All language subtitles for Billion.Dollar.Heist.2023.1080p.WEBRip.x264.AAC5.1-[YTS.MX]_SDH.English

3 00:00:52,182 --> 00:00:53,357 [BUTTON CLICKS] 4 00:00:54,402 --> 00:00:56,404 [KEYBOARD KEYS CLICK] 5 00:00:58,188 --> 00:01:00,016 [ELECTRONIC WHIRRING] 6 00:01:09,373 --> 00:01:10,809 [MUEZZIN CALLS] 7 00:01:10,809 --> 00:01:12,115 MAN 1: It's Friday, 8 00:01:12,115 --> 00:01:15,423 and it is, of course, the Muslim prayer day. 9 00:01:15,423 --> 00:01:18,513 Everyone's off, except for the skeleton staff 10 00:01:18,513 --> 00:01:20,645 at the Bangladeshi Bank, 11 00:01:20,645 --> 00:01:24,562 including Zubair Bin Huda, who is the duty manager. 12 00:01:24,562 --> 00:01:26,086 [ELECTRONIC CHIRPING] 13 00:01:27,870 --> 00:01:31,395 MAN 2: He's part of the elite team of employees 14 00:01:31,395 --> 00:01:35,095 who run the SWIFT banking system, 15 00:01:35,095 --> 00:01:38,663 which is a highly secure banking system 16 00:01:38,663 --> 00:01:41,318 that sends money around the world. 17 00:01:43,538 --> 00:01:47,281 Now, Bin Huda goes, as he does every day, 18 00:01:47,281 --> 00:01:49,152 to the SWIFT printer 19 00:01:49,152 --> 00:01:53,374 to check up on the transactions from the day before. 20 00:01:53,374 --> 00:01:56,159 MAN 2: There are usually printouts 21 00:01:56,159 --> 00:01:58,422 of transactions that came in overnight. 22 00:01:58,422 --> 00:02:02,774 The SWIFT software would print out a ledger every single day, 23 00:02:02,774 --> 00:02:06,952 an audit trace of every single transaction that occurred 24 00:02:06,952 --> 00:02:08,693 on paper. 25 00:02:08,693 --> 00:02:11,392 MAN 4: But when they came in on February 5th morning, 26 00:02:11,392 --> 00:02:12,871 as they usually do, 27 00:02:12,871 --> 00:02:15,744 they found there were no SWIFT messages at all.
28 00:02:15,744 --> 00:02:20,009 In fact, the printer's shut down. It won't work. 29 00:02:20,009 --> 00:02:21,358 They try and turn it on. 30 00:02:21,358 --> 00:02:25,188 Nothing will kick it back into life. 31 00:02:25,188 --> 00:02:28,148 He assumes it was simply a technical error, 32 00:02:28,148 --> 00:02:30,193 shrugs, goes home for the night, 33 00:02:30,193 --> 00:02:32,282 comes back in on Saturday morning 34 00:02:32,282 --> 00:02:34,502 to check the system again. 35 00:02:35,677 --> 00:02:36,939 MAN 5: The next day, 36 00:02:36,939 --> 00:02:40,160 they somehow manually get the printer to work. 37 00:02:40,160 --> 00:02:42,466 This deputy head manager walks in the room, 38 00:02:42,466 --> 00:02:46,122 the printer starts working, and these weird messages come out. 39 00:02:46,122 --> 00:02:49,560 MAN 1: The printer starts spewing out 40 00:02:49,560 --> 00:02:51,736 all of these transactions, 41 00:02:51,736 --> 00:02:56,306 including individual requests to the Fed in New York 42 00:02:56,306 --> 00:02:59,353 for $1 billion. 43 00:03:01,268 --> 00:03:04,880 At that moment, it's panic stations. 44 00:03:10,712 --> 00:03:12,757 [SIRENS WAIL] 45 00:03:22,637 --> 00:03:23,638 [CAR HORN BLARES] 46 00:03:24,465 --> 00:03:26,075 [MODEM DIALS] 47 00:03:36,738 --> 00:03:40,132 [KEYBOARD KEYS CLICK] 48 00:03:44,789 --> 00:03:50,230 When I was growing up, the biggest crime in Britain 49 00:03:50,230 --> 00:03:52,319 ever recorded was the Great Train Robbery. 50 00:03:52,319 --> 00:03:56,366 It was an extraordinary thing. They stole about £2.5 million. 51 00:03:56,366 --> 00:03:58,760 That's about $4 million. 52 00:03:58,760 --> 00:04:04,244 And that story ran literally for 30 years. 53 00:04:05,245 --> 00:04:06,768 Four million dollars. 54 00:04:07,856 --> 00:04:10,293 What you're about to hear 55 00:04:10,293 --> 00:04:14,036 is the story of an attempt to steal...
56 00:04:15,037 --> 00:04:17,518 a billion dollars 57 00:04:18,475 --> 00:04:20,434 It's told by world-leading 58 00:04:20,434 --> 00:04:23,959 cybersecurity and legal experts and journalists: 59 00:04:23,959 --> 00:04:26,309 the very people who uncovered the facts 60 00:04:26,309 --> 00:04:27,919 and threaded them together 61 00:04:27,919 --> 00:04:32,489 to reveal how dangerous the world of cybercrime is today. 62 00:04:47,199 --> 00:04:49,898 [DOG BARKS] 63 00:04:49,898 --> 00:04:53,336 MISHA: So, there are four big threats 64 00:04:53,336 --> 00:04:57,471 to the world and to the human race. 65 00:04:57,471 --> 00:04:59,603 One of them we've just experienced, 66 00:04:59,603 --> 00:05:01,736 that's the pandemic. 67 00:05:01,736 --> 00:05:04,826 Then you've got weapons of mass destruction. 68 00:05:04,826 --> 00:05:08,220 You've got climate change. 69 00:05:08,220 --> 00:05:13,965 But barrelling down towards us before those is cyber. 70 00:05:18,666 --> 00:05:20,537 [KEYBOARD KEYS CLICK] 71 00:05:24,498 --> 00:05:25,934 This is the possibility 72 00:05:25,934 --> 00:05:30,068 of our overdependency on network technologies 73 00:05:30,068 --> 00:05:34,943 being undermined, either by malfunctioning of the system... 74 00:05:34,943 --> 00:05:36,597 NEWSCASTER: New problems are emerging 75 00:05:36,597 --> 00:05:39,164 the day after an Amazon web service outage. 76 00:05:39,164 --> 00:05:42,254 Massive and mysterious, a global outage... 77 00:05:42,254 --> 00:05:45,214 ...or by a targeted attack. 78 00:05:45,214 --> 00:05:47,129 NEWSCASTER: More than a thousand companies 79 00:05:47,129 --> 00:05:49,305 have been crippled by this attack so far. 80 00:05:49,305 --> 00:05:52,264 Sounds like we're looking at a 2022 with more hacks, 81 00:05:52,264 --> 00:05:53,570 more lost money. 82 00:05:54,354 --> 00:05:57,095 [MODEMS DIAL] 83 00:05:59,924 --> 00:06:04,233 So, when I started hunting hackers in the early 1990s... 
84 00:06:05,452 --> 00:06:07,671 our enemy was really simple. 85 00:06:07,671 --> 00:06:10,152 All the malware, all the viruses, 86 00:06:10,152 --> 00:06:13,111 all the attacks were done by teenage boys. 87 00:06:13,111 --> 00:06:15,462 REPORTER: What will your parents think? 88 00:06:17,594 --> 00:06:20,815 I've been doing this job for two decades now. 89 00:06:24,253 --> 00:06:25,472 When we first started, 90 00:06:25,472 --> 00:06:27,909 the people writing viruses and malware 91 00:06:27,909 --> 00:06:29,476 were doing it for fun, 92 00:06:29,476 --> 00:06:32,392 to get their name in lights, to say, "Look what I can do." 93 00:06:32,392 --> 00:06:34,655 No flash, please. 94 00:06:34,655 --> 00:06:37,788 When I started analysing viruses, they looked like this. 95 00:06:37,788 --> 00:06:41,052 Malware was still spread on floppy disks. 96 00:06:41,052 --> 00:06:44,708 They were spreading at the speed of people travelling the world 97 00:06:44,708 --> 00:06:47,102 and carrying the viruses with them. 98 00:06:47,102 --> 00:06:50,540 [IN GERMAN] Michelangelo has proven less harmful than feared. 99 00:06:50,540 --> 00:06:53,108 All the stuff you've got in there you may really want, 100 00:06:53,108 --> 00:06:54,414 it's just gone? 101 00:06:54,414 --> 00:06:56,459 Then the internet came around, and suddenly, 102 00:06:56,459 --> 00:06:59,331 malware outbreaks could go around the world in seconds. 103 00:06:59,331 --> 00:07:00,942 For the last 36 hours, 104 00:07:00,942 --> 00:07:04,685 the ILOVEYOU virus has been creating havoc around the world. 105 00:07:04,685 --> 00:07:08,166 Experts have reason to worry. The first attack, July 19th, 106 00:07:08,166 --> 00:07:11,648 infected about 300,000 systems in nine hours. 107 00:07:11,648 --> 00:07:14,129 First of all, the guys who make a living doing security 108 00:07:14,129 --> 00:07:16,044 and are trying to protect themselves 109 00:07:16,044 --> 00:07:19,569 are scared shitless of you, because you can just ruin 'em. 
110 00:07:19,569 --> 00:07:20,875 After the period of time 111 00:07:20,875 --> 00:07:22,529 where hackers were just doing things for fun, 112 00:07:22,529 --> 00:07:26,010 some of them realised that they could use it to make money. 113 00:07:28,535 --> 00:07:31,668 Prior to, like, the 2000s... 114 00:07:31,668 --> 00:07:35,716 cyber was primarily around a disruption of websites... 115 00:07:36,630 --> 00:07:38,893 defacement of a webpage. 116 00:07:38,893 --> 00:07:42,505 Just as we got around 2000, the dot-com boom, the explosion, 117 00:07:42,505 --> 00:07:44,376 we started into what would become 118 00:07:44,376 --> 00:07:46,161 financially motivated hackers. 119 00:07:46,161 --> 00:07:49,033 This really flourished, especially in Eastern European, 120 00:07:49,033 --> 00:07:53,124 Russia, CIS bloc countries. 121 00:07:53,124 --> 00:07:55,953 MISHA: This was the time of gangster capitalism, 122 00:07:55,953 --> 00:08:00,001 when everyone's world in Eastern Europe was falling apart, 123 00:08:00,001 --> 00:08:02,612 where organised crime and... 124 00:08:02,612 --> 00:08:05,528 former members of the intelligence services 125 00:08:05,528 --> 00:08:09,314 were taking hold of the economy. 126 00:08:10,881 --> 00:08:14,276 So you had a lot of young people in the 1990s 127 00:08:14,276 --> 00:08:17,932 who were very good mathematicians, physicists, 128 00:08:17,932 --> 00:08:20,282 computer scientists, 129 00:08:20,282 --> 00:08:23,503 who simply took the logic and the morality 130 00:08:23,503 --> 00:08:26,593 of gangster capitalism online. 131 00:08:30,074 --> 00:08:32,163 MIKKO: Virus writers were writing viruses 132 00:08:32,163 --> 00:08:33,817 to infect Windows computers, 133 00:08:33,817 --> 00:08:36,951 and those computers were then sold to email spammers, 134 00:08:36,951 --> 00:08:39,954 who were using those machines to send Viagra spam 135 00:08:39,954 --> 00:08:42,652 or what have you, basically making money. 
136 00:08:42,652 --> 00:08:44,436 And that changed everything. 137 00:08:44,436 --> 00:08:47,135 [HIP-HOP MUSIC] 138 00:08:48,789 --> 00:08:51,574 ERIC: People at that time began to use online banking, 139 00:08:51,574 --> 00:08:54,621 and they began to steal people's online banking credentials, 140 00:08:54,621 --> 00:08:57,275 from there, also get credit card numbers, 141 00:08:57,275 --> 00:08:59,408 and use that to basically transfer funds. 142 00:08:59,408 --> 00:09:02,672 Just in hundreds of dollars at a time from these individuals. 143 00:09:02,672 --> 00:09:05,893 They eventually realised that going after individuals 144 00:09:05,893 --> 00:09:07,198 was much more difficult 145 00:09:07,198 --> 00:09:10,288 than just going after the banks themselves. 146 00:09:10,288 --> 00:09:11,942 Get into databases, 147 00:09:11,942 --> 00:09:14,423 those databases held credit card numbers. 148 00:09:14,423 --> 00:09:17,600 Take those numbers and then sell them on the black market. 149 00:09:17,600 --> 00:09:19,341 [EVIL LAUGHTER] 150 00:09:19,341 --> 00:09:23,345 NICOLE: Originally, the internet was set up at the Pentagon... 151 00:09:25,042 --> 00:09:29,003 just to be able to share resources between computers. 152 00:09:32,136 --> 00:09:35,226 And it was really never designed to have 153 00:09:35,226 --> 00:09:38,490 banking attached to it, 154 00:09:38,490 --> 00:09:41,711 critical infrastructure attached to it. 155 00:09:41,711 --> 00:09:44,366 It was really designed for availability. 156 00:09:44,366 --> 00:09:47,108 It was never designed for security. 157 00:09:48,500 --> 00:09:50,502 RAFAL: Whereas in the early 1990s 158 00:09:50,502 --> 00:09:53,505 when there was only 30,000 people connected to it 159 00:09:53,505 --> 00:09:56,813 and several hundred systems, we've moved to a system 160 00:09:56,813 --> 00:09:59,947 which essentially is the backbone of global finance. 161 00:10:01,339 --> 00:10:04,560 The fact that it's able to do that... 
162 00:10:04,560 --> 00:10:07,432 the fact that it's able to sustain currently between 163 00:10:07,432 --> 00:10:10,392 15 and 20 percent of GDP globally 164 00:10:10,392 --> 00:10:12,742 tells us something about just how important 165 00:10:12,742 --> 00:10:14,918 this infrastructure is. 166 00:10:14,918 --> 00:10:17,094 Why did people move into the internet 167 00:10:17,094 --> 00:10:18,661 to seek economic opportunity? 168 00:10:18,661 --> 00:10:21,621 Because that's where the economic opportunity was, 169 00:10:21,621 --> 00:10:23,579 untethered by norms, 170 00:10:23,579 --> 00:10:25,799 untethered by national boundaries, 171 00:10:25,799 --> 00:10:28,497 and essentially limited only by the creativity 172 00:10:28,497 --> 00:10:30,194 that these individuals had. 173 00:10:40,814 --> 00:10:43,817 REPORTER: The user nagged the Federal Reserve Bank 174 00:10:43,817 --> 00:10:48,386 with 35 payment instructions worth $951 million. 175 00:10:48,386 --> 00:10:50,867 ERIC: We'd just never heard of such a thing before. 176 00:10:50,867 --> 00:10:53,043 We'd been investigating cybercrime 177 00:10:53,043 --> 00:10:55,567 for a couple of decades at that point. 178 00:10:55,567 --> 00:10:57,700 You see cyber criminals go in, 179 00:10:57,700 --> 00:11:01,748 and they try to transfer a few hundred thousands of dollars, 180 00:11:01,748 --> 00:11:05,055 maybe a million, a couple of million. 181 00:11:05,055 --> 00:11:09,059 But conducting a cyber-attack to try to steal one billion? 182 00:11:09,059 --> 00:11:13,020 That was an order of magnitude that we had never seen before. 183 00:11:13,020 --> 00:11:14,674 It was clear from early on 184 00:11:14,674 --> 00:11:18,112 that it was one of the biggest cyber heists in the world. 185 00:11:18,112 --> 00:11:20,505 When we first started hearing rumours 186 00:11:20,505 --> 00:11:23,813 about something affecting SWIFT network, 187 00:11:23,813 --> 00:11:26,424 I didn't understand how big it was. 
