All language subtitles for Billion.Dollar.Heist.2023.720p.WEBRip.x264.AAC-[YTS.MX]

Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 3 00:01:10,809 --> 00:01:12,115 It's Friday, 4 00:01:12,115 --> 00:01:15,423 and it is, of course, the Muslim prayer day. 5 00:01:15,423 --> 00:01:18,513 Everyone's off, except for the skeleton staff 6 00:01:18,513 --> 00:01:20,645 at the Bangladeshi Bank, 7 00:01:20,645 --> 00:01:24,562 including Zubair Bin Huda, who is the duty manager. 8 00:01:27,870 --> 00:01:31,395 He's part of the elite team of employees 9 00:01:31,395 --> 00:01:35,095 who run the SWIFT banking system, 10 00:01:35,095 --> 00:01:38,663 which is a highly secure banking system 11 00:01:38,663 --> 00:01:41,318 that sends money around the world. 12 00:01:43,538 --> 00:01:47,281 Now, Bin Huda goes, as he does every day, 13 00:01:47,281 --> 00:01:49,152 to the SWIFT printer 14 00:01:49,152 --> 00:01:53,374 to check up on the transactions from the day before. 15 00:01:53,374 --> 00:01:56,159 There are usually printouts 16 00:01:56,159 --> 00:01:58,422 of transactions that came in overnight. 17 00:01:58,422 --> 00:02:02,774 The SWIFT software would print out a ledger every single day, 18 00:02:02,774 --> 00:02:06,952 an audit trace of every single transaction that occurred 19 00:02:06,952 --> 00:02:08,693 on paper. 20 00:02:08,693 --> 00:02:11,392 But when they came in on February 5th morning, 21 00:02:11,392 --> 00:02:12,871 as they usually do, 22 00:02:12,871 --> 00:02:15,744 they found there were no SWIFT messages at all. 23 00:02:15,744 --> 00:02:20,009 In fact, the printer's shut down. It won't work. 24 00:02:20,009 --> 00:02:21,358 They try and turn it on. 25 00:02:21,358 --> 00:02:25,188 Nothing will kick it back into life. 
26 00:02:25,188 --> 00:02:28,148 He assumes it was simply a technical error, 27 00:02:28,148 --> 00:02:30,193 shrugs, goes home for the night, 28 00:02:30,193 --> 00:02:32,282 comes back in on Saturday morning 29 00:02:32,282 --> 00:02:34,502 to check the system again. 30 00:02:35,677 --> 00:02:36,939 The next day, 31 00:02:36,939 --> 00:02:40,160 they somehow manually get the printer to work. 32 00:02:40,160 --> 00:02:42,466 This deputy head manager walks in the room, 33 00:02:42,466 --> 00:02:46,122 the printer starts working, and these weird messages come out. 34 00:02:46,122 --> 00:02:49,560 The printer starts spewing out 35 00:02:49,560 --> 00:02:51,736 all of these transactions, 36 00:02:51,736 --> 00:02:56,306 including individual requests to the Fed in New York 37 00:02:56,306 --> 00:02:59,353 for $1 billion. 38 00:03:01,268 --> 00:03:04,880 At that moment, it's panic stations. 39 00:03:44,789 --> 00:03:50,230 When I was growing up, the biggest crime in Britain 40 00:03:50,230 --> 00:03:52,319 ever recorded was the Great Train Robbery. 41 00:03:52,319 --> 00:03:56,366 It was an extraordinary thing. They stole about £2.5 million. 42 00:03:56,366 --> 00:03:58,760 That's about $4 million. 43 00:03:58,760 --> 00:04:04,244 And that story ran literally for 30 years. 44 00:04:05,245 --> 00:04:06,768 Four million dollars. 45 00:04:07,856 --> 00:04:10,293 What you're about to hear 46 00:04:10,293 --> 00:04:14,036 is the story of an attempt to steal... 47 00:04:15,037 --> 00:04:17,518 a billion dollars 48 00:04:18,475 --> 00:04:20,434 It's told by world-leading 49 00:04:20,434 --> 00:04:23,959 cybersecurity and legal experts and journalists: 50 00:04:23,959 --> 00:04:26,309 the very people who uncovered the facts 51 00:04:26,309 --> 00:04:27,919 and threaded them together 52 00:04:27,919 --> 00:04:32,489 to reveal how dangerous the world of cybercrime is today. 
53 00:04:49,898 --> 00:04:53,336 So, there are four big threats 54 00:04:53,336 --> 00:04:57,471 to the world and to the human race. 55 00:04:57,471 --> 00:04:59,603 One of them we've just experienced, 56 00:04:59,603 --> 00:05:01,736 that's the pandemic. 57 00:05:01,736 --> 00:05:04,826 Then you've got weapons of mass destruction. 58 00:05:04,826 --> 00:05:08,220 You've got climate change. 59 00:05:08,220 --> 00:05:13,965 But barrelling down towards us before those is cyber. 60 00:05:24,498 --> 00:05:25,934 This is the possibility 61 00:05:25,934 --> 00:05:30,068 of our overdependency on network technologies 62 00:05:30,068 --> 00:05:34,943 being undermined, either by malfunctioning of the system... 63 00:05:34,943 --> 00:05:36,597 New problems are emerging 64 00:05:36,597 --> 00:05:39,164 the day after an Amazon web service outage. 65 00:05:39,164 --> 00:05:42,254 Massive and mysterious, a global outage... 66 00:05:42,254 --> 00:05:45,214 ...or by a targeted attack. 67 00:05:45,214 --> 00:05:47,129 More than a thousand companies 68 00:05:47,129 --> 00:05:49,305 have been crippled by this attack so far. 69 00:05:49,305 --> 00:05:52,264 Sounds like we're looking at a 2022 with more hacks, 70 00:05:52,264 --> 00:05:53,570 more lost money. 71 00:05:59,924 --> 00:06:04,233 So, when I started hunting hackers in the early 1990s... 72 00:06:05,452 --> 00:06:07,671 our enemy was really simple. 73 00:06:07,671 --> 00:06:10,152 All the malware, all the viruses, 74 00:06:10,152 --> 00:06:13,111 all the attacks were done by teenage boys. 75 00:06:13,111 --> 00:06:15,462 What will your parents think? 76 00:06:17,594 --> 00:06:20,815 I've been doing this job for two decades now. 77 00:06:24,253 --> 00:06:25,472 When we first started, 78 00:06:25,472 --> 00:06:27,909 the people writing viruses and malware 79 00:06:27,909 --> 00:06:29,476 were doing it for fun, 80 00:06:29,476 --> 00:06:32,392 to get their name in lights, to say, "Look what I can do." 
81 00:06:32,392 --> 00:06:34,655 No flash, please. 82 00:06:34,655 --> 00:06:37,788 When I started analysing viruses, they looked like this. 83 00:06:37,788 --> 00:06:41,052 Malware was still spread on floppy disks. 84 00:06:41,052 --> 00:06:44,708 They were spreading at the speed of people travelling the world 85 00:06:44,708 --> 00:06:47,102 and carrying the viruses with them. 86 00:06:47,102 --> 00:06:50,540 Michelangelo has proven less harmful than feared. 87 00:06:50,540 --> 00:06:53,108 All the stuff you've got in there you may really want, 88 00:06:53,108 --> 00:06:54,414 it's just gone? 89 00:06:54,414 --> 00:06:56,459 Then the internet came around, and suddenly, 90 00:06:56,459 --> 00:06:59,331 malware outbreaks could go around the world in seconds. 91 00:06:59,331 --> 00:07:00,942 For the last 36 hours, 92 00:07:00,942 --> 00:07:04,685 the ILOVEYOU virus has been creating havoc around the world. 93 00:07:04,685 --> 00:07:08,166 Experts have reason to worry. The first attack, July 19th, 94 00:07:08,166 --> 00:07:11,648 infected about 300,000 systems in nine hours. 95 00:07:11,648 --> 00:07:14,129 First of all, the guys who make a living doing security 96 00:07:14,129 --> 00:07:16,044 and are trying to protect themselves 97 00:07:16,044 --> 00:07:19,569 are scared shitless of you, because you can just ruin 'em. 98 00:07:19,569 --> 00:07:20,875 After the period of time 99 00:07:20,875 --> 00:07:22,529 where hackers were just doing things for fun, 100 00:07:22,529 --> 00:07:26,010 some of them realised that they could use it to make money. 101 00:07:28,535 --> 00:07:31,668 Prior to, like, the 2000s... 102 00:07:31,668 --> 00:07:35,716 cyber was primarily around a disruption of websites... 103 00:07:36,630 --> 00:07:38,893 defacement of a webpage. 
104 00:07:38,893 --> 00:07:42,505 Just as we got around 2000, the dot-com boom, the explosion, 105 00:07:42,505 --> 00:07:44,376 we started into what would become 106 00:07:44,376 --> 00:07:46,161 financially motivated hackers. 107 00:07:46,161 --> 00:07:49,033 This really flourished, especially in Eastern European, 108 00:07:49,033 --> 00:07:53,124 Russia, CIS bloc countries. 109 00:07:53,124 --> 00:07:55,953 This was the time of gangster capitalism, 110 00:07:55,953 --> 00:08:00,001 when everyone's world in Eastern Europe was falling apart, 111 00:08:00,001 --> 00:08:02,612 where organised crime and... 112 00:08:02,612 --> 00:08:05,528 former members of the intelligence services 113 00:08:05,528 --> 00:08:09,314 were taking hold of the economy. 114 00:08:10,881 --> 00:08:14,276 So you had a lot of young people in the 1990s 115 00:08:14,276 --> 00:08:17,932 who were very good mathematicians, physicists, 116 00:08:17,932 --> 00:08:20,282 computer scientists, 117 00:08:20,282 --> 00:08:23,503 who simply took the logic and the morality 118 00:08:23,503 --> 00:08:26,593 of gangster capitalism online. 119 00:08:30,074 --> 00:08:32,163 Virus writers were writing viruses 120 00:08:32,163 --> 00:08:33,817 to infect Windows computers, 121 00:08:33,817 --> 00:08:36,951 and those computers were then sold to email spammers, 122 00:08:36,951 --> 00:08:39,954 who were using those machines to send Viagra spam 123 00:08:39,954 --> 00:08:42,652 or what have you, basically making money. 124 00:08:42,652 --> 00:08:44,436 And that changed everything. 125 00:08:48,789 --> 00:08:51,574 People at that time began to use online banking, 126 00:08:51,574 --> 00:08:54,621 and they began to steal people's online banking credentials, 127 00:08:54,621 --> 00:08:57,275 from there, also get credit card numbers, 128 00:08:57,275 --> 00:08:59,408 and use that to basically transfer funds. 129 00:08:59,408 --> 00:09:02,672 Just in hundreds of dollars at a time from these individuals. 
130 00:09:02,672 --> 00:09:05,893 They eventually realised that going after individuals 131 00:09:05,893 --> 00:09:07,198 was much more difficult 132 00:09:07,198 --> 00:09:10,288 than just going after the banks themselves. 133 00:09:10,288 --> 00:09:11,942 Get into databases, 134 00:09:11,942 --> 00:09:14,423 those databases held credit card numbers. 135 00:09:14,423 --> 00:09:17,600 Take those numbers and then sell them on the black market. 136 00:09:19,341 --> 00:09:23,345 Originally, the internet was set up at the Pentagon... 137 00:09:25,042 --> 00:09:29,003 just to be able to share resources between computers. 138 00:09:32,136 --> 00:09:35,226 And it was really never designed to have 139 00:09:35,226 --> 00:09:38,490 banking attached to it, 140 00:09:38,490 --> 00:09:41,711 critical infrastructure attached to it. 141 00:09:41,711 --> 00:09:44,366 It was really designed for availability. 142 00:09:44,366 --> 00:09:47,108 It was never designed for security. 143 00:09:48,500 --> 00:09:50,502 Whereas in the early 1990s 144 00:09:50,502 --> 00:09:53,505 when there was only 30,000 people connected to it 145 00:09:53,505 --> 00:09:56,813 and several hundred systems, we've moved to a system 146 00:09:56,813 --> 00:09:59,947 which essentially is the backbone of global finance. 147 00:10:01,339 --> 00:10:04,560 The fact that it's able to do that... 148 00:10:04,560 --> 00:10:07,432 the fact that it's able to sustain currently between 149 00:10:07,432 --> 00:10:10,392 15 and 20 percent of GDP globally 150 00:10:10,392 --> 00:10:12,742 tells us something about just how important 151 00:10:12,742 --> 00:10:14,918 this infrastructure is. 152 00:10:14,918 --> 00:10:17,094 Why did people move into the internet 153 00:10:17,094 --> 00:10:18,661 to seek economic opportunity? 
154 00:10:18,661 --> 00:10:21,621 Because that's where the economic opportunity was, 155 00:10:21,621 --> 00:10:23,579 untethered by norms, 156 00:10:23,579 --> 00:10:25,799 untethered by national boundaries, 157 00:10:25,799 --> 00:10:28,497 and essentially limited only by the creativity 158 00:10:28,497 --> 00:10:30,194 that these individuals had. 159 00:10:40,814 --> 00:10:43,817 The user nagged the Federal Reserve Bank 160 00:10:43,817 --> 00:10:48,386 with 35 payment instructions worth $951 million. 161 00:10:48,386 --> 00:10:50,867 We'd just never heard of such a thing before. 162 00:10:50,867 --> 00:10:53,043 We'd been investigating cybercrime 163 00:10:53,043 --> 00:10:55,567 for a couple of decades at that point. 164 00:10:55,567 --> 00:10:57,700 You see cyber criminals go in, 165 00:10:57,700 --> 00:11:01,748 and they try to transfer a few hundred thousands of dollars, 166 00:11:01,748 --> 00:11:05,055 maybe a million, a couple of million. 167 00:11:05,055 --> 00:11:09,059 But conducting a cyber-attack to try to steal one billion? 168 00:11:09,059 --> 00:11:13,020 That was an order of magnitude that we had never seen before. 169 00:11:13,020 --> 00:11:14,674 It was clear from early on 170 00:11:14,674 --> 00:11:18,112 that it was one of the biggest cyber heists in the world. 171 00:11:18,112 --> 00:11:20,505 When we first started hearing rumours 172 00:11:20,505 --> 00:11:23,813 about something affecting SWIFT network, 173 00:11:23,813 --> 00:11:26,424 I didn't understand how big it was. 174 00:11:26,424 --> 00:11:28,122 But when we started realising 175 00:11:28,122 --> 00:11:30,646 this is at a completely different scale, 176 00:11:30,646 --> 00:11:32,561 it just blew my mind. 177 00:11:46,314 --> 00:11:47,445 Once they realised 178 00:11:47,445 --> 00:11:49,578 that the money actually was really gone, 179 00:11:49,578 --> 00:11:51,623 then the panic began to set in. 
