3
00:01:10,809 --> 00:01:12,115
It's Friday,

4
00:01:12,115 --> 00:01:15,423
and it is, of course,
the Muslim prayer day.

5
00:01:15,423 --> 00:01:18,513
Everyone's off,
except for the skeleton staff

6
00:01:18,513 --> 00:01:20,645
at the Bangladeshi Bank,

7
00:01:20,645 --> 00:01:24,562
including Zubair Bin Huda,
who is the duty manager.

8
00:01:27,870 --> 00:01:31,395
He's part of
the elite team of employees

9
00:01:31,395 --> 00:01:35,095
who run
the SWIFT banking system,

10
00:01:35,095 --> 00:01:38,663
which is a highly secure
banking system

11
00:01:38,663 --> 00:01:41,318
that sends money
around the world.

12
00:01:43,538 --> 00:01:47,281
Now, Bin Huda goes,
as he does every day,

13
00:01:47,281 --> 00:01:49,152
to the SWIFT printer

14
00:01:49,152 --> 00:01:53,374
to check up on the transactions
from the day before.

15
00:01:53,374 --> 00:01:56,159
There are usually printouts

16
00:01:56,159 --> 00:01:58,422
of transactions
that came in overnight.

17
00:01:58,422 --> 00:02:02,774
The SWIFT software would print
out a ledger every single day,

18
00:02:02,774 --> 00:02:06,952
an audit trace of every single
transaction that occurred

19
00:02:06,952 --> 00:02:08,693
on paper.

20
00:02:08,693 --> 00:02:11,392
But when they came in
on February 5th morning,

21
00:02:11,392 --> 00:02:12,871
as they usually do,

22
00:02:12,871 --> 00:02:15,744
they found there were
no SWIFT messages at all.

23
00:02:15,744 --> 00:02:20,009
In fact, the printer's
shut down. It won't work.

24
00:02:20,009 --> 00:02:21,358
They try and turn it on.

25
00:02:21,358 --> 00:02:25,188
Nothing will kick it
back into life.

26
00:02:25,188 --> 00:02:28,148
He assumes it was simply
a technical error,

27
00:02:28,148 --> 00:02:30,193
shrugs, goes home for the night,

28
00:02:30,193 --> 00:02:32,282
comes back in
on Saturday morning

29
00:02:32,282 --> 00:02:34,502
to check the system again.

30
00:02:35,677 --> 00:02:36,939
The next day,

31
00:02:36,939 --> 00:02:40,160
they somehow manually
get the printer to work.

32
00:02:40,160 --> 00:02:42,466
This deputy head manager
walks in the room,

33
00:02:42,466 --> 00:02:46,122
the printer starts working, and
these weird messages come out.

34
00:02:46,122 --> 00:02:49,560
The printer
starts spewing out

35
00:02:49,560 --> 00:02:51,736
all of these transactions,

36
00:02:51,736 --> 00:02:56,306
including individual requests
to the Fed in New York

37
00:02:56,306 --> 00:02:59,353
for $1 billion.

38
00:03:01,268 --> 00:03:04,880
At that moment,
it's panic stations.

39
00:03:44,789 --> 00:03:50,230
When I was growing up,
the biggest crime in Britain

40
00:03:50,230 --> 00:03:52,319
ever recorded
was the Great Train Robbery.

41
00:03:52,319 --> 00:03:56,366
It was an extraordinary thing.
They stole about £2.5 million.

42
00:03:56,366 --> 00:03:58,760
That's about $4 million.

43
00:03:58,760 --> 00:04:04,244
And that story
ran literally for 30 years.

44
00:04:05,245 --> 00:04:06,768
Four million dollars.

45
00:04:07,856 --> 00:04:10,293
What you're about to hear

46
00:04:10,293 --> 00:04:14,036
is the story of an attempt
to steal...

47
00:04:15,037 --> 00:04:17,518
a billion dollars.

48
00:04:18,475 --> 00:04:20,434
It's told by world-leading

49
00:04:20,434 --> 00:04:23,959
cybersecurity and legal experts
and journalists:

50
00:04:23,959 --> 00:04:26,309
the very people
who uncovered the facts

51
00:04:26,309 --> 00:04:27,919
and threaded them together

52
00:04:27,919 --> 00:04:32,489
to reveal how dangerous the
world of cybercrime is today.

53
00:04:49,898 --> 00:04:53,336
So, there are four big threats

54
00:04:53,336 --> 00:04:57,471
to the world
and to the human race.

55
00:04:57,471 --> 00:04:59,603
One of them
we've just experienced,

56
00:04:59,603 --> 00:05:01,736
that's the pandemic.

57
00:05:01,736 --> 00:05:04,826
Then you've got weapons
of mass destruction.

58
00:05:04,826 --> 00:05:08,220
You've got climate change.

59
00:05:08,220 --> 00:05:13,965
But barrelling down towards us
before those is cyber.

60
00:05:24,498 --> 00:05:25,934
This is the possibility

61
00:05:25,934 --> 00:05:30,068
of our overdependency
on network technologies

62
00:05:30,068 --> 00:05:34,943
being undermined, either by
malfunctioning of the system...

63
00:05:34,943 --> 00:05:36,597
New problems are emerging

64
00:05:36,597 --> 00:05:39,164
the day after an Amazon
web service outage.

65
00:05:39,164 --> 00:05:42,254
Massive and mysterious,
a global outage...

66
00:05:42,254 --> 00:05:45,214
...or by a targeted attack.

67
00:05:45,214 --> 00:05:47,129
More than a thousand companies

68
00:05:47,129 --> 00:05:49,305
have been crippled
by this attack so far.

69
00:05:49,305 --> 00:05:52,264
Sounds like we're looking
at a 2022 with more hacks,

70
00:05:52,264 --> 00:05:53,570
more lost money.

71
00:05:59,924 --> 00:06:04,233
So, when I started hunting
hackers in the early 1990s...

72
00:06:05,452 --> 00:06:07,671
our enemy was really simple.

73
00:06:07,671 --> 00:06:10,152
All the malware,
all the viruses,

74
00:06:10,152 --> 00:06:13,111
all the attacks were
done by teenage boys.

75
00:06:13,111 --> 00:06:15,462
What will your parents think?

76
00:06:17,594 --> 00:06:20,815
I've been doing this job
for two decades now.

77
00:06:24,253 --> 00:06:25,472
When we first started,

78
00:06:25,472 --> 00:06:27,909
the people writing viruses
and malware

79
00:06:27,909 --> 00:06:29,476
were doing it for fun,

80
00:06:29,476 --> 00:06:32,392
to get their name in lights,
to say, "Look what I can do."

81
00:06:32,392 --> 00:06:34,655
No flash, please.

82
00:06:34,655 --> 00:06:37,788
When I started analysing
viruses, they looked like this.

83
00:06:37,788 --> 00:06:41,052
Malware was still spread
on floppy disks.

84
00:06:41,052 --> 00:06:44,708
They were spreading at the speed
of people travelling the world

85
00:06:44,708 --> 00:06:47,102
and carrying the viruses
with them.

86
00:06:47,102 --> 00:06:50,540
Michelangelo has
proven less harmful than feared.

87
00:06:50,540 --> 00:06:53,108
All the stuff you've got
in there you may really want,

88
00:06:53,108 --> 00:06:54,414
it's just gone?

89
00:06:54,414 --> 00:06:56,459
Then the internet came around,
and suddenly,

90
00:06:56,459 --> 00:06:59,331
malware outbreaks could
go around the world in seconds.

91
00:06:59,331 --> 00:07:00,942
For the last 36 hours,

92
00:07:00,942 --> 00:07:04,685
the ILOVEYOU virus has been
creating havoc around the world.

93
00:07:04,685 --> 00:07:08,166
Experts have reason to worry.
The first attack, July 19th,

94
00:07:08,166 --> 00:07:11,648
infected about 300,000
systems in nine hours.

95
00:07:11,648 --> 00:07:14,129
First of all, the guys who
make a living doing security

96
00:07:14,129 --> 00:07:16,044
and are trying to protect themselves

97
00:07:16,044 --> 00:07:19,569
are scared shitless of you,
because you can just ruin 'em.

98
00:07:19,569 --> 00:07:20,875
After the period of time

99
00:07:20,875 --> 00:07:22,529
where hackers
were just doing things for fun,

100
00:07:22,529 --> 00:07:26,010
some of them realised that they
could use it to make money.

101
00:07:28,535 --> 00:07:31,668
Prior to, like, the 2000s...

102
00:07:31,668 --> 00:07:35,716
cyber was primarily around
a disruption of websites...

103
00:07:36,630 --> 00:07:38,893
defacement of a webpage.

104
00:07:38,893 --> 00:07:42,505
Just as we got around 2000,
the dot-com boom, the explosion,

105
00:07:42,505 --> 00:07:44,376
we started into
what would become

106
00:07:44,376 --> 00:07:46,161
financially motivated hackers.

107
00:07:46,161 --> 00:07:49,033
This really flourished,
especially in Eastern European,

108
00:07:49,033 --> 00:07:53,124
Russia, CIS bloc countries.

109
00:07:53,124 --> 00:07:55,953
This was the time
of gangster capitalism,

110
00:07:55,953 --> 00:08:00,001
when everyone's world in Eastern
Europe was falling apart,

111
00:08:00,001 --> 00:08:02,612
where organised crime and...

112
00:08:02,612 --> 00:08:05,528
former members of
the intelligence services

113
00:08:05,528 --> 00:08:09,314
were taking hold
of the economy.

114
00:08:10,881 --> 00:08:14,276
So you had a lot of young people
in the 1990s

115
00:08:14,276 --> 00:08:17,932
who were very good
mathematicians, physicists,

116
00:08:17,932 --> 00:08:20,282
computer scientists,

117
00:08:20,282 --> 00:08:23,503
who simply took
the logic and the morality

118
00:08:23,503 --> 00:08:26,593
of gangster capitalism online.

119
00:08:30,074 --> 00:08:32,163
Virus writers
were writing viruses

120
00:08:32,163 --> 00:08:33,817
to infect Windows computers,

121
00:08:33,817 --> 00:08:36,951
and those computers were then
sold to email spammers,

122
00:08:36,951 --> 00:08:39,954
who were using those machines
to send Viagra spam

123
00:08:39,954 --> 00:08:42,652
or what have you,
basically making money.

124
00:08:42,652 --> 00:08:44,436
And that changed everything.

