WEBVTT FILE

3
00:01:10.809 --> 00:01:12.115
It's Friday,

4
00:01:12.115 --> 00:01:15.423
and it is, of course,
the Muslim prayer day.

5
00:01:15.423 --> 00:01:18.513
Everyone's off,
except for the skeleton staff

6
00:01:18.513 --> 00:01:20.645
at the Bangladeshi Bank,

7
00:01:20.645 --> 00:01:24.562
including Zubair Bin Huda,
who is the duty manager.

8
00:01:27.870 --> 00:01:31.395
He's part of
the elite team of employees

9
00:01:31.395 --> 00:01:35.095
who run
the SWIFT banking system,

10
00:01:35.095 --> 00:01:38.663
which is a highly secure
banking system

11
00:01:38.663 --> 00:01:41.318
that sends money
around the world.

12
00:01:43.538 --> 00:01:47.281
Now, Bin Huda goes,
as he does every day,

13
00:01:47.281 --> 00:01:49.152
to the SWIFT printer

14
00:01:49.152 --> 00:01:53.374
to check up on the transactions
from the day before.

15
00:01:53.374 --> 00:01:56.159
There are usually printouts

16
00:01:56.159 --> 00:01:58.422
of transactions
that came in overnight.

17
00:01:58.422 --> 00:02:02.774
The SWIFT software would print
out a ledger every single day,

18
00:02:02.774 --> 00:02:06.952
an audit trace of every single
transaction that occurred

19
00:02:06.952 --> 00:02:08.693
on paper.

20
00:02:08.693 --> 00:02:11.392
But when they came in
on February 5th morning,

21
00:02:11.392 --> 00:02:12.871
as they usually do,

22
00:02:12.871 --> 00:02:15.744
they found there were
no SWIFT messages at all.

23
00:02:15.744 --> 00:02:20.009
In fact, the printer's
shut down. It won't work.

24
00:02:20.009 --> 00:02:21.358
They try and turn it on.

25
00:02:21.358 --> 00:02:25.188
Nothing will kick it
back into life.

26
00:02:25.188 --> 00:02:28.148
He assumes it was simply
a technical error,

27
00:02:28.148 --> 00:02:30.193
shrugs, goes home for the night,

28
00:02:30.193 --> 00:02:32.282
comes back in
on Saturday morning

29
00:02:32.282 --> 00:02:34.502
to check the system again.

30
00:02:35.677 --> 00:02:36.939
The next day,

31
00:02:36.939 --> 00:02:40.160
they somehow manually
get the printer to work.

32
00:02:40.160 --> 00:02:42.466
This deputy head manager
walks in the room,

33
00:02:42.466 --> 00:02:46.122
the printer starts working, and
these weird messages come out.

34
00:02:46.122 --> 00:02:49.560
The printer
starts spewing out

35
00:02:49.560 --> 00:02:51.736
all of these transactions,

36
00:02:51.736 --> 00:02:56.306
including individual requests
to the Fed in New York

37
00:02:56.306 --> 00:02:59.353
for $1 billion.

38
00:03:01.268 --> 00:03:04.880
At that moment,
it's panic stations.

39
00:03:44.789 --> 00:03:50.230
When I was growing up,
the biggest crime in Britain

40
00:03:50.230 --> 00:03:52.319
ever recorded
was the Great Train Robbery.

41
00:03:52.319 --> 00:03:56.366
It was an extraordinary thing.
They stole about £2.5 million.

42
00:03:56.366 --> 00:03:58.760
That's about $4 million.

43
00:03:58.760 --> 00:04:04.244
And that story
ran literally for 30 years.

44
00:04:05.245 --> 00:04:06.768
Four million dollars.

45
00:04:07.856 --> 00:04:10.293
What you're about to hear

46
00:04:10.293 --> 00:04:14.036
is the story of an attempt
to steal...

47
00:04:15.037 --> 00:04:17.518
a billion dollars.

48
00:04:18.475 --> 00:04:20.434
It's told by world-leading

49
00:04:20.434 --> 00:04:23.959
cybersecurity and legal experts
and journalists:

50
00:04:23.959 --> 00:04:26.309
the very people
who uncovered the facts

51
00:04:26.309 --> 00:04:27.919
and threaded them together

52
00:04:27.919 --> 00:04:32.489
to reveal how dangerous the
world of cybercrime is today.

53
00:04:49.898 --> 00:04:53.336
So, there are four big threats

54
00:04:53.336 --> 00:04:57.471
to the world
and to the human race.

55
00:04:57.471 --> 00:04:59.603
One of them
we've just experienced,

56
00:04:59.603 --> 00:05:01.736
that's the pandemic.

57
00:05:01.736 --> 00:05:04.826
Then you've got weapons
of mass destruction.

58
00:05:04.826 --> 00:05:08.220
You've got climate change.

59
00:05:08.220 --> 00:05:13.965
But barrelling down towards us
before those is cyber.

60
00:05:24.498 --> 00:05:25.934
This is the possibility

61
00:05:25.934 --> 00:05:30.068
of our overdependency
on network technologies

62
00:05:30.068 --> 00:05:34.943
being undermined, either by
malfunctioning of the system...

63
00:05:34.943 --> 00:05:36.597
New problems are emerging

64
00:05:36.597 --> 00:05:39.164
the day after an Amazon
web service outage.

65
00:05:39.164 --> 00:05:42.254
Massive and mysterious,
a global outage...

66
00:05:42.254 --> 00:05:45.214
...or by a targeted attack.

67
00:05:45.214 --> 00:05:47.129
More than a thousand companies

68
00:05:47.129 --> 00:05:49.305
have been crippled
by this attack so far.

69
00:05:49.305 --> 00:05:52.264
Sounds like we're looking
at a 2022 with more hacks,

70
00:05:52.264 --> 00:05:53.570
more lost money.

71
00:05:59.924 --> 00:06:04.233
So, when I started hunting
hackers in the early 1990s...

72
00:06:05.452 --> 00:06:07.671
our enemy was really simple.

73
00:06:07.671 --> 00:06:10.152
All the malware,
all the viruses,

74
00:06:10.152 --> 00:06:13.111
all the attacks were
done by teenage boys.

75
00:06:13.111 --> 00:06:15.462
What will your parents think?

76
00:06:17.594 --> 00:06:20.815
I've been doing this job
for two decades now.

77
00:06:24.253 --> 00:06:25.472
When we first started,

78
00:06:25.472 --> 00:06:27.909
the people writing viruses
and malware

79
00:06:27.909 --> 00:06:29.476
were doing it for fun,

80
00:06:29.476 --> 00:06:32.392
to get their name in lights,
to say, "Look what I can do."

81
00:06:32.392 --> 00:06:34.655
No flash, please.

82
00:06:34.655 --> 00:06:37.788
When I started analysing
viruses, they looked like this.

83
00:06:37.788 --> 00:06:41.052
Malware was still spread
on floppy disks.

84
00:06:41.052 --> 00:06:44.708
They were spreading at the speed
of people travelling the world

85
00:06:44.708 --> 00:06:47.102
and carrying the viruses
with them.

86
00:06:47.102 --> 00:06:50.540
Michelangelo has
proven less harmful than feared.

87
00:06:50.540 --> 00:06:53.108
All the stuff you've got
in there you may really want,

88
00:06:53.108 --> 00:06:54.414
it's just gone?

89
00:06:54.414 --> 00:06:56.459
Then the internet came around,
and suddenly,

90
00:06:56.459 --> 00:06:59.331
malware outbreaks could
go around the world in seconds.

91
00:06:59.331 --> 00:07:00.942
For the last 36 hours,

92
00:07:00.942 --> 00:07:04.685
the ILOVEYOU virus has been
creating havoc around the world.

93
00:07:04.685 --> 00:07:08.166
Experts have reason to worry.
The first attack, July 19th,

94
00:07:08.166 --> 00:07:11.648
infected about 300,000
systems in nine hours.

95
00:07:11.648 --> 00:07:14.129
First of all, the guys who
make a living doing security

96
00:07:14.129 --> 00:07:16.044
and are trying to protect themselves

97
00:07:16.044 --> 00:07:19.569
are scared shitless of you,
because you can just ruin 'em.

98
00:07:19.569 --> 00:07:20.875
After the period of time

99
00:07:20.875 --> 00:07:22.529
where hackers
were just doing things for fun,

100
00:07:22.529 --> 00:07:26.010
some of them realised that they
could use it to make money.

101
00:07:28.535 --> 00:07:31.668
Prior to, like, the 2000s...

102
00:07:31.668 --> 00:07:35.716
cyber was primarily around
a disruption of websites...

103
00:07:36.630 --> 00:07:38.893
defacement of a webpage.

104
00:07:38.893 --> 00:07:42.505
Just as we got around 2000,
the dot-com boom, the explosion,

105
00:07:42.505 --> 00:07:44.376
we started into
what would become

106
00:07:44.376 --> 00:07:46.161
financially motivated hackers.

107
00:07:46.161 --> 00:07:49.033
This really flourished,
especially in Eastern European,

108
00:07:49.033 --> 00:07:53.124
Russia, CIS bloc countries.

109
00:07:53.124 --> 00:07:55.953
This was the time
of gangster capitalism,

110
00:07:55.953 --> 00:08:00.001
when everyone's world in Eastern
Europe was falling apart,

111
00:08:00.001 --> 00:08:02.612
where organised crime and...

112
00:08:02.612 --> 00:08:05.528
former members of
the intelligence services

113
00:08:05.528 --> 00:08:09.314
were taking hold
of the economy.

114
00:08:10.881 --> 00:08:14.276
So you had a lot of young people
in the 1990s

115
00:08:14.276 --> 00:08:17.932
who were very good
mathematicians, physicists,

116
00:08:17.932 --> 00:08:20.282
computer scientists,

117
00:08:20.282 --> 00:08:23.503
who simply took
the logic and the morality

118
00:08:23.503 --> 00:08:26.593
of gangster capitalism online.

119
00:08:30.074 --> 00:08:32.163
Virus writers
were writing viruses

120
00:08:32.163 --> 00:08:33.817
to infect Windows computers,

121
00:08:33.817 --> 00:08:36.951
and those computers were then
sold to email spammers,

122
00:08:36.951 --> 00:08:39.954
who were using those machines
to send Viagra spam

123
00:08:39.954 --> 00:08:42.652
or what have you,
basically making money.

124
00:08:42.652 --> 00:08:44.436
And that changed everything.

125
00:08:48.789 --> 00:08:51.574
People at that time
began to use online banking,

126
00:08:51.574 --> 00:08:54.621
and they began to steal people's
online banking credentials,

127
00:08:54.621 --> 00:08:57.275
from there, also get
credit card numbers,

128
00:08:57.275 --> 00:08:59.408
and use that
to basically transfer funds.

129
00:08:59.408 --> 00:09:02.672
Just in hundreds of dollars at
a time from these individuals.

130
00:09:02.672 --> 00:09:05.893
They eventually realised
that going after individuals

131
00:09:05.893 --> 00:09:07.198
was much more difficult

132
00:09:07.198 --> 00:09:10.288
than just going after
the banks themselves.

133
00:09:10.288 --> 00:09:11.942
Get into databases,

134
00:09:11.942 --> 00:09:14.423
those databases held
credit card numbers.

135
00:09:14.423 --> 00:09:17.600
Take those numbers and then
sell them on the black market.

136
00:09:19.341 --> 00:09:23.345
Originally, the internet
was set up at the Pentagon...

137
00:09:25.042 --> 00:09:29.003
just to be able to share
resources between computers.

138
00:09:32.136 --> 00:09:35.226
And it was really never
designed to have

139
00:09:35.226 --> 00:09:38.490
banking attached to it,

140
00:09:38.490 --> 00:09:41.711
critical infrastructure
attached to it.

141
00:09:41.711 --> 00:09:44.366
It was really designed
for availability.

142
00:09:44.366 --> 00:09:47.108
It was never designed
for security.

143
00:09:48.500 --> 00:09:50.502
Whereas in the early 1990s

144
00:09:50.502 --> 00:09:53.505
when there was only 30,000
people connected to it

145
00:09:53.505 --> 00:09:56.813
and several hundred systems,
we've moved to a system

146
00:09:56.813 --> 00:09:59.947
which essentially is the
backbone of global finance.

147
00:10:01.339 --> 00:10:04.560
The fact that
it's able to do that...

148
00:10:04.560 --> 00:10:07.432
the fact that it's able
to sustain currently between

149
00:10:07.432 --> 00:10:10.392
15 and 20 percent
of GDP globally

150
00:10:10.392 --> 00:10:12.742
tells us something about
just how important

151
00:10:12.742 --> 00:10:14.918
this infrastructure is.

152
00:10:14.918 --> 00:10:17.094
Why did people move
into the internet

153
00:10:17.094 --> 00:10:18.661
to seek economic opportunity?

154
00:10:18.661 --> 00:10:21.621
Because that's where the
economic opportunity was,

155
00:10:21.621 --> 00:10:23.579
untethered by norms,

156
00:10:23.579 --> 00:10:25.799
untethered
by national boundaries,

157
00:10:25.799 --> 00:10:28.497
and essentially limited
only by the creativity

158
00:10:28.497 --> 00:10:30.194
that these individuals had.

159
00:10:40.814 --> 00:10:43.817
The user nagged
the Federal Reserve Bank

160
00:10:43.817 --> 00:10:48.386
with 35 payment instructions
worth $951 million.

161
00:10:48.386 --> 00:10:50.867
We'd just never heard
of such a thing before.

162
00:10:50.867 --> 00:10:53.043
We'd been investigating cybercrime

163
00:10:53.043 --> 00:10:55.567
for a couple of decades
at that point.

164
00:10:55.567 --> 00:10:57.700
You see cyber criminals go in,

165
00:10:57.700 --> 00:11:01.748
and they try to transfer a few
hundred thousands of dollars,

166
00:11:01.748 --> 00:11:05.055
maybe a million,
a couple of million.

167
00:11:05.055 --> 00:11:09.059
But conducting a cyber-attack
to try to steal one billion?

168
00:11:09.059 --> 00:11:13.020
That was an order of magnitude
that we had never seen before.

169
00:11:13.020 --> 00:11:14.674
It was clear from early on

170
00:11:14.674 --> 00:11:18.112
that it was one of the biggest
cyber heists in the world.

171
00:11:18.112 --> 00:11:20.505
When we first started
hearing rumours

172
00:11:20.505 --> 00:11:23.813
about something affecting
SWIFT network,

173
00:11:23.813 --> 00:11:26.424
I didn't understand
how big it was.

174
00:11:26.424 --> 00:11:28.122
But when we started realising

175
00:11:28.122 --> 00:11:30.646
this is at a completely
different scale,

176
00:11:30.646 --> 00:11:32.561
it just blew my mind.

177
00:11:46.314 --> 00:11:47.445
Once they realised

178
00:11:47.445 --> 00:11:49.578
that the money actually
was really gone,

179
00:11:49.578 --> 00:11:51.623
then the panic began to set in.

180
00:11:51.623 --> 00:11:56.890
They lost $81 million instantly
to a bank in the Philippines.

181
00:11:56.890 --> 00:11:59.980
They see the $81 million
has already gone

182
00:11:59.980 --> 00:12:05.855
and that nearly $900 million
extra has been requested.

183
00:12:08.815 --> 00:12:13.254
They basically try to figure out
what to do next.

184
00:12:13.254 --> 00:12:15.865
They have no idea what to do.

185
00:12:15.865 --> 00:12:19.129
They hunted for ways to contact
the New York Fed.

186
00:12:20.957 --> 00:12:23.655
Desperate calls are made
by them.

187
00:12:27.834 --> 00:12:29.749
And it goes
to an answering machine.

188
00:12:29.749 --> 00:12:31.751
<i>You've reached
the Federal Reserve Bank...</i>

189
00:12:31.751 --> 00:12:33.622
Because it's Saturday
in New York,

190
00:12:33.622 --> 00:12:36.016
and nobody's picking
up the phone.