188 00:11:26,424 --> 00:11:28,122 But when we started realising 189 00:11:28,122 --> 00:11:30,646 this is at a completely different scale, 190 00:11:30,646 --> 00:11:32,561 it just blew my mind. 191 00:11:46,314 --> 00:11:47,445 ERIC: Once they realised 192 00:11:47,445 --> 00:11:49,578 that the money actually was really gone, 193 00:11:49,578 --> 00:11:51,623 then the panic began to set in. 194 00:11:51,623 --> 00:11:56,890 They lost $81 million instantly to a bank in the Philippines. 195 00:11:56,890 --> 00:11:59,980 MISHA: They see the $81 million has already gone 196 00:11:59,980 --> 00:12:05,855 and that nearly $900 million extra has been requested. 197 00:12:08,815 --> 00:12:13,254 They basically try to figure out what to do next. 198 00:12:13,254 --> 00:12:15,865 They have no idea what to do. 199 00:12:15,865 --> 00:12:19,129 They hunted for ways to contact the New York Fed. 200 00:12:19,129 --> 00:12:20,957 [PHONE DIALLING] 201 00:12:20,957 --> 00:12:23,655 Desperate calls are made by them. 202 00:12:24,395 --> 00:12:26,136 [PHONE RINGS] 203 00:12:27,834 --> 00:12:29,749 MISHA: And it goes to an answering machine. 204 00:12:29,749 --> 00:12:31,751 You've reached the Federal Reserve Bank... 205 00:12:31,751 --> 00:12:33,622 Because it's Saturday in New York, 206 00:12:33,622 --> 00:12:36,016 and nobody's picking up the phone. 207 00:12:36,016 --> 00:12:39,106 - Please call back... - It's a complete shitshow. 208 00:12:39,106 --> 00:12:43,153 Total disorganisation, at both ends, I would stress. 209 00:12:45,503 --> 00:12:49,246 The New York Times Magazine was planning a true-crime issue, 210 00:12:49,246 --> 00:12:50,421 and my editor came to me 211 00:12:50,421 --> 00:12:52,902 and asked I was interested in doing it. 212 00:12:54,251 --> 00:12:55,600 I looked into it a bit. 213 00:12:55,600 --> 00:12:58,125 There definitely were some intriguing elements, 214 00:12:58,125 --> 00:12:59,779 and made me pay attention. 
215 00:13:02,129 --> 00:13:04,435 The Federal Reserve has pretty much 216 00:13:04,435 --> 00:13:07,177 depended on the SWIFT banking system, 217 00:13:07,177 --> 00:13:11,878 and since there has rarely been a hack, if ever, 218 00:13:11,878 --> 00:13:14,837 of the SWIFT banking system... 219 00:13:14,837 --> 00:13:18,058 the Federal Reserve has never instituted 220 00:13:18,058 --> 00:13:20,800 any sort of 24-7 hotline. 221 00:13:20,800 --> 00:13:22,540 [DIALLING] 222 00:13:22,540 --> 00:13:26,501 MISHA: Eventually, they get hold of somebody at SWIFT, 223 00:13:26,501 --> 00:13:28,155 and SWIFT says, 224 00:13:28,155 --> 00:13:29,765 "Just shut the whole lot down 225 00:13:29,765 --> 00:13:32,507 until we know what's going on here." 226 00:13:32,507 --> 00:13:36,163 Badrul Khan decides before he can actually make that decision, 227 00:13:36,163 --> 00:13:39,166 he has to talk to the deputy governor of the bank, 228 00:13:39,166 --> 00:13:40,820 which he does. 229 00:13:40,820 --> 00:13:43,823 Deputy governor doesn't want to take the decision upon himself, 230 00:13:43,823 --> 00:13:47,435 so he talks to the governor. And guess what. 231 00:13:47,435 --> 00:13:50,655 The governor says, "It's probably a mistake. 232 00:13:50,655 --> 00:13:52,614 We won't shut it down." 233 00:13:56,009 --> 00:13:58,750 JOSHUA: Work week begins at the Bangladesh Bank 234 00:13:58,750 --> 00:14:00,187 on Sunday morning, 235 00:14:00,187 --> 00:14:02,972 and it's then that the general manager of the bank 236 00:14:02,972 --> 00:14:05,845 comes in and begins to take stock of what had happened. 237 00:14:05,845 --> 00:14:07,411 MISHA: They're running out of options. 238 00:14:07,411 --> 00:14:11,111 They're not sure what to do. Fed is still closed in New York. 239 00:14:11,111 --> 00:14:13,200 They go through all the SWIFT material, 240 00:14:13,200 --> 00:14:16,072 discover that most of the money has gone 241 00:14:16,072 --> 00:14:18,205 to the bank in Manila. 
242 00:14:18,205 --> 00:14:21,164 JOSHUA: And these desperate messages are sent out: 243 00:14:21,164 --> 00:14:22,600 "Stop the transactions. 244 00:14:22,600 --> 00:14:25,168 Hold that money. Do not allow it to be withdrawn. 245 00:14:25,168 --> 00:14:27,127 It's our money. It's been stolen." 246 00:14:28,650 --> 00:14:30,260 MISHA: But there's a problem. 247 00:14:30,260 --> 00:14:32,219 ALL: Five, four, 248 00:14:32,219 --> 00:14:35,135 three, two, one! 249 00:14:35,135 --> 00:14:37,920 Happy New Year! 250 00:14:37,920 --> 00:14:39,879 [ALL CHEER] 251 00:14:41,924 --> 00:14:43,795 MISHA: It's Chinese New Year, 252 00:14:43,795 --> 00:14:46,929 and the Rizal Commercial Bank is closed. 253 00:14:46,929 --> 00:14:48,975 [SOMBRE MUSIC] 254 00:14:51,673 --> 00:14:56,199 JOSHUA: The thieves chose a sequence of days... 255 00:14:56,199 --> 00:15:00,638 from Friday, Saturday, Sunday and Monday, 256 00:15:00,638 --> 00:15:03,815 when one or another of the three countries 257 00:15:03,815 --> 00:15:06,557 that would be communicating with one another 258 00:15:06,557 --> 00:15:09,169 was shut down for a holiday. 259 00:15:15,566 --> 00:15:17,612 MISHA: You've got to hand it to these guys. 260 00:15:17,612 --> 00:15:19,005 They knew it. 261 00:15:19,005 --> 00:15:21,703 They knew that if they did it over that weekend, 262 00:15:21,703 --> 00:15:23,966 with the Friday, the Muslim holiday, 263 00:15:23,966 --> 00:15:27,187 the Sunday and the Saturday, everything closed in New York, 264 00:15:27,187 --> 00:15:30,538 and the Monday, Chinese New Year. 265 00:15:32,322 --> 00:15:37,110 They've got four days to get the heist done. 266 00:15:37,110 --> 00:15:39,373 This is really classy planning. 267 00:15:41,375 --> 00:15:45,422 JOSHUA: In that respect, it was really an ingenious plan. 268 00:15:45,422 --> 00:15:49,426 It's kind of like a great film director in a malevolent way, 269 00:15:49,426 --> 00:15:53,082 planning out, you know, a very complex film. 
270 00:15:56,433 --> 00:15:58,131 ERIC: The country of Bangladesh 271 00:15:58,131 --> 00:16:01,873 is the 170th poorest country in the world. 272 00:16:01,873 --> 00:16:04,267 One billion dollars is huge to them. 273 00:16:04,267 --> 00:16:06,356 When we talk about cyber-attacks, 274 00:16:06,356 --> 00:16:08,054 they're not just zeros and ones. 275 00:16:08,054 --> 00:16:10,186 We're not just talking about people 276 00:16:10,186 --> 00:16:13,755 moving around zeros and ones, deleting zeros and ones. 277 00:16:15,539 --> 00:16:18,107 One billion dollars to Bangladesh 278 00:16:18,107 --> 00:16:21,545 potentially means that people starve in the country. 279 00:16:21,545 --> 00:16:25,245 These things have potential serious repercussions. 280 00:16:27,725 --> 00:16:30,206 MISHA: The Bangladesh Bank heist was significant 281 00:16:30,206 --> 00:16:34,297 because it showed how fragile global banking was as a whole. 282 00:16:36,169 --> 00:16:40,260 Banks don't just operate as single isolated entities. 283 00:16:40,260 --> 00:16:42,784 They're part of a system. 284 00:16:42,784 --> 00:16:45,482 And that system is vulnerable. 285 00:16:47,702 --> 00:16:52,402 The US Federal Reserve holds trillions of dollars in accounts 286 00:16:52,402 --> 00:16:55,579 kept by central banks all around the world. 287 00:16:55,579 --> 00:16:59,279 Its computer security systems are state of the art, making it 288 00:16:59,279 --> 00:17:03,587 one of the most difficult financial institutions to hack. 289 00:17:07,287 --> 00:17:10,551 The criminals realise that it can't get into 290 00:17:10,551 --> 00:17:14,076 the network system of the Fed, 291 00:17:14,076 --> 00:17:17,906 but the Fed has to talk to other central banks 292 00:17:17,906 --> 00:17:19,777 around the world, 293 00:17:19,777 --> 00:17:23,390 and this is where they find a flaw. 
294 00:17:23,390 --> 00:17:25,305 [KEYBOARD KEYS CLICK SOFTLY] 295 00:17:25,305 --> 00:17:27,437 The criminals turn their attention 296 00:17:27,437 --> 00:17:30,440 to the banks' communication systems. 297 00:17:31,963 --> 00:17:35,402 Every day, the Fed places thousands of transactions 298 00:17:35,402 --> 00:17:39,058 on behalf of the central banks that hold US dollar reserves 299 00:17:39,058 --> 00:17:40,320 at the Fed. 300 00:17:40,320 --> 00:17:42,757 The Federal Reserve has pretty much depended 301 00:17:42,757 --> 00:17:45,107 on the SWIFT banking system 302 00:17:45,107 --> 00:17:48,067 to get its instructions about transfers. 303 00:17:48,067 --> 00:17:51,026 SWIFT sends money around the world 304 00:17:51,026 --> 00:17:52,941 to thousands of member banks. 305 00:17:52,941 --> 00:17:57,946 It's the main way that banks dispatch money to one another. 306 00:17:59,165 --> 00:18:01,602 ERIC: SWIFT allows you to transfer money 307 00:18:01,602 --> 00:18:02,777 from one bank to another, 308 00:18:02,777 --> 00:18:04,561 no matter where you are in the world. 309 00:18:04,561 --> 00:18:07,347 Make international wire transfers. 310 00:18:07,347 --> 00:18:11,568 MISHA: The whole banking system is integrated, 311 00:18:11,568 --> 00:18:15,659 and they depend above all else on SWIFT, 312 00:18:15,659 --> 00:18:21,143 the international transaction mechanisms, to work. 313 00:18:21,143 --> 00:18:23,319 ERIC: What it means is, all it takes 314 00:18:23,319 --> 00:18:28,803 is a single weak link to bring down the whole network. 315 00:18:30,370 --> 00:18:33,373 So although the target is the Fed, 316 00:18:33,373 --> 00:18:37,725 they are looking for a bank with which the Fed communicates, 317 00:18:37,725 --> 00:18:42,338 which holds a lot of its reserves in New York. 
318 00:18:42,338 --> 00:18:44,123 But it's a long way away, 319 00:18:44,123 --> 00:18:48,562 in a distant time zone from the Fed, 320 00:18:48,562 --> 00:18:51,304 and it's likely to have 321 00:18:51,304 --> 00:18:56,396 patchy security systems in place in its computer network. 322 00:18:58,963 --> 00:19:00,791 KRISHNA: My colleagues in Dhaka, 323 00:19:00,791 --> 00:19:04,012 they were chasing it for a long time. 324 00:19:04,012 --> 00:19:07,450 It was a robbery of a scale that we hadn't heard of. 325 00:19:09,235 --> 00:19:11,585 The first thought that came to my mind was, 326 00:19:11,585 --> 00:19:14,631 because it was the Bangladeshi Central Bank, 327 00:19:14,631 --> 00:19:17,243 I thought the hackers found it 328 00:19:17,243 --> 00:19:19,549 somehow easier to target it. 329 00:19:19,549 --> 00:19:21,377 Because it was Bangladesh, 330 00:19:21,377 --> 00:19:24,424 I suspected they would be more vulnerable 331 00:19:24,424 --> 00:19:26,774 to cyber-attacks as such. 332 00:19:28,515 --> 00:19:31,344 JOSHUA: "Hmm. A Bangladeshi bank. 333 00:19:31,344 --> 00:19:33,998 Probably doesn't have the same level of security 334 00:19:33,998 --> 00:19:36,218 and if they do, it's probably one or two people, 335 00:19:36,218 --> 00:19:40,222 not a team of 6,000 working on it. 336 00:19:41,136 --> 00:19:42,355 Let's go for it." 337 00:19:42,355 --> 00:19:44,661 ERIC: These attackers weren't just skilled 338 00:19:44,661 --> 00:19:45,923 in breaching networks, 339 00:19:45,923 --> 00:19:47,838 figuring out how to get into an organisation. 340 00:19:47,838 --> 00:19:52,016 They had to study that SWIFT software deeply. 341 00:19:52,016 --> 00:19:55,194 This attack happened well before that February 5th, 342 00:19:55,194 --> 00:19:56,847 when the bank employee walked in 343 00:19:56,847 --> 00:19:59,894 and saw that printer hadn't printed out the audit jobs 344 00:19:59,894 --> 00:20:01,939 and couldn't figure out what was going on. 
345 00:20:01,939 --> 00:20:04,812 This attack started more than a year prior to that. 346 00:20:04,812 --> 00:20:07,293 These attackers had been working for months 347 00:20:07,293 --> 00:20:09,120 in the build-up until that day. 348 00:20:09,120 --> 00:20:11,253 It is a mistake for people to think 349 00:20:11,253 --> 00:20:13,560 that this was something that happened overnight. 350 00:20:13,560 --> 00:20:15,649 It is a mistake for people to think 351 00:20:15,649 --> 00:20:18,956 that this happened in a month, or two months or three months. 352 00:20:18,956 --> 00:20:21,394 It is a slow, methodical approach, 353 00:20:21,394 --> 00:20:25,528 because it's a business, all right? You build it. 354 00:20:32,274 --> 00:20:35,146 Bank robberies used to be something that happened 355 00:20:35,146 --> 00:20:37,497 in the real world. 356 00:20:37,497 --> 00:20:40,630 Now they only happen in the online world. 357 00:20:42,806 --> 00:20:46,767 If you would try to steal $100 million in banknotes, 358 00:20:46,767 --> 00:20:49,160 that would be, like, ten trucks full of notes. 359 00:20:49,160 --> 00:20:51,511 If you drive ten trucks full of notes out of the bank, 360 00:20:51,511 --> 00:20:54,035 someone would notice. 361 00:20:54,035 --> 00:20:57,299 But when you do the same thing online, no one notices anything. 362 00:20:57,299 --> 00:21:01,042 Every movie you've ever seen of them breaking into a bank 363 00:21:01,042 --> 00:21:03,436 is them doing it over a bank holiday 364 00:21:03,436 --> 00:21:05,394 or something of that nature. 365 00:21:05,394 --> 00:21:07,222 Same concept here. 366 00:21:12,096 --> 00:21:15,361 This isn't Matthew Broderick sitting in front of a computer, 367 00:21:15,361 --> 00:21:17,450 like War Games back in the 1980s, 368 00:21:17,450 --> 00:21:19,321 some kid in their basement. 369 00:21:21,105 --> 00:21:24,370 These are criminal organisations. 370 00:21:24,370 --> 00:21:26,023 Each person has a skill set. 