125
00:08:48,789 --> 00:08:51,574
People at that time
began to use online banking,

126
00:08:51,574 --> 00:08:54,621
and they began to steal people's
online banking credentials,

127
00:08:54,621 --> 00:08:57,275
from there, also get
credit card numbers,

128
00:08:57,275 --> 00:08:59,408
and use that
to basically transfer funds.

129
00:08:59,408 --> 00:09:02,672
Just in hundreds of dollars at
a time from these individuals.

130
00:09:02,672 --> 00:09:05,893
They eventually realised
that going after individuals

131
00:09:05,893 --> 00:09:07,198
was much more difficult

132
00:09:07,198 --> 00:09:10,288
than just going after
the banks themselves.

133
00:09:10,288 --> 00:09:11,942
Get into databases,

134
00:09:11,942 --> 00:09:14,423
those databases held
credit card numbers.

135
00:09:14,423 --> 00:09:17,600
Take those numbers and then
sell them on the black market.

136
00:09:19,341 --> 00:09:23,345
Originally, the internet
was set up at the Pentagon...

137
00:09:25,042 --> 00:09:29,003
just to be able to share
resources between computers.

138
00:09:32,136 --> 00:09:35,226
And it was really never
designed to have

139
00:09:35,226 --> 00:09:38,490
banking attached to it,

140
00:09:38,490 --> 00:09:41,711
critical infrastructure
attached to it.

141
00:09:41,711 --> 00:09:44,366
It was really designed
for availability.

142
00:09:44,366 --> 00:09:47,108
It was never designed
for security.

143
00:09:48,500 --> 00:09:50,502
Whereas in the early 1990s

144
00:09:50,502 --> 00:09:53,505
when there was only 30,000
people connected to it

145
00:09:53,505 --> 00:09:56,813
and several hundred systems,
we've moved to a system

146
00:09:56,813 --> 00:09:59,947
which essentially is the
backbone of global finance.

147
00:10:01,339 --> 00:10:04,560
The fact that
it's able to do that...

148
00:10:04,560 --> 00:10:07,432
the fact that it's able
to sustain currently between

149
00:10:07,432 --> 00:10:10,392
15 and 20 percent
of GDP globally

150
00:10:10,392 --> 00:10:12,742
tells us something about
just how important

151
00:10:12,742 --> 00:10:14,918
this infrastructure is.

152
00:10:14,918 --> 00:10:17,094
Why did people move
into the internet

153
00:10:17,094 --> 00:10:18,661
to seek economic opportunity?

154
00:10:18,661 --> 00:10:21,621
Because that's where the
economic opportunity was,

155
00:10:21,621 --> 00:10:23,579
untethered by norms,

156
00:10:23,579 --> 00:10:25,799
untethered
by national boundaries,

157
00:10:25,799 --> 00:10:28,497
and essentially limited
only by the creativity

158
00:10:28,497 --> 00:10:30,194
that these individuals had.

159
00:10:40,814 --> 00:10:43,817
The user nagged
the Federal Reserve Bank

160
00:10:43,817 --> 00:10:48,386
with 35 payment instructions
worth $951 million.

161
00:10:48,386 --> 00:10:50,867
We'd just never heard
of such a thing before.

162
00:10:50,867 --> 00:10:53,043
We'd been investigating cybercrime

163
00:10:53,043 --> 00:10:55,567
for a couple of decades
at that point.

164
00:10:55,567 --> 00:10:57,700
You see cyber criminals go in,

165
00:10:57,700 --> 00:11:01,748
and they try to transfer a few
hundred thousands of dollars,

166
00:11:01,748 --> 00:11:05,055
maybe a million,
a couple of million.

167
00:11:05,055 --> 00:11:09,059
But conducting a cyber-attack
to try to steal one billion?

168
00:11:09,059 --> 00:11:13,020
That was an order of magnitude
that we had never seen before.

169
00:11:13,020 --> 00:11:14,674
It was clear from early on

170
00:11:14,674 --> 00:11:18,112
that it was one of the biggest
cyber heists in the world.

171
00:11:18,112 --> 00:11:20,505
When we first started
hearing rumours

172
00:11:20,505 --> 00:11:23,813
about something affecting
SWIFT network,

173
00:11:23,813 --> 00:11:26,424
I didn't understand
how big it was.

174
00:11:26,424 --> 00:11:28,122
But when we started realising

175
00:11:28,122 --> 00:11:30,646
this is at a completely
different scale,

176
00:11:30,646 --> 00:11:32,561
it just blew my mind.

177
00:11:46,314 --> 00:11:47,445
Once they realised

178
00:11:47,445 --> 00:11:49,578
that the money actually
was really gone,

179
00:11:49,578 --> 00:11:51,623
then the panic began to set in.

180
00:11:51,623 --> 00:11:56,890
They lost $81 million instantly
to a bank in the Philippines.

181
00:11:56,890 --> 00:11:59,980
They see the $81 million
has already gone

182
00:11:59,980 --> 00:12:05,855
and that nearly $900 million
extra has been requested.

183
00:12:08,815 --> 00:12:13,254
They basically try to figure out
what to do next.

184
00:12:13,254 --> 00:12:15,865
They have no idea what to do.

185
00:12:15,865 --> 00:12:19,129
They hunted for ways to contact
the New York Fed.

186
00:12:20,957 --> 00:12:23,655
Desperate calls are made
by them.

187
00:12:27,834 --> 00:12:29,749
And it goes
to an answering machine.

188
00:12:29,749 --> 00:12:31,751
<i>You've reached
the Federal Reserve Bank...</i>

189
00:12:31,751 --> 00:12:33,622
Because it's Saturday
in New York,

190
00:12:33,622 --> 00:12:36,016
and nobody's picking
up the phone.

191
00:12:36,016 --> 00:12:39,106
<i>- Please call back...</i>
- It's a complete shitshow.

192
00:12:39,106 --> 00:12:43,153
Total disorganisation,
at both ends, I would stress.

193
00:12:45,503 --> 00:12:49,246
<i>The New York Times Magazine</i>
was planning a true-crime issue,

194
00:12:49,246 --> 00:12:50,421
and my editor came to me

195
00:12:50,421 --> 00:12:52,902
and asked if I was interested
in doing it.

196
00:12:54,251 --> 00:12:55,600
I looked into it a bit.

197
00:12:55,600 --> 00:12:58,125
There definitely were
some intriguing elements,

198
00:12:58,125 --> 00:12:59,779
and made me pay attention.

199
00:13:02,129 --> 00:13:04,435
The Federal Reserve
has pretty much

200
00:13:04,435 --> 00:13:07,177
depended on the SWIFT
banking system,

201
00:13:07,177 --> 00:13:11,878
and since there has rarely
been a hack, if ever,

202
00:13:11,878 --> 00:13:14,837
of the SWIFT banking system...

203
00:13:14,837 --> 00:13:18,058
the Federal Reserve
has never instituted

204
00:13:18,058 --> 00:13:20,800
any sort of 24-7 hotline.

205
00:13:22,540 --> 00:13:26,501
Eventually, they get
hold of somebody at SWIFT,

206
00:13:26,501 --> 00:13:28,155
and SWIFT says,

207
00:13:28,155 --> 00:13:29,765
"Just shut the whole lot down

208
00:13:29,765 --> 00:13:32,507
until we know
what's going on here."

209
00:13:32,507 --> 00:13:36,163
Badrul Khan decides before he
can actually make that decision,

210
00:13:36,163 --> 00:13:39,166
he has to talk to the deputy
governor of the bank,

211
00:13:39,166 --> 00:13:40,820
which he does.

212
00:13:40,820 --> 00:13:43,823
Deputy governor doesn't want to
take the decision upon himself,

213
00:13:43,823 --> 00:13:47,435
so he talks to the governor.
And guess what.

214
00:13:47,435 --> 00:13:50,655
The governor says,
"It's probably a mistake.

215
00:13:50,655 --> 00:13:52,614
We won't shut it down."

216
00:13:56,009 --> 00:13:58,750
Work week begins
at the Bangladesh Bank

217
00:13:58,750 --> 00:14:00,187
on Sunday morning,

218
00:14:00,187 --> 00:14:02,972
and it's then that the general
manager of the bank

219
00:14:02,972 --> 00:14:05,845
comes in and begins to take
stock of what had happened.

220
00:14:05,845 --> 00:14:07,411
They're running out of options.

221
00:14:07,411 --> 00:14:11,111
They're not sure what to do.
Fed is still closed in New York.

222
00:14:11,111 --> 00:14:13,200
They go through
all the SWIFT material,

223
00:14:13,200 --> 00:14:16,072
discover that most of
the money has gone

224
00:14:16,072 --> 00:14:18,205
to the bank in Manila.

225
00:14:18,205 --> 00:14:21,164
And these desperate
messages are sent out:

226
00:14:21,164 --> 00:14:22,600
"Stop the transactions.

227
00:14:22,600 --> 00:14:25,168
Hold that money. Do not
allow it to be withdrawn.

228
00:14:25,168 --> 00:14:27,127
It's our money.
It's been stolen."

229
00:14:28,650 --> 00:14:30,260
But there's a problem.

230
00:14:30,260 --> 00:14:32,219
Five, four,

231
00:14:32,219 --> 00:14:35,135
three, two, one!

232
00:14:35,135 --> 00:14:37,920
Happy New Year!

233
00:14:41,924 --> 00:14:43,795
It's Chinese New Year,

234
00:14:43,795 --> 00:14:46,929
and the Rizal Commercial Bank
is closed.

235
00:14:51,673 --> 00:14:56,199
The thieves chose
a sequence of days...

236
00:14:56,199 --> 00:15:00,638
from Friday, Saturday,
Sunday and Monday,

237
00:15:00,638 --> 00:15:03,815
when one or another
of the three countries

238
00:15:03,815 --> 00:15:06,557
that would be communicating
with one another

239
00:15:06,557 --> 00:15:09,169
was shut down for a holiday.

240
00:15:15,566 --> 00:15:17,612
You've got to hand it
to these guys.

241
00:15:17,612 --> 00:15:19,005
They knew it.

242
00:15:19,005 --> 00:15:21,703
They knew that if they did it
over that weekend,

243
00:15:21,703 --> 00:15:23,966
with the Friday,
the Muslim holiday,

244
00:15:23,966 --> 00:15:27,187
the Sunday and the Saturday,
everything closed in New York,

245
00:15:27,187 --> 00:15:30,538
and the Monday,
Chinese New Year.

246
00:15:32,322 --> 00:15:37,110
They've got four days
to get the heist done.

247
00:15:37,110 --> 00:15:39,373
This is really classy planning.

248
00:15:41,375 --> 00:15:45,422
In that respect,
it was really an ingenious plan.

