Global wave of bank burglaries should revive calls to kick N. Korea out of SWIFT

In recent weeks, I’ve watched with keen interest, and some schadenfreude, as news reports have implicated Pakistani and North Korean hackers in a series of massive bank burglaries involving as many as 12 banks around the world, starting with the theft of $81 million (or $101 million, depending on which report you believe) from the Bangladesh Bank’s account in the U.S. Federal Reserve.

These burglaries did not involve guns or ski masks. They were something more like armored car burglaries, but they didn’t involve armored cars. They involved malicious code inserted into software used to connect the banks to SWIFT, the Society for Worldwide Interbank Financial Telecommunications. Although the Bangladesh Bank and SWIFT have been pointing fingers at each other, IT security experts are finding North Korean fingerprints all over the malware behind the theft.

It’s now clear the global banking system has been under sustained attack from a sophisticated group — dubbed “Lazarus” — that has been linked to North Korea, according to a report from cybersecurity firm Symantec.

In at least four cases, computer hackers have been able to gain a dangerous level of access to SWIFT, the worldwide interbank communication network that settles transactions.

In early February, hackers broke into Bangladesh’s central bank and stole $101 million. Their methods appear to have been deployed in similar heists last year targeting commercial banks in Ecuador and Vietnam.

Symantec revealed evidence on Thursday that suggests hackers used the same technique to slip into a bank in the Philippines in October. Symantec (SYMC) did not name the bank.

[….]

The “Lazarus” group has been linked to a string of attacks on U.S. and South Korean government, finance and media websites since 2009. Cybersecurity firm Novetta carefully documented how “Lazarus” hacked Sony Pictures in 2014, stealing data and destroying computers at the Hollywood movie studio.

The U.S. government has publicly blamed that hack on the government of North Korea. [CNN]

SWIFT has since released a series of increasingly panicked press releases about cybersecurity. The integrity of its system has never faced a greater challenge.

Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain.

In three recent attacks on banks, researchers working for the digital security firm Symantec said, the thieves deployed a rare piece of code that had been seen in only two previous cases: the hacking attack at Sony Pictures in December 2014 and attacks on banks and media companies in South Korea in 2013. Government officials in the United States and South Korea have blamed those attacks on North Korea, though they have not provided independent verification.

On Thursday, the Symantec researchers said they had uncovered evidence linking an attack at a bank in the Philippines last October with attacks on Tien Phong Bank in Vietnam in December and one in February on the central bank of Bangladesh that resulted in the theft of more than $81 million.

“If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea,” said Eric Chien, a security researcher at Symantec, who found that identical code was used across all three attacks.

“We’ve never seen an attack where a nation-state has gone in and stolen money,” Mr. Chien added. “This is a first.” [N.Y. Times, Nicole Perlroth & Michael Corkery]

And of course, North Korea isn’t the kind of place where hackers operate independently from their moms’ basements. Hacking by North Koreans means hacking by North Korea. In a way, we should count ourselves lucky that the North Koreans only got away with Jed Clampett money; they tried to steal much more:

In the attack at Bangladesh’s central bank in February, the thieves tried to transfer $1 billion in funds from an account at the Federal Reserve Bank of New York. Fed officials became suspicious of the some of requested transfers and released only $81 million to accounts in the Philippines.

“If you presume it’s North Korea, $1 billion is almost 10 percent of their G.D.P.,” Mr. Chien said. “This is not small change for them.” [N.Y. Times]

Although I have no love of North Korean hackers or bank burglars, and no enmity against the utility of SWIFT’s services, I can’t help feeling some schadenfreude for SWIFT, given its resistance to enforcing U.N. sanctions, including sanctions against North Korea. SWIFT tried to stay neutral in the world’s (admittedly half-hearted) struggle to force North Korea to live by the world’s rules. Now, SWIFT may become North Korea’s greatest victim.

SWIFT is not a bank; it’s the virtual post office for banks. It’s a financial messaging service, a consortium established by the banking industry as a more efficient way to deliver messages between banks to debit and credit accounts. Think of SWIFT messages as sealed envelopes, with the name of the sender and recipient, and their addresses, written on the outside. SWIFT is an electronic network that delivers those envelopes, but doesn’t open them. Nearly every bank on earth relies on SWIFT, and in a sense, its reach is broader than Treasury’s, because SWIFT messages transactions in all currencies, not just dollars or Euro. SWIFT is based in Belgium, with large facilities in Switzerland and Virginia, and is regulated by EU law.

