ITHappens Cybersecurity Series: Laurens Klaassen

ITHappens proudly presents a new series of articles: the ITHappens Cybersecurity series! In this series, we uncover recent cybersecurity trends and topics. We do this on the basis of expertise and literature reviews carried out by graduates who wrote their thesis in the Information Management master's programme, by courses in which cybersecurity is part of the curriculum, or through collaborations with companies. Stay tuned for more articles on cybersecurity!

About the author

Laurens Klaassen is a master’s student in Information Management and Finance, both MSc programmes of Tilburg University. With this background, his interest lies at the junction of the financial and informatics worlds; his expertise is in data analytics and machine learning with financial applications, and in FinTech.

Laurens Klaassen.

Why this topic?

Laurens chose this subject because of the increasingly common coordinated cyberattacks funded by sovereign states. The reasons for these attacks vary widely, but in most cases they amount to (un)declared digital warfare; attacks between Russian and Ukrainian cyber domains are examples of this. In other cases, attacks are carried out to bypass international sanctions. This article focuses mostly on the second reason, even though the case it describes also has properties of the first.

The Lazarus Hack: A Symphony of Cyber Intrusion

In the ever-evolving landscape of cybersecurity, the Lazarus group’s attempted heist on the National Bank of Bangladesh in 2016 stands out as a chilling testament to the sophisticated methods employed by cybercriminals. Let’s delve into the intricate timeline of events and dissect the vulnerabilities that allowed this audacious attack to unfold.

Unravelling the Scheme: A Timeline Perspective

The story begins with Lazarus gathering intel on the National Bank of Bangladesh. Spear-phishing, a well-known tactic, served as their entry point. Armed with email addresses and social media details, the hackers launched a convincing phishing campaign, opening with a seemingly innocuous job-application email in January 2015. The attachment carried malicious content, breaching the bank’s defences (U.S. Department of Justice, 2018).

Once inside, Lazarus skilfully navigated the bank’s network, eventually infiltrating computers linked to the SWIFT network—the lifeline of interbank financial transactions. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) network became a goldmine for the hackers, offering a gateway to manipulate financial transactions between banks (Swift, n.d.).

Exploiting this newfound access, Lazarus executed fraudulent SWIFT transactions, siphoning funds from the National Bank of Bangladesh to their own accounts. To cover their tracks, they deployed malware to create faux documentation and ERP database entries, camouflaging the deceit (U.S. Department of Justice, 2018).

However, fortune intervened. An attempt to wire funds to a Philippine bank triggered alarms at the New York Fed, halting the transaction. The word ‘Jupiter,’ coincidentally associated with a sanctioned Iranian oil tanker, set off red flags. The heist, initially targeting $951 million, only yielded $81 million due to this stroke of luck (BBC News, 2021).

The Lazarus Saga: Prelude to Bangladesh

This wasn’t Lazarus’s inaugural foray into cybercrime. Operation Troy in 2013 marked their initial notable hack, employing DDoS attacks and wiping hard drives across South Korea. The 2014 Sony Pictures breach followed, fuelled by geopolitical motives and opposition to the movie “The Interview” (Sherstobitoff et al., 2013; Haggard & Lindsay, 2015).

The Bank of Bangladesh hack, however, seemed more opportunistic than politically driven. Lazarus targeted the bank based on size and identified cybersecurity loopholes, showcasing a shift in their modus operandi.

Fortifying Cybersecurity: A Desideratum for Financial Institutions

Enter the realm of security engineering—the backbone of defence against cyber threats. Effective security intertwines policy, mechanisms, assurance, and incentives (Anderson, 2020). Policies articulate objectives, and mechanisms, including encryption and access controls, bring them to fruition (Aminzade, 2018; Suleski et al., 2023). End-to-end encryption secures financial transactions, while real-time fraud detection acts as a vigilant guardian (Ometov et al., 2018; Hossain & Islam, 2023).

Assurance quantifies trust, urging regular security audits, compliance with international standards, and a robust incident response plan (Borky & Bradley, 2018). Incentives, the linchpin, drive adherence. Cybersecurity education, strict consequences for breaches, and legal repercussions fortify this incentive structure (Slapničar et al., 2022).

Deconstructing the Hack: Vulnerabilities Exposed

The Lazarus breach laid bare critical vulnerabilities in the Bangladesh Bank’s cybersecurity fabric. Spear-phishing, the initial gambit, preyed on human susceptibility. Employees, unaware of the looming threat, unwittingly activated the malware-laden email attachments (U.S. Department of Justice, 2018).

The hackers’ ability to maintain an undetected backdoor exposed flaws in the security system: the malware spoke a fake TLS protocol, so that its traffic passed for legitimate encrypted sessions and slipped past existing safeguards (Wang et al., 2020). Access to SWIFT credentials, possibly acquired through malware or insider recruitment, provided the key to the kingdom (Corkery, 2016).

The subsequent installation of secure-deletion malware further masked their tracks, aided by the strategic removal of the printer—the final piece of the puzzle, which kept the bank oblivious (U.S. Department of Justice, 2018).

Repercussions: Beyond Financial Loss

The aftermath echoed far beyond financial loss. Recovery efforts, legal battles, and leadership upheavals ensued. Lorenzo Tan and Atiur Rahman resigned, their reputations tarnished. Legal battles between Bangladesh Bank and RCBC unfolded, resulting in fines and protracted investigations (Gladstone, 2016; Writer, 2016).

Judicial implications extended to discussions of blacklisting the Philippines for money laundering. The still-unfinished CID forensic examination casts doubt on Bangladesh’s investigative competence (Chowdhury, 2022; IMF, 2023).

Lessons for the Financial Sector

This cyber saga reverberated through the global financial sector, urging introspection and fortification. Authentication and authorization mechanisms demand reinforcement. Multi-factor authentication, biometric verification, and stricter access controls emerge as imperatives (Das & Spicer, 2016).

Technical security measures, including real-time monitoring and robust intrusion detection systems, must be paramount (SWIFT, 2019). Improved communication channels, timely incident response plans, and a culture of transparency rise as bulwarks against cyber onslaughts (Das & Spicer, 2016; Mazumder, 2020).
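As an added example (not part of the original article or of any bank’s or SWIFT’s software), the sketch below shows the kind of real-time screening the article calls for: a payment instruction is held when a free-text field contains a watch-list term (the type of check that stopped the ‘Jupiter’ transfer), when the beneficiary is new to the originating account, or when the account’s outflow inside a time window exceeds a limit. The watch-list term, accounts, names, amounts and thresholds are all constructed for illustration.

```python
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional, Set

# Constructed watch-list for this illustration; a real deployment loads the
# official sanctions lists instead of a hard-coded term.
WATCH_LIST = {"jupiter"}
# ref = message reference, originator = ordering account, beneficiary/address = free
# text, amount_usd, ts = seconds since epoch (all fields constructed for the example).
Instruction = namedtuple("Instruction", "ref originator beneficiary address amount_usd ts")

def _tokens(text: str) -> Set[str]:
    """Normalise free text so 'JUPITER,' and 'jupiter' match the same list entry."""
    return {t.strip(".,;:()").lower() for t in text.split()}

def screen_batch(instructions: List[Instruction], known: Optional[Dict[str, Set[str]]] = None,
                 window_s: int = 3600, limit_usd: float = 100_000_000) -> Dict[str, List[str]]:
    """Screen instructions in arrival order; return {ref: hold reasons} (empty list = release)."""
    known = defaultdict(set, {k: set(v) for k, v in (known or {}).items()})
    history: Dict[str, List[Instruction]] = defaultdict(list)
    verdicts: Dict[str, List[str]] = {}
    for ins in instructions:
        reasons = []
        # 1. Sanctions screening on the free-text fields: the kind of keyword hit
        #    that held the Philippine transfer at the New York Fed.
        hits = (_tokens(ins.beneficiary) | _tokens(ins.address)) & WATCH_LIST
        if hits:
            reasons.append(f"watch-list term(s): {sorted(hits)}")
        # 2. Never-before-seen beneficiary for this originating account.
        if ins.beneficiary not in known[ins.originator]:
            reasons.append("first payment to this beneficiary")
        # 3. Velocity: cumulative outflow from the account inside the time window.
        recent = [h for h in history[ins.originator] if ins.ts - h.ts <= window_s]
        total = sum(h.amount_usd for h in recent) + ins.amount_usd
        if total > limit_usd:
            reasons.append(f"outflow {total:,.0f} USD within {window_s}s exceeds limit")
        history[ins.originator] = recent + [ins]
        if not reasons:  # only released payments become "known good" beneficiaries
            known[ins.originator].add(ins.beneficiary)
        verdicts[ins.ref] = reasons
    return verdicts

# Constructed sample traffic (not real transactions): one routine payment, one with a
# watch-list hit, one that breaches the hourly limit, one sent after the window expired.
SAMPLE = [
    Instruction("TX1", "ACCT-A", "Known Supplier Ltd", "Dhaka", 250_000, 1000),
    Instruction("TX2", "ACCT-A", "New Holding Co", "12 Jupiter Street, Makati", 20_000_000, 1100),
    Instruction("TX3", "ACCT-A", "Another New Co", "Colombo", 81_000_000, 1200),
    Instruction("TX4", "ACCT-A", "Known Supplier Ltd", "Dhaka", 1_000, 10_000),
]
```

Calling `screen_batch(SAMPLE, known={"ACCT-A": {"Known Supplier Ltd"}})` releases TX1 and TX4 and holds TX2 (watch-list hit, new beneficiary) and TX3 (new beneficiary, outflow over the limit).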

Conclusion: Charting a Resilient Future

The Bangladesh Bank cyber heist serves as a stark reminder of the intricate dance between human vulnerabilities and technological defences. As financial institutions navigate this ever-shifting landscape, a holistic cybersecurity strategy emerges as their beacon. It hinges on meticulous training, fortified authentication, robust technical measures, and a seamless tapestry of policies and mechanisms. In this symphony of security, the Bangladesh Bank saga echoes a resounding call for vigilance, adaptation, and unwavering resilience.


References:

    1. Aminzade, M. (2018). Confidentiality, integrity and availability – finding a balanced IT framework. Network Security, 2018(5), 9–11. https://doi.org/10.1016/s1353-4858(18)30043-6
    2. Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons.
    3. BBC News. (2021, June 20). The Lazarus heist: How North Korea almost pulled off a billion-dollar hack. BBC News. https://www.bbc.com/news/stories-57520169
    4. Borky, J. M., & Bradley, T. H. (2018). Protecting Information with Cybersecurity. In Springer eBooks (pp. 345–404). https://doi.org/10.1007/978-3-319-95669-5_10
    5. Broin, A. (2018).
    6. Chowdhury, Z. (2022, December 26). BB heist case: CID fails to produce forensic probe report in 7 years. The Business Standard. https://www.tbsnews.net/bangladesh/crime/bb-heist-case-cid-fails-produce-forensic-probe-report-7-years-557450
    7. Corkery, M. (2016, May 13). Once again, thieves enter Swift financial network and steal. The New York Times. https://www.nytimes.com/2016/05/13/business/dealbook/swift-global-bank-network-attack.html
    8. Das, N., & Spicer, J. (2016, July 21). How the New York Fed fumbled over the Bangladesh Bank cyber-heist. Reuters. https://www.reuters.com/investigates/special-report/cyber-heist-federal/
    9. Gladstone, R. (2016, March 15). Bangladesh bank chief resigns after cyber theft of $81 million. The New York Times. https://www.nytimes.com/2016/03/16/world/asia/bangladesh-bank-chief-resigns-after-cyber-theft-of-81-million.html?smid=url-share
    10. Haggard, S., & Lindsay, J. R. (2015). North Korea and the Sony Hack: Exporting Instability Through Cyberspace. East-West Center. https://www.jstor.org/stable/resrep06456
    11. Hossain, M. A., & Islam, M. S. (2023). Ensuring network security with a robust intrusion detection system using ensemble-based machine learning. Array, 19, 100306. https://doi.org/10.1016/j.array.2023.100306
    12. IMF. (2023, February 7). The fight against money laundering and terrorism financing. https://www.imf.org/en/About/Factsheets/Sheets/2023/Fight-against-money-laundering-and-terrorism-financing
    13. Mazumder, M. (2020, April 4). The spillover effect of the Bangladesh Bank Cyber Heist on banks’ cyber risk disclosures in Bangladesh. https://ssrn.com/abstract=3771379
    14. Ometov, A., Bezzateev, S., Mäkitalo, N., Andreev, S., Mikkonen, T., & Koucheryavy, Y. (2018). Multi-Factor Authentication: A survey. Cryptography, 2(1), 1. https://doi.org/10.3390/cryptography2010001
    15. Sherstobitoff, R., Liba, I., & Walter, J. (2013). Dissecting Operation Troy: Cyber Espionage in South Korea. McAfee Labs.
    16. Slapničar, S., Vuko, T., Čular, M., & Drašček, M. (2022). Effectiveness of cybersecurity audit. International Journal of Accounting Information Systems, 44, 100548. https://doi.org/10.1016/j.accinf.2021.100548
    17. Suleski, T., Ahmed, M., Yang, W., & Wang, E. (2023). A review of multi-factor authentication in the Internet of Healthcare Things. Digital Health, 9, 205520762311771. https://doi.org/10.1177/20552076231177144
    18. Swift. (n.d.). Messaging and Standards | Swift. https://www.swift.com/about-us/discover-swift/messaging-and-standards
    19. SWIFT. (2019). Three years on from Bangladesh: Tackling the adversaries. SWIFT. https://www.swift.com/swift-resource/210491/download?language=en
    20. U.S. Department of Justice. (2018). Park Jin Hyok Criminal Complaint [Press release]. https://www.justice.gov/opa/press-release/file/1092091/download
    21. Wang, Y., Xu, G., Liu, X., Mao, W., Si, C., Pedrycz, W., & Wang, W. (2020). Identifying vulnerabilities of SSL/TLS certificate verification in Android apps with static and dynamic analysis. Journal of Systems and Software, 167, 110609. https://doi.org/10.1016/j.jss.2020.110609
    22. Writer, M. S. N. S. (2016). Philippines faces fallout from Bangladesh bank heist. Nikkei Asia. https://asia.nikkei.com/Business/Finance/Philippines-faces-fallout-from-Bangladesh-bank-heist