371 00:21:26,023 --> 00:21:29,070 It's kind of like that Ocean's Eleven-type thing. 372 00:21:30,593 --> 00:21:33,074 You know, "This guy could crack the bank, 373 00:21:33,074 --> 00:21:35,337 this guy could do the surveillance cameras, 374 00:21:35,337 --> 00:21:37,774 this is the getaway, this is the conman." 375 00:21:37,774 --> 00:21:39,559 You all have a role to play, 376 00:21:39,559 --> 00:21:42,301 and you need everybody to execute their role 377 00:21:42,301 --> 00:21:44,085 to the best of their abilities 378 00:21:44,085 --> 00:21:46,870 for you to be successful and get it out. 379 00:21:48,742 --> 00:21:53,007 MISHA: So how do you pull off a heist of this magnitude? 380 00:21:53,007 --> 00:21:58,317 It takes the right crew of highly skilled specialists. 381 00:21:58,317 --> 00:22:03,191 And it all starts not with ones and zeros, but with people. 382 00:22:07,151 --> 00:22:10,590 Cybercrime is about gaining credentials 383 00:22:10,590 --> 00:22:12,635 to gain access, 384 00:22:12,635 --> 00:22:15,421 stealing the keys. 385 00:22:15,421 --> 00:22:19,816 The social engineer is critical to a hack. 386 00:22:19,816 --> 00:22:22,253 It's how you get in, and you get in 387 00:22:22,253 --> 00:22:26,388 not through digital means, you get in through human means. 388 00:22:26,388 --> 00:22:28,956 It's to do with psychology. 389 00:22:31,306 --> 00:22:35,528 The criminals have to ensnare one of the employees 390 00:22:35,528 --> 00:22:38,052 of the Bangladeshi Bank, 391 00:22:38,052 --> 00:22:41,882 beginning by going through their social media profiles 392 00:22:41,882 --> 00:22:44,711 and looking for suitable targets. 
393 00:22:45,929 --> 00:22:48,932 Our relationship with the computer 394 00:22:48,932 --> 00:22:51,848 is one of perceived intimacy; 395 00:22:51,848 --> 00:22:54,373 that when we're using a computer, 396 00:22:54,373 --> 00:22:57,767 no one else can see what we're doing, we believe, 397 00:22:57,767 --> 00:23:00,379 and it's just us and the screen. 398 00:23:02,119 --> 00:23:05,819 And if we were to read an email from a friend, 399 00:23:05,819 --> 00:23:08,909 we tend to believe it at face value. 400 00:23:12,216 --> 00:23:15,219 ERIC: They found close to three dozen employees. 401 00:23:15,219 --> 00:23:18,832 And they constructed a simple spear-phish email: 402 00:23:18,832 --> 00:23:21,748 an email message that pretended to be from a guy 403 00:23:21,748 --> 00:23:24,446 named Rasal Alam. 404 00:23:24,446 --> 00:23:26,056 And Rasal Alam said, 405 00:23:26,056 --> 00:23:28,581 "Hey, I just wanna work at your company. 406 00:23:28,581 --> 00:23:31,410 Here's a résumé attached. Have a look." 407 00:23:31,410 --> 00:23:34,108 And it turned out that they mailed that 408 00:23:34,108 --> 00:23:36,893 to about 36 different employees, and three of them 409 00:23:36,893 --> 00:23:39,722 opened that attachment connected to that email. 410 00:23:40,984 --> 00:23:42,333 It was a zip file, 411 00:23:42,333 --> 00:23:44,640 and the zip file contained just a document inside. 412 00:23:44,640 --> 00:23:47,295 They opened up the document and it was his résumé. 413 00:23:47,295 --> 00:23:50,733 It was a résumé for Rasel Ahlam, who wanted to work at the bank, 414 00:23:50,733 --> 00:23:52,996 but unbeknownst to those individuals, 415 00:23:52,996 --> 00:23:56,826 also contained malicious code inside. 416 00:23:56,826 --> 00:23:58,741 MIKKO: We can look at any data breach, 417 00:23:58,741 --> 00:24:01,222 and the root cause has either been 418 00:24:01,222 --> 00:24:03,311 a technical problem 419 00:24:03,311 --> 00:24:05,400 or a people problem.
420 00:24:05,400 --> 00:24:08,229 And the technical problems can be really hard 421 00:24:08,229 --> 00:24:10,536 and really expensive and really slow to fix, 422 00:24:10,536 --> 00:24:12,581 but at least we can fix them. 423 00:24:12,581 --> 00:24:16,150 But in the end, we have no patch for human brains. 424 00:24:17,804 --> 00:24:22,243 There's no way to fix the people who do stupid mistakes. 425 00:24:22,243 --> 00:24:23,723 When attackers try to send 426 00:24:23,723 --> 00:24:27,030 these spear-phishing emails, they try to do two things. 427 00:24:27,030 --> 00:24:30,512 They try to look very normal. It was just a résumé. 428 00:24:30,512 --> 00:24:31,818 They try to fly under the radar, 429 00:24:31,818 --> 00:24:33,515 to look as legitimate as possible. 430 00:24:33,515 --> 00:24:37,476 And the second is they often try to use enticing techniques. 431 00:24:43,612 --> 00:24:47,050 New dangers tonight from the Love Bug computer virus, 432 00:24:47,050 --> 00:24:49,966 this time disguised as a friendlier email. 433 00:24:49,966 --> 00:24:53,579 The first internet virus that went around the world 434 00:24:53,579 --> 00:24:57,887 in less than 48 hours was called the ILOVEYOU virus. 435 00:24:57,887 --> 00:25:00,499 And already, business interruption costs 436 00:25:00,499 --> 00:25:03,676 are estimated at more than a billion dollars. 437 00:25:03,676 --> 00:25:06,592 MISHA: You would be sitting there working away, 438 00:25:06,592 --> 00:25:08,507 and then suddenly, in your inbox, 439 00:25:08,507 --> 00:25:12,554 you get an email which says, "I love you." 440 00:25:12,554 --> 00:25:15,252 And it could well be that this is a person 441 00:25:15,252 --> 00:25:17,820 who you've always held a torch for. 442 00:25:17,820 --> 00:25:20,344 And so, of course, you're very excited, 443 00:25:20,344 --> 00:25:24,087 and you press on the link, and then you're doomed.
444 00:25:24,087 --> 00:25:26,873 What happens is, the virus infects your machine 445 00:25:26,873 --> 00:25:29,963 and proceeds to email everyone you've ever emailed. 446 00:25:29,963 --> 00:25:32,618 The end result of that is the mail servers 447 00:25:32,618 --> 00:25:33,706 get bogged down, 448 00:25:33,706 --> 00:25:36,143 and the only way to solve the problem 449 00:25:36,143 --> 00:25:39,276 is to shut the servers down, hence the interruption. 450 00:25:39,276 --> 00:25:42,323 The ILOVEYOU virus was one of the first viruses 451 00:25:42,323 --> 00:25:45,065 that had really worldwide impact. 452 00:25:45,065 --> 00:25:47,110 [CLAMOURING] 453 00:25:47,110 --> 00:25:49,722 It was still a virus written by a guy 454 00:25:49,722 --> 00:25:52,594 that just wanted to get his name in lights. 455 00:25:52,594 --> 00:25:53,813 He wanted to see his virus 456 00:25:53,813 --> 00:25:55,597 travel around the world a little bit 457 00:25:55,597 --> 00:25:57,381 and maybe get in the news somewhere, 458 00:25:57,381 --> 00:25:59,819 and then him be able to say, "Oh, I wrote that." 459 00:25:59,819 --> 00:26:03,083 REPORTER: Mr de Guzman hardly seemed to comprehend the chaos 460 00:26:03,083 --> 00:26:05,041 inflicted on the world's computers. 461 00:26:05,041 --> 00:26:08,610 But what happened was, it spread so quickly and so fast, 462 00:26:08,610 --> 00:26:11,265 it brought down email all over the world, 463 00:26:11,265 --> 00:26:13,920 and having email go down was monumental. 464 00:26:13,920 --> 00:26:17,358 Experts say that the ILOVEYOU virus could end up costing 465 00:26:17,358 --> 00:26:21,580 the world economy $10 billion in lost work time. 466 00:26:21,580 --> 00:26:25,627 It became the first sign to show that we relied on the internet. 467 00:26:25,627 --> 00:26:29,196 The internet was the basis for our financial transactions, 468 00:26:29,196 --> 00:26:31,154 for the way we do business. 
469 00:26:32,460 --> 00:26:33,635 I would talk to people 470 00:26:33,635 --> 00:26:35,332 and remind them and educate them and say, 471 00:26:35,332 --> 00:26:36,899 "Look, you can't just click 472 00:26:36,899 --> 00:26:39,380 on any attachment that comes to you in an email." 473 00:26:39,380 --> 00:26:42,818 I remember talking to a guy about the Anna Kournikova virus 474 00:26:42,818 --> 00:26:45,995 that purported to be nude pictures of Anna Kournikova. 475 00:26:45,995 --> 00:26:48,955 And he told me, he said, "Yeah, I knew it was a virus. 476 00:26:48,955 --> 00:26:52,088 I thought it was probably a virus. But what if it wasn't? 477 00:26:52,088 --> 00:26:53,960 What if it really was nude pictures? 478 00:26:53,960 --> 00:26:55,788 So I double-clicked on it." 479 00:26:56,919 --> 00:26:58,399 People just don't realise 480 00:26:58,399 --> 00:27:02,055 what clicking on that attachment means. 481 00:27:02,055 --> 00:27:06,102 Cyber criminals and hackers realised a long time ago 482 00:27:06,102 --> 00:27:09,018 that your username and password, 483 00:27:09,018 --> 00:27:11,804 particularly to your email account, 484 00:27:11,804 --> 00:27:15,285 could get them into your stock brokerage account, 485 00:27:15,285 --> 00:27:18,201 to your online banking account, 486 00:27:18,201 --> 00:27:23,903 to send phishing emails to other contacts. 487 00:27:23,903 --> 00:27:27,994 MISHA: If you protect yourself properly, 488 00:27:27,994 --> 00:27:31,214 the chances are you won't be a victim 489 00:27:31,214 --> 00:27:35,218 of what one would call "drive-by hacking". 490 00:27:35,218 --> 00:27:39,483 If, however, you're being specifically targeted 491 00:27:39,483 --> 00:27:42,965 by a hacking group, they will follow that trace. 492 00:27:43,879 --> 00:27:45,533 And they will get you. 
493 00:27:46,839 --> 00:27:48,449 [MOUSE CLICKS] 494 00:27:48,449 --> 00:27:53,280 Now, we know that at least three members of the Bangladeshi Bank 495 00:27:53,280 --> 00:27:56,587 were targeted by this after the social engineer 496 00:27:56,587 --> 00:27:58,981 had scanned all of their social media, 497 00:27:58,981 --> 00:28:00,722 and at least three of them 498 00:28:00,722 --> 00:28:04,073 opened the letter and took the bait. 499 00:28:04,073 --> 00:28:06,249 ERIC: Once that code began executing 500 00:28:06,249 --> 00:28:08,295 on those bank employees' computers, 501 00:28:08,295 --> 00:28:10,906 it would reach out back to the attackers 502 00:28:10,906 --> 00:28:13,866 and tell them that these machines are now infected 503 00:28:13,866 --> 00:28:15,302 and give them full control, 504 00:28:15,302 --> 00:28:18,044 as if they were sitting in front of the keyboard, 505 00:28:18,044 --> 00:28:21,134 just like those employees. 506 00:28:21,134 --> 00:28:23,745 KRISHNA: There was malware in the system 507 00:28:23,745 --> 00:28:26,574 that was actually copying screenshots, 508 00:28:28,358 --> 00:28:33,450 copying keystrokes of employees, and no one knew. 509 00:28:33,450 --> 00:28:35,801 MISHA: They've got their foot in the door. 510 00:28:35,801 --> 00:28:38,760 This is the essential first step. 511 00:28:38,760 --> 00:28:42,677 The first layer of security has been breached. 512 00:28:48,639 --> 00:28:52,339 And the digger, the person who is getting deeper and deeper 513 00:28:52,339 --> 00:28:54,558 into the computer network, 514 00:28:54,558 --> 00:28:58,258 has to be a very advanced hacker. 515 00:28:58,258 --> 00:29:02,958 This is when you need a real professional. 516 00:29:02,958 --> 00:29:05,656 They're like ghosts. Nobody can see them, 517 00:29:05,656 --> 00:29:10,009 but they're mapping every single bit of that network. 
518 00:29:11,967 --> 00:29:13,577 In the Bank of Bangladesh, 519 00:29:13,577 --> 00:29:16,145 you had computers that are all interconnected to each other, 520 00:29:16,145 --> 00:29:19,279 and they're connected using what's called a switch. 521 00:29:19,279 --> 00:29:23,022 In your average bank, that has a good security program, 522 00:29:23,022 --> 00:29:25,676 those switches are what's called segmented. 523 00:29:25,676 --> 00:29:27,591 So each of those switches only allow 524 00:29:27,591 --> 00:29:30,290 a certain number of computers to talk to each other 525 00:29:30,290 --> 00:29:32,814 rather than every computer to talk to each other. 526 00:29:32,814 --> 00:29:35,382 But in the case of the Bank of Bangladesh, 527 00:29:35,382 --> 00:29:38,559 in the back-office network, they were using these very cheap, 528 00:29:38,559 --> 00:29:42,084 literally $10 switches that didn't do any segmentation. 529 00:29:42,084 --> 00:29:45,348 Every computer was potentially connected to each other. 530 00:29:45,348 --> 00:29:48,308 Basically, it's a cost-cutting exercise. 531 00:29:48,308 --> 00:29:53,530 But that cost-cutting exercise was what the digger needed. 532 00:29:53,530 --> 00:29:55,489 ERIC: Those attackers began to do 533 00:29:55,489 --> 00:29:58,231 what we call a lateral traverse across the network, 534 00:29:58,231 --> 00:30:01,147 search for other computers to infect, 535 00:30:01,147 --> 00:30:03,062 look for credentials. 536 00:30:04,585 --> 00:30:06,848 Whenever you log into a computer, 537 00:30:06,848 --> 00:30:08,676 your credentials are cached. 538 00:30:08,676 --> 00:30:11,331 They're put into the memory of the computer. 539 00:30:11,331 --> 00:30:14,290 Attackers are able to filter through that memory 540 00:30:14,290 --> 00:30:16,640 and find used usernames and passwords. 
541 00:30:16,640 --> 00:30:19,469 They don't always know what they're for, 542 00:30:19,469 --> 00:30:22,385 so they try to collect as many credentials as they can 543 00:30:22,385 --> 00:30:25,432 and see, "What computers can I see from this computer?", 544 00:30:25,432 --> 00:30:27,608 and just begin to use them over and over again 545 00:30:27,608 --> 00:30:28,652 and just try them. 546 00:30:28,652 --> 00:30:31,264 [VIDEO GAME MUSIC] 547 00:30:31,264 --> 00:30:32,613 Eventually, they hop on 548 00:30:32,613 --> 00:30:35,050 and are able to connect to another computer. 549 00:30:35,050 --> 00:30:36,312 They get onto that one. 550 00:30:36,312 --> 00:30:38,271 It's still not what they're interested in, 551 00:30:38,271 --> 00:30:40,664 but they're able to find more usernames and passwords 552 00:30:40,664 --> 00:30:42,405 and try those on all the other computers 553 00:30:42,405 --> 00:30:44,190 they can see from that advantage point. 554 00:30:44,190 --> 00:30:48,020 That's how they move across the network over and over again. 555 00:30:48,020 --> 00:30:50,544 They would delete all traces of themselves 556 00:30:50,544 --> 00:30:52,894 as they moved across the network, 557 00:30:52,894 --> 00:30:55,636 ultimately jumping from computer to computer 558 00:30:55,636 --> 00:30:57,681 until they found the SWIFT terminal, 559 00:30:57,681 --> 00:31:00,815 their ultimate goal in order to make wire transfers 560 00:31:00,815 --> 00:31:02,817 out of the Bank of Bangladesh. 561 00:31:04,993 --> 00:31:06,777 MISHA: It takes a long time. 562 00:31:06,777 --> 00:31:10,172 They're there for months. This is an ongoing process. 563 00:31:10,172 --> 00:31:14,220 If at any moment they're discovered to be in there, 564 00:31:14,220 --> 00:31:18,137 then the whole operation is finished. 565 00:31:22,141 --> 00:31:24,056 With the Bangladeshi Bank heist, 566 00:31:24,056 --> 00:31:27,276 you basically have two operations running in parallel. 