191
00:12:36.016 --> 00:12:39.106
<i>- Please call back...</i>
- It's a complete shitshow.

192
00:12:39.106 --> 00:12:43.153
Total disorganisation,
at both ends, I would stress.

193
00:12:45.503 --> 00:12:49.246
<i>The New York Times Magazine</i>
was planning a true-crime issue,

194
00:12:49.246 --> 00:12:50.421
and my editor came to me

195
00:12:50.421 --> 00:12:52.902
and asked if I was interested
in doing it.

196
00:12:54.251 --> 00:12:55.600
I looked into it a bit.

197
00:12:55.600 --> 00:12:58.125
There definitely were
some intriguing elements,

198
00:12:58.125 --> 00:12:59.779
and made me pay attention.

199
00:13:02.129 --> 00:13:04.435
The Federal Reserve
has pretty much

200
00:13:04.435 --> 00:13:07.177
depended on the SWIFT
banking system,

201
00:13:07.177 --> 00:13:11.878
and since there has rarely
been a hack, if ever,

202
00:13:11.878 --> 00:13:14.837
of the SWIFT banking system...

203
00:13:14.837 --> 00:13:18.058
the Federal Reserve
has never instituted

204
00:13:18.058 --> 00:13:20.800
any sort of 24-7 hotline.

205
00:13:22.540 --> 00:13:26.501
Eventually, they get
hold of somebody at SWIFT,

206
00:13:26.501 --> 00:13:28.155
and SWIFT says,

207
00:13:28.155 --> 00:13:29.765
"Just shut the whole lot down

208
00:13:29.765 --> 00:13:32.507
until we know
what's going on here."

209
00:13:32.507 --> 00:13:36.163
Badrul Khan decides before he
can actually make that decision,

210
00:13:36.163 --> 00:13:39.166
he has to talk to the deputy
governor of the bank,

211
00:13:39.166 --> 00:13:40.820
which he does.

212
00:13:40.820 --> 00:13:43.823
Deputy governor doesn't want to
take the decision upon himself,

213
00:13:43.823 --> 00:13:47.435
so he talks to the governor.
And guess what.

214
00:13:47.435 --> 00:13:50.655
The governor says,
"It's probably a mistake.

215
00:13:50.655 --> 00:13:52.614
We won't shut it down."

216
00:13:56.009 --> 00:13:58.750
Work week begins
at the Bangladesh Bank

217
00:13:58.750 --> 00:14:00.187
on Sunday morning,

218
00:14:00.187 --> 00:14:02.972
and it's then that the general
manager of the bank

219
00:14:02.972 --> 00:14:05.845
comes in and begins to take
stock of what had happened.

220
00:14:05.845 --> 00:14:07.411
They're running out of options.

221
00:14:07.411 --> 00:14:11.111
They're not sure what to do.
Fed is still closed in New York.

222
00:14:11.111 --> 00:14:13.200
They go through
all the SWIFT material,

223
00:14:13.200 --> 00:14:16.072
discover that most of
the money has gone

224
00:14:16.072 --> 00:14:18.205
to the bank in Manila.

225
00:14:18.205 --> 00:14:21.164
And these desperate
messages are sent out:

226
00:14:21.164 --> 00:14:22.600
"Stop the transactions.

227
00:14:22.600 --> 00:14:25.168
Hold that money. Do not
allow it to be withdrawn.

228
00:14:25.168 --> 00:14:27.127
It's our money.
It's been stolen."

229
00:14:28.650 --> 00:14:30.260
But there's a problem.

230
00:14:30.260 --> 00:14:32.219
Five, four,

231
00:14:32.219 --> 00:14:35.135
three, two, one!

232
00:14:35.135 --> 00:14:37.920
Happy New Year!

233
00:14:41.924 --> 00:14:43.795
It's Chinese New Year,

234
00:14:43.795 --> 00:14:46.929
and the Rizal Commercial Bank
is closed.

235
00:14:51.673 --> 00:14:56.199
The thieves chose
a sequence of days...

236
00:14:56.199 --> 00:15:00.638
from Friday, Saturday,
Sunday and Monday,

237
00:15:00.638 --> 00:15:03.815
when one or another
of the three countries

238
00:15:03.815 --> 00:15:06.557
that would be communicating
with one another

239
00:15:06.557 --> 00:15:09.169
was shut down for a holiday.

240
00:15:15.566 --> 00:15:17.612
You've got to hand it
to these guys.

241
00:15:17.612 --> 00:15:19.005
They knew it.

242
00:15:19.005 --> 00:15:21.703
They knew that if they did it
over that weekend,

243
00:15:21.703 --> 00:15:23.966
with the Friday,
the Muslim holiday,

244
00:15:23.966 --> 00:15:27.187
the Sunday and the Saturday,
everything closed in New York,

245
00:15:27.187 --> 00:15:30.538
and the Monday,
Chinese New Year.

246
00:15:32.322 --> 00:15:37.110
They've got four days
to get the heist done.

247
00:15:37.110 --> 00:15:39.373
This is really classy planning.

248
00:15:41.375 --> 00:15:45.422
In that respect,
it was really an ingenious plan.

249
00:15:45.422 --> 00:15:49.426
It's kind of like a great film
director in a malevolent way,

250
00:15:49.426 --> 00:15:53.082
planning out, you know,
a very complex film.

251
00:15:56.433 --> 00:15:58.131
The country of Bangladesh

252
00:15:58.131 --> 00:16:01.873
is the 170th poorest country
in the world.

253
00:16:01.873 --> 00:16:04.267
One billion dollars
is huge to them.

254
00:16:04.267 --> 00:16:06.356
When we talk
about cyber-attacks,

255
00:16:06.356 --> 00:16:08.054
they're not just zeros and ones.

256
00:16:08.054 --> 00:16:10.186
We're not just talking
about people

257
00:16:10.186 --> 00:16:13.755
moving around zeros and ones,
deleting zeros and ones.

258
00:16:15.539 --> 00:16:18.107
One billion dollars
to Bangladesh

259
00:16:18.107 --> 00:16:21.545
potentially means that people
starve in the country.

260
00:16:21.545 --> 00:16:25.245
These things have potential
serious repercussions.

261
00:16:27.725 --> 00:16:30.206
The Bangladesh Bank
heist was significant

262
00:16:30.206 --> 00:16:34.297
because it showed how fragile
global banking was as a whole.

263
00:16:36.169 --> 00:16:40.260
Banks don't just operate
as single isolated entities.

264
00:16:40.260 --> 00:16:42.784
They're part of a system.

265
00:16:42.784 --> 00:16:45.482
And that system is vulnerable.

266
00:16:47.702 --> 00:16:52.402
The US Federal Reserve holds
trillions of dollars in accounts

267
00:16:52.402 --> 00:16:55.579
kept by central banks
all around the world.

268
00:16:55.579 --> 00:16:59.279
Its computer security systems
are state of the art, making it

269
00:16:59.279 --> 00:17:03.587
one of the most difficult
financial institutions to hack.

270
00:17:07.287 --> 00:17:10.551
The criminals realise
that it can't get into

271
00:17:10.551 --> 00:17:14.076
the network system of the Fed,

272
00:17:14.076 --> 00:17:17.906
but the Fed has to talk
to other central banks

273
00:17:17.906 --> 00:17:19.777
around the world,

274
00:17:19.777 --> 00:17:23.390
and this is
where they find a flaw.

275
00:17:25.305 --> 00:17:27.437
The criminals turn
their attention

276
00:17:27.437 --> 00:17:30.440
to the banks'
communication systems.

277
00:17:31.963 --> 00:17:35.402
Every day, the Fed places
thousands of transactions

278
00:17:35.402 --> 00:17:39.058
on behalf of the central banks
that hold US dollar reserves

279
00:17:39.058 --> 00:17:40.320
at the Fed.

280
00:17:40.320 --> 00:17:42.757
The Federal Reserve
has pretty much depended

281
00:17:42.757 --> 00:17:45.107
on the SWIFT banking system

282
00:17:45.107 --> 00:17:48.067
to get its instructions
about transfers.

283
00:17:48.067 --> 00:17:51.026
SWIFT sends money
around the world

284
00:17:51.026 --> 00:17:52.941
to thousands of member banks.

285
00:17:52.941 --> 00:17:57.946
It's the main way that banks
dispatch money to one another.

286
00:17:59.165 --> 00:18:01.602
SWIFT allows you
to transfer money

287
00:18:01.602 --> 00:18:02.777
from one bank to another,

288
00:18:02.777 --> 00:18:04.561
no matter where you are
in the world.

289
00:18:04.561 --> 00:18:07.347
Make international
wire transfers.

290
00:18:07.347 --> 00:18:11.568
The whole banking system
is integrated,

291
00:18:11.568 --> 00:18:15.659
and they depend
above all else on SWIFT,

292
00:18:15.659 --> 00:18:21.143
the international transaction
mechanisms, to work.

293
00:18:21.143 --> 00:18:23.319
What it means is,
all it takes

294
00:18:23.319 --> 00:18:28.803
is a single weak link
to bring down the whole network.

295
00:18:30.370 --> 00:18:33.373
So although the target
is the Fed,

296
00:18:33.373 --> 00:18:37.725
they are looking for a bank
with which the Fed communicates,

297
00:18:37.725 --> 00:18:42.338
which holds a lot
of its reserves in New York.

298
00:18:42.338 --> 00:18:44.123
But it's a long way away,

299
00:18:44.123 --> 00:18:48.562
in a distant time zone
from the Fed,

300
00:18:48.562 --> 00:18:51.304
and it's likely to have

301
00:18:51.304 --> 00:18:56.396
patchy security systems in place
in its computer network.

302
00:18:58.963 --> 00:19:00.791
My colleagues in Dhaka,

303
00:19:00.791 --> 00:19:04.012
they were chasing it
for a long time.

304
00:19:04.012 --> 00:19:07.450
It was a robbery of a scale
that we hadn't heard of.

305
00:19:09.235 --> 00:19:11.585
The first thought
that came to my mind was,

306
00:19:11.585 --> 00:19:14.631
because it was the
Bangladeshi Central Bank,

307
00:19:14.631 --> 00:19:17.243
I thought the hackers found it

308
00:19:17.243 --> 00:19:19.549
somehow easier to target it.

309
00:19:19.549 --> 00:19:21.377
Because it was Bangladesh,

310
00:19:21.377 --> 00:19:24.424
I suspected they would
be more vulnerable

311
00:19:24.424 --> 00:19:26.774
to cyber-attacks as such.

312
00:19:28.515 --> 00:19:31.344
"Hmm. A Bangladeshi bank.

313
00:19:31.344 --> 00:19:33.998
Probably doesn't have
the same level of security

314
00:19:33.998 --> 00:19:36.218
and if they do,
it's probably one or two people,

315
00:19:36.218 --> 00:19:40.222
not a team of 6,000
working on it.

316
00:19:41.136 --> 00:19:42.355
Let's go for it."

317
00:19:42.355 --> 00:19:44.661
These attackers
weren't just skilled

318
00:19:44.661 --> 00:19:45.923
in breaching networks,

319
00:19:45.923 --> 00:19:47.838
figuring out how
to get into an organisation.

320
00:19:47.838 --> 00:19:52.016
They had to study that
SWIFT software deeply.

321
00:19:52.016 --> 00:19:55.194
This attack happened
well before that February 5th,

322
00:19:55.194 --> 00:19:56.847
when the bank employee walked in

323
00:19:56.847 --> 00:19:59.894
and saw that printer hadn't
printed out the audit jobs

324
00:19:59.894 --> 00:20:01.939
and couldn't figure out
what was going on.

325
00:20:01.939 --> 00:20:04.812
This attack started more
than a year prior to that.

326
00:20:04.812 --> 00:20:07.293
These attackers had been
working for months

327
00:20:07.293 --> 00:20:09.120
in the build-up until that day.

328
00:20:09.120 --> 00:20:11.253
It is a mistake
for people to think

329
00:20:11.253 --> 00:20:13.560
that this was something
that happened overnight.

330
00:20:13.560 --> 00:20:15.649
It is a mistake
for people to think

331
00:20:15.649 --> 00:20:18.956
that this happened in a month,
or two months or three months.

332
00:20:18.956 --> 00:20:21.394
It is a slow,
methodical approach,

333
00:20:21.394 --> 00:20:25.528
because it's a business,
all right? You build it.

334
00:20:32.274 --> 00:20:35.146
Bank robberies used to be
something that happened

335
00:20:35.146 --> 00:20:37.497
in the real world.

336
00:20:37.497 --> 00:20:40.630
Now they only happen
in the online world.

337
00:20:42.806 --> 00:20:46.767
If you would try to steal
$100 million in banknotes,

338
00:20:46.767 --> 00:20:49.160
that would be, like,
ten trucks full of notes.

339
00:20:49.160 --> 00:20:51.511
If you drive ten trucks
full of notes out of the bank,

340
00:20:51.511 --> 00:20:54.035
someone would notice.

341
00:20:54.035 --> 00:20:57.299
But when you do the same thing
online, no one notices anything.

342
00:20:57.299 --> 00:21:01.042
Every movie you've ever seen
of them breaking into a bank

343
00:21:01.042 --> 00:21:03.436
is them doing it
over a bank holiday

344
00:21:03.436 --> 00:21:05.394
or something of that nature.

345
00:21:05.394 --> 00:21:07.222
Same concept here.

346
00:21:12.096 --> 00:21:15.361
This isn't Matthew Broderick
sitting in front of a computer,

347
00:21:15.361 --> 00:21:17.450
like <i>War Games</i>
back in the 1980s,

348
00:21:17.450 --> 00:21:19.321
some kid in their basement.

349
00:21:21.105 --> 00:21:24.370
These are
criminal organisations.

350
00:21:24.370 --> 00:21:26.023
Each person has a skill set.

351
00:21:26.023 --> 00:21:29.070
It's kind of like that
<i>Ocean's Eleven</i>-type thing.

352
00:21:30.593 --> 00:21:33.074
You know,
"This guy could crack the bank,

353
00:21:33.074 --> 00:21:35.337
this guy could do
the surveillance cameras,

354
00:21:35.337 --> 00:21:37.774
this is the getaway,
this is the conman."

355
00:21:37.774 --> 00:21:39.559
You all have a role to play,

356
00:21:39.559 --> 00:21:42.301
and you need everybody
to execute their role

357
00:21:42.301 --> 00:21:44.085
to the best of their abilities

358
00:21:44.085 --> 00:21:46.870
for you to be
successful and get it out.

359
00:21:48.742 --> 00:21:53.007
So how do you pull off
a heist of this magnitude?

360
00:21:53.007 --> 00:21:58.317
It takes the right crew of
highly skilled specialists.

361
00:21:58.317 --> 00:22:03.191
And it all starts not with ones
and zeros, but with people.

362
00:22:07.151 --> 00:22:10.590
Cybercrime is about
gaining credentials

363
00:22:10.590 --> 00:22:12.635
to gain access,

364
00:22:12.635 --> 00:22:15.421
stealing the keys.

365
00:22:15.421 --> 00:22:19.816
The social engineer
is critical to a hack.

366
00:22:19.816 --> 00:22:22.253
It's how you get in,
and you get in

367
00:22:22.253 --> 00:22:26.388
not through digital means,
you get in through human means.

368
00:22:26.388 --> 00:22:28.956
It's to do with psychology.

369
00:22:31.306 --> 00:22:35.528
The criminals have to ensnare
one of the employees

370
00:22:35.528 --> 00:22:38.052
of the Bangladeshi Bank,

371
00:22:38.052 --> 00:22:41.882
beginning by going through
their social media profiles

372
00:22:41.882 --> 00:22:44.711
and looking
for suitable targets.

373
00:22:45.929 --> 00:22:48.932
Our relationship
with the computer

374
00:22:48.932 --> 00:22:51.848
is one of perceived intimacy;

375
00:22:51.848 --> 00:22:54.373
that when we're using
a computer,

376
00:22:54.373 --> 00:22:57.767
no one else can see
what we're doing, we believe,

377
00:22:57.767 --> 00:23:00.379
and it's just us and the screen.