180 00:11:51,623 --> 00:11:56,890 They lost $81 million instantly to a bank in the Philippines. 181 00:11:56,890 --> 00:11:59,980 They see the $81 million has already gone 182 00:11:59,980 --> 00:12:05,855 and that nearly $900 million extra has been requested. 183 00:12:08,815 --> 00:12:13,254 They basically try to figure out what to do next. 184 00:12:13,254 --> 00:12:15,865 They have no idea what to do. 185 00:12:15,865 --> 00:12:19,129 They hunted for ways to contact the New York Fed. 186 00:12:20,957 --> 00:12:23,655 Desperate calls are made by them. 187 00:12:27,834 --> 00:12:29,749 And it goes to an answering machine. 188 00:12:29,749 --> 00:12:31,751 You've reached the Federal Reserve Bank... 189 00:12:31,751 --> 00:12:33,622 Because it's Saturday in New York, 190 00:12:33,622 --> 00:12:36,016 and nobody's picking up the phone. 191 00:12:36,016 --> 00:12:39,106 - Please call back... - It's a complete shitshow. 192 00:12:39,106 --> 00:12:43,153 Total disorganisation, at both ends, I would stress. 193 00:12:45,503 --> 00:12:49,246 The New York Times Magazine was planning a true-crime issue, 194 00:12:49,246 --> 00:12:50,421 and my editor came to me 195 00:12:50,421 --> 00:12:52,902 and asked if I was interested in doing it. 196 00:12:54,251 --> 00:12:55,600 I looked into it a bit. 197 00:12:55,600 --> 00:12:58,125 There definitely were some intriguing elements, 198 00:12:58,125 --> 00:12:59,779 and made me pay attention. 199 00:13:02,129 --> 00:13:04,435 The Federal Reserve has pretty much 200 00:13:04,435 --> 00:13:07,177 depended on the SWIFT banking system, 201 00:13:07,177 --> 00:13:11,878 and since there has rarely been a hack, if ever, 202 00:13:11,878 --> 00:13:14,837 of the SWIFT banking system... 203 00:13:14,837 --> 00:13:18,058 the Federal Reserve has never instituted 204 00:13:18,058 --> 00:13:20,800 any sort of 24-7 hotline. 
205 00:13:22,540 --> 00:13:26,501 Eventually, they get hold of somebody at SWIFT, 206 00:13:26,501 --> 00:13:28,155 and SWIFT says, 207 00:13:28,155 --> 00:13:29,765 "Just shut the whole lot down 208 00:13:29,765 --> 00:13:32,507 until we know what's going on here." 209 00:13:32,507 --> 00:13:36,163 Badrul Khan decides before he can actually make that decision, 210 00:13:36,163 --> 00:13:39,166 he has to talk to the deputy governor of the bank, 211 00:13:39,166 --> 00:13:40,820 which he does. 212 00:13:40,820 --> 00:13:43,823 Deputy governor doesn't want to take the decision upon himself, 213 00:13:43,823 --> 00:13:47,435 so he talks to the governor. And guess what. 214 00:13:47,435 --> 00:13:50,655 The governor says, "It's probably a mistake. 215 00:13:50,655 --> 00:13:52,614 We won't shut it down." 216 00:13:56,009 --> 00:13:58,750 Work week begins at the Bangladesh Bank 217 00:13:58,750 --> 00:14:00,187 on Sunday morning, 218 00:14:00,187 --> 00:14:02,972 and it's then that the general manager of the bank 219 00:14:02,972 --> 00:14:05,845 comes in and begins to take stock of what had happened. 220 00:14:05,845 --> 00:14:07,411 They're running out of options. 221 00:14:07,411 --> 00:14:11,111 They're not sure what to do. Fed is still closed in New York. 222 00:14:11,111 --> 00:14:13,200 They go through all the SWIFT material, 223 00:14:13,200 --> 00:14:16,072 discover that most of the money has gone 224 00:14:16,072 --> 00:14:18,205 to the bank in Manila. 225 00:14:18,205 --> 00:14:21,164 And these desperate messages are sent out: 226 00:14:21,164 --> 00:14:22,600 "Stop the transactions. 227 00:14:22,600 --> 00:14:25,168 Hold that money. Do not allow it to be withdrawn. 228 00:14:25,168 --> 00:14:27,127 It's our money. It's been stolen." 229 00:14:28,650 --> 00:14:30,260 But there's a problem. 230 00:14:30,260 --> 00:14:32,219 Five, four, 231 00:14:32,219 --> 00:14:35,135 three, two, one! 232 00:14:35,135 --> 00:14:37,920 Happy New Year! 
233 00:14:41,924 --> 00:14:43,795 It's Chinese New Year, 234 00:14:43,795 --> 00:14:46,929 and the Rizal Commercial Bank is closed. 235 00:14:51,673 --> 00:14:56,199 The thieves chose a sequence of days... 236 00:14:56,199 --> 00:15:00,638 from Friday, Saturday, Sunday and Monday, 237 00:15:00,638 --> 00:15:03,815 when one or another of the three countries 238 00:15:03,815 --> 00:15:06,557 that would be communicating with one another 239 00:15:06,557 --> 00:15:09,169 was shut down for a holiday. 240 00:15:15,566 --> 00:15:17,612 You've got to hand it to these guys. 241 00:15:17,612 --> 00:15:19,005 They knew it. 242 00:15:19,005 --> 00:15:21,703 They knew that if they did it over that weekend, 243 00:15:21,703 --> 00:15:23,966 with the Friday, the Muslim holiday, 244 00:15:23,966 --> 00:15:27,187 the Sunday and the Saturday, everything closed in New York, 245 00:15:27,187 --> 00:15:30,538 and the Monday, Chinese New Year. 246 00:15:32,322 --> 00:15:37,110 They've got four days to get the heist done. 247 00:15:37,110 --> 00:15:39,373 This is really classy planning. 248 00:15:41,375 --> 00:15:45,422 In that respect, it was really an ingenious plan. 249 00:15:45,422 --> 00:15:49,426 It's kind of like a great film director in a malevolent way, 250 00:15:49,426 --> 00:15:53,082 planning out, you know, a very complex film. 251 00:15:56,433 --> 00:15:58,131 The country of Bangladesh 252 00:15:58,131 --> 00:16:01,873 is the 170th poorest country in the world. 253 00:16:01,873 --> 00:16:04,267 One billion dollars is huge to them. 254 00:16:04,267 --> 00:16:06,356 When we talk about cyber-attacks, 255 00:16:06,356 --> 00:16:08,054 they're not just zeros and ones. 256 00:16:08,054 --> 00:16:10,186 We're not just talking about people 257 00:16:10,186 --> 00:16:13,755 moving around zeros and ones, deleting zeros and ones. 258 00:16:15,539 --> 00:16:18,107 One billion dollars to Bangladesh 259 00:16:18,107 --> 00:16:21,545 potentially means that people starve in the country. 
260 00:16:21,545 --> 00:16:25,245 These things have potential serious repercussions. 261 00:16:27,725 --> 00:16:30,206 The Bangladesh Bank heist was significant 262 00:16:30,206 --> 00:16:34,297 because it showed how fragile global banking was as a whole. 263 00:16:36,169 --> 00:16:40,260 Banks don't just operate as single isolated entities. 264 00:16:40,260 --> 00:16:42,784 They're part of a system. 265 00:16:42,784 --> 00:16:45,482 And that system is vulnerable. 266 00:16:47,702 --> 00:16:52,402 The US Federal Reserve holds trillions of dollars in accounts 267 00:16:52,402 --> 00:16:55,579 kept by central banks all around the world. 268 00:16:55,579 --> 00:16:59,279 Its computer security systems are state of the art, making it 269 00:16:59,279 --> 00:17:03,587 one of the most difficult financial institutions to hack. 270 00:17:07,287 --> 00:17:10,551 The criminals realise that it can't get into 271 00:17:10,551 --> 00:17:14,076 the network system of the Fed, 272 00:17:14,076 --> 00:17:17,906 but the Fed has to talk to other central banks 273 00:17:17,906 --> 00:17:19,777 around the world, 274 00:17:19,777 --> 00:17:23,390 and this is where they find a flaw. 275 00:17:25,305 --> 00:17:27,437 The criminals turn their attention 276 00:17:27,437 --> 00:17:30,440 to the banks' communication systems. 277 00:17:31,963 --> 00:17:35,402 Every day, the Fed places thousands of transactions 278 00:17:35,402 --> 00:17:39,058 on behalf of the central banks that hold US dollar reserves 279 00:17:39,058 --> 00:17:40,320 at the Fed. 280 00:17:40,320 --> 00:17:42,757 The Federal Reserve has pretty much depended 281 00:17:42,757 --> 00:17:45,107 on the SWIFT banking system 282 00:17:45,107 --> 00:17:48,067 to get its instructions about transfers. 283 00:17:48,067 --> 00:17:51,026 SWIFT sends money around the world 284 00:17:51,026 --> 00:17:52,941 to thousands of member banks. 285 00:17:52,941 --> 00:17:57,946 It's the main way that banks dispatch money to one another. 
286 00:17:59,165 --> 00:18:01,602 SWIFT allows you to transfer money 287 00:18:01,602 --> 00:18:02,777 from one bank to another, 288 00:18:02,777 --> 00:18:04,561 no matter where you are in the world. 289 00:18:04,561 --> 00:18:07,347 Make international wire transfers. 290 00:18:07,347 --> 00:18:11,568 The whole banking system is integrated, 291 00:18:11,568 --> 00:18:15,659 and they depend above all else on SWIFT, 292 00:18:15,659 --> 00:18:21,143 the international transaction mechanisms, to work. 293 00:18:21,143 --> 00:18:23,319 What it means is, all it takes 294 00:18:23,319 --> 00:18:28,803 is a single weak link to bring down the whole network. 295 00:18:30,370 --> 00:18:33,373 So although the target is the Fed, 296 00:18:33,373 --> 00:18:37,725 they are looking for a bank with which the Fed communicates, 297 00:18:37,725 --> 00:18:42,338 which holds a lot of its reserves in New York. 298 00:18:42,338 --> 00:18:44,123 But it's a long way away, 299 00:18:44,123 --> 00:18:48,562 in a distant time zone from the Fed, 300 00:18:48,562 --> 00:18:51,304 and it's likely to have 301 00:18:51,304 --> 00:18:56,396 patchy security systems in place in its computer network. 302 00:18:58,963 --> 00:19:00,791 My colleagues in Dhaka, 303 00:19:00,791 --> 00:19:04,012 they were chasing it for a long time. 304 00:19:04,012 --> 00:19:07,450 It was a robbery of a scale that we hadn't heard of. 305 00:19:09,235 --> 00:19:11,585 The first thought that came to my mind was, 306 00:19:11,585 --> 00:19:14,631 because it was the Bangladeshi Central Bank, 307 00:19:14,631 --> 00:19:17,243 I thought the hackers found it 308 00:19:17,243 --> 00:19:19,549 somehow easier to target it. 309 00:19:19,549 --> 00:19:21,377 Because it was Bangladesh, 310 00:19:21,377 --> 00:19:24,424 I suspected they would be more vulnerable 311 00:19:24,424 --> 00:19:26,774 to cyber-attacks as such. 312 00:19:28,515 --> 00:19:31,344 "Hmm. A Bangladeshi bank. 
313 00:19:31,344 --> 00:19:33,998 Probably doesn't have the same level of security 314 00:19:33,998 --> 00:19:36,218 and if they do, it's probably one or two people, 315 00:19:36,218 --> 00:19:40,222 not a team of 6,000 working on it. 316 00:19:41,136 --> 00:19:42,355 Let's go for it." 317 00:19:42,355 --> 00:19:44,661 These attackers weren't just skilled 318 00:19:44,661 --> 00:19:45,923 in breaching networks, 319 00:19:45,923 --> 00:19:47,838 figuring out how to get into an organisation. 320 00:19:47,838 --> 00:19:52,016 They had to study that SWIFT software deeply. 321 00:19:52,016 --> 00:19:55,194 This attack happened well before that February 5th, 322 00:19:55,194 --> 00:19:56,847 when the bank employee walked in 323 00:19:56,847 --> 00:19:59,894 and saw that printer hadn't printed out the audit jobs 324 00:19:59,894 --> 00:20:01,939 and couldn't figure out what was going on. 325 00:20:01,939 --> 00:20:04,812 This attack started more than a year prior to that. 326 00:20:04,812 --> 00:20:07,293 These attackers had been working for months 327 00:20:07,293 --> 00:20:09,120 in the build-up until that day. 328 00:20:09,120 --> 00:20:11,253 It is a mistake for people to think 329 00:20:11,253 --> 00:20:13,560 that this was something that happened overnight. 330 00:20:13,560 --> 00:20:15,649 It is a mistake for people to think 331 00:20:15,649 --> 00:20:18,956 that this happened in a month, or two months or three months. 332 00:20:18,956 --> 00:20:21,394 It is a slow, methodical approach, 333 00:20:21,394 --> 00:20:25,528 because it's a business, all right? You build it. 334 00:20:32,274 --> 00:20:35,146 Bank robberies used to be something that happened 335 00:20:35,146 --> 00:20:37,497 in the real world. 336 00:20:37,497 --> 00:20:40,630 Now they only happen in the online world. 337 00:20:42,806 --> 00:20:46,767 If you would try to steal $100 million in banknotes, 338 00:20:46,767 --> 00:20:49,160 that would be, like, ten trucks full of notes. 
339 00:20:49,160 --> 00:20:51,511 If you drive ten trucks full of notes out of the bank, 340 00:20:51,511 --> 00:20:54,035 someone would notice. 341 00:20:54,035 --> 00:20:57,299 But when you do the same thing online, no one notices anything. 342 00:20:57,299 --> 00:21:01,042 Every movie you've ever seen of them breaking into a bank 343 00:21:01,042 --> 00:21:03,436 is them doing it over a bank holiday 344 00:21:03,436 --> 00:21:05,394 or something of that nature. 345 00:21:05,394 --> 00:21:07,222 Same concept here. 346 00:21:12,096 --> 00:21:15,361 This isn't Matthew Broderick sitting in front of a computer, 347 00:21:15,361 --> 00:21:17,450 like War Games back in the 1980s, 348 00:21:17,450 --> 00:21:19,321 some kid in their basement. 349 00:21:21,105 --> 00:21:24,370 These are criminal organisations. 350 00:21:24,370 --> 00:21:26,023 Each person has a skill set. 351 00:21:26,023 --> 00:21:29,070 It's kind of like that Ocean's Eleven-type thing. 352 00:21:30,593 --> 00:21:33,074 You know, "This guy could crack the bank, 353 00:21:33,074 --> 00:21:35,337 this guy could do the surveillance cameras, 354 00:21:35,337 --> 00:21:37,774 this is the getaway, this is the conman." 355 00:21:37,774 --> 00:21:39,559 You all have a role to play, 356 00:21:39,559 --> 00:21:42,301 and you need everybody to execute their role 357 00:21:42,301 --> 00:21:44,085 to the best of their abilities 358 00:21:44,085 --> 00:21:46,870 for you to be successful and get it out. 359 00:21:48,742 --> 00:21:53,007 So how do you pull off a heist of this magnitude? 360 00:21:53,007 --> 00:21:58,317 It takes the right crew of highly skilled specialists. 361 00:21:58,317 --> 00:22:03,191 And it all starts not with ones and zeros, but with people. 362 00:22:07,151 --> 00:22:10,590 Cybercrime is about gaining credentials 363 00:22:10,590 --> 00:22:12,635 to gain access, 364 00:22:12,635 --> 00:22:15,421 stealing the keys. 365 00:22:15,421 --> 00:22:19,816 The social engineer is critical to a hack. 