249
00:15:45,422 --> 00:15:49,426
It's kind of like a great film
director in a malevolent way,

250
00:15:49,426 --> 00:15:53,082
planning out, you know,
a very complex film.

251
00:15:56,433 --> 00:15:58,131
The country of Bangladesh

252
00:15:58,131 --> 00:16:01,873
is the 170th poorest country
in the world.

253
00:16:01,873 --> 00:16:04,267
One billion dollars
is huge to them.

254
00:16:04,267 --> 00:16:06,356
When we talk
about cyber-attacks,

255
00:16:06,356 --> 00:16:08,054
they're not just zeros and ones.

256
00:16:08,054 --> 00:16:10,186
We're not just talking
about people

257
00:16:10,186 --> 00:16:13,755
moving around zeros and ones,
deleting zeros and ones.

258
00:16:15,539 --> 00:16:18,107
One billion dollars
to Bangladesh

259
00:16:18,107 --> 00:16:21,545
potentially means that people
starve in the country.

260
00:16:21,545 --> 00:16:25,245
These things have potential
serious repercussions.

261
00:16:27,725 --> 00:16:30,206
The Bangladesh Bank
heist was significant

262
00:16:30,206 --> 00:16:34,297
because it showed how fragile
global banking was as a whole.

263
00:16:36,169 --> 00:16:40,260
Banks don't just operate
as single isolated entities.

264
00:16:40,260 --> 00:16:42,784
They're part of a system.

265
00:16:42,784 --> 00:16:45,482
And that system is vulnerable.

266
00:16:47,702 --> 00:16:52,402
The US Federal Reserve holds
trillions of dollars in accounts

267
00:16:52,402 --> 00:16:55,579
kept by central banks
all around the world.

268
00:16:55,579 --> 00:16:59,279
Its computer security systems
are state of the art, making it

269
00:16:59,279 --> 00:17:03,587
one of the most difficult
financial institutions to hack.

270
00:17:07,287 --> 00:17:10,551
The criminals realise
that it can't get into

271
00:17:10,551 --> 00:17:14,076
the network system of the Fed,

272
00:17:14,076 --> 00:17:17,906
but the Fed has to talk
to other central banks

273
00:17:17,906 --> 00:17:19,777
around the world,

274
00:17:19,777 --> 00:17:23,390
and this is
where they find a flaw.

275
00:17:25,305 --> 00:17:27,437
The criminals turn
their attention

276
00:17:27,437 --> 00:17:30,440
to the banks'
communication systems.

277
00:17:31,963 --> 00:17:35,402
Every day, the Fed places
thousands of transactions

278
00:17:35,402 --> 00:17:39,058
on behalf of the central banks
that hold US dollar reserves

279
00:17:39,058 --> 00:17:40,320
at the Fed.

280
00:17:40,320 --> 00:17:42,757
The Federal Reserve
has pretty much depended

281
00:17:42,757 --> 00:17:45,107
on the SWIFT banking system

282
00:17:45,107 --> 00:17:48,067
to get its instructions
about transfers.

283
00:17:48,067 --> 00:17:51,026
SWIFT sends money
around the world

284
00:17:51,026 --> 00:17:52,941
to thousands of member banks.

285
00:17:52,941 --> 00:17:57,946
It's the main way that banks
dispatch money to one another.

286
00:17:59,165 --> 00:18:01,602
SWIFT allows you
to transfer money

287
00:18:01,602 --> 00:18:02,777
from one bank to another,

288
00:18:02,777 --> 00:18:04,561
no matter where you are
in the world.

289
00:18:04,561 --> 00:18:07,347
Make international
wire transfers.

290
00:18:07,347 --> 00:18:11,568
The whole banking system
is integrated,

291
00:18:11,568 --> 00:18:15,659
and they depend
above all else on SWIFT,

292
00:18:15,659 --> 00:18:21,143
the international transaction
mechanisms, to work.

293
00:18:21,143 --> 00:18:23,319
What it means is,
all it takes

294
00:18:23,319 --> 00:18:28,803
is a single weak link
to bring down the whole network.

295
00:18:30,370 --> 00:18:33,373
So although the target
is the Fed,

296
00:18:33,373 --> 00:18:37,725
they are looking for a bank
with which the Fed communicates,

297
00:18:37,725 --> 00:18:42,338
which holds a lot
of its reserves in New York.

298
00:18:42,338 --> 00:18:44,123
But it's a long way away,

299
00:18:44,123 --> 00:18:48,562
in a distant time zone
from the Fed,

300
00:18:48,562 --> 00:18:51,304
and it's likely to have

301
00:18:51,304 --> 00:18:56,396
patchy security systems in place
in its computer network.

302
00:18:58,963 --> 00:19:00,791
My colleagues in Dhaka,

303
00:19:00,791 --> 00:19:04,012
they were chasing it
for a long time.

304
00:19:04,012 --> 00:19:07,450
It was a robbery of a scale
that we hadn't heard of.

305
00:19:09,235 --> 00:19:11,585
The first thought
that came to my mind was,

306
00:19:11,585 --> 00:19:14,631
because it was the
Bangladeshi Central Bank,

307
00:19:14,631 --> 00:19:17,243
I thought the hackers found it

308
00:19:17,243 --> 00:19:19,549
somehow easier to target it.

309
00:19:19,549 --> 00:19:21,377
Because it was Bangladesh,

310
00:19:21,377 --> 00:19:24,424
I suspected they would
be more vulnerable

311
00:19:24,424 --> 00:19:26,774
to cyber-attacks as such.

312
00:19:28,515 --> 00:19:31,344
"Hmm. A Bangladeshi bank.

313
00:19:31,344 --> 00:19:33,998
Probably doesn't have
the same level of security

314
00:19:33,998 --> 00:19:36,218
and if they do,
it's probably one or two people,

315
00:19:36,218 --> 00:19:40,222
not a team of 6,000
working on it.

316
00:19:41,136 --> 00:19:42,355
Let's go for it."

317
00:19:42,355 --> 00:19:44,661
These attackers
weren't just skilled

318
00:19:44,661 --> 00:19:45,923
in breaching networks,

319
00:19:45,923 --> 00:19:47,838
figuring out how
to get into an organisation.

320
00:19:47,838 --> 00:19:52,016
They had to study that
SWIFT software deeply.

321
00:19:52,016 --> 00:19:55,194
This attack happened
well before that February 5th,

322
00:19:55,194 --> 00:19:56,847
when the bank employee walked in

323
00:19:56,847 --> 00:19:59,894
and saw that printer hadn't
printed out the audit jobs

324
00:19:59,894 --> 00:20:01,939
and couldn't figure out
what was going on.

325
00:20:01,939 --> 00:20:04,812
This attack started more
than a year prior to that.

326
00:20:04,812 --> 00:20:07,293
These attackers had been
working for months

327
00:20:07,293 --> 00:20:09,120
in the build-up until that day.

328
00:20:09,120 --> 00:20:11,253
It is a mistake
for people to think

329
00:20:11,253 --> 00:20:13,560
that this was something
that happened overnight.

330
00:20:13,560 --> 00:20:15,649
It is a mistake
for people to think

331
00:20:15,649 --> 00:20:18,956
that this happened in a month,
or two months or three months.

332
00:20:18,956 --> 00:20:21,394
It is a slow,
methodical approach,

333
00:20:21,394 --> 00:20:25,528
because it's a business,
all right? You build it.

334
00:20:32,274 --> 00:20:35,146
Bank robberies used to be
something that happened

335
00:20:35,146 --> 00:20:37,497
in the real world.

336
00:20:37,497 --> 00:20:40,630
Now they only happen
in the online world.

337
00:20:42,806 --> 00:20:46,767
If you would try to steal
$100 million in banknotes,

338
00:20:46,767 --> 00:20:49,160
that would be, like,
ten trucks full of notes.

339
00:20:49,160 --> 00:20:51,511
If you drive ten trucks
full of notes out of the bank,

340
00:20:51,511 --> 00:20:54,035
someone would notice.

341
00:20:54,035 --> 00:20:57,299
But when you do the same thing
online, no one notices anything.

342
00:20:57,299 --> 00:21:01,042
Every movie you've ever seen
of them breaking into a bank

343
00:21:01,042 --> 00:21:03,436
is them doing it
over a bank holiday

344
00:21:03,436 --> 00:21:05,394
or something of that nature.

345
00:21:05,394 --> 00:21:07,222
Same concept here.

346
00:21:12,096 --> 00:21:15,361
This isn't Matthew Broderick
sitting in front of a computer,

347
00:21:15,361 --> 00:21:17,450
like <i>War Games</i>
back in the 1980s,

348
00:21:17,450 --> 00:21:19,321
some kid in their basement.

349
00:21:21,105 --> 00:21:24,370
These are
criminal organisations.

350
00:21:24,370 --> 00:21:26,023
Each person has a skill set.

351
00:21:26,023 --> 00:21:29,070
It's kind of like that
<i>Ocean's Eleven</i>-type thing.

352
00:21:30,593 --> 00:21:33,074
You know,
"This guy could crack the bank,

353
00:21:33,074 --> 00:21:35,337
this guy could do
the surveillance cameras,

354
00:21:35,337 --> 00:21:37,774
this is the getaway,
this is the conman."

355
00:21:37,774 --> 00:21:39,559
You all have a role to play,

356
00:21:39,559 --> 00:21:42,301
and you need everybody
to execute their role

357
00:21:42,301 --> 00:21:44,085
to the best of their abilities

358
00:21:44,085 --> 00:21:46,870
for you to be
successful and get it out.

359
00:21:48,742 --> 00:21:53,007
So how do you pull off
a heist of this magnitude?

360
00:21:53,007 --> 00:21:58,317
It takes the right crew of
highly skilled specialists.

361
00:21:58,317 --> 00:22:03,191
And it all starts not with ones
and zeros, but with people.

362
00:22:07,151 --> 00:22:10,590
Cybercrime is about
gaining credentials

363
00:22:10,590 --> 00:22:12,635
to gain access,

364
00:22:12,635 --> 00:22:15,421
stealing the keys.

365
00:22:15,421 --> 00:22:19,816
The social engineer
is critical to a hack.

366
00:22:19,816 --> 00:22:22,253
It's how you get in,
and you get in

367
00:22:22,253 --> 00:22:26,388
not through digital means,
you get in through human means.

368
00:22:26,388 --> 00:22:28,956
It's to do with psychology.

