North Korean Cyberhacking Redux: The Bank Heist Cases
A distinctive feature of cyber- as compared to conventional warfare is the so-called attribution problem: that it can be difficult to know with certainty where attacks are emanating from. This in turn generates difficulties for deterrence. Whom, exactly, do we need to punish to successfully deter and who undertakes the actions and how? This problem emerges in spades in the recent spate of hacks of—or more accurately thefts from—Asian and other banks. North Korean involvement is a possibility, but if so, almost certainly as one player in a complex criminal network. This fact is cold comfort, as it demonstrates once again what my colleague Marcus Noland calls the “whack-a-mole” problem: that in a highly interdependent global financial system, blocking one proliferation financing or criminal financial channel often only shifts the risks somewhere else in the system.
The evidence of North Korean involvement rests on some transitive logic. The mainstream media reports (New York Times, CNN) emerged in the wake of technical analyses from major cybersecurity firms comparing the malware used in these attacks with previous hacking efforts (BAE, explicitly titled Cyber Heist Attribution, and particularly the Symantec report, with FireEye following up on a new wave of attacks against banks in the Middle East). These reports note not only similarities across recent attacks, which include banks in Ecuador and Vietnam as well as the theft from the Central Bank of Bangladesh, but also similarities to past attacks.
These past attacks include in particular the 2013 hacks against South Korean banks and broadcasters, which South Korean authorities pinned on the North, and the infamous Sony hack, which the FBI attributed to North Korea. In my coverage of the Sony Hack—summarized in a piece with Jon Lindsay at the East-West Center—we argued that evidence from the Snowden papers helps explain the Obama administration’s confidence in tagging North Korea as the culprit; the NSA clearly had very substantial capabilities with respect to tracking North Korean activities. Thus if you believe the attribution of these previous attacks and you believe that the malware and operational profiles in the recent cases are adequately unique, then you can reach the conclusion of North Korean involvement. As Eric Chien from Symantec put it in the CNN piece cited above, "if you believe those government assertions, then the Bangladesh attack was North Korea."
Not so fast. In fact, we now have quite substantial information on the Bangladesh case, and it involves a shadowy complex of Chinese and Philippine actors as well; oddly the North Korea and Philippine strands of the case have not been put together in the standard coverage (Wikipedia has a surprisingly good narrative account of the Bangladesh case, pieced together from Philippine and other Asian sources). The actual event took place in early February, when hackers (perhaps with insider assistance) generated messages from the Central Bank of Bangladesh to the New York Fed, which holds some portion of Bangladesh reserves. The messages, sent through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system, requested transfers of $951 million to accounts in Sri Lanka and the Philippines. Most of these transfer requests were deemed suspicious and blocked, but $20 million to Sri Lanka and $81 million to the Philippines went through, with the former amount recovered.
The Philippines story is its own complex tale of lax regulation if not outright malfeasance (most recent Reuters coverage here). An unknown share of all transfer requests was directed to Philippine banks, with the $81 million all going into multiple accounts at a single branch of the Rizal Commercial Banking Corp (RCBC) in Manila. A Philippine Senate inquiry revealed that most of those funds then went to casinos and casino agents in the Philippines through a remittance agency. This was possible because lobbying for this high-roller industry—which attracts a substantial mainland Chinese clientele—explicitly exempted the casinos from Philippine anti-money laundering laws. In addition, the Philippines has extremely tight bank secrecy laws.
Philippine authorities have filed charges all along this complex chain: against the manager of the RCBC branch, against the owners of the accounts, against the remittance agency and against several casino and gaming operators, including two Chinese nationals. Yet all are claiming that their actions were completely legal and that they were simply intermediaries and had no knowledge that the funds might have been stolen. Although some portion of the money has been recovered, the most recent report from Reuters cited above suggests that the trail on the remainder of it has gone cold.
One last bit of this that will take substantial time to sort through is what role, if any, SWIFT and the New York Fed played in this process. Given the centrality of security to the integrity of the global payments and clearing system, both SWIFT and the Fed have been vehement that they bear no responsibility for the lapses at member banking institutions; SWIFT statements on these developments can be found here. But it is somewhat puzzling—at least to an outsider—why some of these transfers were blocked as suspicious while others were allowed to go through. SWIFT has redoubled efforts to advise and even train member banking institutions on security issues.
The theft from the Central Bank of Bangladesh is an extraordinarily important development, not only for North Korea but for the history of the international financial system. It is possible that a sovereign state has effectively been complicit in bank robbery. Yet there are still numerous I’s to dot and T’s to cross before this story is clear. The biggest question going forward: if North Korean involvement can in fact be demonstrated with confidence, how should the international community respond?