366 00:22:19,816 --> 00:22:22,253 It's how you get in, and you get in 367 00:22:22,253 --> 00:22:26,388 not through digital means, you get in through human means. 368 00:22:26,388 --> 00:22:28,956 It's to do with psychology. 369 00:22:31,306 --> 00:22:35,528 The criminals have to ensnare one of the employees 370 00:22:35,528 --> 00:22:38,052 of the Bangladeshi Bank, 371 00:22:38,052 --> 00:22:41,882 beginning by going through their social media profiles 372 00:22:41,882 --> 00:22:44,711 and looking for suitable targets. 373 00:22:45,929 --> 00:22:48,932 Our relationship with the computer 374 00:22:48,932 --> 00:22:51,848 is one of perceived intimacy; 375 00:22:51,848 --> 00:22:54,373 that when we're using a computer, 376 00:22:54,373 --> 00:22:57,767 no one else can see what we're doing, we believe, 377 00:22:57,767 --> 00:23:00,379 and it's just us and the screen. 378 00:23:02,119 --> 00:23:05,819 And if we were to read an email from a friend, 379 00:23:05,819 --> 00:23:08,909 we tend to believe it at face value. 380 00:23:12,216 --> 00:23:15,219 They found close to three dozen employees. 381 00:23:15,219 --> 00:23:18,832 And they constructed a simple spear-phish email: 382 00:23:18,832 --> 00:23:21,748 an email message that pretended to be from a guy 383 00:23:21,748 --> 00:23:24,446 named Rasal Alam. 384 00:23:24,446 --> 00:23:26,056 And Rasal Alam said, 385 00:23:26,056 --> 00:23:28,581 "Hey, I just wanna work at your company. 386 00:23:28,581 --> 00:23:31,410 Here's a résumé attached. Have a look." 387 00:23:31,410 --> 00:23:34,108 And it turned out that they mailed that 388 00:23:34,108 --> 00:23:36,893 to about 36 different employees, and three of them 389 00:23:36,893 --> 00:23:39,722 opened that attachment connected to that email. 390 00:23:40,984 --> 00:23:42,333 It was a zip file, 391 00:23:42,333 --> 00:23:44,640 and the zip file contained just a document inside. 392 00:23:44,640 --> 00:23:47,295 They opened up the document and it was his résumé. 
393 00:23:47,295 --> 00:23:50,733 It was a résumé for Rasel Ahlam, who wanted to work at the bank, 394 00:23:50,733 --> 00:23:52,996 but unbeknownst to those individuals, 395 00:23:52,996 --> 00:23:56,826 also contained malicious code inside. 396 00:23:56,826 --> 00:23:58,741 We can look at any data breach, 397 00:23:58,741 --> 00:24:01,222 and the root cause has either been 398 00:24:01,222 --> 00:24:03,311 a technical problem 399 00:24:03,311 --> 00:24:05,400 or a people problem. 400 00:24:05,400 --> 00:24:08,229 And the technical problems can be really hard 401 00:24:08,229 --> 00:24:10,536 and really expensive and really slow to fix, 402 00:24:10,536 --> 00:24:12,581 but at least we can fix them. 403 00:24:12,581 --> 00:24:16,150 But in the end, we have no patch for human brains. 404 00:24:17,804 --> 00:24:22,243 There's no way to fix the people who do stupid mistakes. 405 00:24:22,243 --> 00:24:23,723 When attackers try to send 406 00:24:23,723 --> 00:24:27,030 these spear-phishing emails, they try to do two things. 407 00:24:27,030 --> 00:24:30,512 They try to look very normal. It was just a résumé. 408 00:24:30,512 --> 00:24:31,818 They try to fly under the radar, 409 00:24:31,818 --> 00:24:33,515 to look as legitimate as possible. 410 00:24:33,515 --> 00:24:37,476 And the second is they often try to use enticing techniques. 411 00:24:43,612 --> 00:24:47,050 New dangers tonight from the Love Bug computer virus, 412 00:24:47,050 --> 00:24:49,966 this time disguised as a friendlier email. 413 00:24:49,966 --> 00:24:53,579 The first internet virus that went around the world 414 00:24:53,579 --> 00:24:57,887 in less than 48 hours was called the ILOVEYOU virus. 415 00:24:57,887 --> 00:25:00,499 And already, business interruption costs 416 00:25:00,499 --> 00:25:03,676 are estimated at more than a billion dollars. 
417 00:25:03,676 --> 00:25:06,592 You would be sitting there working away, 418 00:25:06,592 --> 00:25:08,507 and then suddenly, in your inbox, 419 00:25:08,507 --> 00:25:12,554 you get an email which says, "I love you." 420 00:25:12,554 --> 00:25:15,252 And it could well be that this is a person 421 00:25:15,252 --> 00:25:17,820 who you've always held a torch for. 422 00:25:17,820 --> 00:25:20,344 And so, of course, you're very excited, 423 00:25:20,344 --> 00:25:24,087 and you press on the link, and then you're doomed. 424 00:25:24,087 --> 00:25:26,873 What happens is, the virus infects your machine 425 00:25:26,873 --> 00:25:29,963 and proceeds to email everyone you've ever emailed. 426 00:25:29,963 --> 00:25:32,618 The end result of that is the mail servers 427 00:25:32,618 --> 00:25:33,706 get bogged down, 428 00:25:33,706 --> 00:25:36,143 and the only way to solve the problem 429 00:25:36,143 --> 00:25:39,276 is to shut the servers down, hence the interruption. 430 00:25:39,276 --> 00:25:42,323 The ILOVEYOU virus was one of the first viruses 431 00:25:42,323 --> 00:25:45,065 that had really worldwide impact. 432 00:25:47,110 --> 00:25:49,722 It was still a virus written by a guy 433 00:25:49,722 --> 00:25:52,594 that just wanted to get his name in lights. 434 00:25:52,594 --> 00:25:53,813 He wanted to see his virus 435 00:25:53,813 --> 00:25:55,597 travel around the world a little bit 436 00:25:55,597 --> 00:25:57,381 and maybe get in the news somewhere, 437 00:25:57,381 --> 00:25:59,819 and then him be able to say, "Oh, I wrote that." 438 00:25:59,819 --> 00:26:03,083 Mr de Guzman hardly seemed to comprehend the chaos 439 00:26:03,083 --> 00:26:05,041 inflicted on the world's computers. 440 00:26:05,041 --> 00:26:08,610 But what happened was, it spread so quickly and so fast, 441 00:26:08,610 --> 00:26:11,265 it brought down email all over the world, 442 00:26:11,265 --> 00:26:13,920 and having email go down was monumental. 
443 00:26:13,920 --> 00:26:17,358 Experts say that the ILOVEYOU virus could end up costing 444 00:26:17,358 --> 00:26:21,580 the world economy $10 billion in lost work time. 445 00:26:21,580 --> 00:26:25,627 It became the first sign to show that we relied on the internet. 446 00:26:25,627 --> 00:26:29,196 The internet was the basis for our financial transactions, 447 00:26:29,196 --> 00:26:31,154 for the way we do business. 448 00:26:32,460 --> 00:26:33,635 I would talk to people 449 00:26:33,635 --> 00:26:35,332 and remind them and educate them and say, 450 00:26:35,332 --> 00:26:36,899 "Look, you can't just click 451 00:26:36,899 --> 00:26:39,380 on any attachment that comes to you in an email." 452 00:26:39,380 --> 00:26:42,818 I remember talking to a guy about the Anna Kournikova virus 453 00:26:42,818 --> 00:26:45,995 that purported to be nude pictures of Anna Kournikova. 454 00:26:45,995 --> 00:26:48,955 And he told me, he said, "Yeah, I knew it was a virus. 455 00:26:48,955 --> 00:26:52,088 I thought it was probably a virus. But what if it wasn't? 456 00:26:52,088 --> 00:26:53,960 What if it really was nude pictures? 457 00:26:53,960 --> 00:26:55,788 So I double-clicked on it." 458 00:26:56,919 --> 00:26:58,399 People just don't realise 459 00:26:58,399 --> 00:27:02,055 what clicking on that attachment means. 460 00:27:02,055 --> 00:27:06,102 Cyber criminals and hackers realised a long time ago 461 00:27:06,102 --> 00:27:09,018 that your username and password, 462 00:27:09,018 --> 00:27:11,804 particularly to your email account, 463 00:27:11,804 --> 00:27:15,285 could get them into your stock brokerage account, 464 00:27:15,285 --> 00:27:18,201 to your online banking account, 465 00:27:18,201 --> 00:27:23,903 to send phishing emails to other contacts. 
466 00:27:23,903 --> 00:27:27,994 If you protect yourself properly, 467 00:27:27,994 --> 00:27:31,214 the chances are you won't be a victim 468 00:27:31,214 --> 00:27:35,218 of what one would call "drive-by hacking". 469 00:27:35,218 --> 00:27:39,483 If, however, you're being specifically targeted 470 00:27:39,483 --> 00:27:42,965 by a hacking group, they will follow that trace. 471 00:27:43,879 --> 00:27:45,533 And they will get you. 472 00:27:48,449 --> 00:27:53,280 Now, we know that at least three members of the Bangladeshi Bank 473 00:27:53,280 --> 00:27:56,587 were targeted by this after the social engineer 474 00:27:56,587 --> 00:27:58,981 had scanned all of their social media, 475 00:27:58,981 --> 00:28:00,722 and at least three of them 476 00:28:00,722 --> 00:28:04,073 opened the letter and took the bait. 477 00:28:04,073 --> 00:28:06,249 Once that code began executing 478 00:28:06,249 --> 00:28:08,295 on those bank employees' computers, 479 00:28:08,295 --> 00:28:10,906 it would reach out back to the attackers 480 00:28:10,906 --> 00:28:13,866 and tell them that these machines are now infected 481 00:28:13,866 --> 00:28:15,302 and give them full control, 482 00:28:15,302 --> 00:28:18,044 as if they were sitting in front of the keyboard, 483 00:28:18,044 --> 00:28:21,134 just like those employees. 484 00:28:21,134 --> 00:28:23,745 There was malware in the system 485 00:28:23,745 --> 00:28:26,574 that was actually copying screenshots, 486 00:28:28,358 --> 00:28:33,450 copying keystrokes of employees, and no one knew. 487 00:28:33,450 --> 00:28:35,801 They've got their foot in the door. 488 00:28:35,801 --> 00:28:38,760 This is the essential first step. 489 00:28:38,760 --> 00:28:42,677 The first layer of security has been breached. 490 00:28:48,639 --> 00:28:52,339 And the digger, the person who is getting deeper and deeper 491 00:28:52,339 --> 00:28:54,558 into the computer network, 492 00:28:54,558 --> 00:28:58,258 has to be a very advanced hacker. 
493 00:28:58,258 --> 00:29:02,958 This is when you need a real professional. 494 00:29:02,958 --> 00:29:05,656 They're like ghosts. Nobody can see them, 495 00:29:05,656 --> 00:29:10,009 but they're mapping every single bit of that network. 496 00:29:11,967 --> 00:29:13,577 In the Bank of Bangladesh, 497 00:29:13,577 --> 00:29:16,145 you had computers that are all interconnected to each other, 498 00:29:16,145 --> 00:29:19,279 and they're connected using what's called a switch. 499 00:29:19,279 --> 00:29:23,022 In your average bank, that has a good security program, 500 00:29:23,022 --> 00:29:25,676 those switches are what's called segmented. 501 00:29:25,676 --> 00:29:27,591 So each of those switches only allow 502 00:29:27,591 --> 00:29:30,290 a certain number of computers to talk to each other 503 00:29:30,290 --> 00:29:32,814 rather than every computer to talk to each other. 504 00:29:32,814 --> 00:29:35,382 But in the case of the Bank of Bangladesh, 505 00:29:35,382 --> 00:29:38,559 in the back-office network, they were using these very cheap, 506 00:29:38,559 --> 00:29:42,084 literally $10 switches that didn't do any segmentation. 507 00:29:42,084 --> 00:29:45,348 Every computer was potentially connected to each other. 508 00:29:45,348 --> 00:29:48,308 Basically, it's a cost-cutting exercise. 509 00:29:48,308 --> 00:29:53,530 But that cost-cutting exercise was what the digger needed. 510 00:29:53,530 --> 00:29:55,489 Those attackers began to do 511 00:29:55,489 --> 00:29:58,231 what we call a lateral traverse across the network, 512 00:29:58,231 --> 00:30:01,147 search for other computers to infect, 513 00:30:01,147 --> 00:30:03,062 look for credentials. 514 00:30:04,585 --> 00:30:06,848 Whenever you log into a computer, 515 00:30:06,848 --> 00:30:08,676 your credentials are cached. 516 00:30:08,676 --> 00:30:11,331 They're put into the memory of the computer. 
517 00:30:11,331 --> 00:30:14,290 Attackers are able to filter through that memory 518 00:30:14,290 --> 00:30:16,640 and find used usernames and passwords. 519 00:30:16,640 --> 00:30:19,469 They don't always know what they're for, 520 00:30:19,469 --> 00:30:22,385 so they try to collect as many credentials as they can 521 00:30:22,385 --> 00:30:25,432 and see, "What computers can I see from this computer?", 522 00:30:25,432 --> 00:30:27,608 and just begin to use them over and over again 523 00:30:27,608 --> 00:30:28,652 and just try them. 524 00:30:31,264 --> 00:30:32,613 Eventually, they hop on 525 00:30:32,613 --> 00:30:35,050 and are able to connect to another computer. 526 00:30:35,050 --> 00:30:36,312 They get onto that one. 527 00:30:36,312 --> 00:30:38,271 It's still not what they're interested in, 528 00:30:38,271 --> 00:30:40,664 but they're able to find more usernames and passwords 529 00:30:40,664 --> 00:30:42,405 and try those on all the other computers 530 00:30:42,405 --> 00:30:44,190 they can see from that advantage point. 531 00:30:44,190 --> 00:30:48,020 That's how they move across the network over and over again. 532 00:30:48,020 --> 00:30:50,544 They would delete all traces of themselves 533 00:30:50,544 --> 00:30:52,894 as they moved across the network, 534 00:30:52,894 --> 00:30:55,636 ultimately jumping from computer to computer 535 00:30:55,636 --> 00:30:57,681 until they found the SWIFT terminal, 536 00:30:57,681 --> 00:31:00,815 their ultimate goal in order to make wire transfers 537 00:31:00,815 --> 00:31:02,817 out of the Bank of Bangladesh. 538 00:31:04,993 --> 00:31:06,777 It takes a long time. 539 00:31:06,777 --> 00:31:10,172 They're there for months. This is an ongoing process. 540 00:31:10,172 --> 00:31:14,220 If at any moment they're discovered to be in there, 541 00:31:14,220 --> 00:31:18,137 then the whole operation is finished. 
542 00:31:22,141 --> 00:31:24,056 With the Bangladeshi Bank heist, 543 00:31:24,056 --> 00:31:27,276 you basically have two operations running in parallel. 544 00:31:27,276 --> 00:31:29,670 You have an offline operation going on, 545 00:31:29,670 --> 00:31:32,238 which is to do with the money laundering. 546 00:31:36,895 --> 00:31:38,940 It's the fence's responsibility 547 00:31:38,940 --> 00:31:43,902 to set up the recipient accounts. 548 00:31:43,902 --> 00:31:46,382 They're gonna end up with cold, hard cash, 549 00:31:46,382 --> 00:31:48,080 and they need individuals on the ground 550 00:31:48,080 --> 00:31:50,909 to pick up that cash and move it. 551 00:31:53,172 --> 00:31:54,434 And so, in May of 2015, 552 00:31:54,434 --> 00:31:56,871 before they'd even got into the SWIFT terminal, 553 00:31:56,871 --> 00:31:59,656 they were able to recruit a Chinese individual 554 00:31:59,656 --> 00:32:03,312 to go to the Philippines and open up four bank accounts there 555 00:32:03,312 --> 00:32:05,227 at a bank called RCBC. 556 00:32:05,227 --> 00:32:08,883 You have to make sure those people inside the bank 557 00:32:08,883 --> 00:32:10,711 in the Philippines 558 00:32:10,711 --> 00:32:12,974 have been properly corrupted 559 00:32:12,974 --> 00:32:17,674 and properly instructed as to what their role is. 560 00:32:17,674 --> 00:32:20,068 The fence opens up these accounts, 561 00:32:20,068 --> 00:32:22,592 puts $500 in each of them, 562 00:32:22,592 --> 00:32:25,726 and then they just go to sleep for nine months. 563 00:32:28,598 --> 00:32:31,950 These attackers were inside the Bank of Bangladesh 564 00:32:31,950 --> 00:32:34,822 for a full year, which is incredible. 565 00:32:41,307 --> 00:32:43,265 They actually got onto that SWIFT terminal 566 00:32:43,265 --> 00:32:44,788 exactly one year later... 567 00:32:47,617 --> 00:32:50,229 on January 29th, 2016. 568 00:32:55,495 --> 00:32:58,019 In any bank, you have different employees. 