369
00:22:31,306 --> 00:22:35,528
The criminals have to ensnare
one of the employees

370
00:22:35,528 --> 00:22:38,052
of the Bangladeshi Bank,

371
00:22:38,052 --> 00:22:41,882
beginning by going through
their social media profiles

372
00:22:41,882 --> 00:22:44,711
and looking
for suitable targets.

373
00:22:45,929 --> 00:22:48,932
Our relationship
with the computer

374
00:22:48,932 --> 00:22:51,848
is one of perceived intimacy;

375
00:22:51,848 --> 00:22:54,373
that when we're using
a computer,

376
00:22:54,373 --> 00:22:57,767
no one else can see
what we're doing, we believe,

377
00:22:57,767 --> 00:23:00,379
and it's just us and the screen.

378
00:23:02,119 --> 00:23:05,819
And if we were to read
an email from a friend,

379
00:23:05,819 --> 00:23:08,909
we tend to believe it
at face value.

380
00:23:12,216 --> 00:23:15,219
They found
close to three dozen employees.

381
00:23:15,219 --> 00:23:18,832
And they constructed
a simple spear-phish email:

382
00:23:18,832 --> 00:23:21,748
an email message that pretended
to be from a guy

383
00:23:21,748 --> 00:23:24,446
named Rasel Ahlam.

384
00:23:24,446 --> 00:23:26,056
And Rasel Ahlam said,

385
00:23:26,056 --> 00:23:28,581
"Hey, I just wanna
work at your company.

386
00:23:28,581 --> 00:23:31,410
Here's a résumé attached.
Have a look."

387
00:23:31,410 --> 00:23:34,108
And it turned out
that they mailed that

388
00:23:34,108 --> 00:23:36,893
to about 36 different employees,
and three of them

389
00:23:36,893 --> 00:23:39,722
opened that attachment
connected to that email.

390
00:23:40,984 --> 00:23:42,333
It was a zip file,

391
00:23:42,333 --> 00:23:44,640
and the zip file contained
just a document inside.

392
00:23:44,640 --> 00:23:47,295
They opened up the document
and it was his résumé.

393
00:23:47,295 --> 00:23:50,733
It was a résumé for Rasel Ahlam,
who wanted to work at the bank,

394
00:23:50,733 --> 00:23:52,996
but unbeknownst
to those individuals,

395
00:23:52,996 --> 00:23:56,826
also contained
malicious code inside.

396
00:23:56,826 --> 00:23:58,741
We can look at any data breach,

397
00:23:58,741 --> 00:24:01,222
and the root cause
has either been

398
00:24:01,222 --> 00:24:03,311
a technical problem

399
00:24:03,311 --> 00:24:05,400
or a people problem.

400
00:24:05,400 --> 00:24:08,229
And the technical problems
can be really hard

401
00:24:08,229 --> 00:24:10,536
and really expensive
and really slow to fix,

402
00:24:10,536 --> 00:24:12,581
but at least we can fix them.

403
00:24:12,581 --> 00:24:16,150
But in the end, we have
no patch for human brains.

404
00:24:17,804 --> 00:24:22,243
There's no way to fix the people
who do stupid mistakes.

405
00:24:22,243 --> 00:24:23,723
When attackers try to send

406
00:24:23,723 --> 00:24:27,030
these spear-phishing emails,
they try to do two things.

407
00:24:27,030 --> 00:24:30,512
They try to look very normal.
It was just a résumé.

408
00:24:30,512 --> 00:24:31,818
They try to fly under the radar,

409
00:24:31,818 --> 00:24:33,515
to look as legitimate
as possible.

410
00:24:33,515 --> 00:24:37,476
And the second is they often
try to use enticing techniques.

411
00:24:43,612 --> 00:24:47,050
New dangers tonight from
the Love Bug computer virus,

412
00:24:47,050 --> 00:24:49,966
this time disguised
as a friendlier email.

413
00:24:49,966 --> 00:24:53,579
The first internet virus
that went around the world

414
00:24:53,579 --> 00:24:57,887
in less than 48 hours was
called the ILOVEYOU virus.

415
00:24:57,887 --> 00:25:00,499
And already,
business interruption costs

416
00:25:00,499 --> 00:25:03,676
are estimated at more than
a billion dollars.

417
00:25:03,676 --> 00:25:06,592
You would be sitting
there working away,

418
00:25:06,592 --> 00:25:08,507
and then suddenly,
in your inbox,

419
00:25:08,507 --> 00:25:12,554
you get an email which says,
"I love you."

420
00:25:12,554 --> 00:25:15,252
And it could well be
that this is a person

421
00:25:15,252 --> 00:25:17,820
who you've always
held a torch for.

422
00:25:17,820 --> 00:25:20,344
And so, of course,
you're very excited,

423
00:25:20,344 --> 00:25:24,087
and you press on the link,
and then you're doomed.

424
00:25:24,087 --> 00:25:26,873
What happens is,
the virus infects your machine

425
00:25:26,873 --> 00:25:29,963
and proceeds to email everyone
you've ever emailed.

426
00:25:29,963 --> 00:25:32,618
The end result of that
is the mail servers

427
00:25:32,618 --> 00:25:33,706
get bogged down,

428
00:25:33,706 --> 00:25:36,143
and the only way
to solve the problem

429
00:25:36,143 --> 00:25:39,276
is to shut the servers down,
hence the interruption.

430
00:25:39,276 --> 00:25:42,323
The ILOVEYOU virus
was one of the first viruses

431
00:25:42,323 --> 00:25:45,065
that had really
worldwide impact.

432
00:25:47,110 --> 00:25:49,722
It was still a virus
written by a guy

433
00:25:49,722 --> 00:25:52,594
that just wanted to get
his name in lights.

434
00:25:52,594 --> 00:25:53,813
He wanted to see his virus

435
00:25:53,813 --> 00:25:55,597
travel around the world
a little bit

436
00:25:55,597 --> 00:25:57,381
and maybe get
in the news somewhere,

437
00:25:57,381 --> 00:25:59,819
and then him be able to say,
"Oh, I wrote that."

438
00:25:59,819 --> 00:26:03,083
Mr de Guzman hardly
seemed to comprehend the chaos

439
00:26:03,083 --> 00:26:05,041
inflicted on
the world's computers.

440
00:26:05,041 --> 00:26:08,610
But what happened was, it
spread so quickly and so fast,

441
00:26:08,610 --> 00:26:11,265
it brought down email
all over the world,

442
00:26:11,265 --> 00:26:13,920
and having email go down
was monumental.

443
00:26:13,920 --> 00:26:17,358
Experts say that the ILOVEYOU
virus could end up costing

444
00:26:17,358 --> 00:26:21,580
the world economy $10 billion
in lost work time.

445
00:26:21,580 --> 00:26:25,627
It became the first sign to show
that we relied on the internet.

446
00:26:25,627 --> 00:26:29,196
The internet was the basis for
our financial transactions,

447
00:26:29,196 --> 00:26:31,154
for the way we do business.

448
00:26:32,460 --> 00:26:33,635
I would talk to people

449
00:26:33,635 --> 00:26:35,332
and remind them
and educate them and say,

450
00:26:35,332 --> 00:26:36,899
"Look, you can't just click

451
00:26:36,899 --> 00:26:39,380
on any attachment
that comes to you in an email."

452
00:26:39,380 --> 00:26:42,818
I remember talking to a guy
about the Anna Kournikova virus

453
00:26:42,818 --> 00:26:45,995
that purported to be nude
pictures of Anna Kournikova.

454
00:26:45,995 --> 00:26:48,955
And he told me, he said,
"Yeah, I knew it was a virus.

455
00:26:48,955 --> 00:26:52,088
I thought it was probably
a virus. But what if it wasn't?

456
00:26:52,088 --> 00:26:53,960
What if it really was
nude pictures?

457
00:26:53,960 --> 00:26:55,788
So I double-clicked on it."

458
00:26:56,919 --> 00:26:58,399
People just don't realise

459
00:26:58,399 --> 00:27:02,055
what clicking on that
attachment means.

460
00:27:02,055 --> 00:27:06,102
Cyber criminals and hackers
realised a long time ago

461
00:27:06,102 --> 00:27:09,018
that your username and password,

462
00:27:09,018 --> 00:27:11,804
particularly to
your email account,

463
00:27:11,804 --> 00:27:15,285
could get them into your
stock brokerage account,

464
00:27:15,285 --> 00:27:18,201
to your online
banking account,

465
00:27:18,201 --> 00:27:23,903
to send phishing emails
to other contacts.

466
00:27:23,903 --> 00:27:27,994
If you protect
yourself properly,

467
00:27:27,994 --> 00:27:31,214
the chances are
you won't be a victim

468
00:27:31,214 --> 00:27:35,218
of what one would call
"drive-by hacking".

469
00:27:35,218 --> 00:27:39,483
If, however, you're being
specifically targeted

470
00:27:39,483 --> 00:27:42,965
by a hacking group,
they will follow that trace.

471
00:27:43,879 --> 00:27:45,533
And they will get you.

472
00:27:48,449 --> 00:27:53,280
Now, we know that at least three
members of the Bangladeshi Bank

473
00:27:53,280 --> 00:27:56,587
were targeted by this after
the social engineer

474
00:27:56,587 --> 00:27:58,981
had scanned
all of their social media,

475
00:27:58,981 --> 00:28:00,722
and at least three of them

476
00:28:00,722 --> 00:28:04,073
opened the letter
and took the bait.

477
00:28:04,073 --> 00:28:06,249
Once that code
began executing

478
00:28:06,249 --> 00:28:08,295
on those bank employees'
computers,

479
00:28:08,295 --> 00:28:10,906
it would reach out back
to the attackers

480
00:28:10,906 --> 00:28:13,866
and tell them that
these machines are now infected

481
00:28:13,866 --> 00:28:15,302
and give them full control,

482
00:28:15,302 --> 00:28:18,044
as if they were sitting
in front of the keyboard,

483
00:28:18,044 --> 00:28:21,134
just like those employees.

484
00:28:21,134 --> 00:28:23,745
There was malware
in the system

485
00:28:23,745 --> 00:28:26,574
that was actually
copying screenshots,

486
00:28:28,358 --> 00:28:33,450
copying keystrokes of employees,
and no one knew.

487
00:28:33,450 --> 00:28:35,801
They've got
their foot in the door.

488
00:28:35,801 --> 00:28:38,760
This is the essential
first step.

489
00:28:38,760 --> 00:28:42,677
The first layer of security
has been breached.

490
00:28:48,639 --> 00:28:52,339
And the digger, the person who
is getting deeper and deeper

491
00:28:52,339 --> 00:28:54,558
into the computer network,

492
00:28:54,558 --> 00:28:58,258
has to be a very
advanced hacker.