567 00:31:27,276 --> 00:31:29,670 You have an offline operation going on, 568 00:31:29,670 --> 00:31:32,238 which is to do with the money laundering. 569 00:31:36,895 --> 00:31:38,940 It's the fence's responsibility 570 00:31:38,940 --> 00:31:43,902 to set up the recipient accounts. 571 00:31:43,902 --> 00:31:46,382 ERIC: They're gonna end up with cold, hard cash, 572 00:31:46,382 --> 00:31:48,080 and they need individuals on the ground 573 00:31:48,080 --> 00:31:50,909 to pick up that cash and move it. 574 00:31:53,172 --> 00:31:54,434 And so, in May of 2015, 575 00:31:54,434 --> 00:31:56,871 before they'd even got into the SWIFT terminal, 576 00:31:56,871 --> 00:31:59,656 they were able to recruit a Chinese individual 577 00:31:59,656 --> 00:32:03,312 to go to the Philippines and open up four bank accounts there 578 00:32:03,312 --> 00:32:05,227 at a bank called RCBC. 579 00:32:05,227 --> 00:32:08,883 MISHA: You have to make sure those people inside the bank 580 00:32:08,883 --> 00:32:10,711 in the Philippines 581 00:32:10,711 --> 00:32:12,974 have been properly corrupted 582 00:32:12,974 --> 00:32:17,674 and properly instructed as to what their role is. 583 00:32:17,674 --> 00:32:20,068 The fence opens up these accounts, 584 00:32:20,068 --> 00:32:22,592 puts $500 in each of them, 585 00:32:22,592 --> 00:32:25,726 and then they just go to sleep for nine months. 586 00:32:28,598 --> 00:32:31,950 ERIC: These attackers were inside the Bank of Bangladesh 587 00:32:31,950 --> 00:32:34,822 for a full year, which is incredible. 588 00:32:41,307 --> 00:32:43,265 They actually got onto that SWIFT terminal 589 00:32:43,265 --> 00:32:44,788 exactly one year later... 590 00:32:47,617 --> 00:32:50,229 on January 29th, 2016. 591 00:32:55,495 --> 00:32:58,019 In any bank, you have different employees. 
592 00:32:58,019 --> 00:33:01,414 You have back-office employees, administrative employees, 593 00:33:01,414 --> 00:33:04,330 but you also have computers that are connected 594 00:33:04,330 --> 00:33:07,159 directly to financial transactions. 595 00:33:07,159 --> 00:33:11,076 And only users who have specific access to those machines 596 00:33:11,076 --> 00:33:12,555 are allowed to use them. 597 00:33:12,555 --> 00:33:15,036 When we talk about the case of the Bank of Bangladesh, 598 00:33:15,036 --> 00:33:18,605 there was a single computer that had credentials 599 00:33:18,605 --> 00:33:20,085 from a shared employee. 600 00:33:20,085 --> 00:33:23,218 You had an employee that would use that SWIFT terminal, 601 00:33:23,218 --> 00:33:26,830 but also had their own computer in the normal back-office area. 602 00:33:26,830 --> 00:33:29,355 Once they got onto that employee's computer, 603 00:33:29,355 --> 00:33:31,052 they were able to jump across. 604 00:33:31,052 --> 00:33:34,969 They waited. They basically did a recon on the system. 605 00:33:34,969 --> 00:33:36,579 They crawled around. 606 00:33:36,579 --> 00:33:39,756 They looked and tried to fully understand how this worked, 607 00:33:39,756 --> 00:33:43,804 how SWIFT worked, how each bank employee would make a request 608 00:33:43,804 --> 00:33:47,155 into the SWIFT system, where it would go, 609 00:33:47,155 --> 00:33:49,244 how to direct that to branches 610 00:33:49,244 --> 00:33:52,117 where they had set up these accounts. 611 00:33:52,117 --> 00:33:55,729 And in this case, it was just very simple and very clever. 612 00:33:58,166 --> 00:34:00,342 The thief is not so much someone 613 00:34:00,342 --> 00:34:03,302 who is physically taking out the money 614 00:34:03,302 --> 00:34:05,695 and stuffing it into a bag. 615 00:34:05,695 --> 00:34:07,610 They're making sure 616 00:34:07,610 --> 00:34:12,572 that every bit on the system is coordinated. 
617 00:34:12,572 --> 00:34:16,228 There are all sorts of things to get right 618 00:34:16,228 --> 00:34:21,494 before that fatal moment when the request is made. 619 00:34:21,494 --> 00:34:24,105 Everything has to be 620 00:34:24,105 --> 00:34:26,716 really, really precisely coordinated 621 00:34:26,716 --> 00:34:29,937 to get all the timing right. You've got four days. 622 00:34:29,937 --> 00:34:31,547 You can't afford a slip-up. 623 00:34:31,547 --> 00:34:34,333 When the attackers got into the SWIFT terminal 624 00:34:34,333 --> 00:34:38,728 on January 29th of 2016, they paused for about five days 625 00:34:38,728 --> 00:34:41,079 to get their malicious software ready 626 00:34:41,079 --> 00:34:43,168 that allowed them to cover their tracks 627 00:34:43,168 --> 00:34:45,257 when they were on that SWIFT terminal. 628 00:34:45,257 --> 00:34:48,173 They decided to wait until February 4th. 629 00:34:48,173 --> 00:34:49,826 And this is no accident. 630 00:34:52,960 --> 00:34:55,702 MISHA: They have chosen a long weekend 631 00:34:55,702 --> 00:34:58,574 due to holidays in different parts of the world. 632 00:34:58,574 --> 00:35:01,186 That means, instead of the usual two days 633 00:35:01,186 --> 00:35:02,535 they have to get away with it 634 00:35:02,535 --> 00:35:04,841 before alarms start going off everywhere, 635 00:35:04,841 --> 00:35:07,931 they've got four days. It's brilliant. 636 00:35:09,498 --> 00:35:11,935 ERIC: February 4th, 2016, was a Thursday. 637 00:35:11,935 --> 00:35:14,634 That's the last day of the working week in Bangladesh. 638 00:35:14,634 --> 00:35:16,940 In Bangladesh, they work from Sunday to Thursday. 639 00:35:16,940 --> 00:35:19,421 So, at some point late in the afternoon, 640 00:35:19,421 --> 00:35:22,685 the SWIFT transaction operator in the Bangladeshi Bank 641 00:35:22,685 --> 00:35:24,687 logs off his terminal. 
642 00:35:28,778 --> 00:35:30,476 But three hours later, 643 00:35:30,476 --> 00:35:33,435 the thief logs into that terminal 644 00:35:33,435 --> 00:35:35,829 and starts to impersonate him. 645 00:35:35,829 --> 00:35:38,919 They logged into that SWIFT terminal at 8:36 p.m., 646 00:35:38,919 --> 00:35:41,051 after they believed, or really knew, 647 00:35:41,051 --> 00:35:44,403 that all the bank employees had gone home for the weekend. 648 00:35:44,403 --> 00:35:48,233 And they put forward 35 different wire transactions 649 00:35:48,233 --> 00:35:52,280 from that SWIFT terminal, totalling $951 million, 650 00:35:52,280 --> 00:35:55,631 almost $1 billion, completely unheard of. 651 00:35:58,678 --> 00:36:02,029 MISHA: Ten hours behind Bangladesh, 652 00:36:02,029 --> 00:36:03,813 New York is waking up. 653 00:36:04,945 --> 00:36:07,252 The first thing that the Fed sees 654 00:36:07,252 --> 00:36:09,297 is 35 requests 655 00:36:09,297 --> 00:36:13,214 for almost the entire holdings of the Bangladeshi Bank. 656 00:36:13,214 --> 00:36:17,523 Usually, it's figures of sort of $300,000, $500,000. 657 00:36:17,523 --> 00:36:19,525 They want almost a billion! 658 00:36:19,525 --> 00:36:23,746 The operator, perhaps unsurprisingly, rejects it, 659 00:36:23,746 --> 00:36:26,488 sends it back to Bangladesh. 660 00:36:26,488 --> 00:36:28,751 But he rejects it not because 661 00:36:28,751 --> 00:36:32,581 this is an absolutely crazy amount of money, 662 00:36:32,581 --> 00:36:36,585 but because the requests are wrongly formatted. 663 00:36:36,585 --> 00:36:39,153 ERIC: As much research that they had done, 664 00:36:39,153 --> 00:36:41,851 they didn't really understand how to fill out 665 00:36:41,851 --> 00:36:43,331 those SWIFT transfers. 666 00:36:43,331 --> 00:36:45,942 They were missing what's called an intermediate bank. 
667 00:36:45,942 --> 00:36:48,162 New York Federal Reserve replied to them, 668 00:36:48,162 --> 00:36:50,469 via the SWIFT system, back to their computer 669 00:36:50,469 --> 00:36:52,688 that they were sitting in front of, virtually, 670 00:36:52,688 --> 00:36:56,475 saying, "Hey, these transactions are missing information." 671 00:36:56,475 --> 00:36:58,520 They think on their feet. 672 00:36:58,520 --> 00:37:02,829 They reformat the requests, send them back... 673 00:37:02,829 --> 00:37:06,006 and hold their breath to see what happens. 674 00:37:06,006 --> 00:37:08,574 ERIC: They ultimately corrected 34 of them. 675 00:37:08,574 --> 00:37:09,879 They had forgotten one. 676 00:37:09,879 --> 00:37:12,230 The one did have the intermediate bank 677 00:37:12,230 --> 00:37:13,448 went to Deutsche Bank. 678 00:37:13,448 --> 00:37:15,581 That order was for $20 million 679 00:37:15,581 --> 00:37:19,802 to a charity called the Shalika Foundation in Sri Lanka. 680 00:37:19,802 --> 00:37:22,109 But they had made a typo as well, 681 00:37:22,109 --> 00:37:25,417 and they had misspelled "foundation" as "fandation". 682 00:37:25,417 --> 00:37:27,680 And so Deutsche Bank saw that typo 683 00:37:27,680 --> 00:37:29,856 and questioned it and, again, 684 00:37:29,856 --> 00:37:32,293 held that transaction due to that typo. 685 00:37:32,293 --> 00:37:34,643 - [POP] - [MELODIC CHIME] 686 00:37:34,643 --> 00:37:36,863 RAKESH: We use that as the poster child 687 00:37:36,863 --> 00:37:40,083 for why you need to learn how to spell. 688 00:37:40,083 --> 00:37:43,783 Otherwise, you can lose $20 million. [CHUCKLES] 689 00:37:43,783 --> 00:37:47,265 ERIC: Ultimately, when they return the other 34... 690 00:37:48,570 --> 00:37:50,268 MISHA: Bingo. 691 00:37:50,268 --> 00:37:52,487 The operator approves them. 692 00:37:52,487 --> 00:37:55,795 ERIC: Four of them went through. 693 00:37:55,795 --> 00:38:00,495 MISHA: The green light is given. The heist is on. 
694 00:38:00,495 --> 00:38:03,629 ERIC: Those four went through to those bank accounts 695 00:38:03,629 --> 00:38:06,066 in the Philippines that had been opened 696 00:38:06,066 --> 00:38:07,589 more than six months earlier. 697 00:38:07,589 --> 00:38:10,636 And they were able to transfer out $81 million 698 00:38:10,636 --> 00:38:12,638 to the bank in the Philippines. 699 00:38:34,181 --> 00:38:37,837 Ultimately, they were about to transfer $1 billion 700 00:38:37,837 --> 00:38:39,534 from the Bank of Bangladesh, 701 00:38:39,534 --> 00:38:42,494 but they didn't want anyone to find out. 702 00:38:47,847 --> 00:38:51,459 They began to cover their tracks. 703 00:38:51,459 --> 00:38:53,200 Normally, as a bank employee, 704 00:38:53,200 --> 00:38:55,071 you'll load up the SWIFT software, 705 00:38:55,071 --> 00:38:57,944 you'll see on the screen all the latest transactions, 706 00:38:57,944 --> 00:38:59,598 you can make transactions. 707 00:38:59,598 --> 00:39:04,342 And so the attackers deleted all records of those transactions. 708 00:39:07,083 --> 00:39:08,563 But it's not just digital. 709 00:39:08,563 --> 00:39:13,002 In the world of finance, everything must be a hard copy. 710 00:39:13,002 --> 00:39:16,005 And the attackers knew that as well. 711 00:39:20,575 --> 00:39:23,622 Every SWIFT transaction that takes place 712 00:39:23,622 --> 00:39:28,975 is immediately printed out locally in the Bangladeshi Bank. 713 00:39:28,975 --> 00:39:31,978 So that printer cannot be working 714 00:39:31,978 --> 00:39:34,676 when the heist is going on. 715 00:39:34,676 --> 00:39:37,549 ERIC: The attackers hijacked all of those print jobs, 716 00:39:37,549 --> 00:39:40,421 replaced all of those print jobs with zeros 717 00:39:40,421 --> 00:39:43,555 so that nothing would come out of the printer. 718 00:39:43,555 --> 00:39:48,516 Now, the other 30 wire transactions sat around. 
719 00:39:48,516 --> 00:39:51,867 And, ultimately, the attackers waited, 720 00:39:51,867 --> 00:39:54,261 and they waited... 721 00:39:54,261 --> 00:39:58,874 And they logged out at 3:59 a.m. Bangladesh time. 722 00:39:58,874 --> 00:40:01,442 Potentially, they thought that in New York, 723 00:40:01,442 --> 00:40:03,096 the business day ended at five p.m., 724 00:40:03,096 --> 00:40:04,924 and they weren't gonna hear any more. 725 00:40:04,924 --> 00:40:06,882 The New York Fed had actually stopped 726 00:40:06,882 --> 00:40:08,449 the rest of the transactions, 727 00:40:08,449 --> 00:40:11,931 because the address for the bank in the Philippines 728 00:40:11,931 --> 00:40:15,804 was on Jupiter Street. J-U-P-I-T-E-R. 729 00:40:15,804 --> 00:40:20,853 Right, now this is when the story gets really weird. 730 00:40:20,853 --> 00:40:24,857 In a totally unrelated incident two years earlier, 731 00:40:24,857 --> 00:40:28,469 we have a Greek shipping magnate, Dimitris Cambis, 732 00:40:28,469 --> 00:40:32,038 and he is buying eight tankers. 733 00:40:32,038 --> 00:40:35,258 What Dimitris knew, but not many other people, 734 00:40:35,258 --> 00:40:39,872 was that the money for these eight oil tankers 735 00:40:39,872 --> 00:40:41,917 came from Iran, 736 00:40:41,917 --> 00:40:45,660 and Iran was under US sanctions. 737 00:40:45,660 --> 00:40:48,358 Someone in the US caught wind of the fact 738 00:40:48,358 --> 00:40:51,710 that the Iranians were financing Mr Cambis. 739 00:40:51,710 --> 00:40:55,017 His company was put on the sanctions watch list, 740 00:40:55,017 --> 00:40:58,325 and his company was called Jupiter Seaways. 741 00:40:58,325 --> 00:41:00,675 [SHIP HORN BLARES] 742 00:41:00,675 --> 00:41:02,590 JOSHUA: It was just their bad luck 743 00:41:02,590 --> 00:41:05,201 that they designated the money transfers 744 00:41:05,201 --> 00:41:11,338 to go to the Jupiter branch of the Rizal Bank in Manila. 
745 00:41:11,338 --> 00:41:15,211 As the transfers were being sent out from the New York Reserve 746 00:41:15,211 --> 00:41:16,996 to the Philippines, 747 00:41:16,996 --> 00:41:20,956 the Jupiter name was caught by the computer system. 748 00:41:20,956 --> 00:41:23,916 It halted these transactions. 749 00:41:23,916 --> 00:41:26,484 ERIC: The Fed had to take a second look. 750 00:41:26,484 --> 00:41:28,790 They stopped it because they realised, 751 00:41:28,790 --> 00:41:31,184 "Wait, we have somewhere in the order 35 transactions 752 00:41:31,184 --> 00:41:33,229 coming from the Bank of Bangladesh, 753 00:41:33,229 --> 00:41:37,407 adding up to $1 billion? You know, this isn't usual." 754 00:41:37,407 --> 00:41:40,062 So they held them and sent a message back, 755 00:41:40,062 --> 00:41:41,890 asking for confirmation. 756 00:41:44,589 --> 00:41:47,766 Had the attackers waited just one more hour, 757 00:41:47,766 --> 00:41:50,595 they could have replied to them via the SWIFT system, 758 00:41:50,595 --> 00:41:53,206 saying these transactions were not a mistake. 759 00:41:53,206 --> 00:41:55,295 Ultimately, the Bank of Bangladesh 760 00:41:55,295 --> 00:41:57,253 might have lost much, much more. 761 00:41:57,253 --> 00:42:01,344 MISHA: So far, they managed to get $81 million. 762 00:42:01,344 --> 00:42:05,435 But, boy, did they come close to hitting the jackpot. 763 00:42:05,435 --> 00:42:07,655 Just under $1 billion 764 00:42:07,655 --> 00:42:11,572 was very, very nearly stolen from this bank. 765 00:42:22,061 --> 00:42:25,194 ERIC: The next day, the bank employees came in, 766 00:42:25,194 --> 00:42:26,587 and the printer wasn't working, 767 00:42:26,587 --> 00:42:28,937 because they installed their malicious code 768 00:42:28,937 --> 00:42:30,722 to prevent that from happening. 
