The Future of Payments

81 BANKING PERSPECTIVES QUARTER 4 2018 of a sovereign state, which by itself is noteworthy. During World War II, Adolph Hitler initiated a secret plan to counterfeit the U.S. dollar and British pound, a similar kind of economic warfare. But, putting the international law implications aside, the criminal complaint also revealed new details about the fraud that are material to what SWIFT is trying to accomplish – that is, hardening the global banking system’s defenses to cyberattacks. At the very beginning of the complaint, the Department of Justice announces what the cyberattack represents: “a wide ranging, multiyear conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of [North Korea].” The complaint then reveals the involvement of these North Korean actors in the “fraudulent transfer of $81 million from Bangladesh Bank” and drops another startling fact: that these actors “engaged in computer intrusions and cyberheists at many more financial services victims in the United States, and in the other countries ... with attempted losses well over $1 billion.” Unlike the objective of these North Korean state actors regarding Sony, where the motive was to retaliate for the perceived attack against their leader, who was ostensibly sullied by the Sony’s film, here the cyberattack on financial institutions was simpler in its objective. It was, according to the complaint, to further “the goal of stealing money from banks.” Upon reflection, it is not a complete surprise that North Korea, one of the poorest nations on earth, would have state actors become cyberthieves in an effort to level the playing field. The criminal complaint continues to describe the methodology used to steal money from banks. In the scheme described, a North Korean actor creates a spearphishing message that is designed to have social engineering consequences in the targeted financial institution, and to cause a person within the target financial institution to respond in a manner that opens the door of the financial institution’s computer system to the perpetrators. As the complaint frames it, the response of the person who succumbs to the phishing is a response that “grants access to the bank’s computer network.” Once the malefactors have gotten into the financial institution’s general computer network, they work their way through the internal network to the “SWIFT communication system,” exploiting the absence of a firewall between the institution’s general computer system and its SWIFT interface. In other cases, where the malefactors encountered a firewall, the “firewall was modified to allow inbound access using a specific port, and then shortly afterward malware used that port to begin accepting commands.” Then, through the use of the inserted malware, the state actors cause the financial institution to send fraudulent SWIFT messages, achieving the overall objective of stealing money from the victimized financial institutions. But the nefarious scheme did not stop with theft. It continued with the additional steps needed to perfect a cover-up. The state actors inserted malware that worked to destroy the audit trail that would enable the victim financial institutions to detect that they had sent fraudulent payment orders over the SWIFT network. In the words of the criminal complaint, the malware enabled the malefactors “to conceal their activities and cover their tracks.” The complaint reveals that the North Korean actors “were successful in gaining access to multiple other banks in multiple countries.” It proceeds to name Vietnam, the Philippines, and countries in Africa and Southeast Asia. Judging by a list of victimized financial institutions, they appear to be predominately located in emerging markets. The Bank of Bangladesh also is situated in an emerging market country. It is now obvious that the state actors were very successful in raising hundreds of millions of dollars of ill-gotten gains, gains that might be used to finance future operations. The facts described above appear in the form of a sworn criminal complaint executed by an agent of the Federal Bureau of Investigation. In making the complaint public, and notably in revealing specific details of its case, the The nefarious scheme did not stop with theft. It continued with the additional steps needed to perfect a cover-up.