The Lazarus heist: how it went down
A heist of this size required a year of careful planning and preparation. North Korean hackers had to infiltrate the bank systems without detection, work their way through the bank’s computers one by one until they reached the digital vaults, figure out an escape route for the money, and finally clean it to make it untraceable for the relevant authorities.
The hackers dubbed themselves the Lazarus Group, and prepared to make history.
This complex string of events started with a simple email sent by Rasel Ahlam, a Bangladeshi man looking for a job at the bank. However, Rasel Ahlam didn’t exist. He was just an alias created by the Lazarus Group to get a foothold in the bank’s systems.
The sequence of events
- January 2015. Several workers receive emails asking them to follow a website link and download a CV and cover letter. At least one worker downloads the files, thus infecting a Bangladesh Bank computer with malware. That’s a clear-cut example of a socially engineered attack and a reminder to everyone not to follow any links sent from email addresses you don’t know.
- January 2015-February 2016. The hackers jump between computers until they find a safe route to the Bangladesh Bank’s SWIFT network. SWIFT is a system used by hundreds of banks to transfer large quantities of money.
- May 2015. Four bank accounts are set up in the Philippines-based bank RCBC. They were applied for with fake driving licenses. Each account holder has the same job and wage, despite being listed as working for different companies. The particular branch targeted is in Manila. $500 is deposited into each account.
- February 2016, days before the heist. The 10th-floor printer that physically backs up every transfer from all Bangladesh Bank accounts is unknowingly hacked and shut down. No notice is given as the printer always plays up.
- February 4, 2016, Thursday, 20:36. 35 transfers are made, totaling $951 million. The money is requested through Bangladesh Bank’s SWIFT network, making the requests seem legitimate. The cash comes from a Federal Reserve Bank of New York account, where Bangladesh Bank stores their fortune.
- February 5, 2016, Friday. Start of the Bangladesh weekend. No workers in the bank means the theft hasn’t been noticed yet. The four RSBC accounts are suddenly active and full of millions. Only $101 million makes it through after the Federal Reserve flags most of the transactions as suspicious.
- February 5-13, 2016. The money is continuously transferred between accounts, exchanged into local currency, and some is withdrawn — all techniques to clean dirty money.
- February 6, 2016, Saturday. The theft is finally noticed. The printer on the 10th floor has been rebooted and helps shine light on the situation. Bangladesh Bank tries to contact the Federal Reserve. Unfortunately, it’s a Saturday, and no one is at work.
Only a fraction of the money requested was transferred, with five transactions approved by the Federal Reserve on Friday morning, February 5. But why were the other 30 rejected? Luckily, it was due to America’s ever-pervasive and extensive security measures.
The RSBC bank is located on Jupiter Street in Manila. Jupiter also just so happened to be the name of an Iranian shipping vessel, thus immediately flagging the name “Jupiter” as suspicious. Once the connection was made, the Federal Reserve instantly placed a halt on most of the transactions.
$20 million of the stolen cash was sent to a Sri Lankan charity to channel it to other accounts. However, a simple spelling error raised suspicions, and the transaction was reversed very quickly.
The rest of the $81 million was laundered through two of the Philippines' premier casinos, “The Solaire” and “The Midas”, over several weeks. At the time, there were no money-laundering regulations for Filipino casinos, so all money siphoned through the casino may as well have been from legitimate sources.
How did the Lazarus Group get so far undetected?
This was done through the careful application of socially engineered scenarios. Masquerading as a humble job seeker with an innocently worded email could automatically put some readers at ease. "This person sounds harmless enough. Let’s have a look at what they’ve got to offer."
Every cybersecurity expert in the world would tell you not to open any links provided from an email address you aren’t familiar with. The bogus emails from Rasel Ahlem were sent to several workers, and all it took was one of them to click the link.
By dressing malware up in a package of nice words and familiarity, it’s a lot easier to trick people into clicking something they shouldn’t. Why spend time, effort, and resources breaking into a computer when a hacker could manipulate the victim into doing it themselves? That’s the danger of socially engineered hacking campaigns.
What’s the lesson to be learned?
Staying safe online isn’t just about having the best VPN on the market or the strength of your firewall and antivirus. You now have to be aware of common tricks and techniques that cybercriminals will employ to sneak into your network.
This whole heist, which took a year of meticulous research and planning, was triggered by one person clicking a link and downloading a file. Had the workers of Bangladesh Bank been updated with basic cybersecurity information, the heist would have been foiled instantly.
Knowledge is the best tool against these kinds of attacks. Remind yourself daily not to click on any suspicious emails — send them straight to the trash. Familiarize yourself with this helpful guide on the most common techniques used by hackers.
Online security starts with a click.
Stay safe with the world’s leading VPN