769 00:42:30,722 --> 00:42:32,637 Ultimately, those bank employees 770 00:42:32,637 --> 00:42:34,900 didn't get it fixed until February 6, 771 00:42:34,900 --> 00:42:36,554 which would have been a Sunday. 772 00:42:38,251 --> 00:42:41,297 When the printer started, all these messages came out, 773 00:42:41,297 --> 00:42:42,908 messages from the Fed asking, 774 00:42:42,908 --> 00:42:46,041 "What are these 30 transactions? Did you mean to make these?" 775 00:42:46,041 --> 00:42:48,304 That triggered the Bank of Bangladesh 776 00:42:48,304 --> 00:42:51,003 to realise something had gone wrong. 777 00:42:51,003 --> 00:42:53,658 It was very clear that they were in deep, 778 00:42:53,658 --> 00:42:57,357 such that the bank manager... This is the Bank of Bangladesh, 779 00:42:57,357 --> 00:43:00,534 the federal bank, the national bank of the country, 780 00:43:00,534 --> 00:43:04,103 did not notify the leaders, 781 00:43:04,103 --> 00:43:07,236 the government of Bangladesh. He kept it under wraps. 782 00:43:07,236 --> 00:43:10,544 He notified someone he knew who knew about security. 783 00:43:10,544 --> 00:43:12,372 "Get on a plane, get to Bangladesh. 784 00:43:12,372 --> 00:43:14,940 I need you to look at these computer systems." 785 00:43:20,467 --> 00:43:22,948 Initially, the governor and his whole team 786 00:43:22,948 --> 00:43:24,166 were quite perplexed. 787 00:43:24,166 --> 00:43:27,343 They didn't quite know what had happened. 788 00:43:27,343 --> 00:43:30,216 So they thought that some money had been routed 789 00:43:30,216 --> 00:43:33,045 to a wrong account; it would come back. 790 00:43:36,309 --> 00:43:39,921 I get this strange phone call from the governor's office 791 00:43:39,921 --> 00:43:42,707 asking me if I would drop everything 792 00:43:42,707 --> 00:43:45,274 and come to Dhaka, Bangladesh. 793 00:43:49,061 --> 00:43:51,237 So I assembled a team... 794 00:43:52,107 --> 00:43:53,892 and we flew down. 
795 00:43:55,937 --> 00:43:57,896 [TYRES SCREECH] 796 00:43:57,896 --> 00:44:02,596 When we arrived there, we met with the Bangladesh Bank team. 797 00:44:02,596 --> 00:44:06,121 And that's when I discovered all the horrifying details 798 00:44:06,121 --> 00:44:08,471 of what had actually happened. 799 00:44:12,388 --> 00:44:15,217 MISHA: They decide, "Let's look at the CCTV. 800 00:44:15,217 --> 00:44:17,393 What's that going to tell us?" 801 00:44:17,393 --> 00:44:20,309 RAKESH: There were eight hours' worth of tapes 802 00:44:20,309 --> 00:44:23,138 that had to be gone through. 803 00:44:23,138 --> 00:44:26,054 Your gut instinct is, you have a malicious insider. 804 00:44:26,054 --> 00:44:27,708 A physical person had to go in, 805 00:44:27,708 --> 00:44:30,842 log into that machine and try to make these transfers, 806 00:44:30,842 --> 00:44:34,715 because this attack hadn't happened before. 807 00:44:34,715 --> 00:44:37,631 RAKESH: They had a SWIFT room, which was locked. 808 00:44:37,631 --> 00:44:39,938 And typically when the SWIFT operators 809 00:44:39,938 --> 00:44:43,724 needed to do something on SWIFT, they had to go into the room, 810 00:44:43,724 --> 00:44:47,467 sit in that chair and terminal, 811 00:44:47,467 --> 00:44:52,037 and there was only one shadow we could find. 812 00:44:52,037 --> 00:44:54,779 We eventually decided it was the person 813 00:44:54,779 --> 00:44:58,391 sweeping the place after hours. 814 00:45:00,741 --> 00:45:04,310 They were saying, "How could somebody process the transaction 815 00:45:04,310 --> 00:45:05,964 when there was nobody there?" 816 00:45:05,964 --> 00:45:10,577 I mean, even after the payment instructions had been sent, 817 00:45:10,577 --> 00:45:15,408 they had no idea for a very long time what was happening. 818 00:45:15,408 --> 00:45:19,412 They didn't think it was a hack. They had no traces of a hack. 
819 00:45:19,412 --> 00:45:22,632 But they watched eight hours of that footage over that weekend 820 00:45:22,632 --> 00:45:25,635 and realised there was no one at that computer. 821 00:45:25,635 --> 00:45:26,941 MISHA: Nothing. 822 00:45:26,941 --> 00:45:29,248 They had no idea that the Bank of Bangladesh 823 00:45:29,248 --> 00:45:31,859 had been breached by hackers. 824 00:45:31,859 --> 00:45:35,384 Only after we see these things happen over and over again, 825 00:45:35,384 --> 00:45:39,171 we realise that cyber has such capabilities. 826 00:45:44,045 --> 00:45:47,440 Bangladesh was a bit of a bombshell for all of us. 827 00:45:49,311 --> 00:45:52,097 Hackers and most cybercrime, 828 00:45:52,097 --> 00:45:54,055 it's like smash-and-grab crime. 829 00:45:54,055 --> 00:45:56,492 Quickly grab something and monetise it 830 00:45:56,492 --> 00:45:58,103 as swiftly as you can. 831 00:45:58,103 --> 00:46:01,236 MISHA: You know, storm a bank with shotguns, blow a safe, 832 00:46:01,236 --> 00:46:03,978 fill some bags with cash. 833 00:46:03,978 --> 00:46:06,024 RAFAL: Cybercrime... 834 00:46:06,024 --> 00:46:09,418 It doesn't lend itself well to long conspiracy 835 00:46:09,418 --> 00:46:11,856 and lots of investigation and investment 836 00:46:11,856 --> 00:46:13,596 into understanding your target. 837 00:46:13,596 --> 00:46:15,903 I mean, you couldn't do Bangladesh 838 00:46:15,903 --> 00:46:19,037 unless you really understood the internal workings 839 00:46:19,037 --> 00:46:21,909 of the central bank and all the actors involved. 840 00:46:21,909 --> 00:46:24,607 That's not something that freelance hackers 841 00:46:24,607 --> 00:46:26,827 really are good at. 842 00:46:26,827 --> 00:46:29,917 That requires a level of investment into resources 843 00:46:29,917 --> 00:46:34,095 and frankly intelligence that has to be sustained. 
844 00:46:34,095 --> 00:46:38,012 To organise something of that complexity 845 00:46:38,012 --> 00:46:40,841 and for it not to be noticed 846 00:46:40,841 --> 00:46:43,539 by the intelligence agencies of the state 847 00:46:43,539 --> 00:46:46,020 where that is being planned 848 00:46:46,020 --> 00:46:50,285 would be very, very difficult indeed. 849 00:46:50,285 --> 00:46:53,419 ERIC: These hackers went in and looked at the zeros and ones 850 00:46:53,419 --> 00:46:55,725 in the software and reverse engineered it, 851 00:46:55,725 --> 00:46:58,380 turned it back into understandable code. 852 00:46:58,380 --> 00:47:00,905 That's not something that happens overnight. 853 00:47:00,905 --> 00:47:02,384 MIKKO: It was pretty clear 854 00:47:02,384 --> 00:47:04,865 that this isn't just normal criminals. 855 00:47:04,865 --> 00:47:07,128 This has to be something bigger. 856 00:47:10,044 --> 00:47:13,961 Once attackers have gained access to their target network, 857 00:47:13,961 --> 00:47:16,007 they want to stay undetected. 858 00:47:18,487 --> 00:47:20,968 And we've seen many interesting examples 859 00:47:20,968 --> 00:47:23,014 of how exactly this is done. 860 00:47:26,278 --> 00:47:27,801 REPORTER: What exactly happened 861 00:47:27,801 --> 00:47:30,195 at the Natanz nuclear facility last week? 862 00:47:30,195 --> 00:47:32,806 It's a question people in Iran around the world 863 00:47:32,806 --> 00:47:35,461 have been asking since a fire was reported 864 00:47:35,461 --> 00:47:38,856 at Iran's main uranium enrichment facility on Thursday. 865 00:47:38,856 --> 00:47:41,902 We're used to Trojans and viruses on the internet, 866 00:47:41,902 --> 00:47:43,338 but this is the first worm 867 00:47:43,338 --> 00:47:46,907 designed to damage the physical world. 
868 00:47:46,907 --> 00:47:51,042 ERIC: In 2010, attackers created a piece of malicious software 869 00:47:51,042 --> 00:47:55,350 that was designed to infiltrate Iran's nuclear programme, 870 00:47:55,350 --> 00:47:57,004 to get into their centrifuges, 871 00:47:57,004 --> 00:47:59,050 in particular, get onto computers 872 00:47:59,050 --> 00:48:00,921 that controlled their centrifuges. 873 00:48:00,921 --> 00:48:04,142 REPORTER: Iran says it will retaliate against any country 874 00:48:04,142 --> 00:48:06,884 that conducts cyber-attacks on its nuclear sites. 875 00:48:06,884 --> 00:48:09,538 JOSHUA: The intention was to spin the centrifuges 876 00:48:09,538 --> 00:48:12,150 of Iran's nuclear capabilities out of control, 877 00:48:12,150 --> 00:48:14,152 make the centrifuges explode 878 00:48:14,152 --> 00:48:15,414 and push them ten years back 879 00:48:15,414 --> 00:48:17,372 in the uranium enrichment programme. 880 00:48:17,372 --> 00:48:18,721 As a piece of malware, 881 00:48:18,721 --> 00:48:21,768 it was 40 times larger than any piece of malware 882 00:48:21,768 --> 00:48:24,336 that had ever been encountered before. 883 00:48:24,336 --> 00:48:28,514 It would have taken the most advanced, 884 00:48:28,514 --> 00:48:30,995 brilliant computer engineers 885 00:48:30,995 --> 00:48:34,085 years and years of human working hours 886 00:48:34,085 --> 00:48:35,956 to produce this. 887 00:48:35,956 --> 00:48:38,089 Why was it so big? 888 00:48:38,089 --> 00:48:42,310 Because it needed to cover itself up. 889 00:48:44,834 --> 00:48:47,794 MIKKO: The attackers were actually recording 890 00:48:47,794 --> 00:48:52,320 the network traffic, the normal network traffic, 891 00:48:52,320 --> 00:48:55,062 and then playing it back to the sensors 892 00:48:55,062 --> 00:48:58,848 when they started modifying the operations of the centrifuges 893 00:48:58,848 --> 00:49:00,720 they were trying to break. 
894 00:49:03,201 --> 00:49:04,463 [CAMERA CLICKS] 895 00:49:04,463 --> 00:49:06,900 This is the equivalent of, in the real world, 896 00:49:06,900 --> 00:49:09,903 recording the CCTV footage from a security camera 897 00:49:09,903 --> 00:49:12,166 and then playing it back to the camera 898 00:49:12,166 --> 00:49:14,125 when you're doing something bad. 899 00:49:14,125 --> 00:49:16,301 That's what Stuxnet was doing. 900 00:49:16,301 --> 00:49:18,042 And in the Bangladesh heist, 901 00:49:18,042 --> 00:49:20,218 they were doing something similar. 902 00:49:20,218 --> 00:49:22,872 ERIC: Once they made their transactions, 903 00:49:22,872 --> 00:49:26,311 they wanted to make sure no one realised they had happened. 904 00:49:26,311 --> 00:49:29,053 They were actually falsifying the information 905 00:49:29,053 --> 00:49:30,576 about transactions. 906 00:49:30,576 --> 00:49:33,405 The recording of the transactions were being done 907 00:49:33,405 --> 00:49:34,972 both in electronic format, 908 00:49:34,972 --> 00:49:38,540 but also falsifying the data being sent to the printers, 909 00:49:38,540 --> 00:49:41,021 which actually looked like everything was fine. 910 00:49:41,021 --> 00:49:44,242 So you find out how you're being tracked, 911 00:49:44,242 --> 00:49:46,984 and then you try to cover your tracks. 912 00:49:46,984 --> 00:49:48,246 Stuxnet did that. 913 00:49:48,246 --> 00:49:50,770 The Bangladeshi heist did it as well. 914 00:49:53,207 --> 00:49:56,950 ERIC: Once that money arrived in the Philippines, 915 00:49:56,950 --> 00:50:00,519 they needed to change that money into cold, hard cash. 916 00:50:00,519 --> 00:50:02,912 Right now, it's still in digital ones and zeros, 917 00:50:02,912 --> 00:50:05,437 just a transaction that said the money has moved 918 00:50:05,437 --> 00:50:06,829 from the Bank of Bangladesh 919 00:50:06,829 --> 00:50:10,094 to these accounts at RCBC. Four accounts. 
920 00:50:10,094 --> 00:50:13,532 JOSHUA: The thieves had to get it out of the Philippines, 921 00:50:13,532 --> 00:50:15,621 make it disappear. 922 00:50:15,621 --> 00:50:18,450 So how were they going to do that? 923 00:50:18,450 --> 00:50:20,843 There is one industry in the Philippines 924 00:50:20,843 --> 00:50:23,237 where there is absolutely no oversight, 925 00:50:23,237 --> 00:50:27,241 where it's a cash-only business. There are no records, no names. 926 00:50:27,241 --> 00:50:29,113 That is the casino industry. 927 00:50:41,125 --> 00:50:43,257 When we talk about laundering funds, 928 00:50:43,257 --> 00:50:45,955 we're talking about taking dirty, illicit funds, 929 00:50:45,955 --> 00:50:49,481 running them through a legal business 930 00:50:49,481 --> 00:50:52,049 so that if I came to you and said, 931 00:50:52,049 --> 00:50:55,400 "Hey, where'd you get that $81 million?", 932 00:50:55,400 --> 00:51:00,318 you could have a paper trail to show that you won it back. 933 00:51:00,318 --> 00:51:03,103 MIKKO: The hard part is not stealing the money. 934 00:51:03,103 --> 00:51:06,628 The hard part is moving the money into a form you can use 935 00:51:06,628 --> 00:51:08,152 without getting caught. 936 00:51:10,241 --> 00:51:15,202 And one method we've seen for quite a while is gambling. 937 00:51:15,202 --> 00:51:17,074 KRISHNA: It was very clear that, 938 00:51:17,074 --> 00:51:20,251 if, at all, there was a place for you to do that, 939 00:51:20,251 --> 00:51:22,166 it would have been the Philippines, 940 00:51:22,166 --> 00:51:25,038 because the casinos are not regulated at all. 941 00:51:27,171 --> 00:51:30,304 It's like a lot of high-flying gamblers 942 00:51:30,304 --> 00:51:33,307 who'd kind of fly to Manila, 943 00:51:33,307 --> 00:51:37,050 crowd these numerous casinos in Manila, 944 00:51:37,050 --> 00:51:38,399 lots of money coming in. 945 00:51:38,399 --> 00:51:41,315 People don't question that kind of money. 
