You’ve probably heard of the hackers who almost got away with $1 billion, only to be thwarted by a typo. (if it weren’t for those meddling keyboards!)
What you probably didn’t hear was that they had already wired $100 million to themselves, are assumed to have pocketed anywhere from $21 million to $81 million in cold hard cash.
Sure, Billions is more than millions, but one a single hack that returns $21 million is a good pay-day by anyone’s standards.
The group managed to hack into the Bangladesh Central Bank, and gained access to specific machines on their network. From there they wired payment instructions over the Swift network to transfer nearly $1 Billion dollars in cash, all from a bank with just $28 Billion in foreign exchange reserves.
These were not 2-bit hackers who were foiled by typo’s, this was a well targeted attack, that would have probably occurred even if the bank upgraded their switches from $10 D-links to $100,000 Cisco routers, it wouldn’t have made a difference. The BAE report on the breach made for some interesting bed-time reading, but what really struck me was that the hackers were smart enough to suppress print-outs of confirmations, thereby ensuring no bank employees knew of the breach.
Each payment instruction generates a paper print out for employees to verify physically, but because that paper printout was generated by the same comprimised software, it was trivial to suppress.
But Hacking is one thing, knowing how to wire the money anonymously in a heavily regulated banking system is another.
The hackers had figured out that the best way to smuggle out millions of dollars was via casinos in the Philippines, that aren’t covered by anti money-laundering laws. This knowledge isn’t something that appears on last week’s Jeopadry, or a question you pose on Reddit, it’s something that only insiders know about.
Oh, and by the way, another $20 million was routed to Sri Lanka, suggesting there are other avenues to launder money out of the system from that Island nation as well.
But just who are these sophisticated hackers?
The Philippines Senators who had a hearing on the incident suggested that the perpetrators ‘could’ be Chinese. And while there’s probably a conflict of interest in their statement (nobody wants to admit that there are criminals in their own borders), evidence does seem to suggest it’s at least a likelihood.
And if I were to put on my tin-foil hat for a while, we may be able to correlate this attack to something that occurred late last year, keep in mind though this is venturing deep in the crazy woman with cat territory, and you have been warned.
So with that warning, let me take you back to good ol’ 2015.
In September of that year, President Obama and President Xi had a ‘broad agreement’ that both nations will no longer hack each other for ‘commercial purposes’. Nationwide espionage and intelligence gathering was still OK, but intentionally targeting corporations for their intellectual property was not.
Of course, the agreement was a bit vague on specifics, if Chinese hackers were to target Lockheed Martin to obtain the designs for the F-35 fighter — would that be considered commercial?
But overall the agreement was clear that both countries would not use hacking to advance their commercial interest. Keep in mind, that both countries vehemently denied they ever did this, so in essence the statement was merely formalizing something both countries have always denied doing–sort of saying we promise never to do the things we never did in the first place.
To give you a flavor of corporate espionage, I recommend reading a brilliant post titled “Stealing White” by Del Quintin Wilber from Bloomberg. It’s a long read (almost 4000 words long), which involves a Malaysian trying to steal the secrets of Titanium Dioxide production from Dupont. Apparently Titanium Dioxide makes a perfect white, that is the envy of all other whites, but the plot of stealing the manufacturing secrets of this perfect white is elaborate enough to make Wile E. Coyote green with envy, and just like in the cartoons it fails.
The Bloomberg piece concludes with an interesting point “the Chinese may have gotten what they needed directly from the chemical company. Newly filed court documents reveal that the FBI motel raid found evidence DuPont’s computers had been hacked.”
So elaborate espionage didn’t work as effectively as simply hacking into the source and getting it directly, and for a long time it was assumed that these breaches were executed by the hackers from the Chinese Government themselves. Think of it as a special arm dedicated to corporate espionage.
Of course, let me re-iterate that this is merely hypothetical, and let’s also not forget that the Snowden leaks suggest that the NSA was also in on the corporate espionage game, and spied on Corporate entities like Brazil’s Petrobras.
And here’s where the tin-foil comes in.
If China did indeed have a corporate espionage arm (not saying they did), and that arm was disbanded back in September due to the agreement with the US–what would happen exactly?
Well you’d think hundreds (if not thousands) of well-trained hackers, who specialized in the breaching of corporate networks would soon be out of jobs. And since hacking, especially government level hacking, isn’t exactly a generic skill set you can use to job-hop around, the most likely scenario would be that these hackers soon become freelancers.
And freelancers sooner or later coalesce into well organized teams which high levels of knowledge and expertise.
But what kind of heist could a group of well-trained, highly skilled, out of a job hackers do?
Hypothetically they could infiltrate a financial organization and start routing money to themselves–maybe? Identifying flaws in the global monetary system and using them to steal about $1 Billion from bank in Bangladesh?