378
00:23:02.119 --> 00:23:05.819
And if we were to read
an email from a friend,

379
00:23:05.819 --> 00:23:08.909
we tend to believe it
at face value.

380
00:23:12.216 --> 00:23:15.219
They found
close to three dozen employees.

381
00:23:15.219 --> 00:23:18.832
And they constructed
a simple spear-phish email:

382
00:23:18.832 --> 00:23:21.748
an email message that pretended
to be from a guy

383
00:23:21.748 --> 00:23:24.446
named Rasel Ahlam.

384
00:23:24.446 --> 00:23:26.056
And Rasel Ahlam said,

385
00:23:26.056 --> 00:23:28.581
"Hey, I just wanna
work at your company.

386
00:23:28.581 --> 00:23:31.410
Here's a résumé attached.
Have a look."

387
00:23:31.410 --> 00:23:34.108
And it turned out
that they mailed that

388
00:23:34.108 --> 00:23:36.893
to about 36 different employees,
and three of them

389
00:23:36.893 --> 00:23:39.722
opened that attachment
connected to that email.

390
00:23:40.984 --> 00:23:42.333
It was a zip file,

391
00:23:42.333 --> 00:23:44.640
and the zip file contained
just a document inside.

392
00:23:44.640 --> 00:23:47.295
They opened up the document
and it was his résumé.

393
00:23:47.295 --> 00:23:50.733
It was a résumé for Rasel Ahlam,
who wanted to work at the bank,

394
00:23:50.733 --> 00:23:52.996
but unbeknownst
to those individuals,

395
00:23:52.996 --> 00:23:56.826
also contained
malicious code inside.

396
00:23:56.826 --> 00:23:58.741
We can look at any data breach,

397
00:23:58.741 --> 00:24:01.222
and the root cause
has either been

398
00:24:01.222 --> 00:24:03.311
a technical problem

399
00:24:03.311 --> 00:24:05.400
or a people problem.

400
00:24:05.400 --> 00:24:08.229
And the technical problems
can be really hard

401
00:24:08.229 --> 00:24:10.536
and really expensive
and really slow to fix,

402
00:24:10.536 --> 00:24:12.581
but at least we can fix them.

403
00:24:12.581 --> 00:24:16.150
But in the end, we have
no patch for human brains.

404
00:24:17.804 --> 00:24:22.243
There's no way to fix the people
who do stupid mistakes.

405
00:24:22.243 --> 00:24:23.723
When attackers try to send

406
00:24:23.723 --> 00:24:27.030
these spear-phishing emails,
they try to do two things.

407
00:24:27.030 --> 00:24:30.512
They try to look very normal.
It was just a résumé.

408
00:24:30.512 --> 00:24:31.818
They try to fly under the radar,

409
00:24:31.818 --> 00:24:33.515
to look as legitimate
as possible.

410
00:24:33.515 --> 00:24:37.476
And the second is they often
try to use enticing techniques.

411
00:24:43.612 --> 00:24:47.050
New dangers tonight from
the Love Bug computer virus,

412
00:24:47.050 --> 00:24:49.966
this time disguised
as a friendlier email.

413
00:24:49.966 --> 00:24:53.579
The first internet virus
that went around the world

414
00:24:53.579 --> 00:24:57.887
in less than 48 hours was
called the ILOVEYOU virus.

415
00:24:57.887 --> 00:25:00.499
And already,
business interruption costs

416
00:25:00.499 --> 00:25:03.676
are estimated at more than
a billion dollars.

417
00:25:03.676 --> 00:25:06.592
You would be sitting
there working away,

418
00:25:06.592 --> 00:25:08.507
and then suddenly,
in your inbox,

419
00:25:08.507 --> 00:25:12.554
you get an email which says,
"I love you."

420
00:25:12.554 --> 00:25:15.252
And it could well be
that this is a person

421
00:25:15.252 --> 00:25:17.820
who you've always
held a torch for.

422
00:25:17.820 --> 00:25:20.344
And so, of course,
you're very excited,

423
00:25:20.344 --> 00:25:24.087
and you press on the link,
and then you're doomed.

424
00:25:24.087 --> 00:25:26.873
What happens is,
the virus infects your machine

425
00:25:26.873 --> 00:25:29.963
and proceeds to email everyone
you've ever emailed.

426
00:25:29.963 --> 00:25:32.618
The end result of that
is the mail servers

427
00:25:32.618 --> 00:25:33.706
get bogged down,

428
00:25:33.706 --> 00:25:36.143
and the only way
to solve the problem

429
00:25:36.143 --> 00:25:39.276
is to shut the servers down,
hence the interruption.

430
00:25:39.276 --> 00:25:42.323
The ILOVEYOU virus
was one of the first viruses

431
00:25:42.323 --> 00:25:45.065
that had really
worldwide impact.

432
00:25:47.110 --> 00:25:49.722
It was still a virus
written by a guy

433
00:25:49.722 --> 00:25:52.594
that just wanted to get
his name in lights.

434
00:25:52.594 --> 00:25:53.813
He wanted to see his virus

435
00:25:53.813 --> 00:25:55.597
travel around the world
a little bit

436
00:25:55.597 --> 00:25:57.381
and maybe get
in the news somewhere,

437
00:25:57.381 --> 00:25:59.819
and then him be able to say,
"Oh, I wrote that."

438
00:25:59.819 --> 00:26:03.083
Mr de Guzman hardly
seemed to comprehend the chaos

439
00:26:03.083 --> 00:26:05.041
inflicted on
the world's computers.

440
00:26:05.041 --> 00:26:08.610
But what happened was, it
spread so quickly and so fast,

441
00:26:08.610 --> 00:26:11.265
it brought down email
all over the world,

442
00:26:11.265 --> 00:26:13.920
and having email go down
was monumental.

443
00:26:13.920 --> 00:26:17.358
Experts say that the ILOVEYOU
virus could end up costing

444
00:26:17.358 --> 00:26:21.580
the world economy $10 billion
in lost work time.

445
00:26:21.580 --> 00:26:25.627
It became the first sign to show
that we relied on the internet.

446
00:26:25.627 --> 00:26:29.196
The internet was the basis for
our financial transactions,

447
00:26:29.196 --> 00:26:31.154
for the way we do business.

448
00:26:32.460 --> 00:26:33.635
I would talk to people

449
00:26:33.635 --> 00:26:35.332
and remind them
and educate them and say,

450
00:26:35.332 --> 00:26:36.899
"Look, you can't just click

451
00:26:36.899 --> 00:26:39.380
on any attachment
that comes to you in an email."

452
00:26:39.380 --> 00:26:42.818
I remember talking to a guy
about the Anna Kournikova virus

453
00:26:42.818 --> 00:26:45.995
that purported to be nude
pictures of Anna Kournikova.

454
00:26:45.995 --> 00:26:48.955
And he told me, he said,
"Yeah, I knew it was a virus.

455
00:26:48.955 --> 00:26:52.088
I thought it was probably
a virus. But what if it wasn't?

456
00:26:52.088 --> 00:26:53.960
What if it really was
nude pictures?

457
00:26:53.960 --> 00:26:55.788
So I double-clicked on it."

458
00:26:56.919 --> 00:26:58.399
People just don't realise

459
00:26:58.399 --> 00:27:02.055
what clicking on that
attachment means.

460
00:27:02.055 --> 00:27:06.102
Cyber criminals and hackers
realised a long time ago

461
00:27:06.102 --> 00:27:09.018
that your username and password,

462
00:27:09.018 --> 00:27:11.804
particularly to
your email account,

463
00:27:11.804 --> 00:27:15.285
could get them into your
stock brokerage account,

464
00:27:15.285 --> 00:27:18.201
to your online
banking account,

465
00:27:18.201 --> 00:27:23.903
to send phishing emails
to other contacts.

466
00:27:23.903 --> 00:27:27.994
If you protect
yourself properly,

467
00:27:27.994 --> 00:27:31.214
the chances are
you won't be a victim

468
00:27:31.214 --> 00:27:35.218
of what one would call
"drive-by hacking".

469
00:27:35.218 --> 00:27:39.483
If, however, you're being
specifically targeted

470
00:27:39.483 --> 00:27:42.965
by a hacking group,
they will follow that trace.

471
00:27:43.879 --> 00:27:45.533
And they will get you.

472
00:27:48.449 --> 00:27:53.280
Now, we know that at least three
members of the Bangladeshi Bank

473
00:27:53.280 --> 00:27:56.587
were targeted by this after
the social engineer

474
00:27:56.587 --> 00:27:58.981
had scanned
all of their social media,

475
00:27:58.981 --> 00:28:00.722
and at least three of them

476
00:28:00.722 --> 00:28:04.073
opened the letter
and took the bait.

477
00:28:04.073 --> 00:28:06.249
Once that code
began executing

478
00:28:06.249 --> 00:28:08.295
on those bank employees'
computers,

479
00:28:08.295 --> 00:28:10.906
it would reach out back
to the attackers

480
00:28:10.906 --> 00:28:13.866
and tell them that
these machines are now infected

481
00:28:13.866 --> 00:28:15.302
and give them full control,

482
00:28:15.302 --> 00:28:18.044
as if they were sitting
in front of the keyboard,

483
00:28:18.044 --> 00:28:21.134
just like those employees.

484
00:28:21.134 --> 00:28:23.745
There was malware
in the system

485
00:28:23.745 --> 00:28:26.574
that was actually
copying screenshots,

486
00:28:28.358 --> 00:28:33.450
copying keystrokes of employees,
and no one knew.

487
00:28:33.450 --> 00:28:35.801
They've got
their foot in the door.

488
00:28:35.801 --> 00:28:38.760
This is the essential
first step.

489
00:28:38.760 --> 00:28:42.677
The first layer of security
has been breached.

490
00:28:48.639 --> 00:28:52.339
And the digger, the person who
is getting deeper and deeper

491
00:28:52.339 --> 00:28:54.558
into the computer network,

492
00:28:54.558 --> 00:28:58.258
has to be a very
advanced hacker.

493
00:28:58.258 --> 00:29:02.958
This is when you need
a real professional.

494
00:29:02.958 --> 00:29:05.656
They're like ghosts.
Nobody can see them,

495
00:29:05.656 --> 00:29:10.009
but they're mapping every
single bit of that network.

496
00:29:11.967 --> 00:29:13.577
In the Bank of Bangladesh,

497
00:29:13.577 --> 00:29:16.145
you had computers that are all
interconnected to each other,

498
00:29:16.145 --> 00:29:19.279
and they're connected
using what's called a switch.

499
00:29:19.279 --> 00:29:23.022
In your average bank, that has
a good security program,

500
00:29:23.022 --> 00:29:25.676
those switches are
what's called segmented.

501
00:29:25.676 --> 00:29:27.591
So each of those switches
only allow

502
00:29:27.591 --> 00:29:30.290
a certain number of computers
to talk to each other

503
00:29:30.290 --> 00:29:32.814
rather than every computer
to talk to each other.

504
00:29:32.814 --> 00:29:35.382
But in the case of
the Bank of Bangladesh,

505
00:29:35.382 --> 00:29:38.559
in the back-office network, they
were using these very cheap,

506
00:29:38.559 --> 00:29:42.084
literally $10 switches
that didn't do any segmentation.

507
00:29:42.084 --> 00:29:45.348
Every computer was potentially
connected to each other.

508
00:29:45.348 --> 00:29:48.308
Basically,
it's a cost-cutting exercise.

509
00:29:48.308 --> 00:29:53.530
But that cost-cutting exercise
was what the digger needed.

510
00:29:53.530 --> 00:29:55.489
Those attackers
began to do

511
00:29:55.489 --> 00:29:58.231
what we call a lateral traverse
across the network,

512
00:29:58.231 --> 00:30:01.147
search for other computers
to infect,

513
00:30:01.147 --> 00:30:03.062
look for credentials.

514
00:30:04.585 --> 00:30:06.848
Whenever you log
into a computer,

515
00:30:06.848 --> 00:30:08.676
your credentials are cached.

516
00:30:08.676 --> 00:30:11.331
They're put into the memory
of the computer.

517
00:30:11.331 --> 00:30:14.290
Attackers are able
to filter through that memory

518
00:30:14.290 --> 00:30:16.640
and find used usernames
and passwords.

519
00:30:16.640 --> 00:30:19.469
They don't always know
what they're for,

520
00:30:19.469 --> 00:30:22.385
so they try to collect as many
credentials as they can

521
00:30:22.385 --> 00:30:25.432
and see, "What computers can
I see from this computer?",

522
00:30:25.432 --> 00:30:27.608
and just begin to use them
over and over again

523
00:30:27.608 --> 00:30:28.652
and just try them.

524
00:30:31.264 --> 00:30:32.613
Eventually, they hop on

525
00:30:32.613 --> 00:30:35.050
and are able to connect
to another computer.

526
00:30:35.050 --> 00:30:36.312
They get onto that one.

527
00:30:36.312 --> 00:30:38.271
It's still not what
they're interested in,

528
00:30:38.271 --> 00:30:40.664
but they're able to find more
usernames and passwords

529
00:30:40.664 --> 00:30:42.405
and try those
on all the other computers

530
00:30:42.405 --> 00:30:44.190
they can see
from that vantage point.

531
00:30:44.190 --> 00:30:48.020
That's how they move across
the network over and over again.

532
00:30:48.020 --> 00:30:50.544
They would delete
all traces of themselves

533
00:30:50.544 --> 00:30:52.894
as they moved
across the network,

534
00:30:52.894 --> 00:30:55.636
ultimately jumping from
computer to computer

535
00:30:55.636 --> 00:30:57.681
until they found
the SWIFT terminal,

536
00:30:57.681 --> 00:31:00.815
their ultimate goal in order
to make wire transfers

537
00:31:00.815 --> 00:31:02.817
out of the Bank of Bangladesh.

538
00:31:04.993 --> 00:31:06.777
It takes a long time.

539
00:31:06.777 --> 00:31:10.172
They're there for months.
This is an ongoing process.

540
00:31:10.172 --> 00:31:14.220
If at any moment they're
discovered to be in there,

541
00:31:14.220 --> 00:31:18.137
then the whole
operation is finished.

542
00:31:22.141 --> 00:31:24.056
With the Bangladeshi Bank heist,

543
00:31:24.056 --> 00:31:27.276
you basically have two
operations running in parallel.

544
00:31:27.276 --> 00:31:29.670
You have an offline operation
going on,

545
00:31:29.670 --> 00:31:32.238
which is to do with
the money laundering.

546
00:31:36.895 --> 00:31:38.940
It's the fence's responsibility

547
00:31:38.940 --> 00:31:43.902
to set up
the recipient accounts.

548
00:31:43.902 --> 00:31:46.382
They're gonna end up
with cold, hard cash,

549
00:31:46.382 --> 00:31:48.080
and they need individuals
on the ground

550
00:31:48.080 --> 00:31:50.909
to pick up that cash
and move it.

551
00:31:53.172 --> 00:31:54.434
And so, in May of 2015,

552
00:31:54.434 --> 00:31:56.871
before they'd even got
into the SWIFT terminal,

553
00:31:56.871 --> 00:31:59.656
they were able to recruit
a Chinese individual

554
00:31:59.656 --> 00:32:03.312
to go to the Philippines and
open up four bank accounts there

555
00:32:03.312 --> 00:32:05.227
at a bank called RCBC.

556
00:32:05.227 --> 00:32:08.883
You have to make sure
those people inside the bank

557
00:32:08.883 --> 00:32:10.711
in the Philippines

558
00:32:10.711 --> 00:32:12.974
have been properly corrupted

559
00:32:12.974 --> 00:32:17.674
and properly instructed
as to what their role is.

