maia Deguito,
and she was just the mid-level
branch manager of the RCBC,
the bank in the Philippines
that received the actual funds.
Typical, isn't it?
A crime that was conceived
and carried out
by a whole bunch of men,
and the only person who
gets done for it is a woman
who probably wasn't that
guilty in the first place.
But she received a sentence
of 56 years in jail
and a fine of $109 million,
which is significantly more
than the thieves actually stole.
To my mind,
there's no question
that she was a scapegoat.
I mean, the currency traders
who turned that $81 million
into pesos got off scot-free.
There are a couple of
Chinese operators
who brought these gamblers
in from China.
We know that they received tens
of millions of dollars in cash.
They vanished back to Macau.
No trace of them was ever found.
We can't say for sure,
but certainly it looks like
people at the Rizal Bank headquarters
buried these requests
to stop these transactions.
But nobody else at the Rizal
Bank was ever accused.
Oddly enough, in this giant
scheme that involved
a half a dozen countries,
nearly $1 billion,
only one bank employee
in a small branch in Manila
was ever convicted of
doing anything wrong.
It's incredible. Total impunity.
I think the most
important lesson
of the Bangladesh Bank
is a lesson of scale.
The internet is
a fantastic thing.
It's made our world
much, much smaller.
You can do all sorts of things.
It's fantastic.
But that interconnectivity,
where everything
is linked to everything else,
means that if you get bad actors
in that system,
then the damage
is infinitely more immense
than it was before.
When I started this job
two decades ago,
you had to explain to people,
what is a virus?
What is a cyber-attack?
Today, we don't talk about
making sure this file doesn't
get deleted any more.
We literally talk about making
sure the supply chain is up,
food can reach people's tables.
Our job is not just to protect
people's computers.
Our job is to ensure
society is up and running.
Everything
that we use now,
water, electricity,
the financial system,
the comms system,
depends on the integrity
of unbelievably complex
networked computer systems.
And our dependence
is becoming such
that, should anything go wrong,
be it a technical hitch
or be it a hack,
it can actually lead
to our lives grinding to a halt
in a very short space of time.
We're sort of in a state
where we're increasing
our vulnerability
and our attack surface
every single day.
And instead of pausing
and thinking about
how to lock up our power grid,
really, where our energy has
been focused is on escalation.
Countries like the United
States, China and Russia
have already arrogated
the right to themselves
to attack with full force,
whether cyber
or conventional weapons,
against anyone who brings down
a serious piece of critical
national infrastructure.
We've had Stuxnet blowing
up the Natanz centrifuge plant.
We've had ransomware attacks,
which hit the Eastern Seaboard.
There was no gas
to the Eastern Seaboard
for a whole week
in the United States.
We had Russia
against the Ukraine,
shutting out the power
in the middle of winter.
We're talking about
people losing their lives.
We've also had cyber-attacks
that potentially affected
US elections.
We had the healthcare in the UK
brought down,
dialysis machines
no longer working.
This is an extremely
fragile situation,
much more fragile
than the period of détente,
because so many more
countries have these weapons.
Malware is much more difficult
to control than nuclear weapons.
People always warn me
of the cyber Pearl Harbor
or the cyber 9/11,
but it's almost worse than that.
Every day, there are thousands
of cyber-attacks,
and we're just getting more and
more and more inured to them.
It's like a plague.
I think we'll see much
more hostile cyber activity,
much more cyber bank robberies,
much more cyber espionage.
We'll see much more cyber war.
In many ways,
I think we've seen nothing yet.
As attacks increase
in their sophistication
and their range,
then the impact
can be ever greater.
There is a cyber-attack on
critical national infrastructure
coming to a place near you
within the next
five to ten years.
If it's done well,
and if it's really malicious,
that could be catastrophic.
What's amazing about the
Bank of Bangladesh heist is...
they almost walked away
with $1 billion.
The mistakes that they made
that led to them only walking
with $81 million
were literally a typo in a name
and potentially
not being patient enough,
waiting just one more hour.
We could be telling
a completely different story.
Presumably, these guys
kept perhaps 95 percent
of that cash.
You could walk out
with 95 percent
of what you came in with,
have nobody trace that money,
no record of it whatsoever,
and get on a plane with it,
and you're home free.
Even if you had invested
a year's work,
that you had recruited
a really decent set of hackers,
that you had corrupted
bank officials,
you'll be looking at a profit
of about $75 million.
For a year's work,
not a bad pay-off.
The Bank of Bangladesh heist
showed them what was possible.
They proved that
they could do it.
After that attack,
it didn't stop.
We saw continued attacks
on various banks across Asia,
I think in
the Philippines again.
And also, they started hacking
the cryptocurrency exchanges,
where people store their Bitcoin
and Monero digital currency,
which has proved to be
incredibly lucrative for them.
In 2017,
Lazarus was thought
to have successfully attacked
at least five Asian
cryptocurrency exchanges.
That's a total of
$571 million that was lost.
Cryptocurrency exchanges
just have the bare minimum
of security, we're learning now.
In 2020, as the global
pandemic spiralled,
AstraZeneca, makers of
one of the key vaccines,
was hit by an attack,
extorting the company
and stealing sensitive
information for profit.
The sums involved
are astronomical,
and Lazarus is still
very much at large.
They have been designated
by the United States an APT;
that's an
advanced persistent threat.
Now, the fundamental criteria
is that they represent a threat
to US national security
and national infrastructure.
So, just by dint of it
being called an APT
means that the Lazarus Group
is serious stuff.
Marvel fans,
think HYDRA.
James Bond films,
think of SPECTRE.
It's something like that.
Now, it's tempting to
think this comparison is absurd,
but this is the scale
that Lazarus operates on.
Arguably, they're the most
potent cyber criminals
in business today.
So the nation state's
involvement in cybercrime
means that cybercrime
has actually morphed
into cyber warfare.
You can have zero trust
in these systems.
You need to assume that
everything has been broken,
everything is being listened to,
that everything can be captured,
and operate accordingly.
If a small group
can plan something
and get away with $81 million,
which involved
the Fed in New York,
SWIFT in Brussels,
the Bangladeshi Bank in Dhaka,
and then all the peripherals
in Manila,
just think about what one of the
really professional operations
in China, Russia,
the NSA, GCHQ,
just think what havoc
they could wreak.
And every year, the hacks get
bigger, the damage greater,
the implications graver.
Armies literally have hackers
hammering at the gates.
And it just takes
a simple breach,
one person, one weak link,
and those armies
will storm the defences
and bring down a network
that our way of life depends on.
It happened in Bangladesh
in 2016.
And believe you me, it's going
to happen again very soon.