569 00:32:58,019 --> 00:33:01,414 You have back-office employees, administrative employees, 570 00:33:01,414 --> 00:33:04,330 but you also have computers that are connected 571 00:33:04,330 --> 00:33:07,159 directly to financial transactions. 572 00:33:07,159 --> 00:33:11,076 And only users who have specific access to those machines 573 00:33:11,076 --> 00:33:12,555 are allowed to use them. 574 00:33:12,555 --> 00:33:15,036 When we talk about the case of the Bank of Bangladesh, 575 00:33:15,036 --> 00:33:18,605 there was a single computer that had credentials 576 00:33:18,605 --> 00:33:20,085 from a shared employee. 577 00:33:20,085 --> 00:33:23,218 You had an employee that would use that SWIFT terminal, 578 00:33:23,218 --> 00:33:26,830 but also had their own computer in the normal back-office area. 579 00:33:26,830 --> 00:33:29,355 Once they got onto that employee's computer, 580 00:33:29,355 --> 00:33:31,052 they were able to jump across. 581 00:33:31,052 --> 00:33:34,969 They waited. They basically did a recon on the system. 582 00:33:34,969 --> 00:33:36,579 They crawled around. 583 00:33:36,579 --> 00:33:39,756 They looked and tried to fully understand how this worked, 584 00:33:39,756 --> 00:33:43,804 how SWIFT worked, how each bank employee would make a request 585 00:33:43,804 --> 00:33:47,155 into the SWIFT system, where it would go, 586 00:33:47,155 --> 00:33:49,244 how to direct that to branches 587 00:33:49,244 --> 00:33:52,117 where they had set up these accounts. 588 00:33:52,117 --> 00:33:55,729 And in this case, it was just very simple and very clever. 589 00:33:58,166 --> 00:34:00,342 The thief is not so much someone 590 00:34:00,342 --> 00:34:03,302 who is physically taking out the money 591 00:34:03,302 --> 00:34:05,695 and stuffing it into a bag. 592 00:34:05,695 --> 00:34:07,610 They're making sure 593 00:34:07,610 --> 00:34:12,572 that every bit on the system is coordinated. 
594 00:34:12,572 --> 00:34:16,228 There are all sorts of things to get right 595 00:34:16,228 --> 00:34:21,494 before that fatal moment when the request is made. 596 00:34:21,494 --> 00:34:24,105 Everything has to be 597 00:34:24,105 --> 00:34:26,716 really, really precisely coordinated 598 00:34:26,716 --> 00:34:29,937 to get all the timing right. You've got four days. 599 00:34:29,937 --> 00:34:31,547 You can't afford a slip-up. 600 00:34:31,547 --> 00:34:34,333 When the attackers got into the SWIFT terminal 601 00:34:34,333 --> 00:34:38,728 on January 29th of 2016, they paused for about five days 602 00:34:38,728 --> 00:34:41,079 to get their malicious software ready 603 00:34:41,079 --> 00:34:43,168 that allowed them to cover their tracks 604 00:34:43,168 --> 00:34:45,257 when they were on that SWIFT terminal. 605 00:34:45,257 --> 00:34:48,173 They decided to wait until February 4th. 606 00:34:48,173 --> 00:34:49,826 And this is no accident. 607 00:34:52,960 --> 00:34:55,702 They have chosen a long weekend 608 00:34:55,702 --> 00:34:58,574 due to holidays in different parts of the world. 609 00:34:58,574 --> 00:35:01,186 That means, instead of the usual two days 610 00:35:01,186 --> 00:35:02,535 they have to get away with it 611 00:35:02,535 --> 00:35:04,841 before alarms start going off everywhere, 612 00:35:04,841 --> 00:35:07,931 they've got four days. It's brilliant. 613 00:35:09,498 --> 00:35:11,935 February 4th, 2016, was a Thursday. 614 00:35:11,935 --> 00:35:14,634 That's the last day of the working week in Bangladesh. 615 00:35:14,634 --> 00:35:16,940 In Bangladesh, they work from Sunday to Thursday. 616 00:35:16,940 --> 00:35:19,421 So, at some point late in the afternoon, 617 00:35:19,421 --> 00:35:22,685 the SWIFT transaction operator in the Bangladeshi Bank 618 00:35:22,685 --> 00:35:24,687 logs off his terminal. 
619 00:35:28,778 --> 00:35:30,476 But three hours later, 620 00:35:30,476 --> 00:35:33,435 the thief logs into that terminal 621 00:35:33,435 --> 00:35:35,829 and starts to impersonate him. 622 00:35:35,829 --> 00:35:38,919 They logged into that SWIFT terminal at 8:36 p.m., 623 00:35:38,919 --> 00:35:41,051 after they believed, or really knew, 624 00:35:41,051 --> 00:35:44,403 that all the bank employees had gone home for the weekend. 625 00:35:44,403 --> 00:35:48,233 And they put forward 35 different wire transactions 626 00:35:48,233 --> 00:35:52,280 from that SWIFT terminal, totalling $951 million, 627 00:35:52,280 --> 00:35:55,631 almost $1 billion, completely unheard of. 628 00:35:58,678 --> 00:36:02,029 Ten hours behind Bangladesh, 629 00:36:02,029 --> 00:36:03,813 New York is waking up. 630 00:36:04,945 --> 00:36:07,252 The first thing that the Fed sees 631 00:36:07,252 --> 00:36:09,297 is 35 requests 632 00:36:09,297 --> 00:36:13,214 for almost the entire holdings of the Bangladeshi Bank. 633 00:36:13,214 --> 00:36:17,523 Usually, it's figures of sort of $300,000, $500,000. 634 00:36:17,523 --> 00:36:19,525 They want almost a billion! 635 00:36:19,525 --> 00:36:23,746 The operator, perhaps unsurprisingly, rejects it, 636 00:36:23,746 --> 00:36:26,488 sends it back to Bangladesh. 637 00:36:26,488 --> 00:36:28,751 But he rejects it not because 638 00:36:28,751 --> 00:36:32,581 this is an absolutely crazy amount of money, 639 00:36:32,581 --> 00:36:36,585 but because the requests are wrongly formatted. 640 00:36:36,585 --> 00:36:39,153 As much research that they had done, 641 00:36:39,153 --> 00:36:41,851 they didn't really understand how to fill out 642 00:36:41,851 --> 00:36:43,331 those SWIFT transfers. 643 00:36:43,331 --> 00:36:45,942 They were missing what's called an intermediate bank. 
644 00:36:45,942 --> 00:36:48,162 New York Federal Reserve replied to them, 645 00:36:48,162 --> 00:36:50,469 via the SWIFT system, back to their computer 646 00:36:50,469 --> 00:36:52,688 that they were sitting in front of, virtually, 647 00:36:52,688 --> 00:36:56,475 saying, "Hey, these transactions are missing information." 648 00:36:56,475 --> 00:36:58,520 They think on their feet. 649 00:36:58,520 --> 00:37:02,829 They reformat the requests, send them back... 650 00:37:02,829 --> 00:37:06,006 and hold their breath to see what happens. 651 00:37:06,006 --> 00:37:08,574 They ultimately corrected 34 of them. 652 00:37:08,574 --> 00:37:09,879 They had forgotten one. 653 00:37:09,879 --> 00:37:12,230 The one did have the intermediate bank 654 00:37:12,230 --> 00:37:13,448 went to Deutsche Bank. 655 00:37:13,448 --> 00:37:15,581 That order was for $20 million 656 00:37:15,581 --> 00:37:19,802 to a charity called the Shalika Foundation in Sri Lanka. 657 00:37:19,802 --> 00:37:22,109 But they had made a typo as well, 658 00:37:22,109 --> 00:37:25,417 and they had misspelled "foundation" as "fandation". 659 00:37:25,417 --> 00:37:27,680 And so Deutsche Bank saw that typo 660 00:37:27,680 --> 00:37:29,856 and questioned it and, again, 661 00:37:29,856 --> 00:37:32,293 held that transaction due to that typo. 662 00:37:34,643 --> 00:37:36,863 We use that as the poster child 663 00:37:36,863 --> 00:37:40,083 for why you need to learn how to spell. 664 00:37:40,083 --> 00:37:43,783 Otherwise, you can lose $20 million. 665 00:37:43,783 --> 00:37:47,265 Ultimately, when they return the other 34... 666 00:37:48,570 --> 00:37:50,268 Bingo. 667 00:37:50,268 --> 00:37:52,487 The operator approves them. 668 00:37:52,487 --> 00:37:55,795 Four of them went through. 669 00:37:55,795 --> 00:38:00,495 The green light is given. The heist is on. 
670 00:38:00,495 --> 00:38:03,629 Those four went through to those bank accounts 671 00:38:03,629 --> 00:38:06,066 in the Philippines that had been opened 672 00:38:06,066 --> 00:38:07,589 more than six months earlier. 673 00:38:07,589 --> 00:38:10,636 And they were able to transfer out $81 million 674 00:38:10,636 --> 00:38:12,638 to the bank in the Philippines. 675 00:38:34,181 --> 00:38:37,837 Ultimately, they were about to transfer $1 billion 676 00:38:37,837 --> 00:38:39,534 from the Bank of Bangladesh, 677 00:38:39,534 --> 00:38:42,494 but they didn't want anyone to find out. 678 00:38:47,847 --> 00:38:51,459 They began to cover their tracks. 679 00:38:51,459 --> 00:38:53,200 Normally, as a bank employee, 680 00:38:53,200 --> 00:38:55,071 you'll load up the SWIFT software, 681 00:38:55,071 --> 00:38:57,944 you'll see on the screen all the latest transactions, 682 00:38:57,944 --> 00:38:59,598 you can make transactions. 683 00:38:59,598 --> 00:39:04,342 And so the attackers deleted all records of those transactions. 684 00:39:07,083 --> 00:39:08,563 But it's not just digital. 685 00:39:08,563 --> 00:39:13,002 In the world of finance, everything must be a hard copy. 686 00:39:13,002 --> 00:39:16,005 And the attackers knew that as well. 687 00:39:20,575 --> 00:39:23,622 Every SWIFT transaction that takes place 688 00:39:23,622 --> 00:39:28,975 is immediately printed out locally in the Bangladeshi Bank. 689 00:39:28,975 --> 00:39:31,978 So that printer cannot be working 690 00:39:31,978 --> 00:39:34,676 when the heist is going on. 691 00:39:34,676 --> 00:39:37,549 The attackers hijacked all of those print jobs, 692 00:39:37,549 --> 00:39:40,421 replaced all of those print jobs with zeros 693 00:39:40,421 --> 00:39:43,555 so that nothing would come out of the printer. 694 00:39:43,555 --> 00:39:48,516 Now, the other 30 wire transactions sat around. 
695 00:39:48,516 --> 00:39:51,867 And, ultimately, the attackers waited, 696 00:39:51,867 --> 00:39:54,261 and they waited... 697 00:39:54,261 --> 00:39:58,874 And they logged out at 3:59 a.m. Bangladesh time. 698 00:39:58,874 --> 00:40:01,442 Potentially, they thought that in New York, 699 00:40:01,442 --> 00:40:03,096 the business day ended at five p.m., 700 00:40:03,096 --> 00:40:04,924 and they weren't gonna hear any more. 701 00:40:04,924 --> 00:40:06,882 The New York Fed had actually stopped 702 00:40:06,882 --> 00:40:08,449 the rest of the transactions, 703 00:40:08,449 --> 00:40:11,931 because the address for the bank in the Philippines 704 00:40:11,931 --> 00:40:15,804 was on Jupiter Street. J-U-P-I-T-E-R. 705 00:40:15,804 --> 00:40:20,853 Right, now this is when the story gets really weird. 706 00:40:20,853 --> 00:40:24,857 In a totally unrelated incident two years earlier, 707 00:40:24,857 --> 00:40:28,469 we have a Greek shipping magnate, Dimitris Cambis, 708 00:40:28,469 --> 00:40:32,038 and he is buying eight tankers. 709 00:40:32,038 --> 00:40:35,258 What Dimitris knew, but not many other people, 710 00:40:35,258 --> 00:40:39,872 was that the money for these eight oil tankers 711 00:40:39,872 --> 00:40:41,917 came from Iran, 712 00:40:41,917 --> 00:40:45,660 and Iran was under US sanctions. 713 00:40:45,660 --> 00:40:48,358 Someone in the US caught wind of the fact 714 00:40:48,358 --> 00:40:51,710 that the Iranians were financing Mr Cambis. 715 00:40:51,710 --> 00:40:55,017 His company was put on the sanctions watch list, 716 00:40:55,017 --> 00:40:58,325 and his company was called Jupiter Seaways. 717 00:41:00,675 --> 00:41:02,590 It was just their bad luck 718 00:41:02,590 --> 00:41:05,201 that they designated the money transfers 719 00:41:05,201 --> 00:41:11,338 to go to the Jupiter branch of the Rizal Bank in Manila. 
720 00:41:11,338 --> 00:41:15,211 As the transfers were being sent out from the New York Reserve 721 00:41:15,211 --> 00:41:16,996 to the Philippines, 722 00:41:16,996 --> 00:41:20,956 the Jupiter name was caught by the computer system. 723 00:41:20,956 --> 00:41:23,916 It halted these transactions. 724 00:41:23,916 --> 00:41:26,484 The Fed had to take a second look. 725 00:41:26,484 --> 00:41:28,790 They stopped it because they realised, 726 00:41:28,790 --> 00:41:31,184 "Wait, we have somewhere in the order 35 transactions 727 00:41:31,184 --> 00:41:33,229 coming from the Bank of Bangladesh, 728 00:41:33,229 --> 00:41:37,407 adding up to $1 billion? You know, this isn't usual." 729 00:41:37,407 --> 00:41:40,062 So they held them and sent a message back, 730 00:41:40,062 --> 00:41:41,890 asking for confirmation. 731 00:41:44,589 --> 00:41:47,766 Had the attackers waited just one more hour, 732 00:41:47,766 --> 00:41:50,595 they could have replied to them via the SWIFT system, 733 00:41:50,595 --> 00:41:53,206 saying these transactions were not a mistake. 734 00:41:53,206 --> 00:41:55,295 Ultimately, the Bank of Bangladesh 735 00:41:55,295 --> 00:41:57,253 might have lost much, much more. 736 00:41:57,253 --> 00:42:01,344 So far, they managed to get $81 million. 737 00:42:01,344 --> 00:42:05,435 But, boy, did they come close to hitting the jackpot. 738 00:42:05,435 --> 00:42:07,655 Just under $1 billion 739 00:42:07,655 --> 00:42:11,572 was very, very nearly stolen from this bank. 740 00:42:22,061 --> 00:42:25,194 The next day, the bank employees came in, 741 00:42:25,194 --> 00:42:26,587 and the printer wasn't working, 742 00:42:26,587 --> 00:42:28,937 because they installed their malicious code 743 00:42:28,937 --> 00:42:30,722 to prevent that from happening. 744 00:42:30,722 --> 00:42:32,637 Ultimately, those bank employees 745 00:42:32,637 --> 00:42:34,900 didn't get it fixed until February 6, 746 00:42:34,900 --> 00:42:36,554 which would have been a Sunday. 