560
00:32:17.674 --> 00:32:20.068
The fence opens up
these accounts,

561
00:32:20.068 --> 00:32:22.592
puts $500 in each of them,

562
00:32:22.592 --> 00:32:25.726
and then they just go to sleep
for nine months.

563
00:32:28.598 --> 00:32:31.950
These attackers were
inside the Bank of Bangladesh

564
00:32:31.950 --> 00:32:34.822
for a full year,
which is incredible.

565
00:32:41.307 --> 00:32:43.265
They actually got
onto that SWIFT terminal

566
00:32:43.265 --> 00:32:44.788
exactly one year later...

567
00:32:47.617 --> 00:32:50.229
on January 29th, 2016.

568
00:32:55.495 --> 00:32:58.019
In any bank,
you have different employees.

569
00:32:58.019 --> 00:33:01.414
You have back-office employees,
administrative employees,

570
00:33:01.414 --> 00:33:04.330
but you also have computers
that are connected

571
00:33:04.330 --> 00:33:07.159
directly to
financial transactions.

572
00:33:07.159 --> 00:33:11.076
And only users who have specific
access to those machines

573
00:33:11.076 --> 00:33:12.555
are allowed to use them.

574
00:33:12.555 --> 00:33:15.036
When we talk about the case of
the Bank of Bangladesh,

575
00:33:15.036 --> 00:33:18.605
there was a single computer
that had credentials

576
00:33:18.605 --> 00:33:20.085
from a shared employee.

577
00:33:20.085 --> 00:33:23.218
You had an employee that
would use that SWIFT terminal,

578
00:33:23.218 --> 00:33:26.830
but also had their own computer
in the normal back-office area.

579
00:33:26.830 --> 00:33:29.355
Once they got onto
that employee's computer,

580
00:33:29.355 --> 00:33:31.052
they were able to jump across.

581
00:33:31.052 --> 00:33:34.969
They waited. They basically
did a recon on the system.

582
00:33:34.969 --> 00:33:36.579
They crawled around.

583
00:33:36.579 --> 00:33:39.756
They looked and tried to fully
understand how this worked,

584
00:33:39.756 --> 00:33:43.804
how SWIFT worked, how each bank
employee would make a request

585
00:33:43.804 --> 00:33:47.155
into the SWIFT system,
where it would go,

586
00:33:47.155 --> 00:33:49.244
how to direct that to branches

587
00:33:49.244 --> 00:33:52.117
where they had set up
these accounts.

588
00:33:52.117 --> 00:33:55.729
And in this case, it was just
very simple and very clever.

589
00:33:58.166 --> 00:34:00.342
The thief is
not so much someone

590
00:34:00.342 --> 00:34:03.302
who is physically
taking out the money

591
00:34:03.302 --> 00:34:05.695
and stuffing it into a bag.

592
00:34:05.695 --> 00:34:07.610
They're making sure

593
00:34:07.610 --> 00:34:12.572
that every bit on the system
is coordinated.

594
00:34:12.572 --> 00:34:16.228
There are all sorts of things
to get right

595
00:34:16.228 --> 00:34:21.494
before that fatal moment
when the request is made.

596
00:34:21.494 --> 00:34:24.105
Everything has to be

597
00:34:24.105 --> 00:34:26.716
really, really
precisely coordinated

598
00:34:26.716 --> 00:34:29.937
to get all the timing right.
You've got four days.

599
00:34:29.937 --> 00:34:31.547
You can't afford a slip-up.

600
00:34:31.547 --> 00:34:34.333
When the attackers
got into the SWIFT terminal

601
00:34:34.333 --> 00:34:38.728
on January 29th of 2016,
they paused for about five days

602
00:34:38.728 --> 00:34:41.079
to get their malicious
software ready

603
00:34:41.079 --> 00:34:43.168
that allowed them
to cover their tracks

604
00:34:43.168 --> 00:34:45.257
when they were on
that SWIFT terminal.

605
00:34:45.257 --> 00:34:48.173
They decided to wait
until February 4th.

606
00:34:48.173 --> 00:34:49.826
And this is no accident.

607
00:34:52.960 --> 00:34:55.702
They have chosen
a long weekend

608
00:34:55.702 --> 00:34:58.574
due to holidays in different
parts of the world.

609
00:34:58.574 --> 00:35:01.186
That means,
instead of the usual two days

610
00:35:01.186 --> 00:35:02.535
they have to get away with it

611
00:35:02.535 --> 00:35:04.841
before alarms
start going off everywhere,

612
00:35:04.841 --> 00:35:07.931
they've got four days.
It's brilliant.

613
00:35:09.498 --> 00:35:11.935
February 4th, 2016,
was a Thursday.

614
00:35:11.935 --> 00:35:14.634
That's the last day of
the working week in Bangladesh.

615
00:35:14.634 --> 00:35:16.940
In Bangladesh, they work
from Sunday to Thursday.

616
00:35:16.940 --> 00:35:19.421
So, at some point late
in the afternoon,

617
00:35:19.421 --> 00:35:22.685
the SWIFT transaction operator
in the Bangladeshi Bank

618
00:35:22.685 --> 00:35:24.687
logs off his terminal.

619
00:35:28.778 --> 00:35:30.476
But three hours later,

620
00:35:30.476 --> 00:35:33.435
the thief logs into
that terminal

621
00:35:33.435 --> 00:35:35.829
and starts to impersonate him.

622
00:35:35.829 --> 00:35:38.919
They logged into that SWIFT
terminal at 8:36 p.m.,

623
00:35:38.919 --> 00:35:41.051
after they believed,
or really knew,

624
00:35:41.051 --> 00:35:44.403
that all the bank employees
had gone home for the weekend.

625
00:35:44.403 --> 00:35:48.233
And they put forward
35 different wire transactions

626
00:35:48.233 --> 00:35:52.280
from that SWIFT terminal,
totalling $951 million,

627
00:35:52.280 --> 00:35:55.631
almost $1 billion,
completely unheard of.

628
00:35:58.678 --> 00:36:02.029
Ten hours
behind Bangladesh,

629
00:36:02.029 --> 00:36:03.813
New York is waking up.

630
00:36:04.945 --> 00:36:07.252
The first thing
that the Fed sees

631
00:36:07.252 --> 00:36:09.297
is 35 requests

632
00:36:09.297 --> 00:36:13.214
for almost the entire holdings
of the Bangladeshi Bank.

633
00:36:13.214 --> 00:36:17.523
Usually, it's figures of sort
of $300,000, $500,000.

634
00:36:17.523 --> 00:36:19.525
They want almost a billion!

635
00:36:19.525 --> 00:36:23.746
The operator, perhaps
unsurprisingly, rejects it,

636
00:36:23.746 --> 00:36:26.488
sends it back to Bangladesh.

637
00:36:26.488 --> 00:36:28.751
But he rejects it not because

638
00:36:28.751 --> 00:36:32.581
this is an absolutely crazy
amount of money,

639
00:36:32.581 --> 00:36:36.585
but because the requests
are wrongly formatted.

640
00:36:36.585 --> 00:36:39.153
As much research
that they had done,

641
00:36:39.153 --> 00:36:41.851
they didn't really understand
how to fill out

642
00:36:41.851 --> 00:36:43.331
those SWIFT transfers.

643
00:36:43.331 --> 00:36:45.942
They were missing what's called
an intermediate bank.

644
00:36:45.942 --> 00:36:48.162
New York Federal Reserve
replied to them,

645
00:36:48.162 --> 00:36:50.469
via the SWIFT system,
back to their computer

646
00:36:50.469 --> 00:36:52.688
that they were sitting
in front of, virtually,

647
00:36:52.688 --> 00:36:56.475
saying, "Hey, these transactions
are missing information."

648
00:36:56.475 --> 00:36:58.520
They think on their feet.

649
00:36:58.520 --> 00:37:02.829
They reformat the requests,
send them back...

650
00:37:02.829 --> 00:37:06.006
and hold their breath
to see what happens.

651
00:37:06.006 --> 00:37:08.574
They ultimately corrected
34 of them.

652
00:37:08.574 --> 00:37:09.879
They had forgotten one.

653
00:37:09.879 --> 00:37:12.230
The one that did have
the intermediate bank

654
00:37:12.230 --> 00:37:13.448
went to Deutsche Bank.

655
00:37:13.448 --> 00:37:15.581
That order was for $20 million

656
00:37:15.581 --> 00:37:19.802
to a charity called the Shalika
Foundation in Sri Lanka.

657
00:37:19.802 --> 00:37:22.109
But they had made
a typo as well,

658
00:37:22.109 --> 00:37:25.417
and they had misspelled
"foundation" as "fandation".

659
00:37:25.417 --> 00:37:27.680
And so Deutsche Bank
saw that typo

660
00:37:27.680 --> 00:37:29.856
and questioned it and, again,

661
00:37:29.856 --> 00:37:32.293
held that transaction
due to that typo.

662
00:37:34.643 --> 00:37:36.863
We use that
as the poster child

663
00:37:36.863 --> 00:37:40.083
for why you need
to learn how to spell.

664
00:37:40.083 --> 00:37:43.783
Otherwise, you can lose
$20 million.

665
00:37:43.783 --> 00:37:47.265
Ultimately, when
they return the other 34...

666
00:37:48.570 --> 00:37:50.268
Bingo.

667
00:37:50.268 --> 00:37:52.487
The operator approves them.

668
00:37:52.487 --> 00:37:55.795
Four of them went through.

669
00:37:55.795 --> 00:38:00.495
The green light is given.
The heist is on.

670
00:38:00.495 --> 00:38:03.629
Those four went through
to those bank accounts

671
00:38:03.629 --> 00:38:06.066
in the Philippines
that had been opened

672
00:38:06.066 --> 00:38:07.589
more than six months earlier.

673
00:38:07.589 --> 00:38:10.636
And they were able
to transfer out $81 million

674
00:38:10.636 --> 00:38:12.638
to the bank in the Philippines.

675
00:38:34.181 --> 00:38:37.837
Ultimately, they were about
to transfer $1 billion

676
00:38:37.837 --> 00:38:39.534
from the Bank of Bangladesh,

677
00:38:39.534 --> 00:38:42.494
but they didn't want
anyone to find out.

678
00:38:47.847 --> 00:38:51.459
They began to cover
their tracks.

679
00:38:51.459 --> 00:38:53.200
Normally, as a bank employee,

680
00:38:53.200 --> 00:38:55.071
you'll load up
the SWIFT software,

681
00:38:55.071 --> 00:38:57.944
you'll see on the screen
all the latest transactions,

682
00:38:57.944 --> 00:38:59.598
you can make transactions.

683
00:38:59.598 --> 00:39:04.342
And so the attackers deleted all
records of those transactions.

684
00:39:07.083 --> 00:39:08.563
But it's not just digital.

685
00:39:08.563 --> 00:39:13.002
In the world of finance,
everything must be a hard copy.

686
00:39:13.002 --> 00:39:16.005
And the attackers
knew that as well.

687
00:39:20.575 --> 00:39:23.622
Every SWIFT transaction
that takes place

688
00:39:23.622 --> 00:39:28.975
is immediately printed out
locally in the Bangladeshi Bank.

689
00:39:28.975 --> 00:39:31.978
So that printer cannot
be working

690
00:39:31.978 --> 00:39:34.676
when the heist is going on.

691
00:39:34.676 --> 00:39:37.549
The attackers hijacked
all of those print jobs,

692
00:39:37.549 --> 00:39:40.421
replaced all of those
print jobs with zeros

693
00:39:40.421 --> 00:39:43.555
so that nothing would
come out of the printer.

694
00:39:43.555 --> 00:39:48.516
Now, the other 30
wire transactions sat around.

695
00:39:48.516 --> 00:39:51.867
And, ultimately,
the attackers waited,

696
00:39:51.867 --> 00:39:54.261
and they waited...

697
00:39:54.261 --> 00:39:58.874
And they logged out at
3:59 a.m. Bangladesh time.

698
00:39:58.874 --> 00:40:01.442
Potentially, they thought
that in New York,

699
00:40:01.442 --> 00:40:03.096
the business day ended
at five p.m.,

700
00:40:03.096 --> 00:40:04.924
and they weren't gonna hear
any more.

701
00:40:04.924 --> 00:40:06.882
The New York Fed
had actually stopped

702
00:40:06.882 --> 00:40:08.449
the rest of the transactions,

703
00:40:08.449 --> 00:40:11.931
because the address for
the bank in the Philippines

704
00:40:11.931 --> 00:40:15.804
was on Jupiter Street.
J-U-P-I-T-E-R.

705
00:40:15.804 --> 00:40:20.853
Right, now this is when
the story gets really weird.

706
00:40:20.853 --> 00:40:24.857
In a totally unrelated incident
two years earlier,

707
00:40:24.857 --> 00:40:28.469
we have a Greek shipping
magnate, Dimitris Cambis,

708
00:40:28.469 --> 00:40:32.038
and he is buying eight tankers.

709
00:40:32.038 --> 00:40:35.258
What Dimitris knew,
but not many other people,

710
00:40:35.258 --> 00:40:39.872
was that the money
for these eight oil tankers

711
00:40:39.872 --> 00:40:41.917
came from Iran,

712
00:40:41.917 --> 00:40:45.660
and Iran was under US sanctions.

713
00:40:45.660 --> 00:40:48.358
Someone in the US
caught wind of the fact

714
00:40:48.358 --> 00:40:51.710
that the Iranians were
financing Mr Cambis.

715
00:40:51.710 --> 00:40:55.017
His company was put on
the sanctions watch list,

716
00:40:55.017 --> 00:40:58.325
and his company
was called Jupiter Seaways.

717
00:41:00.675 --> 00:41:02.590
It was just their bad luck

718
00:41:02.590 --> 00:41:05.201
that they designated
the money transfers

719
00:41:05.201 --> 00:41:11.338
to go to the Jupiter branch
of the Rizal Bank in Manila.

720
00:41:11.338 --> 00:41:15.211
As the transfers were being sent
out from the New York Reserve

721
00:41:15.211 --> 00:41:16.996
to the Philippines,

722
00:41:16.996 --> 00:41:20.956
the Jupiter name was caught
by the computer system.

723
00:41:20.956 --> 00:41:23.916
It halted these transactions.

724
00:41:23.916 --> 00:41:26.484
The Fed had to take
a second look.

725
00:41:26.484 --> 00:41:28.790
They stopped it
because they realised,

726
00:41:28.790 --> 00:41:31.184
"Wait, we have somewhere
in the order 35 transactions

727
00:41:31.184 --> 00:41:33.229
coming from
the Bank of Bangladesh,

728
00:41:33.229 --> 00:41:37.407
adding up to $1 billion?
You know, this isn't usual."

729
00:41:37.407 --> 00:41:40.062
So they held them
and sent a message back,

730
00:41:40.062 --> 00:41:41.890
asking for confirmation.

731
00:41:44.589 --> 00:41:47.766
Had the attackers waited
just one more hour,

732
00:41:47.766 --> 00:41:50.595
they could have replied to them
via the SWIFT system,

733
00:41:50.595 --> 00:41:53.206
saying these transactions
were not a mistake.

734
00:41:53.206 --> 00:41:55.295
Ultimately,
the Bank of Bangladesh

735
00:41:55.295 --> 00:41:57.253
might have lost
much, much more.

736
00:41:57.253 --> 00:42:01.344
So far, they managed
to get $81 million.

737
00:42:01.344 --> 00:42:05.435
But, boy, did they come close
to hitting the jackpot.

738
00:42:05.435 --> 00:42:07.655
Just under $1 billion

739
00:42:07.655 --> 00:42:11.572
was very, very nearly
stolen from this bank.

740
00:42:22.061 --> 00:42:25.194
The next day,
the bank employees came in,

741
00:42:25.194 --> 00:42:26.587
and the printer wasn't working,

742
00:42:26.587 --> 00:42:28.937
because they installed
their malicious code

743
00:42:28.937 --> 00:42:30.722
to prevent that from happening.