493
00:28:58,258 --> 00:29:02,958
This is when you need
a real professional.

494
00:29:02,958 --> 00:29:05,656
They're like ghosts.
Nobody can see them,

495
00:29:05,656 --> 00:29:10,009
but they're mapping every
single bit of that network.

496
00:29:11,967 --> 00:29:13,577
In the Bank of Bangladesh,

497
00:29:13,577 --> 00:29:16,145
you had computers that are all
interconnected to each other,

498
00:29:16,145 --> 00:29:19,279
and they're connected
using what's called a switch.

499
00:29:19,279 --> 00:29:23,022
In your average bank, that has
a good security program,

500
00:29:23,022 --> 00:29:25,676
those switches are
what's called segmented.

501
00:29:25,676 --> 00:29:27,591
So each of those switches
only allow

502
00:29:27,591 --> 00:29:30,290
a certain number of computers
to talk to each other

503
00:29:30,290 --> 00:29:32,814
rather than every computer
to talk to each other.

504
00:29:32,814 --> 00:29:35,382
But in the case of
the Bank of Bangladesh,

505
00:29:35,382 --> 00:29:38,559
in the back-office network, they
were using these very cheap,

506
00:29:38,559 --> 00:29:42,084
literally $10 switches
that didn't do any segmentation.

507
00:29:42,084 --> 00:29:45,348
Every computer was potentially
connected to each other.

508
00:29:45,348 --> 00:29:48,308
Basically,
it's a cost-cutting exercise.

509
00:29:48,308 --> 00:29:53,530
But that cost-cutting exercise
was what the digger needed.

510
00:29:53,530 --> 00:29:55,489
Those attackers
began to do

511
00:29:55,489 --> 00:29:58,231
what we call a lateral traverse
across the network,

512
00:29:58,231 --> 00:30:01,147
search for other computers
to infect,

513
00:30:01,147 --> 00:30:03,062
look for credentials.

514
00:30:04,585 --> 00:30:06,848
Whenever you log
into a computer,

515
00:30:06,848 --> 00:30:08,676
your credentials are cached.

516
00:30:08,676 --> 00:30:11,331
They're put into the memory
of the computer.

517
00:30:11,331 --> 00:30:14,290
Attackers are able
to filter through that memory

518
00:30:14,290 --> 00:30:16,640
and find used usernames
and passwords.

519
00:30:16,640 --> 00:30:19,469
They don't always know
what they're for,

520
00:30:19,469 --> 00:30:22,385
so they try to collect as many
credentials as they can

521
00:30:22,385 --> 00:30:25,432
and see, "What computers can
I see from this computer?",

522
00:30:25,432 --> 00:30:27,608
and just begin to use them
over and over again

523
00:30:27,608 --> 00:30:28,652
and just try them.

524
00:30:31,264 --> 00:30:32,613
Eventually, they hop on

525
00:30:32,613 --> 00:30:35,050
and are able to connect
to another computer.

526
00:30:35,050 --> 00:30:36,312
They get onto that one.

527
00:30:36,312 --> 00:30:38,271
It's still not what
they're interested in,

528
00:30:38,271 --> 00:30:40,664
but they're able to find more
usernames and passwords

529
00:30:40,664 --> 00:30:42,405
and try those
on all the other computers

530
00:30:42,405 --> 00:30:44,190
they can see
from that vantage point.

531
00:30:44,190 --> 00:30:48,020
That's how they move across
the network over and over again.

532
00:30:48,020 --> 00:30:50,544
They would delete
all traces of themselves

533
00:30:50,544 --> 00:30:52,894
as they moved
across the network,

534
00:30:52,894 --> 00:30:55,636
ultimately jumping from
computer to computer

535
00:30:55,636 --> 00:30:57,681
until they found
the SWIFT terminal,

536
00:30:57,681 --> 00:31:00,815
their ultimate goal in order
to make wire transfers

537
00:31:00,815 --> 00:31:02,817
out of the Bank of Bangladesh.

538
00:31:04,993 --> 00:31:06,777
It takes a long time.

539
00:31:06,777 --> 00:31:10,172
They're there for months.
This is an ongoing process.

540
00:31:10,172 --> 00:31:14,220
If at any moment they're
discovered to be in there,

541
00:31:14,220 --> 00:31:18,137
then the whole
operation is finished.

542
00:31:22,141 --> 00:31:24,056
With the Bangladeshi Bank heist,

543
00:31:24,056 --> 00:31:27,276
you basically have two
operations running in parallel.

544
00:31:27,276 --> 00:31:29,670
You have an offline operation
going on,

545
00:31:29,670 --> 00:31:32,238
which is to do with
the money laundering.

546
00:31:36,895 --> 00:31:38,940
It's the fence's responsibility

547
00:31:38,940 --> 00:31:43,902
to set up
the recipient accounts.

548
00:31:43,902 --> 00:31:46,382
They're gonna end up
with cold, hard cash,

549
00:31:46,382 --> 00:31:48,080
and they need individuals
on the ground

550
00:31:48,080 --> 00:31:50,909
to pick up that cash
and move it.

551
00:31:53,172 --> 00:31:54,434
And so, in May of 2015,

552
00:31:54,434 --> 00:31:56,871
before they'd even got
into the SWIFT terminal,

553
00:31:56,871 --> 00:31:59,656
they were able to recruit
a Chinese individual

554
00:31:59,656 --> 00:32:03,312
to go to the Philippines and
open up four bank accounts there

555
00:32:03,312 --> 00:32:05,227
at a bank called RCBC.

556
00:32:05,227 --> 00:32:08,883
You have to make sure
those people inside the bank

557
00:32:08,883 --> 00:32:10,711
in the Philippines

558
00:32:10,711 --> 00:32:12,974
have been properly corrupted

559
00:32:12,974 --> 00:32:17,674
and properly instructed
as to what their role is.

560
00:32:17,674 --> 00:32:20,068
The fence opens up
these accounts,

561
00:32:20,068 --> 00:32:22,592
puts $500 in each of them,

562
00:32:22,592 --> 00:32:25,726
and then they just go to sleep
for nine months.

563
00:32:28,598 --> 00:32:31,950
These attackers were
inside the Bank of Bangladesh

564
00:32:31,950 --> 00:32:34,822
for a full year,
which is incredible.

565
00:32:41,307 --> 00:32:43,265
They actually got
onto that SWIFT terminal

566
00:32:43,265 --> 00:32:44,788
exactly one year later...

567
00:32:47,617 --> 00:32:50,229
on January 29th, 2016.

568
00:32:55,495 --> 00:32:58,019
In any bank,
you have different employees.

569
00:32:58,019 --> 00:33:01,414
You have back-office employees,
administrative employees,

570
00:33:01,414 --> 00:33:04,330
but you also have computers
that are connected

571
00:33:04,330 --> 00:33:07,159
directly to
financial transactions.

572
00:33:07,159 --> 00:33:11,076
And only users who have specific
access to those machines

573
00:33:11,076 --> 00:33:12,555
are allowed to use them.

574
00:33:12,555 --> 00:33:15,036
When we talk about the case of
the Bank of Bangladesh,

575
00:33:15,036 --> 00:33:18,605
there was a single computer
that had credentials

576
00:33:18,605 --> 00:33:20,085
from a shared employee.

577
00:33:20,085 --> 00:33:23,218
You had an employee that
would use that SWIFT terminal,

578
00:33:23,218 --> 00:33:26,830
but also had their own computer
in the normal back-office area.

579
00:33:26,830 --> 00:33:29,355
Once they got onto
that employee's computer,

580
00:33:29,355 --> 00:33:31,052
they were able to jump across.

581
00:33:31,052 --> 00:33:34,969
They waited. They basically
did a recon on the system.

582
00:33:34,969 --> 00:33:36,579
They crawled around.

583
00:33:36,579 --> 00:33:39,756
They looked and tried to fully
understand how this worked,

584
00:33:39,756 --> 00:33:43,804
how SWIFT worked, how each bank
employee would make a request

585
00:33:43,804 --> 00:33:47,155
into the SWIFT system,
where it would go,

586
00:33:47,155 --> 00:33:49,244
how to direct that to branches

587
00:33:49,244 --> 00:33:52,117
where they had set up
these accounts.

588
00:33:52,117 --> 00:33:55,729
And in this case, it was just
very simple and very clever.

589
00:33:58,166 --> 00:34:00,342
The thief is
not so much someone

590
00:34:00,342 --> 00:34:03,302
who is physically
taking out the money

591
00:34:03,302 --> 00:34:05,695
and stuffing it into a bag.

592
00:34:05,695 --> 00:34:07,610
They're making sure

593
00:34:07,610 --> 00:34:12,572
that every bit on the system
is coordinated.

594
00:34:12,572 --> 00:34:16,228
There are all sorts of things
to get right

595
00:34:16,228 --> 00:34:21,494
before that fatal moment
when the request is made.

596
00:34:21,494 --> 00:34:24,105
Everything has to be

597
00:34:24,105 --> 00:34:26,716
really, really
precisely coordinated

598
00:34:26,716 --> 00:34:29,937
to get all the timing right.
You've got four days.

599
00:34:29,937 --> 00:34:31,547
You can't afford a slip-up.

600
00:34:31,547 --> 00:34:34,333
When the attackers
got into the SWIFT terminal

601
00:34:34,333 --> 00:34:38,728
on January 29th of 2016,
they paused for about five days

602
00:34:38,728 --> 00:34:41,079
to get their malicious
software ready

603
00:34:41,079 --> 00:34:43,168
that allowed them
to cover their tracks

604
00:34:43,168 --> 00:34:45,257
when they were on
that SWIFT terminal.

605
00:34:45,257 --> 00:34:48,173
They decided to wait
until February 4th.

606
00:34:48,173 --> 00:34:49,826
And this is no accident.

607
00:34:52,960 --> 00:34:55,702
They have chosen
a long weekend

608
00:34:55,702 --> 00:34:58,574
due to holidays in different
parts of the world.

609
00:34:58,574 --> 00:35:01,186
That means,
instead of the usual two days

610
00:35:01,186 --> 00:35:02,535
they have to get away with it

611
00:35:02,535 --> 00:35:04,841
before alarms
start going off everywhere,

612
00:35:04,841 --> 00:35:07,931
they've got four days.
It's brilliant.

613
00:35:09,498 --> 00:35:11,935
February 4th, 2016,
was a Thursday.

614
00:35:11,935 --> 00:35:14,634
That's the last day of
the working week in Bangladesh.