747 00:42:38,251 --> 00:42:41,297 When the printer started, all these messages came out, 748 00:42:41,297 --> 00:42:42,908 messages from the Fed asking, 749 00:42:42,908 --> 00:42:46,041 "What are these 30 transactions? Did you mean to make these?" 750 00:42:46,041 --> 00:42:48,304 That triggered the Bank of Bangladesh 751 00:42:48,304 --> 00:42:51,003 to realise something had gone wrong. 752 00:42:51,003 --> 00:42:53,658 It was very clear that they were in deep, 753 00:42:53,658 --> 00:42:57,357 such that the bank manager... This is the Bank of Bangladesh, 754 00:42:57,357 --> 00:43:00,534 the federal bank, the national bank of the country, 755 00:43:00,534 --> 00:43:04,103 did not notify the leaders, 756 00:43:04,103 --> 00:43:07,236 the government of Bangladesh. He kept it under wraps. 757 00:43:07,236 --> 00:43:10,544 He notified someone he knew who knew about security. 758 00:43:10,544 --> 00:43:12,372 "Get on a plane, get to Bangladesh. 759 00:43:12,372 --> 00:43:14,940 I need you to look at these computer systems." 760 00:43:20,467 --> 00:43:22,948 Initially, the governor and his whole team 761 00:43:22,948 --> 00:43:24,166 were quite perplexed. 762 00:43:24,166 --> 00:43:27,343 They didn't quite know what had happened. 763 00:43:27,343 --> 00:43:30,216 So they thought that some money had been routed 764 00:43:30,216 --> 00:43:33,045 to a wrong account; it would come back. 765 00:43:36,309 --> 00:43:39,921 I get this strange phone call from the governor's office 766 00:43:39,921 --> 00:43:42,707 asking me if I would drop everything 767 00:43:42,707 --> 00:43:45,274 and come to Dhaka, Bangladesh. 768 00:43:49,061 --> 00:43:51,237 So I assembled a team... 769 00:43:52,107 --> 00:43:53,892 and we flew down. 770 00:43:57,896 --> 00:44:02,596 When we arrived there, we met with the Bangladesh Bank team. 771 00:44:02,596 --> 00:44:06,121 And that's when I discovered all the horrifying details 772 00:44:06,121 --> 00:44:08,471 of what had actually happened. 
773 00:44:12,388 --> 00:44:15,217 They decide, "Let's look at the CCTV. 774 00:44:15,217 --> 00:44:17,393 What's that going to tell us?" 775 00:44:17,393 --> 00:44:20,309 There were eight hours' worth of tapes 776 00:44:20,309 --> 00:44:23,138 that had to be gone through. 777 00:44:23,138 --> 00:44:26,054 Your gut instinct is, you have a malicious insider. 778 00:44:26,054 --> 00:44:27,708 A physical person had to go in, 779 00:44:27,708 --> 00:44:30,842 log into that machine and try to make these transfers, 780 00:44:30,842 --> 00:44:34,715 because this attack hadn't happened before. 781 00:44:34,715 --> 00:44:37,631 They had a SWIFT room, which was locked. 782 00:44:37,631 --> 00:44:39,938 And typically when the SWIFT operators 783 00:44:39,938 --> 00:44:43,724 needed to do something on SWIFT, they had to go into the room, 784 00:44:43,724 --> 00:44:47,467 sit in that chair and terminal, 785 00:44:47,467 --> 00:44:52,037 and there was only one shadow we could find. 786 00:44:52,037 --> 00:44:54,779 We eventually decided it was the person 787 00:44:54,779 --> 00:44:58,391 sweeping the place after hours. 788 00:45:00,741 --> 00:45:04,310 They were saying, "How could somebody process the transaction 789 00:45:04,310 --> 00:45:05,964 when there was nobody there?" 790 00:45:05,964 --> 00:45:10,577 I mean, even after the payment instructions had been sent, 791 00:45:10,577 --> 00:45:15,408 they had no idea for a very long time what was happening. 792 00:45:15,408 --> 00:45:19,412 They didn't think it was a hack. They had no traces of a hack. 793 00:45:19,412 --> 00:45:22,632 But they watched eight hours of that footage over that weekend 794 00:45:22,632 --> 00:45:25,635 and realised there was no one at that computer. 795 00:45:25,635 --> 00:45:26,941 Nothing. 796 00:45:26,941 --> 00:45:29,248 They had no idea that the Bank of Bangladesh 797 00:45:29,248 --> 00:45:31,859 had been breached by hackers. 
798 00:45:31,859 --> 00:45:35,384 Only after we see these things happen over and over again, 799 00:45:35,384 --> 00:45:39,171 we realise that cyber has such capabilities. 800 00:45:44,045 --> 00:45:47,440 Bangladesh was a bit of a bombshell for all of us. 801 00:45:49,311 --> 00:45:52,097 Hackers and most cybercrime, 802 00:45:52,097 --> 00:45:54,055 it's like smash-and-grab crime. 803 00:45:54,055 --> 00:45:56,492 Quickly grab something and monetise it 804 00:45:56,492 --> 00:45:58,103 as swiftly as you can. 805 00:45:58,103 --> 00:46:01,236 You know, storm a bank with shotguns, blow a safe, 806 00:46:01,236 --> 00:46:03,978 fill some bags with cash. 807 00:46:03,978 --> 00:46:06,024 Cybercrime... 808 00:46:06,024 --> 00:46:09,418 It doesn't lend itself well to long conspiracy 809 00:46:09,418 --> 00:46:11,856 and lots of investigation and investment 810 00:46:11,856 --> 00:46:13,596 into understanding your target. 811 00:46:13,596 --> 00:46:15,903 I mean, you couldn't do Bangladesh 812 00:46:15,903 --> 00:46:19,037 unless you really understood the internal workings 813 00:46:19,037 --> 00:46:21,909 of the central bank and all the actors involved. 814 00:46:21,909 --> 00:46:24,607 That's not something that freelance hackers 815 00:46:24,607 --> 00:46:26,827 really are good at. 816 00:46:26,827 --> 00:46:29,917 That requires a level of investment into resources 817 00:46:29,917 --> 00:46:34,095 and frankly intelligence that has to be sustained. 818 00:46:34,095 --> 00:46:38,012 To organise something of that complexity 819 00:46:38,012 --> 00:46:40,841 and for it not to be noticed 820 00:46:40,841 --> 00:46:43,539 by the intelligence agencies of the state 821 00:46:43,539 --> 00:46:46,020 where that is being planned 822 00:46:46,020 --> 00:46:50,285 would be very, very difficult indeed. 
823 00:46:50,285 --> 00:46:53,419 These hackers went in and looked at the zeros and ones 824 00:46:53,419 --> 00:46:55,725 in the software and reverse engineered it, 825 00:46:55,725 --> 00:46:58,380 turned it back into understandable code. 826 00:46:58,380 --> 00:47:00,905 That's not something that happens overnight. 827 00:47:00,905 --> 00:47:02,384 It was pretty clear 828 00:47:02,384 --> 00:47:04,865 that this isn't just normal criminals. 829 00:47:04,865 --> 00:47:07,128 This has to be something bigger. 830 00:47:10,044 --> 00:47:13,961 Once attackers have gained access to their target network, 831 00:47:13,961 --> 00:47:16,007 they want to stay undetected. 832 00:47:18,487 --> 00:47:20,968 And we've seen many interesting examples 833 00:47:20,968 --> 00:47:23,014 of how exactly this is done. 834 00:47:26,278 --> 00:47:27,801 What exactly happened 835 00:47:27,801 --> 00:47:30,195 at the Natanz nuclear facility last week? 836 00:47:30,195 --> 00:47:32,806 It's a question people in Iran around the world 837 00:47:32,806 --> 00:47:35,461 have been asking since a fire was reported 838 00:47:35,461 --> 00:47:38,856 at Iran's main uranium enrichment facility on Thursday. 839 00:47:38,856 --> 00:47:41,902 We're used to Trojans and viruses on the internet, 840 00:47:41,902 --> 00:47:43,338 but this is the first worm 841 00:47:43,338 --> 00:47:46,907 designed to damage the physical world. 842 00:47:46,907 --> 00:47:51,042 In 2010, attackers created a piece of malicious software 843 00:47:51,042 --> 00:47:55,350 that was designed to infiltrate Iran's nuclear programme, 844 00:47:55,350 --> 00:47:57,004 to get into their centrifuges, 845 00:47:57,004 --> 00:47:59,050 in particular, get onto computers 846 00:47:59,050 --> 00:48:00,921 that controlled their centrifuges. 847 00:48:00,921 --> 00:48:04,142 Iran says it will retaliate against any country 848 00:48:04,142 --> 00:48:06,884 that conducts cyber-attacks on its nuclear sites. 
849 00:48:06,884 --> 00:48:09,538 The intention was to spin the centrifuges 850 00:48:09,538 --> 00:48:12,150 of Iran's nuclear capabilities out of control, 851 00:48:12,150 --> 00:48:14,152 make the centrifuges explode 852 00:48:14,152 --> 00:48:15,414 and push them ten years back 853 00:48:15,414 --> 00:48:17,372 in the uranium enrichment programme. 854 00:48:17,372 --> 00:48:18,721 As a piece of malware, 855 00:48:18,721 --> 00:48:21,768 it was 40 times larger than any piece of malware 856 00:48:21,768 --> 00:48:24,336 that had ever been encountered before. 857 00:48:24,336 --> 00:48:28,514 It would have taken the most advanced, 858 00:48:28,514 --> 00:48:30,995 brilliant computer engineers 859 00:48:30,995 --> 00:48:34,085 years and years of human working hours 860 00:48:34,085 --> 00:48:35,956 to produce this. 861 00:48:35,956 --> 00:48:38,089 Why was it so big? 862 00:48:38,089 --> 00:48:42,310 Because it needed to cover itself up. 863 00:48:44,834 --> 00:48:47,794 The attackers were actually recording 864 00:48:47,794 --> 00:48:52,320 the network traffic, the normal network traffic, 865 00:48:52,320 --> 00:48:55,062 and then playing it back to the sensors 866 00:48:55,062 --> 00:48:58,848 when they started modifying the operations of the centrifuges 867 00:48:58,848 --> 00:49:00,720 they were trying to break. 868 00:49:04,463 --> 00:49:06,900 This is the equivalent of, in the real world, 869 00:49:06,900 --> 00:49:09,903 recording the CCTV footage from a security camera 870 00:49:09,903 --> 00:49:12,166 and then playing it back to the camera 871 00:49:12,166 --> 00:49:14,125 when you're doing something bad. 872 00:49:14,125 --> 00:49:16,301 That's what Stuxnet was doing. 873 00:49:16,301 --> 00:49:18,042 And in the Bangladesh heist, 874 00:49:18,042 --> 00:49:20,218 they were doing something similar. 
875 00:49:20,218 --> 00:49:22,872 Once they made their transactions, 876 00:49:22,872 --> 00:49:26,311 they wanted to make sure no one realised they had happened. 877 00:49:26,311 --> 00:49:29,053 They were actually falsifying the information 878 00:49:29,053 --> 00:49:30,576 about transactions. 879 00:49:30,576 --> 00:49:33,405 The recording of the transactions were being done 880 00:49:33,405 --> 00:49:34,972 both in electronic format, 881 00:49:34,972 --> 00:49:38,540 but also falsifying the data being sent to the printers, 882 00:49:38,540 --> 00:49:41,021 which actually looked like everything was fine. 883 00:49:41,021 --> 00:49:44,242 So you find out how you're being tracked, 884 00:49:44,242 --> 00:49:46,984 and then you try to cover your tracks. 885 00:49:46,984 --> 00:49:48,246 Stuxnet did that. 886 00:49:48,246 --> 00:49:50,770 The Bangladeshi heist did it as well. 887 00:49:53,207 --> 00:49:56,950 Once that money arrived in the Philippines, 888 00:49:56,950 --> 00:50:00,519 they needed to change that money into cold, hard cash. 889 00:50:00,519 --> 00:50:02,912 Right now, it's still in digital ones and zeros, 890 00:50:02,912 --> 00:50:05,437 just a transaction that said the money has moved 891 00:50:05,437 --> 00:50:06,829 from the Bank of Bangladesh 892 00:50:06,829 --> 00:50:10,094 to these accounts at RCBC. Four accounts. 893 00:50:10,094 --> 00:50:13,532 The thieves had to get it out of the Philippines, 894 00:50:13,532 --> 00:50:15,621 make it disappear. 895 00:50:15,621 --> 00:50:18,450 So how were they going to do that? 896 00:50:18,450 --> 00:50:20,843 There is one industry in the Philippines 897 00:50:20,843 --> 00:50:23,237 where there is absolutely no oversight, 898 00:50:23,237 --> 00:50:27,241 where it's a cash-only business. There are no records, no names. 899 00:50:27,241 --> 00:50:29,113 That is the casino industry. 
900 00:50:41,125 --> 00:50:43,257 When we talk about laundering funds, 901 00:50:43,257 --> 00:50:45,955 we're talking about taking dirty, illicit funds, 902 00:50:45,955 --> 00:50:49,481 running them through a legal business 903 00:50:49,481 --> 00:50:52,049 so that if I came to you and said, 904 00:50:52,049 --> 00:50:55,400 "Hey, where'd you get that $81 million?", 905 00:50:55,400 --> 00:51:00,318 you could have a paper trail to show that you won it back. 906 00:51:00,318 --> 00:51:03,103 The hard part is not stealing the money. 907 00:51:03,103 --> 00:51:06,628 The hard part is moving the money into a form you can use 908 00:51:06,628 --> 00:51:08,152 without getting caught. 909 00:51:10,241 --> 00:51:15,202 And one method we've seen for quite a while is gambling. 910 00:51:15,202 --> 00:51:17,074 It was very clear that, 911 00:51:17,074 --> 00:51:20,251 if, at all, there was a place for you to do that, 912 00:51:20,251 --> 00:51:22,166 it would have been the Philippines, 913 00:51:22,166 --> 00:51:25,038 because the casinos are not regulated at all. 914 00:51:27,171 --> 00:51:30,304 It's like a lot of high-flying gamblers 915 00:51:30,304 --> 00:51:33,307 who'd kind of fly to Manila, 916 00:51:33,307 --> 00:51:37,050 crowd these numerous casinos in Manila, 917 00:51:37,050 --> 00:51:38,399 lots of money coming in. 918 00:51:38,399 --> 00:51:41,315 People don't question that kind of money. 919 00:51:41,315 --> 00:51:42,795 I mean, you know... 920 00:51:42,795 --> 00:51:44,753 "Well, as long as it's coming to us, 921 00:51:44,753 --> 00:51:47,887 we don't bother too much about where it is coming from." 922 00:51:49,323 --> 00:51:52,283 The thieves knew if they could get that money 923 00:51:52,283 --> 00:51:55,547 into the casinos, it would essentially be lost. 