744
00:42:30.722 --> 00:42:32.637
Ultimately,
those bank employees

745
00:42:32.637 --> 00:42:34.900
didn't get it fixed
until February 6,

746
00:42:34.900 --> 00:42:36.554
which would have been a Sunday.

747
00:42:38.251 --> 00:42:41.297
When the printer started,
all these messages came out,

748
00:42:41.297 --> 00:42:42.908
messages from the Fed asking,

749
00:42:42.908 --> 00:42:46.041
"What are these 30 transactions?
Did you mean to make these?"

750
00:42:46.041 --> 00:42:48.304
That triggered
the Bank of Bangladesh

751
00:42:48.304 --> 00:42:51.003
to realise something
had gone wrong.

752
00:42:51.003 --> 00:42:53.658
It was very clear
that they were in deep,

753
00:42:53.658 --> 00:42:57.357
such that the bank manager...
This is the Bank of Bangladesh,

754
00:42:57.357 --> 00:43:00.534
the federal bank, the national
bank of the country,

755
00:43:00.534 --> 00:43:04.103
did not notify the leaders,

756
00:43:04.103 --> 00:43:07.236
the government of Bangladesh.
He kept it under wraps.

757
00:43:07.236 --> 00:43:10.544
He notified someone he knew
who knew about security.

758
00:43:10.544 --> 00:43:12.372
"Get on a plane,
get to Bangladesh.

759
00:43:12.372 --> 00:43:14.940
I need you to look at
these computer systems."

760
00:43:20.467 --> 00:43:22.948
Initially, the governor
and his whole team

761
00:43:22.948 --> 00:43:24.166
were quite perplexed.

762
00:43:24.166 --> 00:43:27.343
They didn't quite know
what had happened.

763
00:43:27.343 --> 00:43:30.216
So they thought that
some money had been routed

764
00:43:30.216 --> 00:43:33.045
to a wrong account;
it would come back.

765
00:43:36.309 --> 00:43:39.921
I get this strange phone call
from the governor's office

766
00:43:39.921 --> 00:43:42.707
asking me if I would
drop everything

767
00:43:42.707 --> 00:43:45.274
and come to Dhaka, Bangladesh.

768
00:43:49.061 --> 00:43:51.237
So I assembled a team...

769
00:43:52.107 --> 00:43:53.892
and we flew down.

770
00:43:57.896 --> 00:44:02.596
When we arrived there, we met
with the Bangladesh Bank team.

771
00:44:02.596 --> 00:44:06.121
And that's when I discovered
all the horrifying details

772
00:44:06.121 --> 00:44:08.471
of what had actually happened.

773
00:44:12.388 --> 00:44:15.217
They decide,
"Let's look at the CCTV.

774
00:44:15.217 --> 00:44:17.393
What's that going to tell us?"

775
00:44:17.393 --> 00:44:20.309
There were eight
hours' worth of tapes

776
00:44:20.309 --> 00:44:23.138
that had to be gone through.

777
00:44:23.138 --> 00:44:26.054
Your gut instinct is,
you have a malicious insider.

778
00:44:26.054 --> 00:44:27.708
A physical person had to go in,

779
00:44:27.708 --> 00:44:30.842
log into that machine
and try to make these transfers,

780
00:44:30.842 --> 00:44:34.715
because this attack
hadn't happened before.

781
00:44:34.715 --> 00:44:37.631
They had a SWIFT room,
which was locked.

782
00:44:37.631 --> 00:44:39.938
And typically when
the SWIFT operators

783
00:44:39.938 --> 00:44:43.724
needed to do something on SWIFT,
they had to go into the room,

784
00:44:43.724 --> 00:44:47.467
sit in that chair and terminal,

785
00:44:47.467 --> 00:44:52.037
and there was only
one shadow we could find.

786
00:44:52.037 --> 00:44:54.779
We eventually decided
it was the person

787
00:44:54.779 --> 00:44:58.391
sweeping the place after hours.

788
00:45:00.741 --> 00:45:04.310
They were saying, "How could
somebody process the transaction

789
00:45:04.310 --> 00:45:05.964
when there was nobody there?"

790
00:45:05.964 --> 00:45:10.577
I mean, even after the payment
instructions had been sent,

791
00:45:10.577 --> 00:45:15.408
they had no idea for a very long
time what was happening.

792
00:45:15.408 --> 00:45:19.412
They didn't think it was a hack.
They had no traces of a hack.

793
00:45:19.412 --> 00:45:22.632
But they watched eight hours of
that footage over that weekend

794
00:45:22.632 --> 00:45:25.635
and realised there was
no one at that computer.

795
00:45:25.635 --> 00:45:26.941
Nothing.

796
00:45:26.941 --> 00:45:29.248
They had no idea that
the Bank of Bangladesh

797
00:45:29.248 --> 00:45:31.859
had been breached by hackers.

798
00:45:31.859 --> 00:45:35.384
Only after we see these things
happen over and over again,

799
00:45:35.384 --> 00:45:39.171
we realise that cyber
has such capabilities.

800
00:45:44.045 --> 00:45:47.440
Bangladesh was a bit of
a bombshell for all of us.

801
00:45:49.311 --> 00:45:52.097
Hackers and most cybercrime,

802
00:45:52.097 --> 00:45:54.055
it's like smash-and-grab crime.

803
00:45:54.055 --> 00:45:56.492
Quickly grab something
and monetise it

804
00:45:56.492 --> 00:45:58.103
as swiftly as you can.

805
00:45:58.103 --> 00:46:01.236
You know, storm a bank
with shotguns, blow a safe,

806
00:46:01.236 --> 00:46:03.978
fill some bags with cash.

807
00:46:03.978 --> 00:46:06.024
Cybercrime...

808
00:46:06.024 --> 00:46:09.418
It doesn't lend itself well
to long conspiracy

809
00:46:09.418 --> 00:46:11.856
and lots of investigation
and investment

810
00:46:11.856 --> 00:46:13.596
into understanding your target.

811
00:46:13.596 --> 00:46:15.903
I mean, you couldn't
do Bangladesh

812
00:46:15.903 --> 00:46:19.037
unless you really understood
the internal workings

813
00:46:19.037 --> 00:46:21.909
of the central bank
and all the actors involved.

814
00:46:21.909 --> 00:46:24.607
That's not something
that freelance hackers

815
00:46:24.607 --> 00:46:26.827
really are good at.

816
00:46:26.827 --> 00:46:29.917
That requires a level of
investment into resources

817
00:46:29.917 --> 00:46:34.095
and frankly intelligence
that has to be sustained.

818
00:46:34.095 --> 00:46:38.012
To organise something
of that complexity

819
00:46:38.012 --> 00:46:40.841
and for it not to be noticed

820
00:46:40.841 --> 00:46:43.539
by the intelligence agencies
of the state

821
00:46:43.539 --> 00:46:46.020
where that is being planned

822
00:46:46.020 --> 00:46:50.285
would be very,
very difficult indeed.

823
00:46:50.285 --> 00:46:53.419
These hackers went in
and looked at the zeros and ones

824
00:46:53.419 --> 00:46:55.725
in the software
and reverse engineered it,

825
00:46:55.725 --> 00:46:58.380
turned it back into
understandable code.

826
00:46:58.380 --> 00:47:00.905
That's not something
that happens overnight.

827
00:47:00.905 --> 00:47:02.384
It was pretty clear

828
00:47:02.384 --> 00:47:04.865
that this isn't just
normal criminals.

829
00:47:04.865 --> 00:47:07.128
This has to be something bigger.

830
00:47:10.044 --> 00:47:13.961
Once attackers have gained
access to their target network,

831
00:47:13.961 --> 00:47:16.007
they want to stay undetected.

832
00:47:18.487 --> 00:47:20.968
And we've seen many
interesting examples

833
00:47:20.968 --> 00:47:23.014
of how exactly this is done.

834
00:47:26.278 --> 00:47:27.801
What exactly happened

835
00:47:27.801 --> 00:47:30.195
at the Natanz nuclear facility
last week?

836
00:47:30.195 --> 00:47:32.806
It's a question people in Iran
and around the world

837
00:47:32.806 --> 00:47:35.461
have been asking
since a fire was reported

838
00:47:35.461 --> 00:47:38.856
at Iran's main uranium
enrichment facility on Thursday.

839
00:47:38.856 --> 00:47:41.902
We're used to Trojans
and viruses on the internet,

840
00:47:41.902 --> 00:47:43.338
but this is the first worm

841
00:47:43.338 --> 00:47:46.907
designed to damage
the physical world.

842
00:47:46.907 --> 00:47:51.042
In 2010, attackers created
a piece of malicious software

843
00:47:51.042 --> 00:47:55.350
that was designed to infiltrate
Iran's nuclear programme,

844
00:47:55.350 --> 00:47:57.004
to get into their centrifuges,

845
00:47:57.004 --> 00:47:59.050
in particular,
get onto computers

846
00:47:59.050 --> 00:48:00.921
that controlled
their centrifuges.

847
00:48:00.921 --> 00:48:04.142
Iran says it will
retaliate against any country

848
00:48:04.142 --> 00:48:06.884
that conducts cyber-attacks
on its nuclear sites.

849
00:48:06.884 --> 00:48:09.538
The intention
was to spin the centrifuges

850
00:48:09.538 --> 00:48:12.150
of Iran's nuclear capabilities
out of control,

851
00:48:12.150 --> 00:48:14.152
make the centrifuges explode

852
00:48:14.152 --> 00:48:15.414
and push them ten years back

853
00:48:15.414 --> 00:48:17.372
in the uranium enrichment programme.

854
00:48:17.372 --> 00:48:18.721
As a piece of malware,

855
00:48:18.721 --> 00:48:21.768
it was 40 times larger
than any piece of malware

856
00:48:21.768 --> 00:48:24.336
that had ever been
encountered before.

857
00:48:24.336 --> 00:48:28.514
It would have taken
the most advanced,

858
00:48:28.514 --> 00:48:30.995
brilliant computer engineers

859
00:48:30.995 --> 00:48:34.085
years and years of human
working hours

860
00:48:34.085 --> 00:48:35.956
to produce this.

861
00:48:35.956 --> 00:48:38.089
Why was it so big?

862
00:48:38.089 --> 00:48:42.310
Because it needed
to cover itself up.

863
00:48:44.834 --> 00:48:47.794
The attackers
were actually recording

864
00:48:47.794 --> 00:48:52.320
the network traffic,
the normal network traffic,

865
00:48:52.320 --> 00:48:55.062
and then playing it back
to the sensors

866
00:48:55.062 --> 00:48:58.848
when they started modifying the
operations of the centrifuges

867
00:48:58.848 --> 00:49:00.720
they were trying to break.

868
00:49:04.463 --> 00:49:06.900
This is the equivalent of,
in the real world,

869
00:49:06.900 --> 00:49:09.903
recording the CCTV footage
from a security camera

870
00:49:09.903 --> 00:49:12.166
and then playing it back
to the camera

871
00:49:12.166 --> 00:49:14.125
when you're doing
something bad.

872
00:49:14.125 --> 00:49:16.301
That's what Stuxnet was doing.

873
00:49:16.301 --> 00:49:18.042
And in the Bangladesh heist,

874
00:49:18.042 --> 00:49:20.218
they were doing
something similar.

875
00:49:20.218 --> 00:49:22.872
Once they made
their transactions,

876
00:49:22.872 --> 00:49:26.311
they wanted to make sure no one
realised they had happened.

877
00:49:26.311 --> 00:49:29.053
They were actually falsifying
the information

878
00:49:29.053 --> 00:49:30.576
about transactions.

879
00:49:30.576 --> 00:49:33.405
The recording of the
transactions were being done

880
00:49:33.405 --> 00:49:34.972
both in electronic format,

881
00:49:34.972 --> 00:49:38.540
but also falsifying the data
being sent to the printers,

882
00:49:38.540 --> 00:49:41.021
which actually looked like
everything was fine.

883
00:49:41.021 --> 00:49:44.242
So you find out how
you're being tracked,

884
00:49:44.242 --> 00:49:46.984
and then you try
to cover your tracks.

885
00:49:46.984 --> 00:49:48.246
Stuxnet did that.

886
00:49:48.246 --> 00:49:50.770
The Bangladeshi heist
did it as well.

887
00:49:53.207 --> 00:49:56.950
Once that money
arrived in the Philippines,

888
00:49:56.950 --> 00:50:00.519
they needed to change
that money into cold, hard cash.

889
00:50:00.519 --> 00:50:02.912
Right now, it's still in
digital ones and zeros,

890
00:50:02.912 --> 00:50:05.437
just a transaction that said
the money has moved

891
00:50:05.437 --> 00:50:06.829
from the Bank of Bangladesh

892
00:50:06.829 --> 00:50:10.094
to these accounts at RCBC.
Four accounts.

893
00:50:10.094 --> 00:50:13.532
The thieves had to
get it out of the Philippines,

894
00:50:13.532 --> 00:50:15.621
make it disappear.

895
00:50:15.621 --> 00:50:18.450
So how were they going
to do that?

896
00:50:18.450 --> 00:50:20.843
There is one industry
in the Philippines

897
00:50:20.843 --> 00:50:23.237
where there is absolutely
no oversight,

898
00:50:23.237 --> 00:50:27.241
where it's a cash-only business.
There are no records, no names.

899
00:50:27.241 --> 00:50:29.113
That is the casino industry.

900
00:50:41.125 --> 00:50:43.257
When we talk about
laundering funds,

901
00:50:43.257 --> 00:50:45.955
we're talking about
taking dirty, illicit funds,

902
00:50:45.955 --> 00:50:49.481
running them through
a legal business

903
00:50:49.481 --> 00:50:52.049
so that if I came
to you and said,

904
00:50:52.049 --> 00:50:55.400
"Hey, where'd you get
that $81 million?",

905
00:50:55.400 --> 00:51:00.318
you could have a paper trail
to show that you won it back.

906
00:51:00.318 --> 00:51:03.103
The hard part
is not stealing the money.

907
00:51:03.103 --> 00:51:06.628
The hard part is moving the
money into a form you can use

908
00:51:06.628 --> 00:51:08.152
without getting caught.

909
00:51:10.241 --> 00:51:15.202
And one method we've seen
for quite a while is gambling.

910
00:51:15.202 --> 00:51:17.074
It was very clear that,

911
00:51:17.074 --> 00:51:20.251
if, at all, there was a place
for you to do that,

912
00:51:20.251 --> 00:51:22.166
it would have been
the Philippines,

913
00:51:22.166 --> 00:51:25.038
because the casinos
are not regulated at all.

914
00:51:27.171 --> 00:51:30.304
It's like a lot of
high-flying gamblers

915
00:51:30.304 --> 00:51:33.307
who'd kind of fly to Manila,

916
00:51:33.307 --> 00:51:37.050
crowd these numerous casinos
in Manila,

917
00:51:37.050 --> 00:51:38.399
lots of money coming in.

918
00:51:38.399 --> 00:51:41.315
People don't question
that kind of money.

919
00:51:41.315 --> 00:51:42.795
I mean, you know...

920
00:51:42.795 --> 00:51:44.753
"Well, as long as
it's coming to us,

921
00:51:44.753 --> 00:51:47.887
we don't bother too much
about where it is coming from."

922
00:51:49.323 --> 00:51:52.283
The thieves knew
if they could get that money

923
00:51:52.283 --> 00:51:55.547
into the casinos,
it would essentially be lost.

924
00:51:56.809 --> 00:51:58.115
What happened was,

925
00:51:58.115 --> 00:52:00.421
the manager from
the Philippines bank,

926
00:52:00.421 --> 00:52:03.381
she was the one who'd opened
those four accounts

927
00:52:03.381 --> 00:52:05.557
using fraudulent IDs.

928
00:52:05.557 --> 00:52:09.952
She got the money withdrawn from
the bank in the Philippines.

929
00:52:11.563 --> 00:52:12.955
From there, it started to go

930
00:52:12.955 --> 00:52:14.566
through something
called Philrem.