946 00:51:41,315 --> 00:51:42,795 I mean, you know... 947 00:51:42,795 --> 00:51:44,753 "Well, as long as it's coming to us, 948 00:51:44,753 --> 00:51:47,887 we don't bother too much about where it is coming from." 949 00:51:49,323 --> 00:51:52,283 JOSHUA: The thieves knew if they could get that money 950 00:51:52,283 --> 00:51:55,547 into the casinos, it would essentially be lost. 951 00:51:56,809 --> 00:51:58,115 ERIC: What happened was, 952 00:51:58,115 --> 00:52:00,421 the manager from the Philippines bank, 953 00:52:00,421 --> 00:52:03,381 she was the one who'd opened those four accounts 954 00:52:03,381 --> 00:52:05,557 using fraudulent IDs. 955 00:52:05,557 --> 00:52:09,952 She got the money withdrawn from the bank in the Philippines. 956 00:52:11,563 --> 00:52:12,955 From there, it started to go 957 00:52:12,955 --> 00:52:14,566 through something called Philrem. 958 00:52:14,566 --> 00:52:18,004 It's a bit like a Western Union in the Philippines, 959 00:52:18,004 --> 00:52:20,180 transferred into pesos. 960 00:52:20,180 --> 00:52:22,487 MISHA: I don't know if you've ever used 961 00:52:22,487 --> 00:52:24,010 Philippine pesos before, 962 00:52:24,010 --> 00:52:28,057 but that's one hell of a lot of pesos, $22 million. 963 00:52:28,057 --> 00:52:33,454 In fact, it's over one million banknotes. 964 00:52:33,454 --> 00:52:35,630 ERIC: They actually had to request that cash 965 00:52:35,630 --> 00:52:38,981 to come from a sister branch location, 966 00:52:38,981 --> 00:52:40,853 that arrived in boxes. 967 00:52:40,853 --> 00:52:44,422 The bank manager was seen by one of the other bank employees 968 00:52:44,422 --> 00:52:47,599 collecting those boxes and literally going outside 969 00:52:47,599 --> 00:52:49,862 and loading them up into a Lexus. 970 00:52:49,862 --> 00:52:50,993 [CAR ENGINE STARTS] 971 00:52:50,993 --> 00:52:53,344 And that money was driven away. 
972 00:52:59,785 --> 00:53:03,702 JOSHUA: So, we're talking stacks of bills carried in vans 973 00:53:03,702 --> 00:53:07,227 to the Solaire Casino right by the airport. 974 00:53:07,227 --> 00:53:10,448 It allows the Chinese gamblers to come off the plane. 975 00:53:10,448 --> 00:53:13,320 Five minutes, they're on the floor playing baccarat. 976 00:53:16,410 --> 00:53:19,979 The money goes to this place. It's wheeled in wheelbarrows 977 00:53:19,979 --> 00:53:24,113 across the casino floor up to this guarded escalator. 978 00:53:24,113 --> 00:53:26,420 [RAP MUSIC] 979 00:53:35,255 --> 00:53:38,215 MISHA: There's so much physical cash involved, 980 00:53:38,215 --> 00:53:41,305 they've enlisted their own crew of gamblers 981 00:53:41,305 --> 00:53:44,830 to launder the stolen funds. 982 00:53:44,830 --> 00:53:47,093 ERIC: And they just played baccarat, 983 00:53:47,093 --> 00:53:49,617 all day long. 984 00:53:49,617 --> 00:53:51,140 They had individuals, 985 00:53:51,140 --> 00:53:54,231 mostly appeared to be Chinese nationals that they had, 986 00:53:54,231 --> 00:53:57,538 I assume, hired to take those funds and launder them. 987 00:53:57,538 --> 00:54:01,499 MISHA: You change that cash into casino chips, 988 00:54:01,499 --> 00:54:03,152 play a few games, 989 00:54:03,152 --> 00:54:04,937 cash in the chips. 990 00:54:04,937 --> 00:54:10,595 And when you get that cash back, that is then laundered. 991 00:54:10,595 --> 00:54:13,119 And this wouldn't have been unusual. 992 00:54:13,119 --> 00:54:15,513 This was the Chinese lunar week. 993 00:54:15,513 --> 00:54:18,298 That would've been very common for individuals, 994 00:54:18,298 --> 00:54:20,561 high rollers, to come into the Philippines 995 00:54:20,561 --> 00:54:22,868 and play at the casinos during that time. 996 00:54:22,868 --> 00:54:26,611 Spending $22 million in a casino over a weekend, 997 00:54:26,611 --> 00:54:28,569 let's face it, could be fun. 
998 00:54:32,878 --> 00:54:36,708 NICOLE: Doing this story and trying to figure out 999 00:54:36,708 --> 00:54:40,407 where in history to sort of place this thing. 1000 00:54:40,407 --> 00:54:43,323 Was this the biggest heist of all time? 1001 00:54:43,323 --> 00:54:47,327 No, but it certainly looked to be the biggest cyber heist 1002 00:54:47,327 --> 00:54:50,243 of a bank in history. 1003 00:54:50,243 --> 00:54:54,378 And over the next few days, I just remember 1004 00:54:54,378 --> 00:54:58,425 calling up my sources at Symantec 1005 00:54:58,425 --> 00:55:00,993 and a couple other cybersecurity firms 1006 00:55:00,993 --> 00:55:04,257 and getting in touch with a guy named Eric Chien. 1007 00:55:06,085 --> 00:55:09,131 ERIC: We have all kinds of sensors sitting on networks 1008 00:55:09,131 --> 00:55:10,785 and computers all over the world. 1009 00:55:10,785 --> 00:55:14,136 Any time some sort of cyber criminal, some attacker, 1010 00:55:14,136 --> 00:55:18,053 is trying to breach a computer, they're leaving traces behind. 1011 00:55:19,577 --> 00:55:23,537 EJ: Every attack has a signature. 1012 00:55:23,537 --> 00:55:25,104 If you look at it long enough, 1013 00:55:25,104 --> 00:55:27,454 if you study it, if you work it long enough, 1014 00:55:27,454 --> 00:55:29,717 you can understand the way they do things. 1015 00:55:29,717 --> 00:55:31,284 The way they state something, 1016 00:55:31,284 --> 00:55:34,461 the way they code a particular way, 1017 00:55:34,461 --> 00:55:39,901 the methodology of the attack, the step-by-step approaches. 1018 00:55:39,901 --> 00:55:42,904 It might be considered like Sherlock Holmesian 1019 00:55:42,904 --> 00:55:44,384 to come up with this idea. 1020 00:55:44,384 --> 00:55:46,778 "Because he walks with a gait this way, 1021 00:55:46,778 --> 00:55:48,954 and he does this..." But it is true. 1022 00:55:48,954 --> 00:55:53,262 We see those signatures. We see those patterns. 
1023 00:55:54,220 --> 00:55:56,004 ERIC: What we discovered was, 1024 00:55:56,004 --> 00:55:59,443 by looking at the artefacts that these attackers had used, 1025 00:55:59,443 --> 00:56:01,880 the malicious binaries they had used, 1026 00:56:01,880 --> 00:56:03,185 the code inside of it, 1027 00:56:03,185 --> 00:56:05,753 as well as the email accounts that they used 1028 00:56:05,753 --> 00:56:07,929 to send the initial spear-phishing messages, 1029 00:56:07,929 --> 00:56:12,499 we were able to map this back to an attacker back in 2014. 1030 00:56:15,415 --> 00:56:18,505 Sony Pictures is mainly housed in Culver City. 1031 00:56:18,505 --> 00:56:20,507 And in 2014, 1032 00:56:20,507 --> 00:56:24,598 Sony Pictures went down, which was unheard of. 1033 00:56:24,598 --> 00:56:26,078 On that day in November, 1034 00:56:26,078 --> 00:56:28,559 people would have come in, tried to swipe their badge 1035 00:56:28,559 --> 00:56:30,778 and not even be able to get into the office. 1036 00:56:30,778 --> 00:56:32,780 MISHA: They get into the building finally 1037 00:56:32,780 --> 00:56:35,957 and then they discover that nothing else is working either. 1038 00:56:35,957 --> 00:56:40,005 Printers aren't working, computers aren't working. 1039 00:56:40,005 --> 00:56:43,225 ERIC: People who had laptops connected to the network 1040 00:56:43,225 --> 00:56:44,966 would have immediately seen 1041 00:56:44,966 --> 00:56:47,926 skulls and crossbones show up on their screens, 1042 00:56:47,926 --> 00:56:51,016 scrolling with scary Halloween-type music 1043 00:56:51,016 --> 00:56:52,496 playing in the background. 1044 00:56:52,496 --> 00:56:55,716 And it said, "Hacked by the GOP." 1045 00:56:55,716 --> 00:56:58,980 MISHA: Guardians of the Peace. 1046 00:56:58,980 --> 00:57:02,027 A mysterious crew of hackers, 1047 00:57:02,027 --> 00:57:05,987 also known as the Lazarus Group. 1048 00:57:05,987 --> 00:57:08,120 We'd call them the Lazarus Group. 
1049 00:57:08,120 --> 00:57:09,251 They've been responsible 1050 00:57:09,251 --> 00:57:11,123 for many, many attacks over the years. 1051 00:57:11,123 --> 00:57:13,342 You know, political statements 1052 00:57:13,342 --> 00:57:15,954 and bringing down some websites in South Korea 1053 00:57:15,954 --> 00:57:20,306 and also the White House in the United States and the Pentagon. 1054 00:57:20,306 --> 00:57:23,875 MISHA: Now, at this point, the penny has dropped. 1055 00:57:23,875 --> 00:57:26,007 Sony has been hacked. 1056 00:57:26,007 --> 00:57:28,662 REPORTER: The hack attack has had a devastating effect 1057 00:57:28,662 --> 00:57:31,491 on the entertainment company, with an avalanche of leaks 1058 00:57:31,491 --> 00:57:34,189 revealing personal information of employees 1059 00:57:34,189 --> 00:57:37,497 and salacious email exchanges of A-list celebrities. 1060 00:57:37,497 --> 00:57:40,500 They ultimately compromised Sony Pictures Network, 1061 00:57:40,500 --> 00:57:43,851 got inside and wiped 10,000 computers. 1062 00:57:43,851 --> 00:57:45,592 On top of that, they actually stole 1063 00:57:45,592 --> 00:57:48,682 all kinds of documents and emails from Sony Pictures. 1064 00:57:48,682 --> 00:57:50,815 REPORTER: The hack on Sony Pictures 1065 00:57:50,815 --> 00:57:53,382 is rocking Hollywood's very foundation; 1066 00:57:53,382 --> 00:57:56,037 the industry, warts and all, exposed. 1067 00:57:56,037 --> 00:57:59,258 Initially, we had no link between the SWIFT attack 1068 00:57:59,258 --> 00:58:01,956 and the Sony Pictures attack. 1069 00:58:01,956 --> 00:58:04,481 But when we were looking at the malware, 1070 00:58:04,481 --> 00:58:06,395 we found an interesting detail. 1071 00:58:06,395 --> 00:58:09,573 There was a component called an indexing manager, 1072 00:58:09,573 --> 00:58:13,011 which was saving the logs during the SWIFT attack 1073 00:58:13,011 --> 00:58:15,492 into an encrypted file. 
1074 00:58:15,492 --> 00:58:18,538 The file was encrypted with a really long key, 1075 00:58:18,538 --> 00:58:22,063 and when we just googled for the key, 1076 00:58:22,063 --> 00:58:25,284 we found that the same key, exactly, 1077 00:58:25,284 --> 00:58:30,594 was used 18 months earlier in the Sony Pictures attack. 1078 00:58:31,769 --> 00:58:34,119 MISHA: This was the moment we realised 1079 00:58:34,119 --> 00:58:36,077 the Bangladeshi SWIFT attack 1080 00:58:36,077 --> 00:58:39,733 was probably perpetrated by the Lazarus Group. 1081 00:58:40,691 --> 00:58:42,301 So, who is Lazarus? 1082 00:58:42,301 --> 00:58:43,781 Well, from what we know, 1083 00:58:43,781 --> 00:58:46,740 they're a trans-global criminal organisation 1084 00:58:46,740 --> 00:58:51,571 that's been trained at a nation-state level. 1085 00:58:51,571 --> 00:58:55,444 The nation states really started coming in on a criminal side... 1086 00:58:57,055 --> 00:58:59,231 when sanctions started. 1087 00:58:59,231 --> 00:59:02,277 When we start limiting the capability of a nation 1088 00:59:02,277 --> 00:59:05,411 to get cash, and we up the methodology 1089 00:59:05,411 --> 00:59:07,979 to monitor the way they're getting cash, 1090 00:59:07,979 --> 00:59:11,025 they turn to different approaches. 1091 00:59:11,025 --> 00:59:13,898 MISHA: So if you're a country that's under sanction 1092 00:59:13,898 --> 00:59:17,162 and your ability to get funds has been compromised, 1093 00:59:17,162 --> 00:59:20,121 you may be motivated to go to the Lazarus Group 1094 00:59:20,121 --> 00:59:23,429 to fix your problem. 1095 00:59:23,429 --> 00:59:25,649 It's like a job for them. It is a job for them. 1096 00:59:25,649 --> 00:59:27,694 They get recruited. It's a nine-to-five job. 1097 00:59:27,694 --> 00:59:30,958 They come in, and each of them has their specialties. 1098 00:59:30,958 --> 00:59:32,351 They have managers, 1099 00:59:32,351 --> 00:59:35,223 they have targets that they're told to go after. 
1100 00:59:35,223 --> 00:59:37,356 When you talk about nation states, 1101 00:59:37,356 --> 00:59:39,619 obviously, for your average nation state, 1102 00:59:39,619 --> 00:59:42,927 most cyber offensive campaigns are under the military. 1103 00:59:42,927 --> 00:59:45,712 It's very similar to how a military organisation 1104 00:59:45,712 --> 00:59:49,020 would be organised for their cyber offensive campaigns. 1105 00:59:49,020 --> 00:59:51,457 There is a hotel, for example, in China 1106 00:59:51,457 --> 00:59:53,590 where they've taken over multiple floors 1107 00:59:53,590 --> 00:59:55,635 where they essentially have dormitories. 1108 00:59:55,635 --> 00:59:59,073 They go to sleep in that hotel, they eat in that hotel, 1109 00:59:59,073 --> 01:00:01,423 and they don't come out of that hotel. 1110 01:00:01,423 --> 01:00:04,078 They just move from one room to another, 1111 01:00:04,078 --> 01:00:05,863 hack all day and night. 1112 01:00:08,039 --> 01:00:10,650 MISHA: And the Lazarus Group is thought to be made up 1113 01:00:10,650 --> 01:00:13,392 of these state-trained hackers. 1114 01:00:18,745 --> 01:00:21,226 What's amazing about cyber, 1115 01:00:21,226 --> 01:00:23,794 when you talk about nation states, 1116 01:00:23,794 --> 01:00:27,319 is the cost to entry is extremely low. 1117 01:00:27,319 --> 01:00:29,713 We have nation states who have been 1118 01:00:29,713 --> 01:00:33,194 trying to create nuclear missiles, 1119 01:00:33,194 --> 01:00:35,066 tried to create a nuclear programme. 1120 01:00:35,066 --> 01:00:36,981 Places like Iran, for example. 1121 01:00:36,981 --> 01:00:41,507 The dollars it costs to do so, it's extraordinary. 1122 01:00:41,507 --> 01:00:44,684 But if you want to build a cyber offensive campaign, 1123 01:00:44,684 --> 01:00:46,991 you get two, three, four, five guys 1124 01:00:46,991 --> 01:00:50,472 and potentially threaten to disable the power grid 1125 01:00:50,472 --> 01:00:52,039 in some country. 