924 00:51:56,809 --> 00:51:58,115 What happened was, 925 00:51:58,115 --> 00:52:00,421 the manager from the Philippines bank, 926 00:52:00,421 --> 00:52:03,381 she was the one who'd opened those four accounts 927 00:52:03,381 --> 00:52:05,557 using fraudulent IDs. 928 00:52:05,557 --> 00:52:09,952 She got the money withdrawn from the bank in the Philippines. 929 00:52:11,563 --> 00:52:12,955 From there, it started to go 930 00:52:12,955 --> 00:52:14,566 through something called Philrem. 931 00:52:14,566 --> 00:52:18,004 It's a bit like a Western Union in the Philippines, 932 00:52:18,004 --> 00:52:20,180 transferred into pesos. 933 00:52:20,180 --> 00:52:22,487 I don't know if you've ever used 934 00:52:22,487 --> 00:52:24,010 Philippine pesos before, 935 00:52:24,010 --> 00:52:28,057 but that's one hell of a lot of pesos, $22 million. 936 00:52:28,057 --> 00:52:33,454 In fact, it's over one million banknotes. 937 00:52:33,454 --> 00:52:35,630 They actually had to request that cash 938 00:52:35,630 --> 00:52:38,981 to come from a sister branch location, 939 00:52:38,981 --> 00:52:40,853 that arrived in boxes. 940 00:52:40,853 --> 00:52:44,422 The bank manager was seen by one of the other bank employees 941 00:52:44,422 --> 00:52:47,599 collecting those boxes and literally going outside 942 00:52:47,599 --> 00:52:49,862 and loading them up into a Lexus. 943 00:52:50,993 --> 00:52:53,344 And that money was driven away. 944 00:52:59,785 --> 00:53:03,702 So, we're talking stacks of bills carried in vans 945 00:53:03,702 --> 00:53:07,227 to the Solaire Casino right by the airport. 946 00:53:07,227 --> 00:53:10,448 It allows the Chinese gamblers to come off the plane. 947 00:53:10,448 --> 00:53:13,320 Five minutes, they're on the floor playing baccarat. 948 00:53:16,410 --> 00:53:19,979 The money goes to this place. It's wheeled in wheelbarrows 949 00:53:19,979 --> 00:53:24,113 across the casino floor up to this guarded escalator. 
950 00:53:35,255 --> 00:53:38,215 There's so much physical cash involved, 951 00:53:38,215 --> 00:53:41,305 they've enlisted their own crew of gamblers 952 00:53:41,305 --> 00:53:44,830 to launder the stolen funds. 953 00:53:44,830 --> 00:53:47,093 And they just played baccarat, 954 00:53:47,093 --> 00:53:49,617 all day long. 955 00:53:49,617 --> 00:53:51,140 They had individuals, 956 00:53:51,140 --> 00:53:54,231 mostly appeared to be Chinese nationals that they had, 957 00:53:54,231 --> 00:53:57,538 I assume, hired to take those funds and launder them. 958 00:53:57,538 --> 00:54:01,499 You change that cash into casino chips, 959 00:54:01,499 --> 00:54:03,152 play a few games, 960 00:54:03,152 --> 00:54:04,937 cash in the chips. 961 00:54:04,937 --> 00:54:10,595 And when you get that cash back, that is then laundered. 962 00:54:10,595 --> 00:54:13,119 And this wouldn't have been unusual. 963 00:54:13,119 --> 00:54:15,513 This was the Chinese lunar week. 964 00:54:15,513 --> 00:54:18,298 That would've been very common for individuals, 965 00:54:18,298 --> 00:54:20,561 high rollers, to come into the Philippines 966 00:54:20,561 --> 00:54:22,868 and play at the casinos during that time. 967 00:54:22,868 --> 00:54:26,611 Spending $22 million in a casino over a weekend, 968 00:54:26,611 --> 00:54:28,569 let's face it, could be fun. 969 00:54:32,878 --> 00:54:36,708 Doing this story and trying to figure out 970 00:54:36,708 --> 00:54:40,407 where in history to sort of place this thing. 971 00:54:40,407 --> 00:54:43,323 Was this the biggest heist of all time? 972 00:54:43,323 --> 00:54:47,327 No, but it certainly looked to be the biggest cyber heist 973 00:54:47,327 --> 00:54:50,243 of a bank in history. 
974 00:54:50,243 --> 00:54:54,378 And over the next few days, I just remember 975 00:54:54,378 --> 00:54:58,425 calling up my sources at Symantec 976 00:54:58,425 --> 00:55:00,993 and a couple other cybersecurity firms 977 00:55:00,993 --> 00:55:04,257 and getting in touch with a guy named Eric Chien. 978 00:55:06,085 --> 00:55:09,131 We have all kinds of sensors sitting on networks 979 00:55:09,131 --> 00:55:10,785 and computers all over the world. 980 00:55:10,785 --> 00:55:14,136 Any time some sort of cyber criminal, some attacker, 981 00:55:14,136 --> 00:55:18,053 is trying to breach a computer, they're leaving traces behind. 982 00:55:19,577 --> 00:55:23,537 Every attack has a signature. 983 00:55:23,537 --> 00:55:25,104 If you look at it long enough, 984 00:55:25,104 --> 00:55:27,454 if you study it, if you work it long enough, 985 00:55:27,454 --> 00:55:29,717 you can understand the way they do things. 986 00:55:29,717 --> 00:55:31,284 The way they state something, 987 00:55:31,284 --> 00:55:34,461 the way they code a particular way, 988 00:55:34,461 --> 00:55:39,901 the methodology of the attack, the step-by-step approaches. 989 00:55:39,901 --> 00:55:42,904 It might be considered like Sherlock Holmesian 990 00:55:42,904 --> 00:55:44,384 to come up with this idea. 991 00:55:44,384 --> 00:55:46,778 "Because he walks with a gait this way, 992 00:55:46,778 --> 00:55:48,954 and he does this..." But it is true. 993 00:55:48,954 --> 00:55:53,262 We see those signatures. We see those patterns. 
994 00:55:54,220 --> 00:55:56,004 What we discovered was, 995 00:55:56,004 --> 00:55:59,443 by looking at the artefacts that these attackers had used, 996 00:55:59,443 --> 00:56:01,880 the malicious binaries they had used, 997 00:56:01,880 --> 00:56:03,185 the code inside of it, 998 00:56:03,185 --> 00:56:05,753 as well as the email accounts that they used 999 00:56:05,753 --> 00:56:07,929 to send the initial spear-phishing messages, 1000 00:56:07,929 --> 00:56:12,499 we were able to map this back to an attacker back in 2014. 1001 00:56:15,415 --> 00:56:18,505 Sony Pictures is mainly housed in Culver City. 1002 00:56:18,505 --> 00:56:20,507 And in 2014, 1003 00:56:20,507 --> 00:56:24,598 Sony Pictures went down, which was unheard of. 1004 00:56:24,598 --> 00:56:26,078 On that day in November, 1005 00:56:26,078 --> 00:56:28,559 people would have come in, tried to swipe their badge 1006 00:56:28,559 --> 00:56:30,778 and not even be able to get into the office. 1007 00:56:30,778 --> 00:56:32,780 They get into the building finally 1008 00:56:32,780 --> 00:56:35,957 and then they discover that nothing else is working either. 1009 00:56:35,957 --> 00:56:40,005 Printers aren't working, computers aren't working. 1010 00:56:40,005 --> 00:56:43,225 People who had laptops connected to the network 1011 00:56:43,225 --> 00:56:44,966 would have immediately seen 1012 00:56:44,966 --> 00:56:47,926 skulls and crossbones show up on their screens, 1013 00:56:47,926 --> 00:56:51,016 scrolling with scary Halloween-type music 1014 00:56:51,016 --> 00:56:52,496 playing in the background. 1015 00:56:52,496 --> 00:56:55,716 And it said, "Hacked by the GOP." 1016 00:56:55,716 --> 00:56:58,980 Guardians of the Peace. 1017 00:56:58,980 --> 00:57:02,027 A mysterious crew of hackers, 1018 00:57:02,027 --> 00:57:05,987 also known as the Lazarus Group. 1019 00:57:05,987 --> 00:57:08,120 We'd call them the Lazarus Group. 
1020 00:57:08,120 --> 00:57:09,251 They've been responsible 1021 00:57:09,251 --> 00:57:11,123 for many, many attacks over the years. 1022 00:57:11,123 --> 00:57:13,342 You know, political statements 1023 00:57:13,342 --> 00:57:15,954 and bringing down some websites in South Korea 1024 00:57:15,954 --> 00:57:20,306 and also the White House in the United States and the Pentagon. 1025 00:57:20,306 --> 00:57:23,875 Now, at this point, the penny has dropped. 1026 00:57:23,875 --> 00:57:26,007 Sony has been hacked. 1027 00:57:26,007 --> 00:57:28,662 The hack attack has had a devastating effect 1028 00:57:28,662 --> 00:57:31,491 on the entertainment company, with an avalanche of leaks 1029 00:57:31,491 --> 00:57:34,189 revealing personal information of employees 1030 00:57:34,189 --> 00:57:37,497 and salacious email exchanges of A-list celebrities. 1031 00:57:37,497 --> 00:57:40,500 They ultimately compromised Sony Pictures Network, 1032 00:57:40,500 --> 00:57:43,851 got inside and wiped 10,000 computers. 1033 00:57:43,851 --> 00:57:45,592 On top of that, they actually stole 1034 00:57:45,592 --> 00:57:48,682 all kinds of documents and emails from Sony Pictures. 1035 00:57:48,682 --> 00:57:50,815 The hack on Sony Pictures 1036 00:57:50,815 --> 00:57:53,382 is rocking Hollywood's very foundation; 1037 00:57:53,382 --> 00:57:56,037 the industry, warts and all, exposed. 1038 00:57:56,037 --> 00:57:59,258 Initially, we had no link between the SWIFT attack 1039 00:57:59,258 --> 00:58:01,956 and the Sony Pictures attack. 1040 00:58:01,956 --> 00:58:04,481 But when we were looking at the malware, 1041 00:58:04,481 --> 00:58:06,395 we found an interesting detail. 1042 00:58:06,395 --> 00:58:09,573 There was a component called an indexing manager, 1043 00:58:09,573 --> 00:58:13,011 which was saving the logs during the SWIFT attack 1044 00:58:13,011 --> 00:58:15,492 into an encrypted file. 
1045 00:58:15,492 --> 00:58:18,538 The file was encrypted with a really long key, 1046 00:58:18,538 --> 00:58:22,063 and when we just googled for the key, 1047 00:58:22,063 --> 00:58:25,284 we found that the same key, exactly, 1048 00:58:25,284 --> 00:58:30,594 was used 18 months earlier in the Sony Pictures attack. 1049 00:58:31,769 --> 00:58:34,119 This was the moment we realised 1050 00:58:34,119 --> 00:58:36,077 the Bangladeshi SWIFT attack 1051 00:58:36,077 --> 00:58:39,733 was probably perpetrated by the Lazarus Group. 1052 00:58:40,691 --> 00:58:42,301 So, who is Lazarus? 1053 00:58:42,301 --> 00:58:43,781 Well, from what we know, 1054 00:58:43,781 --> 00:58:46,740 they're a trans-global criminal organisation 1055 00:58:46,740 --> 00:58:51,571 that's been trained at a nation-state level. 1056 00:58:51,571 --> 00:58:55,444 The nation states really started coming in on a criminal side... 1057 00:58:57,055 --> 00:58:59,231 when sanctions started. 1058 00:58:59,231 --> 00:59:02,277 When we start limiting the capability of a nation 1059 00:59:02,277 --> 00:59:05,411 to get cash, and we up the methodology 1060 00:59:05,411 --> 00:59:07,979 to monitor the way they're getting cash, 1061 00:59:07,979 --> 00:59:11,025 they turn to different approaches. 1062 00:59:11,025 --> 00:59:13,898 So if you're a country that's under sanction 1063 00:59:13,898 --> 00:59:17,162 and your ability to get funds has been compromised, 1064 00:59:17,162 --> 00:59:20,121 you may be motivated to go to the Lazarus Group 1065 00:59:20,121 --> 00:59:23,429 to fix your problem. 1066 00:59:23,429 --> 00:59:25,649 It's like a job for them. It is a job for them. 1067 00:59:25,649 --> 00:59:27,694 They get recruited. It's a nine-to-five job. 1068 00:59:27,694 --> 00:59:30,958 They come in, and each of them has their specialties. 1069 00:59:30,958 --> 00:59:32,351 They have managers, 1070 00:59:32,351 --> 00:59:35,223 they have targets that they're told to go after. 
1071 00:59:35,223 --> 00:59:37,356 When you talk about nation states, 1072 00:59:37,356 --> 00:59:39,619 obviously, for your average nation state, 1073 00:59:39,619 --> 00:59:42,927 most cyber offensive campaigns are under the military. 1074 00:59:42,927 --> 00:59:45,712 It's very similar to how a military organisation 1075 00:59:45,712 --> 00:59:49,020 would be organised for their cyber offensive campaigns. 1076 00:59:49,020 --> 00:59:51,457 There is a hotel, for example, in China 1077 00:59:51,457 --> 00:59:53,590 where they've taken over multiple floors 1078 00:59:53,590 --> 00:59:55,635 where they essentially have dormitories. 1079 00:59:55,635 --> 00:59:59,073 They go to sleep in that hotel, they eat in that hotel, 1080 00:59:59,073 --> 01:00:01,423 and they don't come out of that hotel. 1081 01:00:01,423 --> 01:00:04,078 They just move from one room to another, 1082 01:00:04,078 --> 01:00:05,863 hack all day and night. 1083 01:00:08,039 --> 01:00:10,650 And the Lazarus Group is thought to be made up 1084 01:00:10,650 --> 01:00:13,392 of these state-trained hackers. 1085 01:00:18,745 --> 01:00:21,226 What's amazing about cyber, 1086 01:00:21,226 --> 01:00:23,794 when you talk about nation states, 1087 01:00:23,794 --> 01:00:27,319 is the cost to entry is extremely low. 1088 01:00:27,319 --> 01:00:29,713 We have nation states who have been 1089 01:00:29,713 --> 01:00:33,194 trying to create nuclear missiles, 1090 01:00:33,194 --> 01:00:35,066 tried to create a nuclear programme. 1091 01:00:35,066 --> 01:00:36,981 Places like Iran, for example. 1092 01:00:36,981 --> 01:00:41,507 The dollars it costs to do so, it's extraordinary. 1093 01:00:41,507 --> 01:00:44,684 But if you want to build a cyber offensive campaign, 1094 01:00:44,684 --> 01:00:46,991 you get two, three, four, five guys 1095 01:00:46,991 --> 01:00:50,472 and potentially threaten to disable the power grid 1096 01:00:50,472 --> 01:00:52,039 in some country. 
1097 01:00:52,039 --> 01:00:54,476 When you talk about trying to rob a bank 1098 01:00:54,476 --> 01:00:57,175 or produce illicit drugs and sell them, 1099 01:00:57,175 --> 01:00:59,830 the amount of people required on the ground, 1100 01:00:59,830 --> 01:01:01,266 the amount of connections, 1101 01:01:01,266 --> 01:01:03,442 and for the dollars that you would receive, 1102 01:01:03,442 --> 01:01:04,922 is nothing compared to, 1103 01:01:04,922 --> 01:01:07,446 "Let's get three guys, break into a bank 1104 01:01:07,446 --> 01:01:10,667 and potentially transfer $1 billion." 1105 01:01:16,063 --> 01:01:20,502 Back in the VIP room of the Solaire Casino in Manila, 1106 01:01:20,502 --> 01:01:24,942 the money-laundering operation is in full flight. 1107 01:01:26,683 --> 01:01:29,729 They just spend hours upon hours gambling away, 1108 01:01:29,729 --> 01:01:31,296 collecting chips. 1109 01:01:31,296 --> 01:01:33,733 They transfer those chips back into cold, hard currency. 1110 01:01:33,733 --> 01:01:36,693 You put a hundred gamblers into the VIP lounge 1111 01:01:36,693 --> 01:01:40,784 playing cash, so maybe the house has a one or two percent margin. 1112 01:01:40,784 --> 01:01:43,743 But all the rest is untraceable money that they walk out with. 1113 01:01:43,743 --> 01:01:46,006 What's interesting about these individuals, 1114 01:01:46,006 --> 01:01:47,704 they weren't interested in winning. 1115 01:01:47,704 --> 01:01:50,184 They were just interested in playing. 1116 01:01:50,184 --> 01:01:51,620 If you lose the money, 1117 01:01:51,620 --> 01:01:53,405 the money doesn't go to the casino, 1118 01:01:53,405 --> 01:01:54,928 it goes to the other players. 1119 01:01:54,928 --> 01:01:58,410 So you can play the table where the other players are, 1120 01:01:58,410 --> 01:01:59,846 your partners. 1121 01:01:59,846 --> 01:02:02,196 Then you can lose the dirty money on purpose, 1122 01:02:02,196 --> 01:02:04,024 moving the money to your partners. 