931
00:52:14.566 --> 00:52:18.004
It's a bit like a Western Union
in the Philippines,

932
00:52:18.004 --> 00:52:20.180
transferred into pesos.

933
00:52:20.180 --> 00:52:22.487
I don't know
if you've ever used

934
00:52:22.487 --> 00:52:24.010
Philippine pesos before,

935
00:52:24.010 --> 00:52:28.057
but that's one hell
of a lot of pesos, $22 million.

936
00:52:28.057 --> 00:52:33.454
In fact,
it's over one million banknotes.

937
00:52:33.454 --> 00:52:35.630
They actually had
to request that cash

938
00:52:35.630 --> 00:52:38.981
to come from a sister
branch location,

939
00:52:38.981 --> 00:52:40.853
that arrived in boxes.

940
00:52:40.853 --> 00:52:44.422
The bank manager was seen by
one of the other bank employees

941
00:52:44.422 --> 00:52:47.599
collecting those boxes
and literally going outside

942
00:52:47.599 --> 00:52:49.862
and loading them up
into a Lexus.

943
00:52:50.993 --> 00:52:53.344
And that money
was driven away.

944
00:52:59.785 --> 00:53:03.702
So, we're talking stacks
of bills carried in vans

945
00:53:03.702 --> 00:53:07.227
to the Solaire Casino
right by the airport.

946
00:53:07.227 --> 00:53:10.448
It allows the Chinese gamblers
to come off the plane.

947
00:53:10.448 --> 00:53:13.320
Five minutes, they're on
the floor playing baccarat.

948
00:53:16.410 --> 00:53:19.979
The money goes to this place.
It's wheeled in wheelbarrows

949
00:53:19.979 --> 00:53:24.113
across the casino floor
up to this guarded escalator.

950
00:53:35.255 --> 00:53:38.215
There's so much
physical cash involved,

951
00:53:38.215 --> 00:53:41.305
they've enlisted their
own crew of gamblers

952
00:53:41.305 --> 00:53:44.830
to launder the stolen funds.

953
00:53:44.830 --> 00:53:47.093
And they just played baccarat,

954
00:53:47.093 --> 00:53:49.617
all day long.

955
00:53:49.617 --> 00:53:51.140
They had individuals,

956
00:53:51.140 --> 00:53:54.231
mostly appeared to be Chinese
nationals that they had,

957
00:53:54.231 --> 00:53:57.538
I assume, hired to take
those funds and launder them.

958
00:53:57.538 --> 00:54:01.499
You change that cash
into casino chips,

959
00:54:01.499 --> 00:54:03.152
play a few games,

960
00:54:03.152 --> 00:54:04.937
cash in the chips.

961
00:54:04.937 --> 00:54:10.595
And when you get that cash back,
that is then laundered.

962
00:54:10.595 --> 00:54:13.119
And this wouldn't
have been unusual.

963
00:54:13.119 --> 00:54:15.513
This was the Chinese lunar week.

964
00:54:15.513 --> 00:54:18.298
That would've been very common
for individuals,

965
00:54:18.298 --> 00:54:20.561
high rollers, to come
into the Philippines

966
00:54:20.561 --> 00:54:22.868
and play at the casinos
during that time.

967
00:54:22.868 --> 00:54:26.611
Spending $22 million in
a casino over a weekend,

968
00:54:26.611 --> 00:54:28.569
let's face it, could be fun.

969
00:54:32.878 --> 00:54:36.708
Doing this story
and trying to figure out

970
00:54:36.708 --> 00:54:40.407
where in history
to sort of place this thing.

971
00:54:40.407 --> 00:54:43.323
Was this the biggest
heist of all time?

972
00:54:43.323 --> 00:54:47.327
No, but it certainly looked
to be the biggest cyber heist

973
00:54:47.327 --> 00:54:50.243
of a bank in history.

974
00:54:50.243 --> 00:54:54.378
And over the next few days,
I just remember

975
00:54:54.378 --> 00:54:58.425
calling up my sources
at Symantec

976
00:54:58.425 --> 00:55:00.993
and a couple other
cybersecurity firms

977
00:55:00.993 --> 00:55:04.257
and getting in touch with
a guy named Eric Chien.

978
00:55:06.085 --> 00:55:09.131
We have all kinds of
sensors sitting on networks

979
00:55:09.131 --> 00:55:10.785
and computers
all over the world.

980
00:55:10.785 --> 00:55:14.136
Any time some sort of
cyber criminal, some attacker,

981
00:55:14.136 --> 00:55:18.053
is trying to breach a computer,
they're leaving traces behind.

982
00:55:19.577 --> 00:55:23.537
Every attack
has a signature.

983
00:55:23.537 --> 00:55:25.104
If you look at it long enough,

984
00:55:25.104 --> 00:55:27.454
if you study it,
if you work it long enough,

985
00:55:27.454 --> 00:55:29.717
you can understand
the way they do things.

986
00:55:29.717 --> 00:55:31.284
The way they state something,

987
00:55:31.284 --> 00:55:34.461
the way they code
a particular way,

988
00:55:34.461 --> 00:55:39.901
the methodology of the attack,
the step-by-step approaches.

989
00:55:39.901 --> 00:55:42.904
It might be considered
like Sherlock Holmesian

990
00:55:42.904 --> 00:55:44.384
to come up with this idea.

991
00:55:44.384 --> 00:55:46.778
"Because he walks
with a gait this way,

992
00:55:46.778 --> 00:55:48.954
and he does this..."
But it is true.

993
00:55:48.954 --> 00:55:53.262
We see those signatures.
We see those patterns.

994
00:55:54.220 --> 00:55:56.004
What we discovered was,

995
00:55:56.004 --> 00:55:59.443
by looking at the artefacts
that these attackers had used,

996
00:55:59.443 --> 00:56:01.880
the malicious binaries
they had used,

997
00:56:01.880 --> 00:56:03.185
the code inside of it,

998
00:56:03.185 --> 00:56:05.753
as well as the email accounts
that they used

999
00:56:05.753 --> 00:56:07.929
to send the initial
spear-phishing messages,

1000
00:56:07.929 --> 00:56:12.499
we were able to map this back
to an attacker back in 2014.

1001
00:56:15.415 --> 00:56:18.505
Sony Pictures is mainly housed
in Culver City.

1002
00:56:18.505 --> 00:56:20.507
And in 2014,

1003
00:56:20.507 --> 00:56:24.598
Sony Pictures went down,
which was unheard of.

1004
00:56:24.598 --> 00:56:26.078
On that day in November,

1005
00:56:26.078 --> 00:56:28.559
people would have come in,
tried to swipe their badge

1006
00:56:28.559 --> 00:56:30.778
and not even be able
to get into the office.

1007
00:56:30.778 --> 00:56:32.780
They get
into the building finally

1008
00:56:32.780 --> 00:56:35.957
and then they discover that
nothing else is working either.

1009
00:56:35.957 --> 00:56:40.005
Printers aren't working,
computers aren't working.

1010
00:56:40.005 --> 00:56:43.225
People who had laptops
connected to the network

1011
00:56:43.225 --> 00:56:44.966
would have immediately seen

1012
00:56:44.966 --> 00:56:47.926
skulls and crossbones
show up on their screens,

1013
00:56:47.926 --> 00:56:51.016
scrolling with scary
<i>Halloween</i>-type music

1014
00:56:51.016 --> 00:56:52.496
playing in the background.

1015
00:56:52.496 --> 00:56:55.716
And it said,
"Hacked by the GOP."

1016
00:56:55.716 --> 00:56:58.980
Guardians of the Peace.

1017
00:56:58.980 --> 00:57:02.027
A mysterious crew of hackers,

1018
00:57:02.027 --> 00:57:05.987
also known as the Lazarus Group.

1019
00:57:05.987 --> 00:57:08.120
We'd call them
the Lazarus Group.

1020
00:57:08.120 --> 00:57:09.251
They've been responsible

1021
00:57:09.251 --> 00:57:11.123
for many, many attacks
over the years.

1022
00:57:11.123 --> 00:57:13.342
You know, political statements

1023
00:57:13.342 --> 00:57:15.954
and bringing down some
websites in South Korea

1024
00:57:15.954 --> 00:57:20.306
and also the White House in the
United States and the Pentagon.

1025
00:57:20.306 --> 00:57:23.875
Now, at this point,
the penny has dropped.

1026
00:57:23.875 --> 00:57:26.007
Sony has been hacked.

1027
00:57:26.007 --> 00:57:28.662
The hack attack
has had a devastating effect

1028
00:57:28.662 --> 00:57:31.491
on the entertainment company,
with an avalanche of leaks

1029
00:57:31.491 --> 00:57:34.189
revealing personal information
of employees

1030
00:57:34.189 --> 00:57:37.497
and salacious email exchanges
of A-list celebrities.

1031
00:57:37.497 --> 00:57:40.500
They ultimately compromised
Sony Pictures Network,

1032
00:57:40.500 --> 00:57:43.851
got inside
and wiped 10,000 computers.

1033
00:57:43.851 --> 00:57:45.592
On top of that,
they actually stole

1034
00:57:45.592 --> 00:57:48.682
all kinds of documents
and emails from Sony Pictures.

1035
00:57:48.682 --> 00:57:50.815
The hack
on Sony Pictures

1036
00:57:50.815 --> 00:57:53.382
is rocking Hollywood's
very foundation;

1037
00:57:53.382 --> 00:57:56.037
the industry,
warts and all, exposed.

1038
00:57:56.037 --> 00:57:59.258
Initially, we had no link
between the SWIFT attack

1039
00:57:59.258 --> 00:58:01.956
and the Sony Pictures attack.

1040
00:58:01.956 --> 00:58:04.481
But when we were looking
at the malware,

1041
00:58:04.481 --> 00:58:06.395
we found an interesting detail.

1042
00:58:06.395 --> 00:58:09.573
There was a component
called an indexing manager,

1043
00:58:09.573 --> 00:58:13.011
which was saving the logs
during the SWIFT attack

1044
00:58:13.011 --> 00:58:15.492
into an encrypted file.

1045
00:58:15.492 --> 00:58:18.538
The file was encrypted
with a really long key,

1046
00:58:18.538 --> 00:58:22.063
and when we just
googled for the key,

1047
00:58:22.063 --> 00:58:25.284
we found that the same key, exactly,

1048
00:58:25.284 --> 00:58:30.594
was used 18 months earlier
in the Sony Pictures attack.

1049
00:58:31.769 --> 00:58:34.119
This was
the moment we realised

1050
00:58:34.119 --> 00:58:36.077
the Bangladeshi SWIFT attack

1051
00:58:36.077 --> 00:58:39.733
was probably perpetrated
by the Lazarus Group.

1052
00:58:40.691 --> 00:58:42.301
So, who is Lazarus?

1053
00:58:42.301 --> 00:58:43.781
Well, from what we know,

1054
00:58:43.781 --> 00:58:46.740
they're a trans-global
criminal organisation

1055
00:58:46.740 --> 00:58:51.571
that's been trained
at a nation-state level.

1056
00:58:51.571 --> 00:58:55.444
The nation states really started
coming in on a criminal side...

1057
00:58:57.055 --> 00:58:59.231
when sanctions started.

1058
00:58:59.231 --> 00:59:02.277
When we start limiting
the capability of a nation

1059
00:59:02.277 --> 00:59:05.411
to get cash, and we up
the methodology

1060
00:59:05.411 --> 00:59:07.979
to monitor
the way they're getting cash,

1061
00:59:07.979 --> 00:59:11.025
they turn to different approaches.

1062
00:59:11.025 --> 00:59:13.898
So if you're a country
that's under sanction

1063
00:59:13.898 --> 00:59:17.162
and your ability to get funds
has been compromised,

1064
00:59:17.162 --> 00:59:20.121
you may be motivated to
go to the Lazarus Group

1065
00:59:20.121 --> 00:59:23.429
to fix your problem.

1066
00:59:23.429 --> 00:59:25.649
It's like a job for them.
It <i>is</i> a job for them.

1067
00:59:25.649 --> 00:59:27.694
They get recruited.
It's a nine-to-five job.

1068
00:59:27.694 --> 00:59:30.958
They come in, and each
of them has their specialties.

1069
00:59:30.958 --> 00:59:32.351
They have managers,

1070
00:59:32.351 --> 00:59:35.223
they have targets that
they're told to go after.

1071
00:59:35.223 --> 00:59:37.356
When you talk about
nation states,

1072
00:59:37.356 --> 00:59:39.619
obviously,
for your average nation state,

1073
00:59:39.619 --> 00:59:42.927
most cyber offensive campaigns
are under the military.

1074
00:59:42.927 --> 00:59:45.712
It's very similar to how
a military organisation

1075
00:59:45.712 --> 00:59:49.020
would be organised for their
cyber offensive campaigns.

1076
00:59:49.020 --> 00:59:51.457
There is a hotel,
for example, in China

1077
00:59:51.457 --> 00:59:53.590
where they've taken over
multiple floors

1078
00:59:53.590 --> 00:59:55.635
where they essentially
have dormitories.

1079
00:59:55.635 --> 00:59:59.073
They go to sleep in that hotel,
they eat in that hotel,

1080
00:59:59.073 --> 01:00:01.423
and they don't come
out of that hotel.

1081
01:00:01.423 --> 01:00:04.078
They just move from
one room to another,

1082
01:00:04.078 --> 01:00:05.863
hack all day and night.

1083
01:00:08.039 --> 01:00:10.650
And the Lazarus Group
is thought to be made up

1084
01:00:10.650 --> 01:00:13.392
of these state-trained hackers.

1085
01:00:18.745 --> 01:00:21.226
What's amazing about cyber,

1086
01:00:21.226 --> 01:00:23.794
when you talk about
nation states,

1087
01:00:23.794 --> 01:00:27.319
is the cost to entry
is extremely low.

1088
01:00:27.319 --> 01:00:29.713
We have nation states
who have been

1089
01:00:29.713 --> 01:00:33.194
trying to create
nuclear missiles,

1090
01:00:33.194 --> 01:00:35.066
tried to create
a nuclear programme.

1091
01:00:35.066 --> 01:00:36.981
Places like Iran, for example.

1092
01:00:36.981 --> 01:00:41.507
The dollars it costs to do so,
it's extraordinary.

1093
01:00:41.507 --> 01:00:44.684
But if you want to build
a cyber offensive campaign,

1094
01:00:44.684 --> 01:00:46.991
you get two, three,
four, five guys

1095
01:00:46.991 --> 01:00:50.472
and potentially threaten
to disable the power grid

1096
01:00:50.472 --> 01:00:52.039
in some country.

1097
01:00:52.039 --> 01:00:54.476
When you talk about
trying to rob a bank

1098
01:00:54.476 --> 01:00:57.175
or produce illicit drugs
and sell them,

1099
01:00:57.175 --> 01:00:59.830
the amount of people
required on the ground,

1100
01:00:59.830 --> 01:01:01.266
the amount of connections,

1101
01:01:01.266 --> 01:01:03.442
and for the dollars
that you would receive,

1102
01:01:03.442 --> 01:01:04.922
is nothing compared to,

1103
01:01:04.922 --> 01:01:07.446
"Let's get three guys,
break into a bank

1104
01:01:07.446 --> 01:01:10.667
and potentially
transfer $1 billion."

1105
01:01:16.063 --> 01:01:20.502
Back in the VIP room
of the Solaire Casino in Manila,

1106
01:01:20.502 --> 01:01:24.942
the money-laundering operation
is in full flight.

1107
01:01:26.683 --> 01:01:29.729
They just spend hours
upon hours gambling away,

1108
01:01:29.729 --> 01:01:31.296
collecting chips.

1109
01:01:31.296 --> 01:01:33.733
They transfer those chips
back into cold, hard currency.

1110
01:01:33.733 --> 01:01:36.693
You put a hundred
gamblers into the VIP lounge

1111
01:01:36.693 --> 01:01:40.784
playing cash, so maybe the house
has a one or two percent margin.

1112
01:01:40.784 --> 01:01:43.743
But all the rest is untraceable
money that they walk out with.