615
00:35:14,634 --> 00:35:16,940
In Bangladesh, they work
from Sunday to Thursday.

616
00:35:16,940 --> 00:35:19,421
So, at some point late
in the afternoon,

617
00:35:19,421 --> 00:35:22,685
the SWIFT transaction operator
in the Bangladeshi Bank

618
00:35:22,685 --> 00:35:24,687
logs off his terminal.

619
00:35:28,778 --> 00:35:30,476
But three hours later,

620
00:35:30,476 --> 00:35:33,435
the thief logs into
that terminal

621
00:35:33,435 --> 00:35:35,829
and starts to impersonate him.

622
00:35:35,829 --> 00:35:38,919
They logged into that SWIFT
terminal at 8:36 p.m.,

623
00:35:38,919 --> 00:35:41,051
after they believed,
or really knew,

624
00:35:41,051 --> 00:35:44,403
that all the bank employees
had gone home for the weekend.

625
00:35:44,403 --> 00:35:48,233
And they put forward
35 different wire transactions

626
00:35:48,233 --> 00:35:52,280
from that SWIFT terminal,
totalling $951 million,

627
00:35:52,280 --> 00:35:55,631
almost $1 billion,
completely unheard of.

628
00:35:58,678 --> 00:36:02,029
Ten hours
behind Bangladesh,

629
00:36:02,029 --> 00:36:03,813
New York is waking up.

630
00:36:04,945 --> 00:36:07,252
The first thing
that the Fed sees

631
00:36:07,252 --> 00:36:09,297
is 35 requests

632
00:36:09,297 --> 00:36:13,214
for almost the entire holdings
of the Bangladeshi Bank.

633
00:36:13,214 --> 00:36:17,523
Usually, it's figures of sort
of $300,000, $500,000.

634
00:36:17,523 --> 00:36:19,525
They want almost a billion!

635
00:36:19,525 --> 00:36:23,746
The operator, perhaps
unsurprisingly, rejects it,

636
00:36:23,746 --> 00:36:26,488
sends it back to Bangladesh.

637
00:36:26,488 --> 00:36:28,751
But he rejects it not because

638
00:36:28,751 --> 00:36:32,581
this is an absolutely crazy
amount of money,

639
00:36:32,581 --> 00:36:36,585
but because the requests
are wrongly formatted.

640
00:36:36,585 --> 00:36:39,153
As much research
that they had done,

641
00:36:39,153 --> 00:36:41,851
they didn't really understand
how to fill out

642
00:36:41,851 --> 00:36:43,331
those SWIFT transfers.

643
00:36:43,331 --> 00:36:45,942
They were missing what's called
an intermediate bank.

644
00:36:45,942 --> 00:36:48,162
New York Federal Reserve
replied to them,

645
00:36:48,162 --> 00:36:50,469
via the SWIFT system,
back to their computer

646
00:36:50,469 --> 00:36:52,688
that they were sitting
in front of, virtually,

647
00:36:52,688 --> 00:36:56,475
saying, "Hey, these transactions
are missing information."

648
00:36:56,475 --> 00:36:58,520
They think on their feet.

649
00:36:58,520 --> 00:37:02,829
They reformat the requests,
send them back...

650
00:37:02,829 --> 00:37:06,006
and hold their breath
to see what happens.

651
00:37:06,006 --> 00:37:08,574
They ultimately corrected
34 of them.

652
00:37:08,574 --> 00:37:09,879
They had forgotten one.

653
00:37:09,879 --> 00:37:12,230
The one did have
the intermediate bank

654
00:37:12,230 --> 00:37:13,448
went to Deutsche Bank.

655
00:37:13,448 --> 00:37:15,581
That order was for $20 million

656
00:37:15,581 --> 00:37:19,802
to a charity called the Shalika
Foundation in Sri Lanka.

657
00:37:19,802 --> 00:37:22,109
But they had made
a typo as well,

658
00:37:22,109 --> 00:37:25,417
and they had misspelled
"foundation" as "fandation".

659
00:37:25,417 --> 00:37:27,680
And so Deutsche Bank
saw that typo

660
00:37:27,680 --> 00:37:29,856
and questioned it and, again,

661
00:37:29,856 --> 00:37:32,293
held that transaction
due to that typo.

662
00:37:34,643 --> 00:37:36,863
We use that
as the poster child

663
00:37:36,863 --> 00:37:40,083
for why you need
to learn how to spell.

664
00:37:40,083 --> 00:37:43,783
Otherwise, you can lose
$20 million.

665
00:37:43,783 --> 00:37:47,265
Ultimately, when
they return the other 34...

666
00:37:48,570 --> 00:37:50,268
Bingo.

667
00:37:50,268 --> 00:37:52,487
The operator approves them.

668
00:37:52,487 --> 00:37:55,795
Four of them went through.

669
00:37:55,795 --> 00:38:00,495
The green light is given.
The heist is on.

670
00:38:00,495 --> 00:38:03,629
Those four went through
to those bank accounts

671
00:38:03,629 --> 00:38:06,066
in the Philippines
that had been opened

672
00:38:06,066 --> 00:38:07,589
more than six months earlier.

673
00:38:07,589 --> 00:38:10,636
And they were able
to transfer out $81 million

674
00:38:10,636 --> 00:38:12,638
to the bank in the Philippines.

675
00:38:34,181 --> 00:38:37,837
Ultimately, they were about
to transfer $1 billion

676
00:38:37,837 --> 00:38:39,534
from the Bank of Bangladesh,

677
00:38:39,534 --> 00:38:42,494
but they didn't want
anyone to find out.

678
00:38:47,847 --> 00:38:51,459
They began to cover
their tracks.

679
00:38:51,459 --> 00:38:53,200
Normally, as a bank employee,

680
00:38:53,200 --> 00:38:55,071
you'll load up
the SWIFT software,

681
00:38:55,071 --> 00:38:57,944
you'll see on the screen
all the latest transactions,

682
00:38:57,944 --> 00:38:59,598
you can make transactions.

683
00:38:59,598 --> 00:39:04,342
And so the attackers deleted all
records of those transactions.

684
00:39:07,083 --> 00:39:08,563
But it's not just digital.

685
00:39:08,563 --> 00:39:13,002
In the world of finance,
everything must be a hard copy.

686
00:39:13,002 --> 00:39:16,005
And the attackers
knew that as well.

687
00:39:20,575 --> 00:39:23,622
Every SWIFT transaction
that takes place

688
00:39:23,622 --> 00:39:28,975
is immediately printed out
locally in the Bangladeshi Bank.

689
00:39:28,975 --> 00:39:31,978
So that printer cannot
be working

690
00:39:31,978 --> 00:39:34,676
when the heist is going on.

691
00:39:34,676 --> 00:39:37,549
The attackers hijacked
all of those print jobs,

692
00:39:37,549 --> 00:39:40,421
replaced all of those
print jobs with zeros

693
00:39:40,421 --> 00:39:43,555
so that nothing would
come out of the printer.

694
00:39:43,555 --> 00:39:48,516
Now, the other 30
wire transactions sat around.

695
00:39:48,516 --> 00:39:51,867
And, ultimately,
the attackers waited,

696
00:39:51,867 --> 00:39:54,261
and they waited...

697
00:39:54,261 --> 00:39:58,874
And they logged out at
3:59 a.m. Bangladesh time.

698
00:39:58,874 --> 00:40:01,442
Potentially, they thought
that in New York,

699
00:40:01,442 --> 00:40:03,096
the business day ended
at five p.m.,

700
00:40:03,096 --> 00:40:04,924
and they weren't gonna hear
any more.

701
00:40:04,924 --> 00:40:06,882
The New York Fed
had actually stopped

702
00:40:06,882 --> 00:40:08,449
the rest of the transactions,

703
00:40:08,449 --> 00:40:11,931
because the address for
the bank in the Philippines

704
00:40:11,931 --> 00:40:15,804
was on Jupiter Street.
J-U-P-I-T-E-R.

705
00:40:15,804 --> 00:40:20,853
Right, now this is when
the story gets really weird.

706
00:40:20,853 --> 00:40:24,857
In a totally unrelated incident
two years earlier,

707
00:40:24,857 --> 00:40:28,469
we have a Greek shipping
magnate, Dimitris Cambis,

708
00:40:28,469 --> 00:40:32,038
and he is buying eight tankers.

709
00:40:32,038 --> 00:40:35,258
What Dimitris knew,
but not many other people,

710
00:40:35,258 --> 00:40:39,872
was that the money
for these eight oil tankers

711
00:40:39,872 --> 00:40:41,917
came from Iran,

712
00:40:41,917 --> 00:40:45,660
and Iran was under US sanctions.

713
00:40:45,660 --> 00:40:48,358
Someone in the US
caught wind of the fact

714
00:40:48,358 --> 00:40:51,710
that the Iranians were
financing Mr Cambis.

715
00:40:51,710 --> 00:40:55,017
His company was put on
the sanctions watch list,

716
00:40:55,017 --> 00:40:58,325
and his company
was called Jupiter Seaways.

717
00:41:00,675 --> 00:41:02,590
It was just their bad luck

718
00:41:02,590 --> 00:41:05,201
that they designated
the money transfers

719
00:41:05,201 --> 00:41:11,338
to go to the Jupiter branch
of the Rizal Bank in Manila.

720
00:41:11,338 --> 00:41:15,211
As the transfers were being sent
out from the New York Reserve

721
00:41:15,211 --> 00:41:16,996
to the Philippines,

722
00:41:16,996 --> 00:41:20,956
the Jupiter name was caught
by the computer system.

723
00:41:20,956 --> 00:41:23,916
It halted these transactions.

724
00:41:23,916 --> 00:41:26,484
The Fed had to take
a second look.

725
00:41:26,484 --> 00:41:28,790
They stopped it
because they realised,

726
00:41:28,790 --> 00:41:31,184
"Wait, we have somewhere
in the order 35 transactions

727
00:41:31,184 --> 00:41:33,229
coming from
the Bank of Bangladesh,

728
00:41:33,229 --> 00:41:37,407
adding up to $1 billion?
You know, this isn't usual."

729
00:41:37,407 --> 00:41:40,062
So they held them
and sent a message back,

730
00:41:40,062 --> 00:41:41,890
asking for confirmation.

731
00:41:44,589 --> 00:41:47,766
Had the attackers waited
just one more hour,

732
00:41:47,766 --> 00:41:50,595
they could have replied to them
via the SWIFT system,

733
00:41:50,595 --> 00:41:53,206
saying these transactions
were not a mistake.

