By Mark Kuhr, Co-Founder and CTO, Synack and
Anne-Marie Chun, Industry Analyst, Synack
If an armed robber walks into a bank and steals $81M, that’s a crime. So if a nation-state hacks into a bank and steals $81M, does that make the robbery an act of war?
If so, the banking sector could be walking into a cyber war with North Korea. This is something the US, as a country, has been tiptoeing around for decades, but US banks may have just been forced to jump in head first. Almost one year after the incident, federal prosecutors are building a case that accuses North Korea of one of the biggest bank heists of recent history: the theft of $81M from the Bangladesh Bank’s account with the New York Fed.
A New Precedent
Cybercrime costs the global economy roughly $400B per year and is expected to top $2 trillion by 2019. That is not surprising when 72.1% of cyber attacks today are motivated by cyber crime/profit, according to a 2016 Hackmageddon.com report. However, if the federal government’s initial findings on the Bangladesh Bank heist are true, this would mark the first known time that a nation-state has conducted a cyber attack on a bank for financial gain.
It appears that North Korea didn’t act alone. In fact, in a show of criminal craftiness, it appears that North Korea operated through Chinese middlemen, who would suffer the brunt of the charges in this case. The tradecraft, however, appears to be “tied forensically” to North Korea, as cited by NSA Deputy Director Richard Ledgett. According to private investigators, a rare piece of code in the Bangladesh robbery was also found in North Korea’s Sony hack in 2014.
The Challenges of Attribution
As Synack Co-Founder and CTO Mark Kuhr explained in his 2017 ShmooCon talk, strong consensus among security analysts can often lead to attribution. However, accurate attribution is difficult without signals and human intelligence. All signs point to North Korea (by way of China), but leaving such an obvious forensic footprint seems like an amateur move for this state actor. It’s possible that the perpetrator wanted to emulate North Korea and therefore tweaked the North Korean exploit code that was leaked after the Sony hack.
Regardless, before accusing North Korea or Chinese middlemen, and before suggesting to the New York Fed that they were the victim of a direct attack by a nation-state, we should be very confident in our analysis and be cognizant of disinformation tactics.
What’s Next for Banks
So what should the banking sector do? This is the beginning of a new normal – one that requires a whole lot more oversight and accountability. Until the heist, the assumption was that payment orders between nation-states were inherently legitimate. If authenticated by SWIFT, a transaction typically goes through without a second look.
At both the federal and commercial level, bank executives need to immerse themselves in their security programs and make themselves aware of the risks facing their business. Security leads should be building programs that assume breach. Investigations revealed that the attackers were likely lurking in Bangladesh Bank’s systems for weeks, allowing them to replicate money transfer messages and use keylogger software to steal SWIFT credentials. Clearly the adversary had studied the target and had intimate inside knowledge of the software and the processes used in the bank.
Security teams should take a proactive approach to breach prevention and start testing their systems in a way that mimics the adversary they face – we need to start training for the enemy that we are fighting. Unfortunately, high-stakes cyberwarfare is no longer a state-to-state game. It has now hit the banking sector, and without an offensive approach, global financial assets and customer data will be at risk.