1113
01:01:43.743 --> 01:01:46.006
What's interesting
about these individuals,

1114
01:01:46.006 --> 01:01:47.704
they weren't interested
in winning.

1115
01:01:47.704 --> 01:01:50.184
They were just interested
in playing.

1116
01:01:50.184 --> 01:01:51.620
If you lose the money,

1117
01:01:51.620 --> 01:01:53.405
the money doesn't go
to the casino,

1118
01:01:53.405 --> 01:01:54.928
it goes to the other players.

1119
01:01:54.928 --> 01:01:58.410
So you can play the table
where the other players are,

1120
01:01:58.410 --> 01:01:59.846
your partners.

1121
01:01:59.846 --> 01:02:02.196
Then you can lose
the dirty money on purpose,

1122
01:02:02.196 --> 01:02:04.024
moving the money
to your partners.

1123
01:02:04.024 --> 01:02:05.678
Now it's cashed out.

1124
01:02:05.678 --> 01:02:09.073
Now it looks like it came from a
great win in a poker tournament

1125
01:02:09.073 --> 01:02:11.640
instead of being stolen
from somewhere.

1126
01:02:11.640 --> 01:02:14.513
So, casinos are a good way
of laundering money.

1127
01:02:14.513 --> 01:02:17.342
Real-world criminals have
done that for decades.

1128
01:02:17.342 --> 01:02:20.606
Online criminals
are doing it today.

1129
01:02:20.606 --> 01:02:23.740
They played for a whole week,
that whole lunar week,

1130
01:02:23.740 --> 01:02:25.698
every day, like workers,

1131
01:02:25.698 --> 01:02:28.309
nine to five, essentially,
in that casino.

1132
01:02:33.358 --> 01:02:36.361
Finally, the Chinese
New Year celebrations

1133
01:02:36.361 --> 01:02:37.884
have come to an end.

1134
01:02:37.884 --> 01:02:42.280
The staff at the RCBC bank
in Manila are back at work.

1135
01:02:44.369 --> 01:02:47.328
Now, the Bangladesh Bank
is still desperately trying

1136
01:02:47.328 --> 01:02:49.417
to put a stop
on any further withdrawals

1137
01:02:49.417 --> 01:02:52.159
from those accounts
in the Bank of the Philippines.

1138
01:02:52.159 --> 01:02:54.509
They've lost
$22 million already,

1139
01:02:54.509 --> 01:02:58.818
but there's still $59 million
left that they can save.

1140
01:02:58.818 --> 01:03:01.865
They're firing message
after message to Manila,

1141
01:03:01.865 --> 01:03:04.737
"Hold all transactions."

1142
01:03:04.737 --> 01:03:07.087
In the Philippines,
they got those messages.

1143
01:03:07.087 --> 01:03:08.567
They got those messages

1144
01:03:08.567 --> 01:03:10.830
as part of many other
transaction messages they got

1145
01:03:10.830 --> 01:03:12.701
that were sitting in
a printer queue

1146
01:03:12.701 --> 01:03:14.051
at the bottom of the stack,

1147
01:03:14.051 --> 01:03:16.357
and ultimately, they never
saw those messages.

1148
01:03:16.357 --> 01:03:20.797
At this point, the fence
gets in touch with the manager

1149
01:03:20.797 --> 01:03:22.799
of the bank in Jupiter Street.

1150
01:03:22.799 --> 01:03:26.672
"Can you please authorise
the transfer of $59 million?"

1151
01:03:26.672 --> 01:03:29.849
She authorises that $59 million.

1152
01:03:29.849 --> 01:03:34.114
It goes straight
to the Solaire Casino.

1153
01:03:34.114 --> 01:03:36.029
More money laundering.

1154
01:03:37.901 --> 01:03:39.424
Five hours later,

1155
01:03:39.424 --> 01:03:44.037
after increasingly urgent calls
from the Bangladesh Bank,

1156
01:03:44.037 --> 01:03:50.000
the manager finally puts a block
on all of the accounts.

1157
01:03:50.000 --> 01:03:52.829
But, really, it's too late.

1158
01:03:52.829 --> 01:03:54.831
The money's gone.

1159
01:03:59.139 --> 01:04:02.273
It's incredible when you think
what the Lazarus Group

1160
01:04:02.273 --> 01:04:05.885
was able to pull off with
just some ones and zeros.

1161
01:04:05.885 --> 01:04:07.756
They guide their bespoke malware

1162
01:04:07.756 --> 01:04:10.020
into the computer network
of a bank,

1163
01:04:10.020 --> 01:04:11.717
and then a year later,

1164
01:04:11.717 --> 01:04:15.025
they're literally washing
$100 million

1165
01:04:15.025 --> 01:04:17.331
through a casino
in the Philippines.

1166
01:04:17.331 --> 01:04:19.856
It's astonishing.

1167
01:04:19.856 --> 01:04:22.336
But what's really, really scary

1168
01:04:22.336 --> 01:04:25.687
is what happened
just a year later.

1169
01:04:27.428 --> 01:04:29.561
Now back to
the major cyber-attack,

1170
01:04:29.561 --> 01:04:34.087
the ransomware crippling 200,000
computers in 150 countries.

1171
01:04:34.087 --> 01:04:37.699
The thousands of targets all
received this ominous message

1172
01:04:37.699 --> 01:04:39.745
in English on their screens:

1173
01:04:49.276 --> 01:04:54.151
Everyone was basically locked up
with this malware

1174
01:04:54.151 --> 01:04:58.329
that we discovered had been
launched by the same attackers

1175
01:04:58.329 --> 01:05:01.158
as the Central Bank
of Bangladesh.

1176
01:05:01.158 --> 01:05:03.377
So they design this malware,

1177
01:05:03.377 --> 01:05:05.989
and then they lose
control of it entirely.

1178
01:05:05.989 --> 01:05:08.121
And that caused chaos.

1179
01:05:08.121 --> 01:05:11.385
Ambulances were
diverted to other hospitals.

1180
01:05:11.385 --> 01:05:14.823
Patients were turned away,
their operations cancelled.

1181
01:05:14.823 --> 01:05:17.696
You know,
the first sign that something

1182
01:05:17.696 --> 01:05:21.961
was seriously wrong was when
hospitals in the United Kingdom

1183
01:05:21.961 --> 01:05:24.529
started telling patients,
"Don't come."

1184
01:05:24.529 --> 01:05:28.533
That their systems had been
locked up with ransomware.

1185
01:05:28.533 --> 01:05:33.625
It's unclear if it was
accidentally released too early,

1186
01:05:33.625 --> 01:05:35.018
it appears so,

1187
01:05:35.018 --> 01:05:37.890
or if it was
designed not to work

1188
01:05:37.890 --> 01:05:41.241
and just begin wiping computers,
because it didn't matter.

1189
01:05:41.241 --> 01:05:44.157
Even if you paid them, you would
not get the decryption key.

1190
01:05:44.157 --> 01:05:45.985
They didn't have
the decryption key.

1191
01:05:45.985 --> 01:05:48.118
They couldn't decrypt your files anymore.

1192
01:05:48.118 --> 01:05:50.816
Japan, Turkey
and the Philippines

1193
01:05:50.816 --> 01:05:54.733
were also affected.
In the US, FedEx was hit.

1194
01:05:54.733 --> 01:05:59.694
That virulent virus
spiralled out of control.

1195
01:05:59.694 --> 01:06:04.047
In Germany, it attacked the
network of the Deutsche Bahn,

1196
01:06:04.047 --> 01:06:05.439
German Railway.

1197
01:06:05.439 --> 01:06:09.400
In Spain,
WannaCry hit Telefonica,

1198
01:06:09.400 --> 01:06:12.359
the biggest telecommunications company.

1199
01:06:12.359 --> 01:06:16.537
It hit the banking systems,
and ATMs didn't work.

1200
01:06:16.537 --> 01:06:21.847
This thing was hitting companies
in something like 150 countries.

1201
01:06:21.847 --> 01:06:23.588
Other targets in the US

1202
01:06:23.588 --> 01:06:26.025
include Merck Pharmaceutical
in New Jersey.

1203
01:06:26.025 --> 01:06:28.810
Even the company that makes
Oreo cookies may have been hit.

1204
01:06:28.810 --> 01:06:32.945
So, you had the health
service, you had transport,

1205
01:06:32.945 --> 01:06:36.470
you had communications,
you had the finance system,

1206
01:06:36.470 --> 01:06:37.906
and you had governance

1207
01:06:37.906 --> 01:06:42.824
all with one tiny piece
of crappy malware, WannaCry.

1208
01:06:42.824 --> 01:06:44.130
In other attacks,

1209
01:06:44.130 --> 01:06:46.002
they have to send you
a spear-phishing email,

1210
01:06:46.002 --> 01:06:48.047
trick you into double-clicking
on an attachment.

1211
01:06:48.047 --> 01:06:50.180
In this case, your computer
just had to be on,

1212
01:06:50.180 --> 01:06:51.485
connected to the internet,

1213
01:06:51.485 --> 01:06:54.053
and it would have got infected
by WannaCry.

1214
01:06:54.053 --> 01:06:57.274
It succeeded because
the crappy malware

1215
01:06:57.274 --> 01:07:00.407
was being infiltrated
into the systems

1216
01:07:00.407 --> 01:07:03.193
on the back
of a much more powerful tool

1217
01:07:03.193 --> 01:07:04.803
called EternalBlue,

1218
01:07:04.803 --> 01:07:08.459
which had been developed by
the National Security Agency

1219
01:07:08.459 --> 01:07:10.417
in the United States.

1220
01:07:10.417 --> 01:07:12.637
The thing the NSA
never wanted to talk about

1221
01:07:12.637 --> 01:07:15.640
was the fact that it was
travelling on a digital missile

1222
01:07:15.640 --> 01:07:19.426
that had been built
at its own intelligence agency.

1223
01:07:19.426 --> 01:07:22.560
They repurposed something
created by the US government,

1224
01:07:22.560 --> 01:07:24.170
leaked
by the Russian government,

1225
01:07:24.170 --> 01:07:26.825
put it into their ransomware
that allowed it to spread

1226
01:07:26.825 --> 01:07:30.742
all over the world,
any computer on at that time.

1227
01:07:30.742 --> 01:07:34.006
So one crappy piece
of malware

1228
01:07:34.006 --> 01:07:36.878
can hit every single aspect

1229
01:07:36.878 --> 01:07:39.142
of the critical national infrastructure

1230
01:07:39.142 --> 01:07:42.971
within the space
of about ten days

1231
01:07:42.971 --> 01:07:44.886
in different countries.

1232
01:07:57.508 --> 01:08:00.728
Eventually, there's a court case
after about a month.

1233
01:08:00.728 --> 01:08:03.601
There's a court case in Manila.

1234
01:08:03.601 --> 01:08:06.908
Ultimately, the bank manager
didn't want anyone to find out.

1235
01:08:06.908 --> 01:08:08.388
But when he finally got in touch

1236
01:08:08.388 --> 01:08:10.825
with the Bank
of the Philippines, they said,

1237
01:08:10.825 --> 01:08:12.827
"If you need this money returned,

1238
01:08:12.827 --> 01:08:15.700
you need to get a court order."
So he files a court order,

1239
01:08:15.700 --> 01:08:18.006
but court orders are public
in the Philippines,

1240
01:08:18.006 --> 01:08:19.573
like in many other countries.

1241
01:08:19.573 --> 01:08:22.576
A reporter spots it and realises
that this has happened,

1242
01:08:22.576 --> 01:08:25.101
publishes it in a newspaper,
and it all comes out.

1243
01:08:25.101 --> 01:08:28.016
The $81 million
money-laundering scandal

1244
01:08:28.016 --> 01:08:31.672
is now considered one of
the biggest bank heists in Asia.

1245
01:08:31.672 --> 01:08:33.805
But how exactly
did thieves steal

1246
01:08:33.805 --> 01:08:35.981
such a huge amount of money?

1247
01:08:35.981 --> 01:08:37.461
Not just known
in the Philippines

1248
01:08:37.461 --> 01:08:38.679
and the Bank of Bangladesh,

1249
01:08:38.679 --> 01:08:40.377
when the Bangladesh
government finds out

1250
01:08:40.377 --> 01:08:42.901
the bank manager has been
doing this behind the scenes,

1251
01:08:42.901 --> 01:08:44.337
but the whole world finds out.

1252
01:08:44.337 --> 01:08:46.774
And ultimately,
the Bangladesh Bank

1253
01:08:46.774 --> 01:08:48.863
needs to get assistance
from the FBI.

1254
01:08:48.863 --> 01:08:52.171
The New York Fed is involved.
The United States is involved.

1255
01:08:52.171 --> 01:08:54.304
This becomes
a whole worldwide issue

1256
01:08:54.304 --> 01:08:57.220
and begins to ripple across
the financial industry

1257
01:08:57.220 --> 01:08:58.743
that this was even possible.

1258
01:08:58.743 --> 01:09:00.527
Experts believe that hackers

1259
01:09:00.527 --> 01:09:04.183
were able to break into the
New York Federal Reserve's

1260
01:09:04.183 --> 01:09:06.403
special account for Bangladesh,

1261
01:09:06.403 --> 01:09:09.754
getting away with $81 million.

1262
01:09:09.754 --> 01:09:13.236
Now, Bangladesh's Central Bank
governor, Atiur Rahman,

1263
01:09:13.236 --> 01:09:16.935
has resigned after hackers stole
tens of millions of dollars

1264
01:09:16.935 --> 01:09:19.198
from the nation's
foreign reserves.

1265
01:09:19.198 --> 01:09:23.159
The bank was criticised for
its handling of the breach...

1266
01:09:23.159 --> 01:09:26.162
The governor was
an excellent central banker.

1267
01:09:26.162 --> 01:09:27.902
I have a lot of respect for him.

1268
01:09:27.902 --> 01:09:32.298
He was deemed one of the top
bankers by the Asia <i>MoneyWeek.</i>

1269
01:09:32.298 --> 01:09:34.126
And poor fellow, that time,

1270
01:09:34.126 --> 01:09:36.737
he was faced with
this sort of scenario

1271
01:09:36.737 --> 01:09:39.827
which he honestly
didn't understand.

1272
01:09:39.827 --> 01:09:42.787
He had really pushed
the financial system

1273
01:09:42.787 --> 01:09:45.529
in Bangladesh into
the 21st century.

1274
01:09:45.529 --> 01:09:48.575
He had to essentially fall
on his sword and resign

1275
01:09:48.575 --> 01:09:51.404
in disgrace,
and his career was ruined.

1276
01:09:51.404 --> 01:09:54.190
Many others at the bank
had to resign as well.

1277
01:09:54.190 --> 01:09:57.758
An emotional Maia Deguito,
the manager of the RCBC branch

1278
01:09:57.758 --> 01:10:01.153
in Jupiter Street in Makati,
insists she is innocent

1279
01:10:01.153 --> 01:10:02.763
in the face of accusations

1280
01:10:02.763 --> 01:10:05.636
she is involved in the
money-laundering scheme.

1281
01:10:05.636 --> 01:10:08.247
So far, only the branch manager

1282
01:10:08.247 --> 01:10:11.468
has been charged by the
Anti-Money Laundering Council.

1283
01:10:11.468 --> 01:10:14.384
One of the great
injustices of this whole scandal

1284
01:10:14.384 --> 01:10:17.343
is that the only person who
got convicted of anything

1285
01:10:17.343 --> 01:10:18.953
was Maia Deguito,

1286
01:10:18.953 --> 01:10:22.696
and she was just the mid-level
branch manager of the RCBC,

1287
01:10:22.696 --> 01:10:26.874
the bank in the Philippines
that received the actual funds.

1288
01:10:26.874 --> 01:10:28.180
Typical, isn't it?