734
00:41:53,206 --> 00:41:55,295
Ultimately,
the Bank of Bangladesh

735
00:41:55,295 --> 00:41:57,253
might have lost
much, much more.

736
00:41:57,253 --> 00:42:01,344
So far, they managed
to get $81 million.

737
00:42:01,344 --> 00:42:05,435
But, boy, did they come close
to hitting the jackpot.

738
00:42:05,435 --> 00:42:07,655
Just under $1 billion

739
00:42:07,655 --> 00:42:11,572
was very, very nearly
stolen from this bank.

740
00:42:22,061 --> 00:42:25,194
The next day,
the bank employees came in,

741
00:42:25,194 --> 00:42:26,587
and the printer wasn't working,

742
00:42:26,587 --> 00:42:28,937
because they installed
their malicious code

743
00:42:28,937 --> 00:42:30,722
to prevent that from happening.

744
00:42:30,722 --> 00:42:32,637
Ultimately,
those bank employees

745
00:42:32,637 --> 00:42:34,900
didn't get it fixed
until February 6,

746
00:42:34,900 --> 00:42:36,554
which would have been a Sunday.

747
00:42:38,251 --> 00:42:41,297
When the printer started,
all these messages came out,

748
00:42:41,297 --> 00:42:42,908
messages from the Fed asking,

749
00:42:42,908 --> 00:42:46,041
"What are these 30 transactions?
Did you mean to make these?"

750
00:42:46,041 --> 00:42:48,304
That triggered
the Bank of Bangladesh

751
00:42:48,304 --> 00:42:51,003
to realise something
had gone wrong.

752
00:42:51,003 --> 00:42:53,658
It was very clear
that they were in deep,

753
00:42:53,658 --> 00:42:57,357
such that the bank manager...
This is the Bank of Bangladesh,

754
00:42:57,357 --> 00:43:00,534
the federal bank, the national
bank of the country,

755
00:43:00,534 --> 00:43:04,103
did not notify the leaders,

756
00:43:04,103 --> 00:43:07,236
the government of Bangladesh.
He kept it under wraps.

757
00:43:07,236 --> 00:43:10,544
He notified someone he knew
who knew about security.

758
00:43:10,544 --> 00:43:12,372
"Get on a plane,
get to Bangladesh.

759
00:43:12,372 --> 00:43:14,940
I need you to look at
these computer systems."

760
00:43:20,467 --> 00:43:22,948
Initially, the governor
and his whole team

761
00:43:22,948 --> 00:43:24,166
were quite perplexed.

762
00:43:24,166 --> 00:43:27,343
They didn't quite know
what had happened.

763
00:43:27,343 --> 00:43:30,216
So they thought that
some money had been routed

764
00:43:30,216 --> 00:43:33,045
to a wrong account;
it would come back.

765
00:43:36,309 --> 00:43:39,921
I get this strange phone call
from the governor's office

766
00:43:39,921 --> 00:43:42,707
asking me if I would
drop everything

767
00:43:42,707 --> 00:43:45,274
and come to Dhaka, Bangladesh.

768
00:43:49,061 --> 00:43:51,237
So I assembled a team...

769
00:43:52,107 --> 00:43:53,892
and we flew down.

770
00:43:57,896 --> 00:44:02,596
When we arrived there, we met
with the Bangladesh Bank team.

771
00:44:02,596 --> 00:44:06,121
And that's when I discovered
all the horrifying details

772
00:44:06,121 --> 00:44:08,471
of what had actually happened.

773
00:44:12,388 --> 00:44:15,217
They decide,
"Let's look at the CCTV.

774
00:44:15,217 --> 00:44:17,393
What's that going to tell us?"

775
00:44:17,393 --> 00:44:20,309
There were eight
hours' worth of tapes

776
00:44:20,309 --> 00:44:23,138
that had to be gone through.

777
00:44:23,138 --> 00:44:26,054
Your gut instinct is,
you have a malicious insider.

778
00:44:26,054 --> 00:44:27,708
A physical person had to go in,

779
00:44:27,708 --> 00:44:30,842
log into that machine
and try to make these transfers,

780
00:44:30,842 --> 00:44:34,715
because this attack
hadn't happened before.

781
00:44:34,715 --> 00:44:37,631
They had a SWIFT room,
which was locked.

782
00:44:37,631 --> 00:44:39,938
And typically when
the SWIFT operators

783
00:44:39,938 --> 00:44:43,724
needed to do something on SWIFT,
they had to go into the room,

784
00:44:43,724 --> 00:44:47,467
sit in that chair and terminal,

785
00:44:47,467 --> 00:44:52,037
and there was only
one shadow we could find.

786
00:44:52,037 --> 00:44:54,779
We eventually decided
it was the person

787
00:44:54,779 --> 00:44:58,391
sweeping the place after hours.

788
00:45:00,741 --> 00:45:04,310
They were saying, "How could
somebody process the transaction

789
00:45:04,310 --> 00:45:05,964
when there was nobody there?"

790
00:45:05,964 --> 00:45:10,577
I mean, even after the payment
instructions had been sent,

791
00:45:10,577 --> 00:45:15,408
they had no idea for a very long
time what was happening.

792
00:45:15,408 --> 00:45:19,412
They didn't think it was a hack.
They had no traces of a hack.

793
00:45:19,412 --> 00:45:22,632
But they watched eight hours of
that footage over that weekend

794
00:45:22,632 --> 00:45:25,635
and realised there was
no one at that computer.

795
00:45:25,635 --> 00:45:26,941
Nothing.

796
00:45:26,941 --> 00:45:29,248
They had no idea that
the Bank of Bangladesh

797
00:45:29,248 --> 00:45:31,859
had been breached by hackers.

798
00:45:31,859 --> 00:45:35,384
Only after we see these things
happen over and over again,

799
00:45:35,384 --> 00:45:39,171
we realise that cyber
has such capabilities.

800
00:45:44,045 --> 00:45:47,440
Bangladesh was a bit of
a bombshell for all of us.

801
00:45:49,311 --> 00:45:52,097
Hackers and most cybercrime,

802
00:45:52,097 --> 00:45:54,055
it's like smash-and-grab crime.

803
00:45:54,055 --> 00:45:56,492
Quickly grab something
and monetise it

804
00:45:56,492 --> 00:45:58,103
as swiftly as you can.

805
00:45:58,103 --> 00:46:01,236
You know, storm a bank
with shotguns, blow a safe,

806
00:46:01,236 --> 00:46:03,978
fill some bags with cash.

807
00:46:03,978 --> 00:46:06,024
Cybercrime...

808
00:46:06,024 --> 00:46:09,418
It doesn't lend itself well
to long conspiracy

809
00:46:09,418 --> 00:46:11,856
and lots of investigation
and investment

810
00:46:11,856 --> 00:46:13,596
into understanding your target.

811
00:46:13,596 --> 00:46:15,903
I mean, you couldn't
do Bangladesh

812
00:46:15,903 --> 00:46:19,037
unless you really understood
the internal workings

813
00:46:19,037 --> 00:46:21,909
of the central bank
and all the actors involved.

814
00:46:21,909 --> 00:46:24,607
That's not something
that freelance hackers

815
00:46:24,607 --> 00:46:26,827
really are good at.

816
00:46:26,827 --> 00:46:29,917
That requires a level of
investment into resources

817
00:46:29,917 --> 00:46:34,095
and frankly intelligence
that has to be sustained.

818
00:46:34,095 --> 00:46:38,012
To organise something
of that complexity

819
00:46:38,012 --> 00:46:40,841
and for it not to be noticed

820
00:46:40,841 --> 00:46:43,539
by the intelligence agencies
of the state

821
00:46:43,539 --> 00:46:46,020
where that is being planned

822
00:46:46,020 --> 00:46:50,285
would be very,
very difficult indeed.

823
00:46:50,285 --> 00:46:53,419
These hackers went in
and looked at the zeros and ones

824
00:46:53,419 --> 00:46:55,725
in the software
and reverse engineered it,

825
00:46:55,725 --> 00:46:58,380
turned it back into
understandable code.

826
00:46:58,380 --> 00:47:00,905
That's not something
that happens overnight.

827
00:47:00,905 --> 00:47:02,384
It was pretty clear

828
00:47:02,384 --> 00:47:04,865
that this isn't just
normal criminals.

829
00:47:04,865 --> 00:47:07,128
This has to be something bigger.

830
00:47:10,044 --> 00:47:13,961
Once attackers have gained
access to their target network,

831
00:47:13,961 --> 00:47:16,007
they want to stay undetected.

832
00:47:18,487 --> 00:47:20,968
And we've seen many
interesting examples

833
00:47:20,968 --> 00:47:23,014
of how exactly this is done.

834
00:47:26,278 --> 00:47:27,801
What exactly happened

835
00:47:27,801 --> 00:47:30,195
at the Natanz nuclear facility
last week?

836
00:47:30,195 --> 00:47:32,806
It's a question people in Iran
and around the world

837
00:47:32,806 --> 00:47:35,461
have been asking
since a fire was reported

838
00:47:35,461 --> 00:47:38,856
at Iran's main uranium
enrichment facility on Thursday.

839
00:47:38,856 --> 00:47:41,902
We're used to Trojans
and viruses on the internet,

840
00:47:41,902 --> 00:47:43,338
but this is the first worm

841
00:47:43,338 --> 00:47:46,907
designed to damage
the physical world.

842
00:47:46,907 --> 00:47:51,042
In 2010, attackers created
a piece of malicious software

843
00:47:51,042 --> 00:47:55,350
that was designed to infiltrate
Iran's nuclear programme,

844
00:47:55,350 --> 00:47:57,004
to get into their centrifuges,

845
00:47:57,004 --> 00:47:59,050
in particular,
get onto computers

846
00:47:59,050 --> 00:48:00,921
that controlled
their centrifuges.

847
00:48:00,921 --> 00:48:04,142
Iran says it will
retaliate against any country

848
00:48:04,142 --> 00:48:06,884
that conducts cyber-attacks
on its nuclear sites.

849
00:48:06,884 --> 00:48:09,538
The intention
was to spin the centrifuges

850
00:48:09,538 --> 00:48:12,150
of Iran's nuclear capabilities
out of control,

851
00:48:12,150 --> 00:48:14,152
make the centrifuges explode

852
00:48:14,152 --> 00:48:15,414
and push them ten years back

853
00:48:15,414 --> 00:48:17,372
in the uranium enrichment programme.