1123 01:02:04,024 --> 01:02:05,678 Now it's cashed out. 1124 01:02:05,678 --> 01:02:09,073 Now it looks like it came from a great win in a poker tournament 1125 01:02:09,073 --> 01:02:11,640 instead of being stolen from somewhere. 1126 01:02:11,640 --> 01:02:14,513 So, casinos are a good way of laundering money. 1127 01:02:14,513 --> 01:02:17,342 Real-world criminals have done that for decades. 1128 01:02:17,342 --> 01:02:20,606 Online criminals are doing it today. 1129 01:02:20,606 --> 01:02:23,740 They played for a whole week, that whole lunar week, 1130 01:02:23,740 --> 01:02:25,698 every day, like workers, 1131 01:02:25,698 --> 01:02:28,309 nine to five, essentially, in that casino. 1132 01:02:33,358 --> 01:02:36,361 Finally, the Chinese New Year celebrations 1133 01:02:36,361 --> 01:02:37,884 have come to an end. 1134 01:02:37,884 --> 01:02:42,280 The staff at the RCBC bank in Manila are back at work. 1135 01:02:44,369 --> 01:02:47,328 Now, the Bangladesh Bank is still desperately trying 1136 01:02:47,328 --> 01:02:49,417 to put a stop on any further withdrawals 1137 01:02:49,417 --> 01:02:52,159 from those accounts in the Bank of the Philippines. 1138 01:02:52,159 --> 01:02:54,509 They've lost $22 million already, 1139 01:02:54,509 --> 01:02:58,818 but there's still $59 million left that they can save. 1140 01:02:58,818 --> 01:03:01,865 They're firing message after message to Manila, 1141 01:03:01,865 --> 01:03:04,737 "Hold all transactions." 1142 01:03:04,737 --> 01:03:07,087 In the Philippines, they got those messages. 1143 01:03:07,087 --> 01:03:08,567 They got those messages 1144 01:03:08,567 --> 01:03:10,830 as part of many other transaction messages they got 1145 01:03:10,830 --> 01:03:12,701 that were sitting in a printer queue 1146 01:03:12,701 --> 01:03:14,051 at the bottom of the stack, 1147 01:03:14,051 --> 01:03:16,357 and ultimately, they never saw those messages. 
1148 01:03:16,357 --> 01:03:20,797 At this point, the fence gets in touch with the manager 1149 01:03:20,797 --> 01:03:22,799 of the bank in Jupiter Street. 1150 01:03:22,799 --> 01:03:26,672 "Can you please authorise the transfer of $59 million?" 1151 01:03:26,672 --> 01:03:29,849 She authorises that $59 million. 1152 01:03:29,849 --> 01:03:34,114 It goes straight to the Solaire Casino. 1153 01:03:34,114 --> 01:03:36,029 More money laundering. 1154 01:03:37,901 --> 01:03:39,424 Five hours later, 1155 01:03:39,424 --> 01:03:44,037 after increasingly urgent calls from the Bangladesh Bank, 1156 01:03:44,037 --> 01:03:50,000 the manager finally puts a block on all of the accounts. 1157 01:03:50,000 --> 01:03:52,829 But, really, it's too late. 1158 01:03:52,829 --> 01:03:54,831 The money's gone. 1159 01:03:59,139 --> 01:04:02,273 It's incredible when you think what the Lazarus Group 1160 01:04:02,273 --> 01:04:05,885 was able to pull off with just some ones and zeros. 1161 01:04:05,885 --> 01:04:07,756 They guide their bespoke malware 1162 01:04:07,756 --> 01:04:10,020 into the computer network of a bank, 1163 01:04:10,020 --> 01:04:11,717 and then a year later, 1164 01:04:11,717 --> 01:04:15,025 they're literally washing $100 million 1165 01:04:15,025 --> 01:04:17,331 through a casino in the Philippines. 1166 01:04:17,331 --> 01:04:19,856 It's astonishing. 1167 01:04:19,856 --> 01:04:22,336 But what's really, really scary 1168 01:04:22,336 --> 01:04:25,687 is what happened just a year later. 1169 01:04:27,428 --> 01:04:29,561 Now back to the major cyber-attack, 1170 01:04:29,561 --> 01:04:34,087 the ransomware crippling 200,000 computers in 150 countries. 
1171 01:04:34,087 --> 01:04:37,699 The thousands of targets all received this ominous message 1172 01:04:37,699 --> 01:04:39,745 in English on their screens: 1173 01:04:49,276 --> 01:04:54,151 Everyone was basically locked up with this malware 1174 01:04:54,151 --> 01:04:58,329 that we discovered had been launched by the same attackers 1175 01:04:58,329 --> 01:05:01,158 as the Central Bank of Bangladesh. 1176 01:05:01,158 --> 01:05:03,377 So they design this malware, 1177 01:05:03,377 --> 01:05:05,989 and then they lose control of it entirely. 1178 01:05:05,989 --> 01:05:08,121 And that caused chaos. 1179 01:05:08,121 --> 01:05:11,385 Ambulances were diverted to other hospitals. 1180 01:05:11,385 --> 01:05:14,823 Patients were turned away, their operations cancelled. 1181 01:05:14,823 --> 01:05:17,696 You know, the first sign that something 1182 01:05:17,696 --> 01:05:21,961 was seriously wrong was when hospitals in the United Kingdom 1183 01:05:21,961 --> 01:05:24,529 started telling patients, "Don't come." 1184 01:05:24,529 --> 01:05:28,533 That their systems had been locked up with ransomware. 1185 01:05:28,533 --> 01:05:33,625 It's unclear if it was accidentally released too early, 1186 01:05:33,625 --> 01:05:35,018 it appears so, 1187 01:05:35,018 --> 01:05:37,890 or if it was designed not to work 1188 01:05:37,890 --> 01:05:41,241 and just begin wiping computers, because it didn't matter. 1189 01:05:41,241 --> 01:05:44,157 Even if you paid them, you would not get the decryption key. 1190 01:05:44,157 --> 01:05:45,985 They didn't have the decryption key. 1191 01:05:45,985 --> 01:05:48,118 They couldn't decrypt your files anymore. 1192 01:05:48,118 --> 01:05:50,816 Japan, Turkey and the Philippines 1193 01:05:50,816 --> 01:05:54,733 were also affected. In the US, FedEx was hit. 1194 01:05:54,733 --> 01:05:59,694 That virulent virus spiralled out of control. 
1195 01:05:59,694 --> 01:06:04,047 In Germany, it attacked the network of the Deutsche Bahn, 1196 01:06:04,047 --> 01:06:05,439 German Railway. 1197 01:06:05,439 --> 01:06:09,400 In Spain, WannaCry hit Telefonica, 1198 01:06:09,400 --> 01:06:12,359 the biggest telecommunications company. 1199 01:06:12,359 --> 01:06:16,537 It hit the banking systems, and ATMs didn't work. 1200 01:06:16,537 --> 01:06:21,847 This thing was hitting companies in something like 150 countries. 1201 01:06:21,847 --> 01:06:23,588 Other targets in the US 1202 01:06:23,588 --> 01:06:26,025 include Merck Pharmaceutical in New Jersey. 1203 01:06:26,025 --> 01:06:28,810 Even the company that makes Oreo cookies may have been hit. 1204 01:06:28,810 --> 01:06:32,945 So, you had the health service, you had transport, 1205 01:06:32,945 --> 01:06:36,470 you had communications, you had the finance system, 1206 01:06:36,470 --> 01:06:37,906 and you had governance 1207 01:06:37,906 --> 01:06:42,824 all with one tiny piece of crappy malware, WannaCry. 1208 01:06:42,824 --> 01:06:44,130 In other attacks, 1209 01:06:44,130 --> 01:06:46,002 they have to send you a spear-phishing email, 1210 01:06:46,002 --> 01:06:48,047 trick you into double-clicking on an attachment. 1211 01:06:48,047 --> 01:06:50,180 In this case, your computer just had to be on, 1212 01:06:50,180 --> 01:06:51,485 connected to the internet, 1213 01:06:51,485 --> 01:06:54,053 and it would have got infected by WannaCry. 1214 01:06:54,053 --> 01:06:57,274 It succeeded because the crappy malware 1215 01:06:57,274 --> 01:07:00,407 was being infiltrated into the systems 1216 01:07:00,407 --> 01:07:03,193 on the back of a much more powerful tool 1217 01:07:03,193 --> 01:07:04,803 called EternalBlue, 1218 01:07:04,803 --> 01:07:08,459 which had been developed by the National Security Agency 1219 01:07:08,459 --> 01:07:10,417 in the United States. 
1220 01:07:10,417 --> 01:07:12,637 The thing the NSA never wanted to talk about 1221 01:07:12,637 --> 01:07:15,640 was the fact that it was travelling on a digital missile 1222 01:07:15,640 --> 01:07:19,426 that had been built at its own intelligence agency. 1223 01:07:19,426 --> 01:07:22,560 They repurposed something created by the US government, 1224 01:07:22,560 --> 01:07:24,170 leaked by the Russian government, 1225 01:07:24,170 --> 01:07:26,825 put it into their ransomware that allowed it to spread 1226 01:07:26,825 --> 01:07:30,742 all over the world, any computer on at that time. 1227 01:07:30,742 --> 01:07:34,006 So one crappy piece of malware 1228 01:07:34,006 --> 01:07:36,878 can hit every single aspect 1229 01:07:36,878 --> 01:07:39,142 of the critical national infrastructure 1230 01:07:39,142 --> 01:07:42,971 within the space of about ten days 1231 01:07:42,971 --> 01:07:44,886 in different countries. 1232 01:07:57,508 --> 01:08:00,728 Eventually, there's a court case after about a month. 1233 01:08:00,728 --> 01:08:03,601 There's a court case in Manila. 1234 01:08:03,601 --> 01:08:06,908 Ultimately, the bank manager didn't want anyone to find out. 1235 01:08:06,908 --> 01:08:08,388 But when he finally got in touch 1236 01:08:08,388 --> 01:08:10,825 with the Bank of the Philippines, they said, 1237 01:08:10,825 --> 01:08:12,827 "If you need this money returned, 1238 01:08:12,827 --> 01:08:15,700 you need to get a court order." So he files a court order, 1239 01:08:15,700 --> 01:08:18,006 but court orders are public in the Philippines, 1240 01:08:18,006 --> 01:08:19,573 like in many other countries. 1241 01:08:19,573 --> 01:08:22,576 A reporter spots it and realised that this has happened, 1242 01:08:22,576 --> 01:08:25,101 publishes it in a newspaper, and it all comes out. 1243 01:08:25,101 --> 01:08:28,016 The $81 million money-laundering scandal 1244 01:08:28,016 --> 01:08:31,672 is now considered one of the biggest bank heists in Asia. 
1245 01:08:31,672 --> 01:08:33,805 But how exactly did thieves steal 1246 01:08:33,805 --> 01:08:35,981 such a huge amount of money? 1247 01:08:35,981 --> 01:08:37,461 Not just known in the Philippines 1248 01:08:37,461 --> 01:08:38,679 and the Bank of Bangladesh, 1249 01:08:38,679 --> 01:08:40,377 when the Bangladesh government finds out 1250 01:08:40,377 --> 01:08:42,901 the bank manager has been doing this behind the scenes, 1251 01:08:42,901 --> 01:08:44,337 but the whole world finds out. 1252 01:08:44,337 --> 01:08:46,774 And ultimately, the Bangladesh Bank 1253 01:08:46,774 --> 01:08:48,863 needs to get assistance from the FBI. 1254 01:08:48,863 --> 01:08:52,171 The New York Fed is involved. The United States is involved. 1255 01:08:52,171 --> 01:08:54,304 This becomes a whole worldwide issue 1256 01:08:54,304 --> 01:08:57,220 and begins to ripple across the financial industry 1257 01:08:57,220 --> 01:08:58,743 that this was even possible. 1258 01:08:58,743 --> 01:09:00,527 Experts believe that hackers 1259 01:09:00,527 --> 01:09:04,183 were able to break into the New York Federal Reserve's 1260 01:09:04,183 --> 01:09:06,403 special account for Bangladesh, 1261 01:09:06,403 --> 01:09:09,754 getting away with $81 million. 1262 01:09:09,754 --> 01:09:13,236 Now, Bangladesh's Central Bank governor, Atiur Rahman, 1263 01:09:13,236 --> 01:09:16,935 has resigned after hackers stole tens of millions of dollars 1264 01:09:16,935 --> 01:09:19,198 from the nation's foreign reserves. 1265 01:09:19,198 --> 01:09:23,159 The bank was criticised for its handling of the breach... 1266 01:09:23,159 --> 01:09:26,162 The governor was an excellent central banker. 1267 01:09:26,162 --> 01:09:27,902 I have a lot of respect for him. 1268 01:09:27,902 --> 01:09:32,298 He was deemed one of the top bankers by the Asia MoneyWeek. 
1269 01:09:32,298 --> 01:09:34,126 And poor fellow, that time, 1270 01:09:34,126 --> 01:09:36,737 he was faced with this sort of scenario 1271 01:09:36,737 --> 01:09:39,827 which he honestly didn't understand. 1272 01:09:39,827 --> 01:09:42,787 He had really pushed the financial system 1273 01:09:42,787 --> 01:09:45,529 in Bangladesh into the 21st century. 1274 01:09:45,529 --> 01:09:48,575 He had to essentially fall on his sword and resign 1275 01:09:48,575 --> 01:09:51,404 in disgrace, and his career was ruined. 1276 01:09:51,404 --> 01:09:54,190 Many others at the bank had to resign as well. 1277 01:09:54,190 --> 01:09:57,758 An emotional Maia Deguito, the manager of the RCBC branch 1278 01:09:57,758 --> 01:10:01,153 in Jupiter Street in Makati, insists she is innocent 1279 01:10:01,153 --> 01:10:02,763 in the face of accusations 1280 01:10:02,763 --> 01:10:05,636 she is involved in the money-laundering scheme. 1281 01:10:05,636 --> 01:10:08,247 So far, only the branch manager 1282 01:10:08,247 --> 01:10:11,468 has been charged by the Anti-Money Laundering Council. 1283 01:10:11,468 --> 01:10:14,384 One of the great injustices of this whole scandal 1284 01:10:14,384 --> 01:10:17,343 is that the only person who got convicted of anything 1285 01:10:17,343 --> 01:10:18,953 was Maia Deguito, 1286 01:10:18,953 --> 01:10:22,696 and she was just the mid-level branch manager of the RCBC, 1287 01:10:22,696 --> 01:10:26,874 the bank in the Philippines that received the actual funds. 1288 01:10:26,874 --> 01:10:28,180 Typical, isn't it? 1289 01:10:28,180 --> 01:10:30,965 A crime that was conceived and carried out 1290 01:10:30,965 --> 01:10:32,402 by a whole bunch of men, 1291 01:10:32,402 --> 01:10:35,535 and the only person who gets done for it is a woman 1292 01:10:35,535 --> 01:10:38,538 who probably wasn't that guilty in the first place. 
