Bangladesh Bank Heist: US charges North Korean hacker
Almost five years after the Bangladesh Bank heist, the most sensational cybercrime involving a financial institution to date, the US Department of Justice has formally announced charges against Park Jin Hyok, a North Korean hacker.
Following a complaint in May 2018 and the subsequent probe, charges of "conspiracy to commit wire fraud" and "conspiracy to commit computer-related fraud" were filed against Hyok. He was allegedly involved in several high-stakes cyber intrusions, including the hack of Sony, the creation of the WannaCry ransomware, and the Bangladesh Bank heist.
According to the Federal Bureau of Investigation (FBI), Hyok has three other aliases and is fluent in three languages.
CBS News reported that investigators were able to link his social media activity, email correspondence, and use of proxies to the crimes he is alleged to have committed. The news report also states that Hyok was responsible for the infection of over 300,000 computers, including devices belonging to hospitals, schools, and businesses.
The FBI has placed Hyok and two of his associates, Jon Chang Hyok and Kim Il, on its list of wanted cyber fugitives. The trio is alleged to be working for the North Korean government's Reconnaissance General Bureau (RGB).
According to cybersecurity experts, RGB is responsible for earning the North Korean regime foreign currency through cyber exploits.
However, these charges are largely symbolic, as the US has no extradition treaty with North Korea. Hyok is unlikely ever to see the inside of a US courtroom.
Some private cybersecurity researchers have labelled these RGB operations "Lazarus Group" and "Advanced Persistent Threat 38 (APT38)".
Lazarus Group has been notorious for launching several targeted attacks on financial institutions across several countries, including Poland, Iraq, Nigeria, Ethiopia, India, Thailand, Malaysia, Indonesia, Costa Rica, and, of course, Bangladesh.
From simple hacks to complex intrusions, the group is capable of launching attacks on even the most secure cyber infrastructure, according to industry experts.
During the early investigation of the Bangladesh Bank heist, cyber forensic investigators going through log files identified one particular IP address that originated from North Korea.
Upon further investigation and analysis, a pattern emerged. This pattern was oddly similar to Lazarus's previously known heists.
By studying the BB heist along with other known work of the Lazarus Group, Kaspersky Lab has been able to draw up the group's modus operandi.
The group first tests its hacks on financial institutions to hone its skills and recalibrate its tools. Once the tools are ready, it attempts to compromise a single device or system within the target network. Once that is done by injecting malware, sometimes delivered as a simple email attachment, it gradually establishes a foothold by replicating the infection across the target network. The group then studies the behaviour pattern of the network, learns about the security protocols, and comes to understand the operation by analysing the network traffic.
Finally, the group engineers a plan and then carries out the intended rogue transactions, bypassing all the security protocols.
The BB heist happened in the very same fashion.
The Criminal Investigation Department (CID) of Bangladesh is carrying out an enquiry into the heist, said Abu Hena Mohammad Razee Hassan, head of the Bangladesh Financial Intelligence Unit (BFIU) of Bangladesh Bank.
The BFIU is the central agency of Bangladesh responsible for analyzing suspicious transaction reports, cash transaction reports, and information related to money laundering and financing of terrorism from reporting agencies and other sources.
If the CID wants information about the people charged by the US Department of Justice, the BFIU would request that information from the US department concerned, Razee Hassan said.