You are listening to: The Evidence Locker.
Thank you for choosing our independent podcast. Our sponsors make it possible for us to keep bringing you new episodes – please support them as they have some great deals, just for you, our listeners. If you prefer to listen to ad-free content, simply find us on Patreon, where plans start from as little as $2 a month. 25% of these proceeds are donated to The Doe Network – working to bring closure to international cold cases. For more information, follow the link in the show notes.
Our cases deal with true crimes and real people. Some parts are graphic in nature and listener discretion is advised. Each episode is produced with the utmost respect to the victims, their families and loved ones.
In February 2016, the Lazarus Group attempted to steal one billion Dollars from the central bank of Bangladesh. The heist was meticulously planned and involved both computer hackers behind their monitors and people on the ground. It spanned multiple countries, making use of different time zones, and leveraging public holidays and loopholes in country specific laws.
This is the story about North Korea’s Lazarus Group: how a country robbed a bank, and how, if it wasn’t for a spelling mistake and a street name in Manila, they may just have gotten away with one billion Dollars. What they did get away with makes this the largest bank heist in history. What they could have gotten away with makes it the most audacious bank heist in history.
The Bangladesh central bank looks like any typical grey government building and stands amid the hustle and bustle in the middle of the city of Dhaka, on the edge of a large traffic circle, overlooking the statue of the national emblem of Bangladesh, the water lily. The building is surrounded by palm trees with a stately looking sign containing the words ‘Bangladesh Bank’ adorning the entrance to the government owned bank.
A small room, with access restricted to only a few high-level staff, sits on the 10th floor of the building. Inside this room are computers loaded with SWIFT software, which stands for the Society for Worldwide Interbank Financial Telecommunication. It is responsible for transactions worldwide, acting as a secure message service between banks – the messages contain specific payment instructions. In 2015, SWIFT linked more than 11,000 financial institutions in over 200 countries and territories. It exchanges an average of over 32 million messages each day, which in turn accounts for about half of all high value cross-border payments.
Inside the small room on the 10th floor of the Bangladesh central bank, computers send and receive these secure SWIFT messages, and are responsible for transferring money in and out of Bangladesh. Each SWIFT message is printed out on a printer located inside the room – giving the bank a hardcopy backup of all SWIFT messages sent and received by all banks in the country.
In Bangladesh, weekends fall on a Friday and Saturday, with Sunday being a normal workday, the start of the new week. So, 8:45am on Friday February 5 2016 was not considered ‘normal’ business hours. The manager on duty noticed that the printer wasn’t working but didn’t think much of it. It wasn’t the first time the printer had given up the ghost and it would probably not be the last, he thought. So, he carried on, rushing through his tasks for the day, so he could leave in time to attend Friday prayers.
When he returned to the office the next morning – working the weekend shift – the printer on the 10th floor was still out of order. He knew he had to resolve the issue before the work week commenced and received authorisation to reboot the computer. As soon as the reboot was done, the printer started up again and began spitting out all the SWIFT messages from the day before that had been piling up in the printer spool. Amongst the messages were urgent requests from the New York Federal Reserve Bank, asking for clarification.
The Bangladesh central bank, like most nation’s central banks, maintains a foreign currency account with the Federal Reserve to facilitate international transfers and payments. The first urgent requests for clarification had been sent on the Friday morning (Bangladesh time) when the printer wasn’t working. The requests were for the Bangladesh Bank to confirm an unusual number of large payment instructions received by the Federal Reserve, enough to completely empty the Bangladesh foreign bank account of its entire balance, which totalled one billion Dollars.
Staff at Bangladesh Bank were initially confused by the messages landing in the printer tray that Saturday morning, as the printer continued printing the backlog of pages from the day before. They weren’t too worried though, as they knew they hadn’t sent the payment messages, without which, transactions could not be processed. Staff members assumed that it was an error on the Federal Reserve’s side. They tried contacting the Federal Reserve, but by this time, it was the weekend in New York and nobody was answering their calls, emails or faxes.
Their hands were tied, and all staff at Bangladesh Bank could do was to wait for the Federal Reserve to open for business on Monday morning (New York time). What they didn’t realise, was that they had been hacked – and the consequences would be catastrophic.
35 instructions had been sent by the Bangladesh Bank via the international SWIFT network to the New York Federal Reserve, to transfer a total of one billion dollars to nominated bank accounts in Sri Lanka and the Philippines.
The issue was raised with the governor of the Bangladesh central bank who also believed the transfers were erroneous. However, it was evident that the money had been transferred out of their foreign bank account at the Federal Reserve. Mistakes occur from time to time, and payments could be reversed, so the governor remained calm and instructed the bank to investigate further.
When the Bangladesh Bank finally managed to discuss the issue with the New York Federal Reserve Bank, they realised that something had gone terribly wrong. There had been no error, it was all legit – the transactions had been initiated from inside the small room on the 10th floor of the Bangladesh central bank in Dhaka.
The news spread through the bank like wildfire, and a wave of shock, disbelief and chaos followed. Suspicion immediately turned to the staff at the bank, on the belief that it was an inside job by someone with access to the small room. There was only one room from which the fraudulent SWIFT messages could have been sent. And so the hunt began: security tapes were reviewed to narrow down the suspects who had accessed the secured room on the 10th floor – but not one single person had entered or exited the room during the eight-hour window in which the 35 SWIFT messages were sent.
Fearing that they had been hacked, focus quickly turned to the computers in the small room. With help from external cyber experts, evidence that the computer system containing the SWIFT software had been hacked came to light: on January 29, 2015, several employees of the Bangladesh central bank received an email containing a resume from a graduate enquiring about working for the Bangladesh Bank. The wording in the email was sincere and the email itself looked legitimate. It contained a link to the sender’s resume – a link which contained malware.
Hackers often hack into systems hoping to steal data or cause reputational damage. But in this case, hacking the Bangladesh central bank was for no other reason than to steal money, and lots of it: one billion Dollars to be exact. All it took was for one person, curious about the sender’s resume, to click on the link and the hackers were in. They managed to gain access to the bank’s computer network and retrieve the bank’s credentials for the SWIFT payment system. They then observed how SWIFT transfers were made and proceeded to wait for the right time to set their plan into motion.
The hackers knew that Bangladesh’s central bank had a printer that recorded a physical copy for each transaction, recording each SWIFT message sent. The SWIFT software would print each transaction to the printer automatically. Therefore, disabling the printer was an essential part of their plan.
And, of course, timing was everything… The hackers waited until after close of business on Thursday 4 February 2016, just before the Bangladeshi weekend. Between 8pm that evening and 4am the next morning, all 35 transfer requests were sent to the Federal Reserve Bank in New York, where the local time was Thursday morning. This was extremely clever on the part of the hackers, as it gave the Federal Reserve two days to process the payments, Thursday and Friday, before their weekend. And while these transfers were being processed, it was the weekend in Bangladesh, and their printer was not printing out any proof of the requests, or SWIFT transfer messages.
By the time the printer was back online, and staff at the Bangladesh Bank finally saw the messages for urgent clarification coming through, it was already the weekend in New York. The time difference between New York and Bangladesh, along with the misaligned weekends, resulted in three days passing before the transfers were discovered. This time lapse was crucial to the hackers’ plan, and it was certainly no coincidence. The more time that elapsed between the transactions being processed and the fraud being detected, the less likely the various banks were to be able to reverse the transactions, and the more likely the hackers were to succeed with their theft.
The recipient accounts for the transfers were in both Sri Lanka and the Philippines. Showing yet again the extent of the hackers’ meticulous planning, Monday, 8 February 2016 was the first day of the Lunar New Year, a major public holiday in the Philippines. The Bangladesh Bank wouldn’t be able to contact the recipient bank in the Philippines before the Tuesday.
The five days between the transfers to the Philippines being initiated and the Bangladesh Bank contacting them to reverse the payment was too long; the Bangladesh Bank needed a court order to try and get their money back. This legal action also meant that the heist became public and began appearing as front-page news around the world. The question on everyone’s mind was: How did this happen?
Investigators set out to follow the money trail and learnt that one of the transfers was made to the account of a charity based in Sri Lanka. Shalika Perera was the principal of the Shalika Foundation in Colombo, a newly established charity which planned to build houses and provide social services for the impoverished community. She had been speaking to a Japanese middleman about a potential donation of 20 million dollars. The man told Shalika that, as their fee, he and his associates would receive 85% of the investment and the Shalika Foundation would only get 15%. No doubt, this 85% was intended for the hackers. For Shalika, this was better than nothing, and she opened an account at the Colombo branch of the Pan Asia Bank to receive the funds. 20 million dollars is a lot of money, especially in Sri Lanka, and Shalika notified the bank that she was expecting the large deposit.
Once the money was transferred, a bank clerk noticed that a word in the recipient’s name was misspelt. The hackers had made a basic spelling mistake with the word Foundation – leaving out the letter “O” and spelling it as ‘Fundation’. When the Pan Asia Bank investigated who had authorised the transfer, they realised that the funds hadn’t originated from Japan, but instead from Bangladesh. When they reached out to the Bangladesh Bank, they were requested NOT to release the funds, and they managed to retrieve the entire amount of 20 million dollars.
Investigating the scheme further, investigators found that the remainder of the funds in the Bangladesh Bank’s account, 931 million dollars, were sent to four separate bank accounts in The Philippines. All of the accounts had been opened at the Rizal Commercial Banking Corporation, or RCBC, Manila. Luckily for the Bangladesh Bank, and not so lucky for the cyber-hackers, 30 of the SWIFT transfers contained the bank branch’s address, which was on Jupiter Street. But “Jupiter Seaways Shipping” was also the name of a sanctioned Iranian company, and the SWIFT system automatically placed a hold on the payments, flagging them for manual release by staff at the Federal Reserve. A banking official noticed something untoward with the 30 payments and stopped them. But the automated system had already allowed five transactions worth 101 million dollars to go through. 20 Million was intended for the account we mentioned, in Sri Lanka; and the remaining 81 Million to four separate accounts in the Philippines.
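The hold described above was a name-screening match: the free-text address “Jupiter Street” shared a word with a sanctioned entity, and the filter stopped 30 instructions while 5 that lacked the address went through. The following is an added example, not code from the podcast and not SWIFT’s or the Federal Reserve’s actual screening logic; the sanctions list, the stopword list, the message fields and the sample instructions are all constructed for illustration. It shows how a token-based screen produces that kind of hit, and how a stricter policy (requiring two distinctive tokens) would have released the same message.

```python
import re

# Constructed sanctions list for this example; the page names this one entity.
SANCTIONED_NAMES = ["JUPITER SEAWAYS SHIPPING"]

# Generic words ignored when matching, so "SHIPPING" alone does not flag
# every shipping company in the world (constructed list).
STOPWORDS = {"SHIPPING", "COMPANY", "CO", "LTD", "INC", "BANK", "THE", "OF"}


def tokens(text):
    """Upper-case alphanumeric tokens of a free-text field."""
    return set(re.findall(r"[A-Z0-9]+", text.upper()))


def screen_message(msg, min_hits=1):
    """Screen one payment instruction against SANCTIONED_NAMES.

    msg is a dict of the free-text fields a screening filter would read
    (field names are assumptions for this example). Returns ("hold", hits)
    when a sanctioned name shares at least min_hits distinctive tokens with
    those fields, otherwise ("release", []).
    """
    fields = " ".join(
        msg.get(k, "")
        for k in ("beneficiary_name", "beneficiary_address", "beneficiary_bank")
    )
    msg_tokens = tokens(fields)
    hits = []
    for name in SANCTIONED_NAMES:
        overlap = (tokens(name) - STOPWORDS) & msg_tokens
        if len(overlap) >= min_hits:
            hits.append((name, sorted(overlap)))
    return ("hold" if hits else "release"), hits


def screen_batch(messages, min_hits=1):
    """Count how many instructions in a batch would be held or released."""
    counts = {"hold": 0, "release": 0}
    for m in messages:
        decision, _ = screen_message(m, min_hits)
        counts[decision] += 1
    return counts


# Constructed sample instructions (not the real SWIFT messages).
WITH_ADDRESS = {
    "beneficiary_name": "EXAMPLE ACCOUNT HOLDER",
    "beneficiary_bank": "RCBC",
    "beneficiary_address": "Jupiter Street, Makati, Manila",
}
WITHOUT_ADDRESS = {
    "beneficiary_name": "EXAMPLE ACCOUNT HOLDER",
    "beneficiary_bank": "RCBC",
}

if __name__ == "__main__":
    # The address shares "JUPITER" with the sanctioned name: held for review.
    print(screen_message(WITH_ADDRESS))  # ('hold', [('JUPITER SEAWAYS SHIPPING', ['JUPITER'])])
    # No address field, nothing to match: released automatically.
    print(screen_message(WITHOUT_ADDRESS))  # ('release', [])
    # A stricter two-token policy would have let the same message through.
    print(screen_message(WITH_ADDRESS, min_hits=2))  # ('release', [])
    print(screen_batch([WITH_ADDRESS] * 30 + [WITHOUT_ADDRESS] * 5))  # {'hold': 30, 'release': 5}
```

The point for a defender is the trade-off the two policies expose: a single-token match is noisy and will hold legitimate payments, but in this case that noise was the only control that fired; a match threshold tuned to cut false positives would have released every instruction.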
The receiving bank accounts were later found to have been opened with $500 in each, using fake identity documents as early as May 2015, nine months prior to the cyber-attack.
The hackers didn’t just choose the Philippines by chance – it was also meticulously planned. As we’ve mentioned before, Monday the 8th of February 2016 was the Chinese New Year, and that day was a public holiday in the Philippines. Bangladesh Bank sent a message to the RCBC to stop the payment and return the funds, but the message was only received the following day. The Governor of Bangladesh Bank also officially requested the Philippines central bank, ‘Bangko Sentral ng Pilipinas’, for their assistance in the recovery of the fraudulent transfers to RCBC. But, by this time, the funds had already been processed by RCBC’s Jupiter Street branch.
But the question remained: where had the money gone? A cyber bank heist requires computer hackers sitting behind computers, staring at code on monitors, but it also needs people in the physical world. Transferring the millions of dollars to bank accounts in The Philippines was only the beginning. The next step was to launder the money, and this is when the members on the ground came in.
Why the hackers chose the Philippines as the place to launder the money soon became apparent… Although Philippine financial institutions had to abide by Anti-Money Laundering legislation, at the time of the heist, casinos didn’t.
The money received by the little bank on Jupiter Street was laundered by pushing it through casinos for the next phase of the heist. To be considered ‘clean’ money, the stolen cash had to be gambled. Casinos had a two-chip system: one set of chips was money ‘to be gambled’ and another was winnings from the gamble. Only the ‘winning chips’ could be cashed out, giving the gamblers new, clean, or ‘laundered’ money. To illustrate a simplified laundering technique, two members of a laundering team sit around the roulette table; one would bet on black and the other on red – therefore one would lose and one would win, so the net effect was zero. But what came out the other side was clean. The player who won took home legitimate money – laundered money.
In the days following the money transfers, several unremarkable, Chinese speaking men entered the VIP area of casino Solaire in Manila. Casino staff noticed that there was something different about these men. To gain access to the VIP room in Solaire, players were required to deposit a few hundred thousand dollars with the casino. Staff were used to demanding, cash-flaunting gamblers who loved showing off their money. But the group of men who entered the VIP area did not exude wealth, even though they were betting with such enormous amounts.
This group of men followed the same strict routine: they would come down from their rooms, entering the VIP room at 8:00am, and gamble until lunch time. They’d then stop for lunch and continue on until 11:30 in the evening. This became their daily routine, as if they were reporting for work. Each evening, they would take their chips back to their hotel rooms, rather than cashing them in. But even stranger, the staff at the casino noted that they didn’t seem to be enjoying themselves in the same way gamblers usually do, especially when they won. Conversely, they didn’t show the usual emotion of disappointment when they lost.
This makes sense when you realise that these men weren’t gambling their own money, but rather the money stolen from the Bangladesh central bank. They were meticulously laundering the money so that it couldn’t be traced.
The same Chinese national who helped open the accounts left the Philippines for China in a private plane, with 30 million dollars in cash. The remaining funds were transferred to various accounts set up at the two casinos. Of the 51 million dollars left, 31 ended up being laundered through the casino Solaire and 20 through the Midas casino.
It would later be claimed that the RCBC branch manager received death threats and was instructed to ignore the large transfers. Suspicion around the branch manager’s involvement was also later raised when it was realised that the bank’s CCTV at the RCBC branch in Jupiter Street was disabled around the time of the heist. The bank manager had always denied any involvement, but she was accused of assisting in laundering the eventual 81 million dollars taken in the heist, sentenced to 56 years in prison and fined 109 million. Many legal experts say that this was done on purpose, to make the bank look like the victim of a rogue employee.
The Philippines National Bureau of Investigation launched an investigation into the Chinese-Filipino businessman and the other four individuals who opened the bank accounts and the RCBC was fined by the Central Bank of the Philippines due to its Anti-Money Laundering shortcomings.
Be that as it may, this heist was not the work of one solo, rogue bank manager and one client. The crime was so audacious, that initially no one believed hackers were involved. It took several weeks to convince the various role-players, such as the Federal Reserve and SWIFT, that it was indeed a group of hackers who had initiated the 35 transactions.
The governor of Bangladesh Bank engaged a US-based cyber security firm, World Informatix Cyber Security, to investigate and lead the security incident response. Cyber security experts quickly found traces of malware and other evidence that the bank’s system had been compromised.
The Bangladesh Bank immediately launched an internal investigation which found that the malware had been installed on the bank’s computer system a month prior when a staff member clicked on the resume link of a prospective employee. From this point, the hackers had access and started gathering information about the operational procedures around international payments and fund transfers.
In the Philippines, a senate committee hearing was held, during which the casino operator at Midas Hotel and Casino testified. If you recall, Kim Wong was the one who returned 16 million dollars, which the men had attempted to launder at his casino. Wong was able to provide names, specifically: Gao and Ding. These were the main men on the ground, working as a vital part of the hackers’ scheme. Their job was to launder the cash in the Philippines. Gao was a prominent figure in illegal casinos throughout China. Gao and Ding managed to leave the Philippines with the laundered money and ended up in Macau, the casino capital of China.
There is no legal recourse for collecting gambling debt in Macau, making Macau a Mecca for organised crime. It is the biggest casino market in the world, five times larger than the Vegas strip. Macau’s underground crime is well known with Triad gangsters being very active in the city. Nobody knows what happened to the money once it touched down in China. Gao and Ding ended up being arrested, but it isn’t clear why.
In the wake of the heist, US based banks also grew concerned, worrying that their systems were vulnerable to attack from faceless hackers. Cyber security companies concluded that the attacker’s familiarity with the operations and procedures of the Bangladesh Bank was gained by spying on its employees in the time leading up to the heist.
Although no one was physically harmed, this was not a victimless crime. The president of the Philippine RCBC bank, Lorenzo V. Tan, was cleared of any wrongdoing but nevertheless resigned to ‘take full moral responsibility’ for the incident. The Bangladesh bank chief, governor Atiur Rahman, resigned from his post, stating that he was doing so for the sake of the country. He did, however, defend himself by stating that he had raised cyber-security concerns a year prior to the attack.
The Federal Reserve, as well as SWIFT, pledged their assistance to Bangladesh Bank to rebuild its IT infrastructure. SWIFT advised all banks using the SWIFT Alliance Access system to strengthen their cyber security and provided new guidelines.
This attack shook the foundations not only of Bangladesh’s banking system, but of banking worldwide. In total, 81 million dollars were stolen by the hackers, making this the largest bank heist in history, and the robbers never even set foot in a bank.
But what if… What if they had never chosen the bank branch on Jupiter Street, with the same name as a sanctioned Iranian shipping company, and what if the word Foundation had never been misspelt? Would this have been a billion-dollar heist?
The scary part is… The hackers have not as yet been identified. Some names made it onto a suspect list, but by residing in North Korea, they are out of reach for the rest of the world. Federal prosecutors in the United States suspected links to the North Korean government with the Chinese middlemen assisting with laundering the money in the Philippines, then taking the money to Macau.
Only two years before the Bangladesh Bank heist, a hacking similar in scale was perpetrated in the United States. In November 2014, Sony Pictures Entertainment was the target of a cyber-attack, designed to cause as much reputational damage as possible. Confidential information was leaked online for all to see, including senior executive emails, salary information and details on yet to be released films.
The FBI believed that a North Korean, state sponsored hacking organisation called the Lazarus Group was responsible for this cyber-attack. While investigating the Bangladesh Bank heist, the FBI searched about 1,000 Twitter and Facebook accounts that the hackers had used to send messages to Sony Pictures employees in the hope that they might click on the malware link. Some accounts were used to target both Sony Pictures and Bangladesh Bank employees. This linked the Sony Pictures hack with the Bangladesh Bank heist, which in turn linked the Bangladesh Bank heist to North Korea.
Several cyber security companies claimed that the group responsible for the attack was the Lazarus Group, the most active state sponsored hacking group in the world. The US National Security Agency Deputy Director Richard Ledgett stated:
"If that linkage from the Sony actors to the Bangladeshi bank actors is accurate—that means that a nation state is robbing banks."
At this point, let’s take a moment to appreciate that in North Korea, the Supreme Leader is considered sacred. He is treated like a living god, well, because they believe he is one. According to Korean mythology, a figure called Tangun is said to have founded Korea around 5,000 years ago. Tangun was from the same area as the Kim family, Mount Paektu. The people of North Korea believe that because of this, the members of the Kim family have extraordinary abilities. Rumours abound that Kim Jong-un is a genius, that he drove a car from the age of three and that he hit a hole in one the very first time he played golf.
In North Korea, Kim Jong-un is not considered an ordinary person; he is a super-human. The Supreme Leader is so revered that desecrating an image of him is considered a crime. Even crumpling up a newspaper with Jong-un’s photo in it could land a person in trouble – instead, newspapers containing the leader’s photo are left on top of rubbish bins for collection.
Actors aren’t allowed to portray the Supreme Leader, as no actor is considered worthy enough. So, just imagine how North Koreans would feel about an actor, in the country of their sworn enemy, the United States, not only portraying their Supreme Leader, but also depicting his assassination.
But all is fair in love and comedy… Or so thought the American producers of The Interview. This attack was in retaliation for Sony Pictures producing the film The Interview, starring Seth Rogen and James Franco – a comedy about a plot to assassinate the North Korean leader, Kim Jong-un.
Seth Rogen and his childhood friend and creative partner, Evan Goldberg, spoke to scriptwriter Dan Sterling about their idea for a movie, which was later titled The Interview. Sterling was known for pushing the boundaries with his writing and was tasked with coming up with a draft script. At first, they used a name hinting at Kim Jong-un, while not using the leader’s actual name. However, in a bid to ruffle feathers, it was suggested that Kim Jong-un’s actual name be used. Everyone loved this idea.
Historically, film creators who believed that their movie might strike the wrong political chord simply used a fake country name in order not to offend any nation state. Even if a real country’s name was used, if there was anything sensitive in the movie, and the assassination of the leader of a nation state may fall into this category, then at least the leader’s name would be made up, so as not to offend. With The Interview, there was some hesitation from Sony executives before filming commenced, but in the end, production was given the green light.
The Interview is best described as an action-adventure comedy where James Franco plays a TV host and Seth Rogen his producer. When they hear that Kim Jong-un is a fan of their show, they successfully arrange an interview with him. When the CIA learns about the interview, they approach the men, proposing they assassinate the Supreme Leader.
It didn’t take long for the North Korean government to learn about the film. It was said to have “touched a nerve” with North Koreans, so much so, they likened the release of the film to be the “most blatant act of terrorism and war." The state news agency wrote to the then President of the United States Barack Obama, asking to have the film cancelled.
North Korea’s ambassador to the United Nations also sent a letter to the United Nations General Assembly, condemning the film and stating:
“To allow the production and distribution of such a film on the assassination of an incumbent Head of a sovereign State should be regarded as the most undisguised sponsoring of terrorism as well as an act of war. The United States authorities should take immediate and appropriate actions to ban the production and distribution of the aforementioned film; otherwise, it will be fully responsible for encouraging and sponsoring terrorism.”
Some in Hollywood thought that this was great publicity, but as the release date of 25 December 2014 grew closer, tensions grew stronger. A month before the planned release, on the 21 November 2014, several senior executives at Sony Pictures received an email from someone calling themselves Frank David. It read:
“We have got great damage by Sony Pictures. The compensation for it, monetary compensations we want. Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.”
Then, three days later, on Monday 24 November 2014, staff trying to enter the MGM Studios at Sony Pictures Entertainment found that their access cards weren’t working and had to be signed in by security guards. Arriving at their desks, they found that their desk phones weren’t working either and that their computers were turned off. When they turned them on, an image akin to a B-grade horror film from the 1980s appeared – it was a skeleton with glaring eyes, looking straight out of the screen. Large wording over the picture said: “Hacked By #GOP” – which presumably stood for Guardians of Peace. And then the following text:
“We’ve already warned you, and this is just the beginning.
We continue till our request is met.
We’ve obtained all your internal data including your secrets and top secret
If you don’t obey us, we will release data shown below to the world.
Determine what will you do till November the 2 11:00 PM (GMT)”
A link took users to five folders containing some of the stolen data including 47,000 unique Social Security numbers, employees’ names, salaries, offer letters, work emails, medical information, other human resources data and as yet unreleased Sony Picture films.
Sony did not yield and refused to cancel the film. So, following the ignored deadline of November 24, hackers continued releasing more and more confidential information on the internet and social media.
Cyber experts knew the hackers must have had access to the Sony Pictures network for months prior to the day of the attack, to trawl around and copy the nearly 100 terabytes of data stolen. The sensitivity of the information also seemed to increase with each release. The hackers even emailed reporters directly with links containing the information and urged them to write news stories about the data leak. It was a catch-22 for reporters: they wanted to report the leaks, but knew that by doing so, they were also doing the bidding of the hackers.
The media reports concentrated on the embarrassing details about Hollywood and the film industry. This included emails from Sony Pictures executives containing embarrassing details of behind-the-scenes politics and personal opinions about A-list actors. Sony Pictures co-chairwoman Amy Pascal described the actress Angelina Jolie as “a minimally talented spoiled brat”. Tom Cruise was also mentioned as being difficult to work with and Adam Sandler’s movies were criticised. An email exchange involving Pascal’s meeting with Barack Obama was characterised as racist by the media, and Pascal ended up resigning from Sony Pictures.
Leading up to the film’s release date, test audiences really enjoyed the film. Test scores were high and all indications were that The Interview was going to be a blockbuster hit. Despite the threats, the film went ahead with its general premiere in Los Angeles on 11 December 2014, but both Seth Rogen and James Franco cancelled scheduled publicity appearances and Sony pulled all television advertising for the film. The premiere was a sombre event described as high on security and low on star power. Many of those who did attend the Los Angeles premiere arrived with bodyguards.
On 1December 2014, in an email to reporters with a link to text posted on Pastebin, the Lazarus Group mentioned The Interview by name and threatened to attack the big New York movie premiere on 25 December 2014, and any other cinema that chose to screen the film. The message read:
“We will clearly show it to you at the very time and places The Interview be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you'd better leave.) Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.”
Cyber-crime had suddenly moved into the real world, with threats of actual physical violence. Citing safety concerns, Sony Pictures cancelled the New York premiere. Many cinemas also made the decision to delay or cancel screening the film. Sony later cancelled the mainstream theatrical release altogether. Shopping malls, where cinemas were often located, were concerned that patrons staying away from the cinemas due to the threat of violence surrounding the film’s release would inadvertently also stay away from other shops during the busiest time of the year. Also, Christmas time is peak movie release time, and other studios were applying pressure on Sony not to release The Interview at the same time, as they were concerned that Christmas movie-goers would stay away from the cinemas and not spend money on tickets to their movies.
Sony Pictures was forced to consider other ways to release the film, citing pressure from the film industry, theatre owners and even the White House. They later authorised a limited release in about 300 mostly independent theatres to screen The Interview on Christmas Day, and then released the film for rental or purchase in the United States through streaming services. Within hours, The Interview spread on file-sharing sites, with many illegally downloading the movie. It is estimated that The Interview was downloaded more than 1.5 million times in two days.
No incidents of violence were recorded, however. Instead, the publicity surrounding the Sony Pictures hack and the threats from the hackers led to an increased interest in the film. Seth Rogen knew that the film would end up making its way into North Korea. He was quoted saying:
"We were told one of the reasons they're so against the movie is that they're afraid it'll actually get into North Korea. They do have bootlegs and stuff. Maybe the tapes will make their way to North Korea and cause a revolution."
Free North Korea Radio apparently reported a high demand for the film inside North Korea, where anyone caught with the film would no doubt have faced extreme punishment.
Kim Jong-un apparently watched the film and threatened "merciless" retaliation for his depiction. Seth Rogen responded:
"People don't usually wanna kill me for one of my movies until after they've paid 12 bucks for it."
In the midst of the controversy surrounding the film, authorities still had a crime to solve: to find the hackers responsible for the cyber-attack. The hackers had used malware, including a Server Message Block (SMB) worm, to gain access to the network. Further tools used included a listening implant, a backdoor, proxy tools, a destructive hard drive tool and a hard drive cleaning tool. This showed investigators that the hackers intended to keep access to the network for a lengthy period so that they could copy information, cause destruction and leave no evidence behind.
The cyber-attack was being treated as a national security threat by the United States, as it was suspected at that stage that a foreign state, not mere individuals, was responsible for the attack. As the FBI’s cyber team investigated, it became apparent that the hackers had attempted to cover their tracks with anti-forensic techniques. To make it difficult for anyone to retrace their steps, infected computers would not boot up: their master boot records and file tables had been deleted by the malware, so investigators needed to apply other, more manual cyber-investigation techniques.
The FBI found that in the months leading up to the attack, the hackers attempted catfishing techniques to connect with employees linked to The Interview. These included phishing messages sent via social media. One Facebook message read “Nude photos of many A-list celebrities!” The hackers also sent phishing emails to employees containing similar lures to those in the social media messages, trying to get them to click on links containing the malicious software.
They only needed one employee to click on one of the many different types of links they were sending. Eventually, in September 2014, an employee made the fatal error of clicking on a link containing the words “Adobe Flash”, which they thought would open a media file; instead, malware loaded itself onto their computer. So, at a minimum, between September and November 2014, the hackers had free rein on Sony’s computer network. No one at Sony Pictures had any idea they were being watched and that all their data and secrets were being copied.
It soon became clear to the FBI investigators that the attack had been planned and executed by a well-resourced group. They began looking more closely at the software, techniques and network sources used, including the programming code used by the hackers. A hacker’s code is almost like a fingerprint: experts can use it to link them to other cyber-attacks around the world.
One of the pieces of malware contained the hardcoded names of thousands of Sony Pictures computer workstations which the hackers were able to gather while they had access in the months leading up to the attack. This allowed the malware to attach itself to each of these computers on the network so that they could be individually disabled during the attack.
The FBI recognised the code in the malware used by the hackers of Sony Pictures and linked this attack to previous attacks which they knew originated out of North Korea.
In an unprecedented move, President Barack Obama of the United States publicly confirmed that it was North Korea who attacked Sony Pictures and denounced the dictatorship for attempting to impose their censorship within the United States. Concern was raised by many that the President of the United States, even by speaking about it, had played straight into the hands of Kim Jong-un, and raised fear around North Korea, and future cyber-attacks around the world.
Following their investigation, FBI forensic cyber experts concluded that a North Korean “state sponsored hacking organisation” who called themselves the Lazarus Group was responsible for the Sony Pictures cyber-attack. The Lazarus Group – also known as Guardians of Peace – was named after the biblical figure who was brought back from the dead.
But how did North Korea, through its Lazarus Group, become such a dominant presence in the world of cyber-crime? Very much like North Korea’s nuclear program, having a state sponsored elite hacking group like Lazarus under its control, gave this small country the upper hand to threaten and compete with much larger countries on the world stage.
Since Kim Jong-un took power from his late father, he has reportedly been investing heavily in technology, claiming it to be for the economic benefit of the people of North Korea. Although that is arguably true, the methods are of a more sinister nature, as North Korea became an incubator for cyber-warriors operating in the world of cyber-crime.
Internet access is limited in North Korea as a way of controlling information and ideologies amongst the people. It is estimated that only 300 people out of a population of 26 million have access to the internet. Even the mobile phones available in North Korea are designed to look like modern day smartphones, but they don’t have the ability to connect to the internet.
Kaspersky Labs, a Russian multinational cybersecurity firm and anti-virus provider, identified an IP address directly linking the Lazarus Group to North Korea. A hotel in Shenyang, China, called the Chilbosan, also known as the ‘hacker hotel’, is said to be owned by North Korea and to serve as North Korea’s base in China. The hotel is run by North Koreans and is where the Lazarus Group developed their hacking skills and from where they carry out some of their cyber-attacks, all for the purpose of generating money for the North Korean state.
Students who were brilliant at mathematics were often sent to the ‘hacker hotel’ to learn the art of cyber-hacking, before continuing their education at local universities where they were put through six years of ‘special’ education.
From the time Kim Jong-un came to power in 2012, the attacks became more sophisticated, and in 2013 Lazarus launched a cyber-attack on three South Korean broadcast companies, financial institutions and an internet service provider during operation ‘Dark Seoul’. It was only one year later when they attacked Sony Pictures. In 2015, they stole US$12 million from the Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank. In February 2016 they attempted the most audacious bank heist in world history against Bangladesh central bank and stole $81 million.
And the onslaught continued… In May 2017, they launched a large-scale ransomware cyber-attack called WannaCry which made headlines for devastating organisations around the world. WannaCry attacked companies from Boeing to the NHS in Britain. It is estimated that 200,000 computers in 150 countries were affected for over seven hours during the cyber-attack. WannaCry used a new and advanced form of cyber-attack: a crypto worm which exploited network ports. WannaCry spread extremely quickly and encrypted the user’s data. A message then appeared requesting $300 from each user for the key to decrypt their computer’s data. If payment was not made within three days, the amount would double to $600 per computer, and if they still did not respond, the data would be deleted after seven days.
The hackers only made an estimated US$160,000 from users paying their $300, perhaps not as much as the cyber-attackers had hoped for. Interestingly, those who paid the $300 never did receive the key to decrypt their files.
During the COVID-19 pandemic in 2020, the Lazarus Group turned their attention to pharmaceutical companies. Members of the Group posed as health officials and targeted pharmaceutical company employees with phishing emails containing ransomware links. It’s not fully understood what the Lazarus Group’s intentions were other than to steal sensitive information – perhaps so that they could develop their own vaccine. A hacking attempt was made on Pfizer. AstraZeneca confirmed that they were hacked, although no data is believed to have been taken.
Forbes magazine estimated in February 2021 that, after the 2020 hack of KuCoin, a Singapore-based cryptocurrency exchange, the Lazarus Group’s total takings to date had increased to an estimated $1.75 billion.
In 2022, the United States placed the Lazarus Group on the Specially Designated Nationals and Blocked Persons List under the North Korea Sanctions Regulations.
So, what is being done to stop Lazarus? During the Sony Pictures investigation, the FBI came across an email from a company in China which they suspected operated as a front for hackers. One of the clues was that this company’s emails were accessed from within North Korea. The FBI then found an email from someone senior in a Chinese front company, discussing software developers, and a new employee called Park Jin Hyok, attaching his resume. It included his name, where he went to school, the languages he spoke, computer language proficiency, his birthday, and a photo.
The name Park Jin Hyok was also used to register many of the social media accounts involved in the Sony Pictures hack. Email addresses associated with this name had also sent out the phishing emails to both Sony Pictures and the Bangladesh Bank. The FBI believed that Park Jin Hyok was in fact a real person and that they had intercepted and identified a member of the Lazarus Group.
A United States military report from 2020 claims that North Korea's hacking programme dates back to at least the mid-1990s. It further claimed that the Lazarus Group had grown to a 6,000-strong cyber warfare army, operating from different countries including China, India, Malaysia, Russia and Belarus.
The Lazarus Group highlighted the ability of cyber criminals to commit fraud in the real world, which leaves us with the unsettling question: are our online lives safe? And if not, what are the hackers doing with all of our information? All we can do for now is to avoid suspicious emails and NOT click on links. But will that be enough?
©2022 Evidence Locker Podcast
All rights reserved. This podcast or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher except for the use of brief quotations in a podcast review.