1293 01:10:38,538 --> 01:10:41,802 But she received a sentence of 56 years in jail 1294 01:10:41,802 --> 01:10:44,979 and a fine of $109 million, 1295 01:10:44,979 --> 01:10:49,506 which is significantly more than the thieves actually stole. 1296 01:10:50,985 --> 01:10:52,291 To my mind, 1297 01:10:52,291 --> 01:10:54,424 there's no question that she was a scapegoat. 1298 01:10:54,424 --> 01:10:58,297 I mean, the currency traders who turned that $81 million 1299 01:10:58,297 --> 01:11:01,300 into pesos got off scot-free. 1300 01:11:01,300 --> 01:11:03,737 There are a couple of Chinese operators 1301 01:11:03,737 --> 01:11:06,566 who brought these gamblers in from China. 1302 01:11:06,566 --> 01:11:10,396 We know that they received tens of millions of dollars in cash. 1303 01:11:10,396 --> 01:11:15,314 They vanished back to Macau. No trace of them was ever found. 1304 01:11:15,314 --> 01:11:17,751 We can't say for sure, but certainly it looks like 1305 01:11:17,751 --> 01:11:20,798 people at the Rizal Bank headquarters 1306 01:11:20,798 --> 01:11:23,888 buried these requests to stop these transactions. 1307 01:11:23,888 --> 01:11:27,239 But nobody else at the Rizal Bank was ever accused. 1308 01:11:27,239 --> 01:11:31,199 Oddly enough, in this giant scheme that involved 1309 01:11:31,199 --> 01:11:34,986 a half a dozen countries, nearly $1 billion, 1310 01:11:34,986 --> 01:11:40,208 only one bank employee in a small branch in Manila 1311 01:11:40,208 --> 01:11:42,646 was ever convicted of doing anything wrong. 1312 01:11:42,646 --> 01:11:46,040 It's incredible. Total impunity. 1313 01:11:52,395 --> 01:11:54,788 I think the most important lesson 1314 01:11:54,788 --> 01:11:57,878 of the Bangladesh Bank 1315 01:11:57,878 --> 01:11:59,880 is a lesson of scale. 1316 01:11:59,880 --> 01:12:01,882 The internet is a fantastic thing. 1317 01:12:01,882 --> 01:12:04,320 It's made our world much, much smaller. 1318 01:12:04,320 --> 01:12:07,061 You can do all sorts of things. 
It's fantastic. 1319 01:12:07,061 --> 01:12:08,933 But that interconnectivity, 1320 01:12:08,933 --> 01:12:11,805 where everything is linked to everything else, 1321 01:12:11,805 --> 01:12:15,418 means that if you get bad actors in that system, 1322 01:12:15,418 --> 01:12:17,245 then the damage 1323 01:12:17,245 --> 01:12:22,076 is infinitely more immense than it was before. 1324 01:12:23,687 --> 01:12:25,993 When I started this job two decades ago, 1325 01:12:25,993 --> 01:12:29,083 you had to explain to people, what is a virus? 1326 01:12:29,083 --> 01:12:31,042 What is a cyber-attack? 1327 01:12:31,042 --> 01:12:33,392 Today, we don't talk about 1328 01:12:33,392 --> 01:12:36,439 making sure this file doesn't get deleted any more. 1329 01:12:36,439 --> 01:12:40,573 We literally talk about making sure the supply chain is up, 1330 01:12:40,573 --> 01:12:42,619 food can reach people's tables. 1331 01:12:42,619 --> 01:12:45,665 Our job is not just to protect people's computers. 1332 01:12:45,665 --> 01:12:49,060 Our job is to ensure society is up and running. 1333 01:12:49,060 --> 01:12:52,063 Everything that we use now, 1334 01:12:52,063 --> 01:12:53,978 water, electricity, 1335 01:12:53,978 --> 01:12:56,937 the financial system, the comms system, 1336 01:12:56,937 --> 01:12:58,548 depends on the integrity 1337 01:12:58,548 --> 01:13:03,683 of unbelievably complex networked computer systems. 1338 01:13:03,683 --> 01:13:07,992 And our dependence is becoming such 1339 01:13:07,992 --> 01:13:10,386 that, should anything go wrong, 1340 01:13:10,386 --> 01:13:13,171 be it a technical hitch or be it a hack, 1341 01:13:13,171 --> 01:13:17,131 it can actually lead to our lives grinding to a halt 1342 01:13:17,131 --> 01:13:19,525 in a very short space of time. 1343 01:13:20,483 --> 01:13:22,136 We're sort of in a state 1344 01:13:22,136 --> 01:13:24,617 where we're increasing our vulnerability 1345 01:13:24,617 --> 01:13:27,359 and our attack surface every single day. 
1346 01:13:27,359 --> 01:13:29,796 And instead of pausing 1347 01:13:29,796 --> 01:13:32,799 and thinking about how to lock up our power grid, 1348 01:13:32,799 --> 01:13:37,848 really, where our energy has been focused is on escalation. 1349 01:13:37,848 --> 01:13:41,373 Countries like the United States, China and Russia 1350 01:13:41,373 --> 01:13:44,550 have already arrogated the right to themselves 1351 01:13:44,550 --> 01:13:47,335 to attack with full force, 1352 01:13:47,335 --> 01:13:50,034 whether cyber or conventional weapons, 1353 01:13:50,034 --> 01:13:51,905 against anyone who brings down 1354 01:13:51,905 --> 01:13:56,519 a serious piece of critical national infrastructure. 1355 01:13:56,519 --> 01:14:01,480 We've had Stuxnet blowing up the Natanz centrifuge plant. 1356 01:14:01,480 --> 01:14:04,962 We've had ransomware attacks, which hit the Eastern Seaboard. 1357 01:14:04,962 --> 01:14:07,007 There was no gas to the Eastern Seaboard 1358 01:14:07,007 --> 01:14:09,619 for a whole week in the United States. 1359 01:14:09,619 --> 01:14:11,751 We had Russia against the Ukraine, 1360 01:14:11,751 --> 01:14:14,537 shutting out the power in the middle of winter. 1361 01:14:14,537 --> 01:14:17,453 We're talking about people losing their lives. 1362 01:14:17,453 --> 01:14:19,019 We've also had cyber-attacks 1363 01:14:19,019 --> 01:14:21,413 that potentially affected US elections. 1364 01:14:21,413 --> 01:14:23,763 We had the healthcare in the UK brought down, 1365 01:14:23,763 --> 01:14:25,939 dialysis machines no longer working. 1366 01:14:25,939 --> 01:14:29,421 This is an extremely fragile situation, 1367 01:14:29,421 --> 01:14:33,599 much more fragile than the period of détente, 1368 01:14:33,599 --> 01:14:37,255 because so many more countries have these weapons. 1369 01:14:37,255 --> 01:14:41,389 Malware is much more difficult to control than nuclear weapons. 
1370 01:14:41,389 --> 01:14:44,871 People always warn me of the cyber Pearl Harbor 1371 01:14:44,871 --> 01:14:47,091 or the cyber 9/11, 1372 01:14:47,091 --> 01:14:49,746 but it's almost worse than that. 1373 01:14:49,746 --> 01:14:53,619 Every day, there are thousands of cyber-attacks, 1374 01:14:53,619 --> 01:14:58,232 and we're just getting more and more and more inured to them. 1375 01:14:59,016 --> 01:15:00,887 It's like a plague. 1376 01:15:00,887 --> 01:15:05,152 I think we'll see much more hostile cyber activity, 1377 01:15:05,152 --> 01:15:07,851 much more cyber bank robberies, 1378 01:15:07,851 --> 01:15:09,983 much more cyber espionage. 1379 01:15:09,983 --> 01:15:13,030 We'll see much more cyber war. 1380 01:15:13,030 --> 01:15:15,815 In many ways, I think we've seen nothing yet. 1381 01:15:15,815 --> 01:15:19,253 As attacks increase in their sophistication 1382 01:15:19,253 --> 01:15:21,386 and their range, 1383 01:15:21,386 --> 01:15:25,346 then the impact can be ever greater. 1384 01:15:25,346 --> 01:15:29,873 There is a cyber-attack on critical national infrastructure 1385 01:15:29,873 --> 01:15:31,744 coming to a place near you 1386 01:15:31,744 --> 01:15:35,269 within the next five to ten years. 1387 01:15:35,269 --> 01:15:38,708 If it's done well, and if it's really malicious, 1388 01:15:38,708 --> 01:15:41,232 that could be catastrophic. 1389 01:15:43,016 --> 01:15:47,586 What's amazing about the Bank of Bangladesh heist is... 1390 01:15:47,586 --> 01:15:51,285 they almost walked away with $1 billion. 1391 01:15:54,071 --> 01:15:56,203 The mistakes that they made 1392 01:15:56,203 --> 01:15:59,990 that led to them only walking with $81 million 1393 01:15:59,990 --> 01:16:02,862 were literally a typo in a name 1394 01:16:02,862 --> 01:16:05,082 and potentially not being patient enough, 1395 01:16:05,082 --> 01:16:06,562 waiting just one more hour. 1396 01:16:06,562 --> 01:16:09,913 We could be telling a completely different story. 
1397 01:16:09,913 --> 01:16:11,828 Presumably, these guys 1398 01:16:11,828 --> 01:16:15,309 kept perhaps 95 percent of that cash. 1399 01:16:15,309 --> 01:16:16,528 You could walk out 1400 01:16:16,528 --> 01:16:18,399 with 95 percent of what you came in with, 1401 01:16:18,399 --> 01:16:21,838 have nobody trace that money, no record of it whatsoever, 1402 01:16:21,838 --> 01:16:26,233 and get on a plane with it, and you're home free. 1403 01:16:26,233 --> 01:16:30,760 Even if you had invested a year's work, 1404 01:16:30,760 --> 01:16:35,460 that you had recruited a really decent set of hackers, 1405 01:16:35,460 --> 01:16:39,899 that you had corrupted bank officials, 1406 01:16:39,899 --> 01:16:43,947 you'll be looking at a profit of about $75 million. 1407 01:16:43,947 --> 01:16:47,037 For a year's work, not a bad pay-off. 1408 01:16:49,126 --> 01:16:52,999 The Bank of Bangladesh heist showed them what was possible. 1409 01:16:54,392 --> 01:16:56,742 They proved that they could do it. 1410 01:17:01,617 --> 01:17:03,662 After that attack, it didn't stop. 1411 01:17:03,662 --> 01:17:07,840 We saw continued attacks on various banks across Asia, 1412 01:17:07,840 --> 01:17:10,451 I think in the Philippines again. 1413 01:17:10,451 --> 01:17:14,673 And also, they started hacking the cryptocurrency exchanges, 1414 01:17:14,673 --> 01:17:18,546 where people store their Bitcoin and Monero digital currency, 1415 01:17:18,546 --> 01:17:21,724 which has proved to be incredibly lucrative for them. 1416 01:17:23,726 --> 01:17:25,684 In 2017, Lazarus was thought 1417 01:17:25,684 --> 01:17:27,338 to have successfully attacked 1418 01:17:27,338 --> 01:17:31,995 at least five Asian cryptocurrency exchanges. 1419 01:17:31,995 --> 01:17:37,827 That's a total of $571 million that was lost. 1420 01:17:37,827 --> 01:17:41,134 Cryptocurrency exchanges just have the bare minimum 1421 01:17:41,134 --> 01:17:43,659 of security, we're learning now. 
1422 01:17:43,659 --> 01:17:46,923 In 2020, as the global pandemic spiralled, 1423 01:17:46,923 --> 01:17:50,143 AstraZeneca, makers of one of the key vaccines, 1424 01:17:50,143 --> 01:17:53,538 was hit by an attack, extorting the company 1425 01:17:53,538 --> 01:17:56,846 and stealing sensitive information for profit. 1426 01:17:58,064 --> 01:18:00,632 The sums involved are astronomical, 1427 01:18:00,632 --> 01:18:03,940 and Lazarus is still very much at large. 1428 01:18:06,246 --> 01:18:11,774 They have been designated by the United States an APT; 1429 01:18:11,774 --> 01:18:13,863 that's an advanced persistent threat. 1430 01:18:13,863 --> 01:18:16,692 Now, the fundamental criteria 1431 01:18:16,692 --> 01:18:20,478 is that they represent a threat 1432 01:18:20,478 --> 01:18:24,612 to US national security and national infrastructure. 1433 01:18:24,612 --> 01:18:28,486 So, just by dint of it being called an APT 1434 01:18:28,486 --> 01:18:33,404 means that the Lazarus Group is serious stuff. 1435 01:18:33,404 --> 01:18:35,623 Marvel fans, think HYDRA. 1436 01:18:35,623 --> 01:18:38,801 James Bond films, think of SPECTRE. 1437 01:18:38,801 --> 01:18:40,237 It's something like that. 1438 01:18:43,762 --> 01:18:47,635 Now, it's tempting to think this comparison is absurd, 1439 01:18:47,635 --> 01:18:51,074 but this is the scale that Lazarus operates on. 1440 01:18:51,074 --> 01:18:54,294 Arguably, they're the most potent cyber criminals 1441 01:18:54,294 --> 01:18:56,427 in business today. 1442 01:18:56,427 --> 01:19:00,300 So the nation state's involvement in cybercrime 1443 01:19:00,300 --> 01:19:02,955 means that cybercrime has actually morphed 1444 01:19:02,955 --> 01:19:05,653 into cyber warfare. 1445 01:19:05,653 --> 01:19:08,613 You can have zero trust in these systems. 
1446 01:19:08,613 --> 01:19:12,095 You need to assume that everything has been broken, 1447 01:19:12,095 --> 01:19:14,010 everything is being listened to, 1448 01:19:14,010 --> 01:19:17,274 that everything can be captured, and operate accordingly. 1449 01:19:19,580 --> 01:19:22,453 If a small group can plan something 1450 01:19:22,453 --> 01:19:25,499 and get away with $81 million, 1451 01:19:25,499 --> 01:19:27,937 which involved the Fed in New York, 1452 01:19:27,937 --> 01:19:29,765 SWIFT in Brussels, 1453 01:19:29,765 --> 01:19:32,550 the Bangladeshi Bank in Dhaka, 1454 01:19:32,550 --> 01:19:36,032 and then all the peripherals in Manila, 1455 01:19:36,032 --> 01:19:40,427 just think about what one of the really professional operations 1456 01:19:40,427 --> 01:19:42,560 in China, Russia, 1457 01:19:42,560 --> 01:19:44,518 the NSA, GCHQ, 1458 01:19:44,518 --> 01:19:48,871 just think what havoc they could wreak. 1459 01:19:48,871 --> 01:19:52,613 And every year, the hacks get bigger, the damage greater, 1460 01:19:52,613 --> 01:19:54,702 the implications graver. 1461 01:19:56,139 --> 01:20:00,447 Armies literally have hackers hammering at the gates. 1462 01:20:00,447 --> 01:20:02,710 And it just takes a simple breach, 1463 01:20:02,710 --> 01:20:05,583 one person, one weak link, 1464 01:20:05,583 --> 01:20:08,238 and those armies will storm the defences 1465 01:20:08,238 --> 01:20:12,851 and bring down a network that our way of life depends on. 1466 01:20:12,851 --> 01:20:15,593 It happened in Bangladesh in 2016. 1467 01:20:15,593 --> 01:20:21,033 And believe you me, it's going to happen again very soon. 1468 01:21:14,957 --> 01:21:17,916 Iyuno 111472