1289
01:10:28.180 --> 01:10:30.965
A crime that was conceived
and carried out

1290
01:10:30.965 --> 01:10:32.402
by a whole bunch of men,

1291
01:10:32.402 --> 01:10:35.535
and the only person who
gets done for it is a woman

1292
01:10:35.535 --> 01:10:38.538
who probably wasn't that
guilty in the first place.

1293
01:10:38.538 --> 01:10:41.802
But she received a sentence
of 56 years in jail

1294
01:10:41.802 --> 01:10:44.979
and a fine of $109 million,

1295
01:10:44.979 --> 01:10:49.506
which is significantly more
than the thieves actually stole.

1296
01:10:50.985 --> 01:10:52.291
To my mind,

1297
01:10:52.291 --> 01:10:54.424
there's no question
that she was a scapegoat.

1298
01:10:54.424 --> 01:10:58.297
I mean, the currency traders
who turned that $81 million

1299
01:10:58.297 --> 01:11:01.300
into pesos got off scot-free.

1300
01:11:01.300 --> 01:11:03.737
There are a couple of
Chinese operators

1301
01:11:03.737 --> 01:11:06.566
who brought these gamblers
in from China.

1302
01:11:06.566 --> 01:11:10.396
We know that they received tens
of millions of dollars in cash.

1303
01:11:10.396 --> 01:11:15.314
They vanished back to Macau.
No trace of them was ever found.

1304
01:11:15.314 --> 01:11:17.751
We can't say for sure,
but certainly it looks like

1305
01:11:17.751 --> 01:11:20.798
people at the Rizal Bank headquarters

1306
01:11:20.798 --> 01:11:23.888
buried these requests
to stop these transactions.

1307
01:11:23.888 --> 01:11:27.239
But nobody else at the Rizal
Bank was ever accused.

1308
01:11:27.239 --> 01:11:31.199
Oddly enough, in this giant
scheme that involved

1309
01:11:31.199 --> 01:11:34.986
a half a dozen countries,
nearly $1 billion,

1310
01:11:34.986 --> 01:11:40.208
only one bank employee
in a small branch in Manila

1311
01:11:40.208 --> 01:11:42.646
was ever convicted of
doing anything wrong.

1312
01:11:42.646 --> 01:11:46.040
It's incredible. Total impunity.

1313
01:11:52.395 --> 01:11:54.788
I think the most
important lesson

1314
01:11:54.788 --> 01:11:57.878
of the Bangladesh Bank

1315
01:11:57.878 --> 01:11:59.880
is a lesson of scale.

1316
01:11:59.880 --> 01:12:01.882
The internet is
a fantastic thing.

1317
01:12:01.882 --> 01:12:04.320
It's made our world
much, much smaller.

1318
01:12:04.320 --> 01:12:07.061
You can do all sorts of things.
It's fantastic.

1319
01:12:07.061 --> 01:12:08.933
But that interconnectivity,

1320
01:12:08.933 --> 01:12:11.805
where everything
is linked to everything else,

1321
01:12:11.805 --> 01:12:15.418
means that if you get bad actors
in that system,

1322
01:12:15.418 --> 01:12:17.245
then the damage

1323
01:12:17.245 --> 01:12:22.076
is infinitely more immense
than it was before.

1324
01:12:23.687 --> 01:12:25.993
When I started this job
two decades ago,

1325
01:12:25.993 --> 01:12:29.083
you had to explain to people,
what is a virus?

1326
01:12:29.083 --> 01:12:31.042
What is a cyber-attack?

1327
01:12:31.042 --> 01:12:33.392
Today, we don't talk about

1328
01:12:33.392 --> 01:12:36.439
making sure this file doesn't
get deleted any more.

1329
01:12:36.439 --> 01:12:40.573
We literally talk about making
sure the supply chain is up,

1330
01:12:40.573 --> 01:12:42.619
food can reach people's tables.

1331
01:12:42.619 --> 01:12:45.665
Our job is not just to protect
people's computers.

1332
01:12:45.665 --> 01:12:49.060
Our job is to ensure
society is up and running.

1333
01:12:49.060 --> 01:12:52.063
Everything
that we use now,

1334
01:12:52.063 --> 01:12:53.978
water, electricity,

1335
01:12:53.978 --> 01:12:56.937
the financial system,
the comms system,

1336
01:12:56.937 --> 01:12:58.548
depends on the integrity

1337
01:12:58.548 --> 01:13:03.683
of unbelievably complex
networked computer systems.

1338
01:13:03.683 --> 01:13:07.992
And our dependence
is becoming such

1339
01:13:07.992 --> 01:13:10.386
that, should anything go wrong,

1340
01:13:10.386 --> 01:13:13.171
be it a technical hitch
or be it a hack,

1341
01:13:13.171 --> 01:13:17.131
it can actually lead
to our lives grinding to a halt

1342
01:13:17.131 --> 01:13:19.525
in a very short space of time.

1343
01:13:20.483 --> 01:13:22.136
We're sort of in a state

1344
01:13:22.136 --> 01:13:24.617
where we're increasing
our vulnerability

1345
01:13:24.617 --> 01:13:27.359
and our attack surface
every single day.

1346
01:13:27.359 --> 01:13:29.796
And instead of pausing

1347
01:13:29.796 --> 01:13:32.799
and thinking about
how to lock up our power grid,

1348
01:13:32.799 --> 01:13:37.848
really, where our energy has
been focused is on escalation.

1349
01:13:37.848 --> 01:13:41.373
Countries like the United
States, China and Russia

1350
01:13:41.373 --> 01:13:44.550
have already arrogated
the right to themselves

1351
01:13:44.550 --> 01:13:47.335
to attack with full force,

1352
01:13:47.335 --> 01:13:50.034
whether cyber
or conventional weapons,

1353
01:13:50.034 --> 01:13:51.905
against anyone who brings down

1354
01:13:51.905 --> 01:13:56.519
a serious piece of critical
national infrastructure.

1355
01:13:56.519 --> 01:14:01.480
We've had Stuxnet blowing
up the Natanz centrifuge plant.

1356
01:14:01.480 --> 01:14:04.962
We've had ransomware attacks,
which hit the Eastern Seaboard.

1357
01:14:04.962 --> 01:14:07.007
There was no gas
to the Eastern Seaboard

1358
01:14:07.007 --> 01:14:09.619
for a whole week
in the United States.

1359
01:14:09.619 --> 01:14:11.751
We had Russia
against the Ukraine,

1360
01:14:11.751 --> 01:14:14.537
shutting out the power
in the middle of winter.

1361
01:14:14.537 --> 01:14:17.453
We're talking about
people losing their lives.

1362
01:14:17.453 --> 01:14:19.019
We've also had cyber-attacks

1363
01:14:19.019 --> 01:14:21.413
that potentially affected
US elections.

1364
01:14:21.413 --> 01:14:23.763
We had the healthcare in the UK
brought down,

1365
01:14:23.763 --> 01:14:25.939
dialysis machines
no longer working.

1366
01:14:25.939 --> 01:14:29.421
This is an extremely
fragile situation,

1367
01:14:29.421 --> 01:14:33.599
much more fragile
than the period of détente,

1368
01:14:33.599 --> 01:14:37.255
because so many more
countries have these weapons.

1369
01:14:37.255 --> 01:14:41.389
Malware is much more difficult
to control than nuclear weapons.

1370
01:14:41.389 --> 01:14:44.871
People always warn me
of the cyber Pearl Harbor

1371
01:14:44.871 --> 01:14:47.091
or the cyber 9/11,

1372
01:14:47.091 --> 01:14:49.746
but it's almost worse than that.

1373
01:14:49.746 --> 01:14:53.619
Every day, there are thousands
of cyber-attacks,

1374
01:14:53.619 --> 01:14:58.232
and we're just getting more and
more and more inured to them.

1375
01:14:59.016 --> 01:15:00.887
It's like a plague.

1376
01:15:00.887 --> 01:15:05.152
I think we'll see much
more hostile cyber activity,

1377
01:15:05.152 --> 01:15:07.851
much more cyber bank robberies,

1378
01:15:07.851 --> 01:15:09.983
much more cyber espionage.

1379
01:15:09.983 --> 01:15:13.030
We'll see much more cyber war.

1380
01:15:13.030 --> 01:15:15.815
In many ways,
I think we've seen nothing yet.

1381
01:15:15.815 --> 01:15:19.253
As attacks increase
in their sophistication

1382
01:15:19.253 --> 01:15:21.386
and their range,

1383
01:15:21.386 --> 01:15:25.346
then the impact
can be ever greater.

1384
01:15:25.346 --> 01:15:29.873
There is a cyber-attack on
critical national infrastructure

1385
01:15:29.873 --> 01:15:31.744
coming to a place near you

1386
01:15:31.744 --> 01:15:35.269
within the next
five to ten years.

1387
01:15:35.269 --> 01:15:38.708
If it's done well,
and if it's really malicious,

1388
01:15:38.708 --> 01:15:41.232
that could be catastrophic.

1389
01:15:43.016 --> 01:15:47.586
What's amazing about the
Bank of Bangladesh heist is...

1390
01:15:47.586 --> 01:15:51.285
they almost walked away
with $1 billion.

1391
01:15:54.071 --> 01:15:56.203
The mistakes that they made

1392
01:15:56.203 --> 01:15:59.990
that led to them only walking
with $81 million

1393
01:15:59.990 --> 01:16:02.862
were literally a typo in a name

1394
01:16:02.862 --> 01:16:05.082
and potentially
not being patient enough,

1395
01:16:05.082 --> 01:16:06.562
waiting just one more hour.

1396
01:16:06.562 --> 01:16:09.913
We could be telling
a completely different story.

1397
01:16:09.913 --> 01:16:11.828
Presumably, these guys

1398
01:16:11.828 --> 01:16:15.309
kept perhaps 95 percent
of that cash.

1399
01:16:15.309 --> 01:16:16.528
You could walk out

1400
01:16:16.528 --> 01:16:18.399
with 95 percent
of what you came in with,

1401
01:16:18.399 --> 01:16:21.838
have nobody trace that money,
no record of it whatsoever,

1402
01:16:21.838 --> 01:16:26.233
and get on a plane with it,
and you're home free.

1403
01:16:26.233 --> 01:16:30.760
Even if you had invested
a year's work,

1404
01:16:30.760 --> 01:16:35.460
that you had recruited
a really decent set of hackers,

1405
01:16:35.460 --> 01:16:39.899
that you had corrupted
bank officials,

1406
01:16:39.899 --> 01:16:43.947
you'll be looking at a profit
of about $75 million.

1407
01:16:43.947 --> 01:16:47.037
For a year's work,
not a bad pay-off.

1408
01:16:49.126 --> 01:16:52.999
The Bank of Bangladesh heist
showed them what was possible.

1409
01:16:54.392 --> 01:16:56.742
They proved that
they could do it.

1410
01:17:01.617 --> 01:17:03.662
After that attack,
it didn't stop.

1411
01:17:03.662 --> 01:17:07.840
We saw continued attacks
on various banks across Asia,

1412
01:17:07.840 --> 01:17:10.451
I think in
the Philippines again.

1413
01:17:10.451 --> 01:17:14.673
And also, they started hacking
the cryptocurrency exchanges,

1414
01:17:14.673 --> 01:17:18.546
where people store their Bitcoin
and Monero digital currency,

1415
01:17:18.546 --> 01:17:21.724
which has proved to be
incredibly lucrative for them.

1416
01:17:23.726 --> 01:17:25.684
In 2017,
Lazarus was thought

1417
01:17:25.684 --> 01:17:27.338
to have successfully attacked

1418
01:17:27.338 --> 01:17:31.995
at least five Asian
cryptocurrency exchanges.

1419
01:17:31.995 --> 01:17:37.827
That's a total of
$571 million that was lost.

1420
01:17:37.827 --> 01:17:41.134
Cryptocurrency exchanges
just have the bare minimum

1421
01:17:41.134 --> 01:17:43.659
of security, we're learning now.

1422
01:17:43.659 --> 01:17:46.923
In 2020, as the global
pandemic spiralled,

1423
01:17:46.923 --> 01:17:50.143
AstraZeneca, makers of
one of the key vaccines,

1424
01:17:50.143 --> 01:17:53.538
was hit by an attack,
extorting the company

1425
01:17:53.538 --> 01:17:56.846
and stealing sensitive
information for profit.

1426
01:17:58.064 --> 01:18:00.632
The sums involved
are astronomical,

1427
01:18:00.632 --> 01:18:03.940
and Lazarus is still
very much at large.

1428
01:18:06.246 --> 01:18:11.774
They have been designated
by the United States an APT;

1429
01:18:11.774 --> 01:18:13.863
that's an
advanced persistent threat.

1430
01:18:13.863 --> 01:18:16.692
Now, the fundamental criteria

1431
01:18:16.692 --> 01:18:20.478
is that they represent a threat

1432
01:18:20.478 --> 01:18:24.612
to US national security
and national infrastructure.

1433
01:18:24.612 --> 01:18:28.486
So, just by dint of it
being called an APT

1434
01:18:28.486 --> 01:18:33.404
means that the Lazarus Group
is serious stuff.

1435
01:18:33.404 --> 01:18:35.623
Marvel fans,
think HYDRA.

1436
01:18:35.623 --> 01:18:38.801
James Bond films,
think of SPECTRE.

1437
01:18:38.801 --> 01:18:40.237
It's something like that.

1438
01:18:43.762 --> 01:18:47.635
Now, it's tempting to
think this comparison is absurd,

1439
01:18:47.635 --> 01:18:51.074
but this is the scale
that Lazarus operates on.

1440
01:18:51.074 --> 01:18:54.294
Arguably, they're the most
potent cyber criminals

1441
01:18:54.294 --> 01:18:56.427
in business today.

1442
01:18:56.427 --> 01:19:00.300
So the nation state's
involvement in cybercrime

1443
01:19:00.300 --> 01:19:02.955
means that cybercrime
has actually morphed

1444
01:19:02.955 --> 01:19:05.653
into cyber warfare.

1445
01:19:05.653 --> 01:19:08.613
You can have zero trust
in these systems.

1446
01:19:08.613 --> 01:19:12.095
You need to assume that
everything has been broken,

1447
01:19:12.095 --> 01:19:14.010
everything is being listened to,

1448
01:19:14.010 --> 01:19:17.274
that everything can be captured,
and operate accordingly.

1449
01:19:19.580 --> 01:19:22.453
If a small group
can plan something

1450
01:19:22.453 --> 01:19:25.499
and get away with $81 million,

1451
01:19:25.499 --> 01:19:27.937
which involved
the Fed in New York,

1452
01:19:27.937 --> 01:19:29.765
SWIFT in Brussels,

1453
01:19:29.765 --> 01:19:32.550
the Bangladeshi Bank in Dhaka,

1454
01:19:32.550 --> 01:19:36.032
and then all the peripherals
in Manila,

1455
01:19:36.032 --> 01:19:40.427
just think about what one of the
really professional operations

1456
01:19:40.427 --> 01:19:42.560
in China, Russia,

1457
01:19:42.560 --> 01:19:44.518
the NSA, GCHQ,

1458
01:19:44.518 --> 01:19:48.871
just think what havoc
they could wreak.

1459
01:19:48.871 --> 01:19:52.613
And every year, the hacks get
bigger, the damage greater,

1460
01:19:52.613 --> 01:19:54.702
the implications graver.

1461
01:19:56.139 --> 01:20:00.447
Armies literally have hackers
hammering at the gates.

1462
01:20:00.447 --> 01:20:02.710
And it just takes
a simple breach,

1463
01:20:02.710 --> 01:20:05.583
one person, one weak link,

1464
01:20:05.583 --> 01:20:08.238
and those armies
will storm the defences

1465
01:20:08.238 --> 01:20:12.851
and bring down a network
that our way of life depends on.

1466
01:20:12.851 --> 01:20:15.593
It happened in Bangladesh
in 2016.

1467
01:20:15.593 --> 01:20:21.033
And believe you me, it's going
to happen again very soon.

1468
01:21:14.957 --> 01:21:17.916
Iyuno