SWIFT has long had an uncomfortable coexistence with sanctions. In Treasury’s War, Juan Zarate tells the story of how a Treasury official persuaded a friend at SWIFT to share information from financial messages going to and from known terrorist financiers. The information made an invaluable contribution to Treasury’s early successes against Al Qaeda’s finances. Exposure of the program by the New York Times in 2006 was a severe setback to Treasury, and an embarrassment to SWIFT, which had cultivated a reputation for protecting the confidentiality of its transactions. That revelation has caused SWIFT to resist cooperating with international sanctions ever since, even sanctions approved by the U.N. Security Council.

Starting in early 2012, advocates of sanctions against Iran began to demand that Iran be disconnected from SWIFT, and it didn’t take long for that to happen – Congress introduced legislation that would authorize sanctions against SWIFT (see section 220), the EU passed a sanctions regulation clarifying that financial sanctions on Iranian banks also apply to financial messaging, and SWIFT cut off 30 Iranian banks, including its Central Bank. The SWIFT sanctions legislation was controversial and drew strong opposition from banking industry lobbyists.

At the time, SWIFT’s chief executive called the action “extraordinary and unprecedented,” but as an EU official conceded, it was “a very efficient measure” that could “seriously cripple the banking sector of Iran.” By most accounts, disconnecting Iran from SWIFT was one of the most effective sanctions against Iran, denying those banks the means to transfer money in any currency. The Economist later wrote, “The earlier SWIFT ban is widely seen as having helped persuade Iran’s government to negotiate over its nuclear programme.”

In 2001, the same year that SWIFT began passing information about Al Qaeda to Treasury, SWIFT welcomed North Korean banks to its network. As of 2013, SWIFT was only messaging about 50,000 transactions a year for North Korean banks (compared to about 1 million for Iran). This probably reflects the concentration of North Korea’s wealth in the state, and the almost complete absence of truly private enterprise with exposure to the financial system (in North Korea, truly private enterprise operates on cash, usually yuan and dollars, in the gray markets called jangmadang).

Since 2013, when the United Nations Security Council approved Resolution 2094, SWIFT has arguably been obligated to cut off certain North Korean banks by this paragraph:

“11. Decides that Member States shall, in addition to implementing their obligations pursuant to paragraphs 8 (d) and (e) of resolution 1718 (2006), prevent the provision of financial services or the transfer to, through, or from their territory, or to or by their nationals or entities organized under their laws (including branches abroad), or persons or financial institutions in their territory, of any financial or other assets or resources, including bulk cash, that could contribute to the DPRK’s nuclear or ballistic missile programmes, or other activities prohibited by resolutions 1718 (2006), 1874 (2009), 2087 (2013), or this resolution, or to the evasion of measures imposed by resolutions 1718 (2006), 1874 (2009), 2087 (2013), or this resolution, including by freezing any financial or other assets or resources on their territories or that hereafter come within their territories, or that are subject to their jurisdiction or that hereafter become subject to their jurisdiction, that are associated with such programmes or activities and applying enhanced monitoring to prevent all such transactions in accordance with their national authorities and legislation;

Can SWIFT honestly argue that financial messaging isn’t a “financial service”? Can it excuse itself from the obligation to “prevent … the transfer” of funds to sanctioned banks and entities with the lame excuse that it doesn’t open the “envelopes,” it just delivers them?

Yet SWIFT has yet to announce any cutoff of North Korean banks – even those that the U.N. itself has designated. Stephan Haggard wrote in 2014 that North Korea’s SWIFT business had declined to almost nothing by 2012, but I have good reason to doubt this was true as of 2013, and let’s just leave it at that. (It has occurred to me that SWIFT actually did quietly cut the North Koreans off sometime after 2013, and that hacking SWIFT is Pyongyang’s way of inflicting some payback, but I have no evidence to support that speculative hypothesis.)

There are valid arguments against involving SWIFT in too many sanctions efforts – mainly, that less reputable services could arise to handle that business. The answer to those concerns is that the U.S. and EU should move aggressively to sanction and block any alternative messaging services that flout U.N. sanctions. Meanwhile, if any actor warrants disconnection from SWIFT, it’s North Korea, which is now the subject of six United Nations Security Council resolutions, imposing increasingly stringent sanctions on its heavily tainted banking sector. And as the North Koreans have shown again and again, if you deal with them, they’ll eventually burn you. For years, sanctions advocates have called for SWIFT to disconnect North Korean banks. Now, for the sake of SWIFT’s own integrity, would be a good time to heed those calls.