Federal prosecutors are investigating North Korea’s possible role in the theft of $81 million from the central bank of Bangladesh in what security officials fear could be a new front in cyberwarfare.
The U.S. attorney’s office in Los Angeles has been examining the extent to which the North Korean government aided and abetted the bold heist in February 2016, according to a person briefed on the investigation who was not authorized to speak publicly.
In the theft, the attackers, using a global payment messaging system known as SWIFT, were able to persuade the Federal Reserve Bank of New York to move money from the Bangladesh bank to accounts in the Philippines. The SWIFT system is used by some 11,000 banks and companies to transfer money from one country to another.
In the months that followed the Bangladesh heist, it was disclosed that cyberthieves had also attacked banks in Vietnam and Ecuador using SWIFT.
North Korea’s involvement in the attack on the Bangladesh bank had not been publicly known until The New York Times reported in May that security researchers had found evidence that pointed to the country. The researchers discovered that a rare piece of code used in the theft had also been used in the hacking attack on Sony Pictures in December 2014.
Federal prosecutors in Los Angeles are also investigating the Sony breach, and what they uncovered in that inquiry led them to examine the bank theft.
U.S. security officials have largely been quiet about whether North Korea was linked to the bank attacks, even as they have publicly attributed the Sony breach to Pyongyang.
That reticence is now slipping, however. On Tuesday, Richard Ledgett, a deputy director of the National Security Agency, noted the research that tied the two attacks “forensically” and said that if North Korea’s role in the bank robbery was confirmed, it would represent a troubling new front in cyberwarfare.
“That is a big deal,” Ledgett said at an event sponsored by the Aspen Institute.
John Carlin, the head of the Aspen Institute’s cybersecurity and technology program, who served as assistant attorney general for national security during the Obama administration, asked whether Ledgett believed that “nation states are now robbing banks.”
Ledgett responded, “I do.”
The renewed focus on North Korea’s cyberactivities comes as the Trump administration seeks to take a tougher line on that country’s nuclear program.
After a recent trip to Asia, Secretary of State Rex Tillerson said that North Korea posed an imminent threat and seemed to suggest that the United States might have to take pre-emptive military action.
The breach of the Bangladesh central bank exposed how banks of all sizes are vulnerable to cyberattacks using the SWIFT network, once thought to be among the most secure messaging systems in the world.
Investigators believe that the attackers gained access to the bank’s SWIFT credentials, possibly from someone who worked there.
Using those credentials, the attackers then sent messages over SWIFT to the New York Fed, authorizing the release of the funds from the Bangladesh bank account there.
The New York Fed released some of the $951 million to accounts in the Philippines, as requested by the attackers. But officials in New York halted the full transfer when they noticed that something seemed amiss.
SWIFT has been urging the thousands of banks that belong to its network to take precautions. A SWIFT spokeswoman declined to comment Wednesday.
Ledgett said Tuesday that large companies and banks might be fundamentally outmatched by nation-state cyberattackers and suggested that the U.S. government needed to do more to help bolster their defenses.
It is as if the “security guards at Home Depot and Target” are expected “to stand up to the North Korean army,” said Ledgett, who plans to retire soon from the National Security Agency. “On the face of it, it doesn’t make sense.”
News of the criminal investigation into North Korea’s role in the Bangladesh bank attack was reported earlier Wednesday by The Wall Street Journal. It was not clear whether any charges from the investigation were imminent.