1126 01:00:52,039 --> 01:00:54,476 When you talk about trying to rob a bank 1127 01:00:54,476 --> 01:00:57,175 or produce illicit drugs and sell them, 1128 01:00:57,175 --> 01:00:59,830 the amount of people required on the ground, 1129 01:00:59,830 --> 01:01:01,266 the amount of connections, 1130 01:01:01,266 --> 01:01:03,442 and for the dollars that you would receive, 1131 01:01:03,442 --> 01:01:04,922 is nothing compared to, 1132 01:01:04,922 --> 01:01:07,446 "Let's get three guys, break into a bank 1133 01:01:07,446 --> 01:01:10,667 and potentially transfer $1 billion." 1134 01:01:16,063 --> 01:01:20,502 MISHA: Back in the VIP room of the Solaire Casino in Manila, 1135 01:01:20,502 --> 01:01:24,942 the money-laundering operation is in full flight. 1136 01:01:26,683 --> 01:01:29,729 They just spend hours upon hours gambling away, 1137 01:01:29,729 --> 01:01:31,296 collecting chips. 1138 01:01:31,296 --> 01:01:33,733 They transfer those chips back into cold, hard currency. 1139 01:01:33,733 --> 01:01:36,693 JOSHUA: You put a hundred gamblers into the VIP lounge 1140 01:01:36,693 --> 01:01:40,784 playing cash, so maybe the house has a one or two percent margin. 1141 01:01:40,784 --> 01:01:43,743 But all the rest is untraceable money that they walk out with. 1142 01:01:43,743 --> 01:01:46,006 ERIC: What's interesting about these individuals, 1143 01:01:46,006 --> 01:01:47,704 they weren't interested in winning. 1144 01:01:47,704 --> 01:01:50,184 They were just interested in playing. 1145 01:01:50,184 --> 01:01:51,620 MIKKO: If you lose the money, 1146 01:01:51,620 --> 01:01:53,405 the money doesn't go to the casino, 1147 01:01:53,405 --> 01:01:54,928 it goes to the other players. 1148 01:01:54,928 --> 01:01:58,410 So you can play the table where the other players are, 1149 01:01:58,410 --> 01:01:59,846 your partners. 1150 01:01:59,846 --> 01:02:02,196 Then you can lose the dirty money on purpose, 1151 01:02:02,196 --> 01:02:04,024 moving the money to your partners. 
1152 01:02:04,024 --> 01:02:05,678 Now it's cashed out. 1153 01:02:05,678 --> 01:02:09,073 Now it looks like it came from a great win in a poker tournament 1154 01:02:09,073 --> 01:02:11,640 instead of being stolen from somewhere. 1155 01:02:11,640 --> 01:02:14,513 So, casinos are a good way of laundering money. 1156 01:02:14,513 --> 01:02:17,342 Real-world criminals have done that for decades. 1157 01:02:17,342 --> 01:02:20,606 Online criminals are doing it today. 1158 01:02:20,606 --> 01:02:23,740 They played for a whole week, that whole lunar week, 1159 01:02:23,740 --> 01:02:25,698 every day, like workers, 1160 01:02:25,698 --> 01:02:28,309 nine to five, essentially, in that casino. 1161 01:02:33,358 --> 01:02:36,361 MISHA: Finally, the Chinese New Year celebrations 1162 01:02:36,361 --> 01:02:37,884 have come to an end. 1163 01:02:37,884 --> 01:02:42,280 The staff at the RCBC bank in Manila are back at work. 1164 01:02:44,369 --> 01:02:47,328 Now, the Bangladesh Bank is still desperately trying 1165 01:02:47,328 --> 01:02:49,417 to put a stop on any further withdrawals 1166 01:02:49,417 --> 01:02:52,159 from those accounts in the Bank of the Philippines. 1167 01:02:52,159 --> 01:02:54,509 They've lost $22 million already, 1168 01:02:54,509 --> 01:02:58,818 but there's still $59 million left that they can save. 1169 01:02:58,818 --> 01:03:01,865 They're firing message after message to Manila, 1170 01:03:01,865 --> 01:03:04,737 "Hold all transactions." 1171 01:03:04,737 --> 01:03:07,087 In the Philippines, they got those messages. 1172 01:03:07,087 --> 01:03:08,567 They got those messages 1173 01:03:08,567 --> 01:03:10,830 as part of many other transaction messages they got 1174 01:03:10,830 --> 01:03:12,701 that were sitting in a printer queue 1175 01:03:12,701 --> 01:03:14,051 at the bottom of the stack, 1176 01:03:14,051 --> 01:03:16,357 and ultimately, they never saw those messages. 
1177 01:03:16,357 --> 01:03:20,797 MISHA: At this point, the fence gets in touch with the manager 1178 01:03:20,797 --> 01:03:22,799 of the bank in Jupiter Street. 1179 01:03:22,799 --> 01:03:26,672 "Can you please authorise the transfer of $59 million?" 1180 01:03:26,672 --> 01:03:29,849 She authorises that $59 million. 1181 01:03:29,849 --> 01:03:34,114 It goes straight to the Solaire Casino. 1182 01:03:34,114 --> 01:03:36,029 More money laundering. 1183 01:03:37,901 --> 01:03:39,424 Five hours later, 1184 01:03:39,424 --> 01:03:44,037 after increasingly urgent calls from the Bangladesh Bank, 1185 01:03:44,037 --> 01:03:50,000 the manager finally puts a block on all of the accounts. 1186 01:03:50,000 --> 01:03:52,829 But, really, it's too late. 1187 01:03:52,829 --> 01:03:54,831 The money's gone. 1188 01:03:59,139 --> 01:04:02,273 It's incredible when you think what the Lazarus Group 1189 01:04:02,273 --> 01:04:05,885 was able to pull off with just some ones and zeros. 1190 01:04:05,885 --> 01:04:07,756 They guide their bespoke malware 1191 01:04:07,756 --> 01:04:10,020 into the computer network of a bank, 1192 01:04:10,020 --> 01:04:11,717 and then a year later, 1193 01:04:11,717 --> 01:04:15,025 they're literally washing $100 million 1194 01:04:15,025 --> 01:04:17,331 through a casino in the Philippines. 1195 01:04:17,331 --> 01:04:19,856 It's astonishing. 1196 01:04:19,856 --> 01:04:22,336 But what's really, really scary 1197 01:04:22,336 --> 01:04:25,687 is what happened just a year later. 1198 01:04:27,428 --> 01:04:29,561 Now back to the major cyber-attack, 1199 01:04:29,561 --> 01:04:34,087 the ransomware crippling 200,000 computers in 150 countries. 
1200 01:04:34,087 --> 01:04:37,699 The thousands of targets all received this ominous message 1201 01:04:37,699 --> 01:04:39,745 in English on their screens: 1202 01:04:49,276 --> 01:04:54,151 Everyone was basically locked up with this malware 1203 01:04:54,151 --> 01:04:58,329 that we discovered had been launched by the same attackers 1204 01:04:58,329 --> 01:05:01,158 as the Central Bank of Bangladesh. 1205 01:05:01,158 --> 01:05:03,377 MISHA: So they design this malware, 1206 01:05:03,377 --> 01:05:05,989 and then they lose control of it entirely. 1207 01:05:05,989 --> 01:05:08,121 And that caused chaos. 1208 01:05:08,121 --> 01:05:11,385 REPORTER: Ambulances were diverted to other hospitals. 1209 01:05:11,385 --> 01:05:14,823 Patients were turned away, their operations cancelled. 1210 01:05:14,823 --> 01:05:17,696 NICOLE: You know, the first sign that something 1211 01:05:17,696 --> 01:05:21,961 was seriously wrong was when hospitals in the United Kingdom 1212 01:05:21,961 --> 01:05:24,529 started telling patients, "Don't come." 1213 01:05:24,529 --> 01:05:28,533 That their systems had been locked up with ransomware. 1214 01:05:28,533 --> 01:05:33,625 It's unclear if it was accidentally released too early, 1215 01:05:33,625 --> 01:05:35,018 it appears so, 1216 01:05:35,018 --> 01:05:37,890 or if it was designed not to work 1217 01:05:37,890 --> 01:05:41,241 and just begin wiping computers, because it didn't matter. 1218 01:05:41,241 --> 01:05:44,157 Even if you paid them, you would not get the decryption key. 1219 01:05:44,157 --> 01:05:45,985 They didn't have the decryption key. 1220 01:05:45,985 --> 01:05:48,118 They couldn't decrypt your files anymore. 1221 01:05:48,118 --> 01:05:50,816 REPORTER: Japan, Turkey and the Philippines 1222 01:05:50,816 --> 01:05:54,733 were also affected. In the US, FedEx was hit. 1223 01:05:54,733 --> 01:05:59,694 MISHA: That virulent virus spiralled out of control. 
1224 01:05:59,694 --> 01:06:04,047 In Germany, it attacked the network of the Deutsche Bahn, 1225 01:06:04,047 --> 01:06:05,439 German Railway. 1226 01:06:05,439 --> 01:06:09,400 In Spain, WannaCry hit Telefonica, 1227 01:06:09,400 --> 01:06:12,359 the biggest telecommunications company. 1228 01:06:12,359 --> 01:06:16,537 It hit the banking systems, and ATMs didn't work. 1229 01:06:16,537 --> 01:06:21,847 This thing was hitting companies in something like 150 countries. 1230 01:06:21,847 --> 01:06:23,588 REPORTER: Other targets in the US 1231 01:06:23,588 --> 01:06:26,025 include Merck Pharmaceutical in New Jersey. 1232 01:06:26,025 --> 01:06:28,810 Even the company that makes Oreo cookies may have been hit. 1233 01:06:28,810 --> 01:06:32,945 So, you had the health service, you had transport, 1234 01:06:32,945 --> 01:06:36,470 you had communications, you had the finance system, 1235 01:06:36,470 --> 01:06:37,906 and you had governance 1236 01:06:37,906 --> 01:06:42,824 all with one tiny piece of crappy malware, WannaCry. 1237 01:06:42,824 --> 01:06:44,130 ERIC: In other attacks, 1238 01:06:44,130 --> 01:06:46,002 they have to send you a spear-phishing email, 1239 01:06:46,002 --> 01:06:48,047 trick you into double-clicking on an attachment. 1240 01:06:48,047 --> 01:06:50,180 In this case, your computer just had to be on, 1241 01:06:50,180 --> 01:06:51,485 connected to the internet, 1242 01:06:51,485 --> 01:06:54,053 and it would have got infected by WannaCry. 1243 01:06:54,053 --> 01:06:57,274 MISHA: It succeeded because the crappy malware 1244 01:06:57,274 --> 01:07:00,407 was being infiltrated into the systems 1245 01:07:00,407 --> 01:07:03,193 on the back of a much more powerful tool 1246 01:07:03,193 --> 01:07:04,803 called EternalBlue, 1247 01:07:04,803 --> 01:07:08,459 which had been developed by the National Security Agency 1248 01:07:08,459 --> 01:07:10,417 in the United States. 
1249 01:07:10,417 --> 01:07:12,637 The thing the NSA never wanted to talk about 1250 01:07:12,637 --> 01:07:15,640 was the fact that it was travelling on a digital missile 1251 01:07:15,640 --> 01:07:19,426 that had been built at its own intelligence agency. 1252 01:07:19,426 --> 01:07:22,560 They repurposed something created by the US government, 1253 01:07:22,560 --> 01:07:24,170 leaked by the Russian government, 1254 01:07:24,170 --> 01:07:26,825 put it into their ransomware that allowed it to spread 1255 01:07:26,825 --> 01:07:30,742 all over the world, any computer on at that time. 1256 01:07:30,742 --> 01:07:34,006 MISHA: So one crappy piece of malware 1257 01:07:34,006 --> 01:07:36,878 can hit every single aspect 1258 01:07:36,878 --> 01:07:39,142 of the critical national infrastructure 1259 01:07:39,142 --> 01:07:42,971 within the space of about ten days 1260 01:07:42,971 --> 01:07:44,886 in different countries. 1261 01:07:57,508 --> 01:08:00,728 Eventually, there's a court case after about a month. 1262 01:08:00,728 --> 01:08:03,601 There's a court case in Manila. 1263 01:08:03,601 --> 01:08:06,908 Ultimately, the bank manager didn't want anyone to find out. 1264 01:08:06,908 --> 01:08:08,388 But when he finally got in touch 1265 01:08:08,388 --> 01:08:10,825 with the Bank of the Philippines, they said, 1266 01:08:10,825 --> 01:08:12,827 "If you need this money returned, 1267 01:08:12,827 --> 01:08:15,700 you need to get a court order." So he files a court order, 1268 01:08:15,700 --> 01:08:18,006 but court orders are public in the Philippines, 1269 01:08:18,006 --> 01:08:19,573 like in many other countries. 1270 01:08:19,573 --> 01:08:22,576 A reporter spots it and realised that this has happened, 1271 01:08:22,576 --> 01:08:25,101 publishes it in a newspaper, and it all comes out. 
1272 01:08:25,101 --> 01:08:28,016 REPORTER: The $81 million money-laundering scandal 1273 01:08:28,016 --> 01:08:31,672 is now considered one of the biggest bank heists in Asia. 1274 01:08:31,672 --> 01:08:33,805 But how exactly did thieves steal 1275 01:08:33,805 --> 01:08:35,981 such a huge amount of money? 1276 01:08:35,981 --> 01:08:37,461 Not just known in the Philippines 1277 01:08:37,461 --> 01:08:38,679 and the Bank of Bangladesh, 1278 01:08:38,679 --> 01:08:40,377 when the Bangladesh government finds out 1279 01:08:40,377 --> 01:08:42,901 the bank manager has been doing this behind the scenes, 1280 01:08:42,901 --> 01:08:44,337 but the whole world finds out. 1281 01:08:44,337 --> 01:08:46,774 And ultimately, the Bangladesh Bank 1282 01:08:46,774 --> 01:08:48,863 needs to get assistance from the FBI. 1283 01:08:48,863 --> 01:08:52,171 The New York Fed is involved. The United States is involved. 1284 01:08:52,171 --> 01:08:54,304 This becomes a whole worldwide issue 1285 01:08:54,304 --> 01:08:57,220 and begins to ripple across the financial industry 1286 01:08:57,220 --> 01:08:58,743 that this was even possible. 1287 01:08:58,743 --> 01:09:00,527 Experts believe that hackers 1288 01:09:00,527 --> 01:09:04,183 were able to break into the New York Federal Reserve's 1289 01:09:04,183 --> 01:09:06,403 special account for Bangladesh, 1290 01:09:06,403 --> 01:09:09,754 getting away with $81 million. 1291 01:09:09,754 --> 01:09:13,236 Now, Bangladesh's Central Bank governor, Atiur Rahman, 1292 01:09:13,236 --> 01:09:16,935 has resigned after hackers stole tens of millions of dollars 1293 01:09:16,935 --> 01:09:19,198 from the nation's foreign reserves. 1294 01:09:19,198 --> 01:09:23,159 The bank was criticised for its handling of the breach... 1295 01:09:23,159 --> 01:09:26,162 RAKESH: The governor was an excellent central banker. 1296 01:09:26,162 --> 01:09:27,902 I have a lot of respect for him. 
1297 01:09:27,902 --> 01:09:32,298 He was deemed one of the top bankers by the Asia MoneyWeek. 1298 01:09:32,298 --> 01:09:34,126 And poor fellow, that time, 1299 01:09:34,126 --> 01:09:36,737 he was faced with this sort of scenario 1300 01:09:36,737 --> 01:09:39,827 which he honestly didn't understand. 1301 01:09:39,827 --> 01:09:42,787 JOSHUA: He had really pushed the financial system 1302 01:09:42,787 --> 01:09:45,529 in Bangladesh into the 21st century. 1303 01:09:45,529 --> 01:09:48,575 He had to essentially fall on his sword and resign 1304 01:09:48,575 --> 01:09:51,404 in disgrace, and his career was ruined. 1305 01:09:51,404 --> 01:09:54,190 Many others at the bank had to resign as well. 1306 01:09:54,190 --> 01:09:57,758 An emotional Maia Deguito, the manager of the RCBC branch 1307 01:09:57,758 --> 01:10:01,153 in Jupiter Street in Makati, insists she is innocent 1308 01:10:01,153 --> 01:10:02,763 in the face of accusations 1309 01:10:02,763 --> 01:10:05,636 she is involved in the money-laundering scheme. 1310 01:10:05,636 --> 01:10:08,247 REPORTER: So far, only the branch manager 1311 01:10:08,247 --> 01:10:11,468 has been charged by the Anti-Money Laundering Council. 1312 01:10:11,468 --> 01:10:14,384 MISHA: One of the great injustices of this whole scandal 1313 01:10:14,384 --> 01:10:17,343 is that the only person who got convicted of anything 1314 01:10:17,343 --> 01:10:18,953 was Maia Deguito, 1315 01:10:18,953 --> 01:10:22,696 and she was just the mid-level branch manager of the RCBC, 1316 01:10:22,696 --> 01:10:26,874 the bank in the Philippines that received the actual funds. 1317 01:10:26,874 --> 01:10:28,180 Typical, isn't it? 1318 01:10:28,180 --> 01:10:30,965 A crime that was conceived and carried out 1319 01:10:30,965 --> 01:10:32,402 by a whole bunch of men, 1320 01:10:32,402 --> 01:10:35,535 and the only person who gets done for it is a woman 1321 01:10:35,535 --> 01:10:38,538 who probably wasn't that guilty in the first place. 
