But, as with the supernotes, the potential value of financial manipulation for North Korea goes at least somewhat beyond profit-seeking. If successful, it would also at least somewhat undermine the integrity of worldwide markets by deleting transaction records and distorting financial truth. Such tactics are tempting for government agencies but carry enormous risk. In the run-up to the Iraq War, the New York Times reported that United States considered draining Saddam Hussein’s bank accounts, but decided against it, fearful of crossing a Rubicon of state-sponsored cyber fraud that would harm the American economy and global stability. In 2014, President Obama’s NSA review commission argued that the United States should pledge never to hack and manipulate financial records. To do so, it said, would have a tremendously negative impact on trust in the global economic system.
Bank robbery is a terrible idea. Not only is it illegal, but it also yields an awful return on investment. In the United States, the average bank robbery nets around $4,000 in cash, and the average bank robber pulls off only three heists before getting caught. Prospects are a little better overseas, but not much. Strikingly bold capers, like the 2005 theft at Banco Central in Brazil that required months of secretive tunnel-digging, can fetch tens of millions of dollars, but the vast majority of significant attempts end in catastrophic failure.
North Korean operatives found a better way to rob banks. They did not have to break through reinforced concrete or tunnel under vaults to get at the money, and they had no need to use force or threats. Instead, they simply duped the bank’s computers into giving it away. To do this, they set their sights on a core system in international business called the Society for Worldwide Interbank Financial Telecommunication, or SWIFT. The SWIFT system has been around since the 1970s. Its eleven thousand financial institutions in more than two hundred countries process tens of millions of transactions per day. The daily transfers total trillions of dollars, more than the annual gross domestic product of most countries. Many financial institutions in the SWIFT system have special user accounts for custom SWIFT software to communicate their business to other banks all over the world. Analyses from the cybersecurity firms BAE Systems and Kaspersky, as well as reporting in Wired, provide evidence for how the North Koreans targeted these accounts.
The Central Bank of Bangladesh stores some of its money in the Federal Reserve Bank of New York, which the Central Bank uses for settling international transactions. On February 4, 2016, the Bangladeshi bank initiated about three dozen payments. Per the transfer requests sent over the SWIFT system, the bank wanted some of its New York money, totaling almost a billion dollars, moved to a series of other accounts in Sri Lanka and the Philippines.
Around the same time and halfway across the world, a printer inside the Central Bank of Bangladesh stopped working. The printer was an ordinary HP LaserJet 400, located in a windowless, twelve- by eight-foot room. The device had one very important job: Day and night, it automatically printed physical records of the bank’s SWIFT transactions. When employees arrived on the morning of February 5, they found nothing in the printer’s output tray. They tried to print manually, but found they could not; the computer terminal connected to the SWIFT network generated an error message saying it was missing a file. The employees were now blind to transactions taking place at their own bank. The silent printer was the dog that did not bark: a sign that something was deeply wrong, but not immediately recognized as such.
This was not an ordinary machine failure. Instead, it was the culmination of shrewd North Korean preparation and aggressiveness. The hackers’ clever move was to target not the SWIFT system itself, but the machine through which the Bangladeshis connected to it. The special accounts used by the Central Bank of Bangladesh to interact with the system had enormous power, including the capacity to create, approve, and submit new transactions. By focusing their espionage on the bank’s network and users, the hackers were eventually able to gain access to these accounts.
It took time to figure out how the Bangladeshis connected to the SWIFT system and to get access to their credentials. Yet even as the hackers were moving through the bank’s network and preparing their operation—a process that took months—the Central Bank of Bangladesh failed to detect them. In part, this was because the bank was not looking very hard. After the hack, according to Reuters, a police investigation identified several shoddy security practices, including cheap equipment and a lack of security software, which made it easier for hackers to reach sensitive computers.
Once the hackers gained access to the bank’s SWIFT accounts, they could initiate transactions just like any authorized user. To further avoid detection, they wrote special malicious code to bypass the internal antifraud checks in SWIFT software. Worse still, they manipulated transaction logs, making it harder to figure out where the bank’s money was going and casting doubt on the veracity of the logs upon which this, and every, high-volume financial institution depends. The North Korean strike against these logs was a dagger to the heart of the system. They sidelined the printer with additional malicious code, buying themselves time while the system processed their illicit transfer requests.