1322 01:10:38,538 --> 01:10:41,802 But she received a sentence of 56 years in jail 1323 01:10:41,802 --> 01:10:44,979 and a fine of $109 million, 1324 01:10:44,979 --> 01:10:49,506 which is significantly more than the thieves actually stole. 1325 01:10:50,985 --> 01:10:52,291 JOSHUA: To my mind, 1326 01:10:52,291 --> 01:10:54,424 there's no question that she was a scapegoat. 1327 01:10:54,424 --> 01:10:58,297 I mean, the currency traders who turned that $81 million 1328 01:10:58,297 --> 01:11:01,300 into pesos got off scot-free. 1329 01:11:01,300 --> 01:11:03,737 There are a couple of Chinese operators 1330 01:11:03,737 --> 01:11:06,566 who brought these gamblers in from China. 1331 01:11:06,566 --> 01:11:10,396 We know that they received tens of millions of dollars in cash. 1332 01:11:10,396 --> 01:11:15,314 They vanished back to Macau. No trace of them was ever found. 1333 01:11:15,314 --> 01:11:17,751 We can't say for sure, but certainly it looks like 1334 01:11:17,751 --> 01:11:20,798 people at the Rizal Bank headquarters 1335 01:11:20,798 --> 01:11:23,888 buried these requests to stop these transactions. 1336 01:11:23,888 --> 01:11:27,239 But nobody else at the Rizal Bank was ever accused. 1337 01:11:27,239 --> 01:11:31,199 Oddly enough, in this giant scheme that involved 1338 01:11:31,199 --> 01:11:34,986 a half a dozen countries, nearly $1 billion, 1339 01:11:34,986 --> 01:11:40,208 only one bank employee in a small branch in Manila 1340 01:11:40,208 --> 01:11:42,646 was ever convicted of doing anything wrong. 1341 01:11:42,646 --> 01:11:46,040 It's incredible. Total impunity. 1342 01:11:52,395 --> 01:11:54,788 I think the most important lesson 1343 01:11:54,788 --> 01:11:57,878 of the Bangladesh Bank 1344 01:11:57,878 --> 01:11:59,880 is a lesson of scale. 1345 01:11:59,880 --> 01:12:01,882 The internet is a fantastic thing. 1346 01:12:01,882 --> 01:12:04,320 It's made our world much, much smaller. 
1347 01:12:04,320 --> 01:12:07,061 You can do all sorts of things. It's fantastic. 1348 01:12:07,061 --> 01:12:08,933 But that interconnectivity, 1349 01:12:08,933 --> 01:12:11,805 where everything is linked to everything else, 1350 01:12:11,805 --> 01:12:15,418 means that if you get bad actors in that system, 1351 01:12:15,418 --> 01:12:17,245 then the damage 1352 01:12:17,245 --> 01:12:22,076 is infinitely more immense than it was before. 1353 01:12:23,687 --> 01:12:25,993 When I started this job two decades ago, 1354 01:12:25,993 --> 01:12:29,083 you had to explain to people, what is a virus? 1355 01:12:29,083 --> 01:12:31,042 What is a cyber-attack? 1356 01:12:31,042 --> 01:12:33,392 Today, we don't talk about 1357 01:12:33,392 --> 01:12:36,439 making sure this file doesn't get deleted any more. 1358 01:12:36,439 --> 01:12:40,573 We literally talk about making sure the supply chain is up, 1359 01:12:40,573 --> 01:12:42,619 food can reach people's tables. 1360 01:12:42,619 --> 01:12:45,665 Our job is not just to protect people's computers. 1361 01:12:45,665 --> 01:12:49,060 Our job is to ensure society is up and running. 1362 01:12:49,060 --> 01:12:52,063 MISHA: Everything that we use now, 1363 01:12:52,063 --> 01:12:53,978 water, electricity, 1364 01:12:53,978 --> 01:12:56,937 the financial system, the comms system, 1365 01:12:56,937 --> 01:12:58,548 depends on the integrity 1366 01:12:58,548 --> 01:13:03,683 of unbelievably complex networked computer systems. 1367 01:13:03,683 --> 01:13:07,992 And our dependence is becoming such 1368 01:13:07,992 --> 01:13:10,386 that, should anything go wrong, 1369 01:13:10,386 --> 01:13:13,171 be it a technical hitch or be it a hack, 1370 01:13:13,171 --> 01:13:17,131 it can actually lead to our lives grinding to a halt 1371 01:13:17,131 --> 01:13:19,525 in a very short space of time. 
1372 01:13:20,483 --> 01:13:22,136 NICOLE: We're sort of in a state 1373 01:13:22,136 --> 01:13:24,617 where we're increasing our vulnerability 1374 01:13:24,617 --> 01:13:27,359 and our attack surface every single day. 1375 01:13:27,359 --> 01:13:29,796 And instead of pausing 1376 01:13:29,796 --> 01:13:32,799 and thinking about how to lock up our power grid, 1377 01:13:32,799 --> 01:13:37,848 really, where our energy has been focused is on escalation. 1378 01:13:37,848 --> 01:13:41,373 Countries like the United States, China and Russia 1379 01:13:41,373 --> 01:13:44,550 have already arrogated the right to themselves 1380 01:13:44,550 --> 01:13:47,335 to attack with full force, 1381 01:13:47,335 --> 01:13:50,034 whether cyber or conventional weapons, 1382 01:13:50,034 --> 01:13:51,905 against anyone who brings down 1383 01:13:51,905 --> 01:13:56,519 a serious piece of critical national infrastructure. 1384 01:13:56,519 --> 01:14:01,480 ERIC: We've had Stuxnet blowing up the Natanz centrifuge plant. 1385 01:14:01,480 --> 01:14:04,962 We've had ransomware attacks, which hit the Eastern Seaboard. 1386 01:14:04,962 --> 01:14:07,007 There was no gas to the Eastern Seaboard 1387 01:14:07,007 --> 01:14:09,619 for a whole week in the United States. 1388 01:14:09,619 --> 01:14:11,751 We had Russia against the Ukraine, 1389 01:14:11,751 --> 01:14:14,537 shutting out the power in the middle of winter. 1390 01:14:14,537 --> 01:14:17,453 We're talking about people losing their lives. 1391 01:14:17,453 --> 01:14:19,019 We've also had cyber-attacks 1392 01:14:19,019 --> 01:14:21,413 that potentially affected US elections. 1393 01:14:21,413 --> 01:14:23,763 We had the healthcare in the UK brought down, 1394 01:14:23,763 --> 01:14:25,939 dialysis machines no longer working. 
1395 01:14:25,939 --> 01:14:29,421 MISHA: This is an extremely fragile situation, 1396 01:14:29,421 --> 01:14:33,599 much more fragile than the period of détente, 1397 01:14:33,599 --> 01:14:37,255 because so many more countries have these weapons. 1398 01:14:37,255 --> 01:14:41,389 Malware is much more difficult to control than nuclear weapons. 1399 01:14:41,389 --> 01:14:44,871 NICOLE: People always warn me of the cyber Pearl Harbor 1400 01:14:44,871 --> 01:14:47,091 or the cyber 9/11, 1401 01:14:47,091 --> 01:14:49,746 but it's almost worse than that. 1402 01:14:49,746 --> 01:14:53,619 Every day, there are thousands of cyber-attacks, 1403 01:14:53,619 --> 01:14:58,232 and we're just getting more and more and more inured to them. 1404 01:14:59,016 --> 01:15:00,887 It's like a plague. 1405 01:15:00,887 --> 01:15:05,152 MIKKO: I think we'll see much more hostile cyber activity, 1406 01:15:05,152 --> 01:15:07,851 much more cyber bank robberies, 1407 01:15:07,851 --> 01:15:09,983 much more cyber espionage. 1408 01:15:09,983 --> 01:15:13,030 We'll see much more cyber war. 1409 01:15:13,030 --> 01:15:15,815 In many ways, I think we've seen nothing yet. 1410 01:15:15,815 --> 01:15:19,253 MISHA: As attacks increase in their sophistication 1411 01:15:19,253 --> 01:15:21,386 and their range, 1412 01:15:21,386 --> 01:15:25,346 then the impact can be ever greater. 1413 01:15:25,346 --> 01:15:29,873 There is a cyber-attack on critical national infrastructure 1414 01:15:29,873 --> 01:15:31,744 coming to a place near you 1415 01:15:31,744 --> 01:15:35,269 within the next five to ten years. 1416 01:15:35,269 --> 01:15:38,708 If it's done well, and if it's really malicious, 1417 01:15:38,708 --> 01:15:41,232 that could be catastrophic. 1418 01:15:43,016 --> 01:15:47,586 What's amazing about the Bank of Bangladesh heist is... 1419 01:15:47,586 --> 01:15:51,285 they almost walked away with $1 billion.
1420 01:15:54,071 --> 01:15:56,203 The mistakes that they made 1421 01:15:56,203 --> 01:15:59,990 that led to them only walking with $81 million 1422 01:15:59,990 --> 01:16:02,862 were literally a typo in a name 1423 01:16:02,862 --> 01:16:05,082 and potentially not being patient enough, 1424 01:16:05,082 --> 01:16:06,562 waiting just one more hour. 1425 01:16:06,562 --> 01:16:09,913 We could be telling a completely different story. 1426 01:16:09,913 --> 01:16:11,828 JOSHUA: Presumably, these guys 1427 01:16:11,828 --> 01:16:15,309 kept perhaps 95 percent of that cash. 1428 01:16:15,309 --> 01:16:16,528 You could walk out 1429 01:16:16,528 --> 01:16:18,399 with 95 percent of what you came in with, 1430 01:16:18,399 --> 01:16:21,838 have nobody trace that money, no record of it whatsoever, 1431 01:16:21,838 --> 01:16:26,233 and get on a plane with it, and you're home free. 1432 01:16:26,233 --> 01:16:30,760 MISHA: Even if you had invested a year's work, 1433 01:16:30,760 --> 01:16:35,460 that you had recruited a really decent set of hackers, 1434 01:16:35,460 --> 01:16:39,899 that you had corrupted bank officials, 1435 01:16:39,899 --> 01:16:43,947 you'll be looking at a profit of about $75 million. 1436 01:16:43,947 --> 01:16:47,037 For a year's work, not a bad pay-off. 1437 01:16:49,126 --> 01:16:52,999 The Bank of Bangladesh heist showed them what was possible. 1438 01:16:54,392 --> 01:16:56,742 They proved that they could do it. 1439 01:17:01,617 --> 01:17:03,662 After that attack, it didn't stop. 1440 01:17:03,662 --> 01:17:07,840 We saw continued attacks on various banks across Asia, 1441 01:17:07,840 --> 01:17:10,451 I think in the Philippines again. 1442 01:17:10,451 --> 01:17:14,673 And also, they started hacking the cryptocurrency exchanges, 1443 01:17:14,673 --> 01:17:18,546 where people store their Bitcoin and Monero digital currency, 1444 01:17:18,546 --> 01:17:21,724 which has proved to be incredibly lucrative for them. 
1445 01:17:23,726 --> 01:17:25,684 MISHA: In 2017, Lazarus was thought 1446 01:17:25,684 --> 01:17:27,338 to have successfully attacked 1447 01:17:27,338 --> 01:17:31,995 at least five Asian cryptocurrency exchanges. 1448 01:17:31,995 --> 01:17:37,827 That's a total of $571 million that was lost. 1449 01:17:37,827 --> 01:17:41,134 Cryptocurrency exchanges just have the bare minimum 1450 01:17:41,134 --> 01:17:43,659 of security, we're learning now. 1451 01:17:43,659 --> 01:17:46,923 MISHA: In 2020, as the global pandemic spiralled, 1452 01:17:46,923 --> 01:17:50,143 AstraZeneca, makers of one of the key vaccines, 1453 01:17:50,143 --> 01:17:53,538 was hit by an attack, extorting the company 1454 01:17:53,538 --> 01:17:56,846 and stealing sensitive information for profit. 1455 01:17:58,064 --> 01:18:00,632 The sums involved are astronomical, 1456 01:18:00,632 --> 01:18:03,940 and Lazarus is still very much at large. 1457 01:18:06,246 --> 01:18:11,774 They have been designated by the United States an APT; 1458 01:18:11,774 --> 01:18:13,863 that's an advanced persistent threat. 1459 01:18:13,863 --> 01:18:16,692 Now, the fundamental criteria 1460 01:18:16,692 --> 01:18:20,478 is that they represent a threat 1461 01:18:20,478 --> 01:18:24,612 to US national security and national infrastructure. 1462 01:18:24,612 --> 01:18:28,486 So, just by dint of it being called an APT 1463 01:18:28,486 --> 01:18:33,404 means that the Lazarus Group is serious stuff. 1464 01:18:33,404 --> 01:18:35,623 JOSHUA: Marvel fans, think HYDRA. 1465 01:18:35,623 --> 01:18:38,801 James Bond films, think of SPECTRE. 1466 01:18:38,801 --> 01:18:40,237 It's something like that. 1467 01:18:43,762 --> 01:18:47,635 MISHA: Now, it's tempting to think this comparison is absurd, 1468 01:18:47,635 --> 01:18:51,074 but this is the scale that Lazarus operates on. 1469 01:18:51,074 --> 01:18:54,294 Arguably, they're the most potent cyber criminals 1470 01:18:54,294 --> 01:18:56,427 in business today. 
1471 01:18:56,427 --> 01:19:00,300 So the nation state's involvement in cybercrime 1472 01:19:00,300 --> 01:19:02,955 means that cybercrime has actually morphed 1473 01:19:02,955 --> 01:19:05,653 into cyber warfare. 1474 01:19:05,653 --> 01:19:08,613 NICOLE: You can have zero trust in these systems. 1475 01:19:08,613 --> 01:19:12,095 You need to assume that everything has been broken, 1476 01:19:12,095 --> 01:19:14,010 everything is being listened to, 1477 01:19:14,010 --> 01:19:17,274 that everything can be captured, and operate accordingly. 1478 01:19:19,580 --> 01:19:22,453 MISHA: If a small group can plan something 1479 01:19:22,453 --> 01:19:25,499 and get away with $81 million, 1480 01:19:25,499 --> 01:19:27,937 which involved the Fed in New York, 1481 01:19:27,937 --> 01:19:29,765 SWIFT in Brussels, 1482 01:19:29,765 --> 01:19:32,550 the Bangladeshi Bank in Dhaka, 1483 01:19:32,550 --> 01:19:36,032 and then all the peripherals in Manila, 1484 01:19:36,032 --> 01:19:40,427 just think about what one of the really professional operations 1485 01:19:40,427 --> 01:19:42,560 in China, Russia, 1486 01:19:42,560 --> 01:19:44,518 the NSA, GCHQ, 1487 01:19:44,518 --> 01:19:48,871 just think what havoc they could wreak. 1488 01:19:48,871 --> 01:19:52,613 And every year, the hacks get bigger, the damage greater, 1489 01:19:52,613 --> 01:19:54,702 the implications graver. 1490 01:19:56,139 --> 01:20:00,447 Armies literally have hackers hammering at the gates. 1491 01:20:00,447 --> 01:20:02,710 And it just takes a simple breach, 1492 01:20:02,710 --> 01:20:05,583 one person, one weak link, 1493 01:20:05,583 --> 01:20:08,238 and those armies will storm the defences 1494 01:20:08,238 --> 01:20:12,851 and bring down a network that our way of life depends on. 1495 01:20:12,851 --> 01:20:15,593 It happened in Bangladesh in 2016. 1496 01:20:15,593 --> 01:20:21,033 And believe you me, it's going to happen again very soon. 
1497 01:20:24,515 --> 01:20:25,777 [CLICK] 1498 01:21:14,957 --> 01:21:17,916 Subtitles: Iyuno 114133