854
00:48:17,372 --> 00:48:18,721
As a piece of malware,

855
00:48:18,721 --> 00:48:21,768
it was 40 times larger
than any piece of malware

856
00:48:21,768 --> 00:48:24,336
that had ever been
encountered before.

857
00:48:24,336 --> 00:48:28,514
It would have taken
the most advanced,

858
00:48:28,514 --> 00:48:30,995
brilliant computer engineers

859
00:48:30,995 --> 00:48:34,085
years and years of human
working hours

860
00:48:34,085 --> 00:48:35,956
to produce this.

861
00:48:35,956 --> 00:48:38,089
Why was it so big?

862
00:48:38,089 --> 00:48:42,310
Because it needed
to cover itself up.

863
00:48:44,834 --> 00:48:47,794
The attackers
were actually recording

864
00:48:47,794 --> 00:48:52,320
the network traffic,
the normal network traffic,

865
00:48:52,320 --> 00:48:55,062
and then playing it back
to the sensors

866
00:48:55,062 --> 00:48:58,848
when they started modifying the
operations of the centrifuges

867
00:48:58,848 --> 00:49:00,720
they were trying to break.

868
00:49:04,463 --> 00:49:06,900
This is the equivalent of,
in the real world,

869
00:49:06,900 --> 00:49:09,903
recording the CCTV footage
from a security camera

870
00:49:09,903 --> 00:49:12,166
and then playing it back
to the camera

871
00:49:12,166 --> 00:49:14,125
when you're doing
something bad.

872
00:49:14,125 --> 00:49:16,301
That's what Stuxnet was doing.

873
00:49:16,301 --> 00:49:18,042
And in the Bangladesh heist,

874
00:49:18,042 --> 00:49:20,218
they were doing
something similar.

875
00:49:20,218 --> 00:49:22,872
Once they made
their transactions,

876
00:49:22,872 --> 00:49:26,311
they wanted to make sure no one
realised they had happened.

877
00:49:26,311 --> 00:49:29,053
They were actually falsifying
the information

878
00:49:29,053 --> 00:49:30,576
about transactions.

879
00:49:30,576 --> 00:49:33,405
The recording of the
transactions was being done

880
00:49:33,405 --> 00:49:34,972
both in electronic format,

881
00:49:34,972 --> 00:49:38,540
but also falsifying the data
being sent to the printers,

882
00:49:38,540 --> 00:49:41,021
which actually looked like
everything was fine.

883
00:49:41,021 --> 00:49:44,242
So you find out how
you're being tracked,

884
00:49:44,242 --> 00:49:46,984
and then you try
to cover your tracks.

885
00:49:46,984 --> 00:49:48,246
Stuxnet did that.

886
00:49:48,246 --> 00:49:50,770
The Bangladeshi heist
did it as well.

887
00:49:53,207 --> 00:49:56,950
Once that money
arrived in the Philippines,

888
00:49:56,950 --> 00:50:00,519
they needed to change
that money into cold, hard cash.

889
00:50:00,519 --> 00:50:02,912
Right now, it's still in
digital ones and zeros,

890
00:50:02,912 --> 00:50:05,437
just a transaction that said
the money has moved

891
00:50:05,437 --> 00:50:06,829
from the Bank of Bangladesh

892
00:50:06,829 --> 00:50:10,094
to these accounts at RCBC.
Four accounts.

893
00:50:10,094 --> 00:50:13,532
The thieves had to
get it out of the Philippines,

894
00:50:13,532 --> 00:50:15,621
make it disappear.

895
00:50:15,621 --> 00:50:18,450
So how were they going
to do that?

896
00:50:18,450 --> 00:50:20,843
There is one industry
in the Philippines

897
00:50:20,843 --> 00:50:23,237
where there is absolutely
no oversight,

898
00:50:23,237 --> 00:50:27,241
where it's a cash-only business.
There are no records, no names.

899
00:50:27,241 --> 00:50:29,113
That is the casino industry.

900
00:50:41,125 --> 00:50:43,257
When we talk about
laundering funds,

901
00:50:43,257 --> 00:50:45,955
we're talking about
taking dirty, illicit funds,

902
00:50:45,955 --> 00:50:49,481
running them through
a legal business

903
00:50:49,481 --> 00:50:52,049
so that if I came
to you and said,

904
00:50:52,049 --> 00:50:55,400
"Hey, where'd you get
that $81 million?",

905
00:50:55,400 --> 00:51:00,318
you could have a paper trail
to show that you won it back.

906
00:51:00,318 --> 00:51:03,103
The hard part
is not stealing the money.

907
00:51:03,103 --> 00:51:06,628
The hard part is moving the
money into a form you can use

908
00:51:06,628 --> 00:51:08,152
without getting caught.

909
00:51:10,241 --> 00:51:15,202
And one method we've seen
for quite a while is gambling.

910
00:51:15,202 --> 00:51:17,074
It was very clear that,

911
00:51:17,074 --> 00:51:20,251
if, at all, there was a place
for you to do that,

912
00:51:20,251 --> 00:51:22,166
it would have been
the Philippines,

913
00:51:22,166 --> 00:51:25,038
because the casinos
are not regulated at all.

914
00:51:27,171 --> 00:51:30,304
It's like a lot of
high-flying gamblers

915
00:51:30,304 --> 00:51:33,307
who'd kind of fly to Manila,

916
00:51:33,307 --> 00:51:37,050
crowd these numerous casinos
in Manila,

917
00:51:37,050 --> 00:51:38,399
lots of money coming in.

918
00:51:38,399 --> 00:51:41,315
People don't question
that kind of money.

919
00:51:41,315 --> 00:51:42,795
I mean, you know...

920
00:51:42,795 --> 00:51:44,753
"Well, as long as
it's coming to us,

921
00:51:44,753 --> 00:51:47,887
we don't bother too much
about where it is coming from."

922
00:51:49,323 --> 00:51:52,283
The thieves knew
if they could get that money

923
00:51:52,283 --> 00:51:55,547
into the casinos,
it would essentially be lost.

924
00:51:56,809 --> 00:51:58,115
What happened was,

925
00:51:58,115 --> 00:52:00,421
the manager from
the Philippines bank,

926
00:52:00,421 --> 00:52:03,381
she was the one who'd opened
those four accounts

927
00:52:03,381 --> 00:52:05,557
using fraudulent IDs.

928
00:52:05,557 --> 00:52:09,952
She got the money withdrawn from
the bank in the Philippines.

929
00:52:11,563 --> 00:52:12,955
From there, it started to go

930
00:52:12,955 --> 00:52:14,566
through something
called Philrem.

931
00:52:14,566 --> 00:52:18,004
It's a bit like a Western Union
in the Philippines,

932
00:52:18,004 --> 00:52:20,180
transferred into pesos.

933
00:52:20,180 --> 00:52:22,487
I don't know
if you've ever used

934
00:52:22,487 --> 00:52:24,010
Philippine pesos before,

935
00:52:24,010 --> 00:52:28,057
but that's one hell
of a lot of pesos, $22 million.

936
00:52:28,057 --> 00:52:33,454
In fact,
it's over one million banknotes.

937
00:52:33,454 --> 00:52:35,630
They actually had
to request that cash

938
00:52:35,630 --> 00:52:38,981
to come from a sister
branch location,

939
00:52:38,981 --> 00:52:40,853
that arrived in boxes.

940
00:52:40,853 --> 00:52:44,422
The bank manager was seen by
one of the other bank employees

941
00:52:44,422 --> 00:52:47,599
collecting those boxes
and literally going outside

942
00:52:47,599 --> 00:52:49,862
and loading them up
into a Lexus.

943
00:52:50,993 --> 00:52:53,344
And that money
was driven away.

944
00:52:59,785 --> 00:53:03,702
So, we're talking stacks
of bills carried in vans

945
00:53:03,702 --> 00:53:07,227
to the Solaire Casino
right by the airport.

946
00:53:07,227 --> 00:53:10,448
It allows the Chinese gamblers
to come off the plane.

947
00:53:10,448 --> 00:53:13,320
Five minutes, they're on
the floor playing baccarat.

948
00:53:16,410 --> 00:53:19,979
The money goes to this place.
It's wheeled in wheelbarrows

949
00:53:19,979 --> 00:53:24,113
across the casino floor
up to this guarded escalator.

950
00:53:35,255 --> 00:53:38,215
There's so much
physical cash involved,

951
00:53:38,215 --> 00:53:41,305
they've enlisted their
own crew of gamblers

952
00:53:41,305 --> 00:53:44,830
to launder the stolen funds.

953
00:53:44,830 --> 00:53:47,093
And they just played baccarat,

954
00:53:47,093 --> 00:53:49,617
all day long.

955
00:53:49,617 --> 00:53:51,140
They had individuals,

956
00:53:51,140 --> 00:53:54,231
mostly appeared to be Chinese
nationals that they had,

957
00:53:54,231 --> 00:53:57,538
I assume, hired to take
those funds and launder them.

958
00:53:57,538 --> 00:54:01,499
You change that cash
into casino chips,

959
00:54:01,499 --> 00:54:03,152
play a few games,

960
00:54:03,152 --> 00:54:04,937
cash in the chips.

961
00:54:04,937 --> 00:54:10,595
And when you get that cash back,
that is then laundered.

962
00:54:10,595 --> 00:54:13,119
And this wouldn't
have been unusual.

963
00:54:13,119 --> 00:54:15,513
This was the Chinese lunar week.

964
00:54:15,513 --> 00:54:18,298
That would've been very common
for individuals,

965
00:54:18,298 --> 00:54:20,561
high rollers, to come
into the Philippines

966
00:54:20,561 --> 00:54:22,868
and play at the casinos
during that time.

967
00:54:22,868 --> 00:54:26,611
Spending $22 million in
a casino over a weekend,

968
00:54:26,611 --> 00:54:28,569
let's face it, could be fun.

969
00:54:32,878 --> 00:54:36,708
Doing this story
and trying to figure out

970
00:54:36,708 --> 00:54:40,407
where in history
to sort of place this thing.

971
00:54:40,407 --> 00:54:43,323
Was this the biggest
heist of all time?

972
00:54:43,323 --> 00:54:47,327
No, but it certainly looked
to be the biggest cyber heist

973
00:54:47,327 --> 00:54:50,243
of a bank in history.

974
00:54:50,243 --> 00:54:54,378
And over the next few days,
I just remember

975
00:54:54,378 --> 00:54:58,425
calling up my sources
at Symantec

976
00:54:58,425 --> 00:55:00,993
and a couple other
cybersecurity firms

977
00:55:00,993 --> 00:55:04,257
and getting in touch with
a guy named Eric Chien.

978
00:55:06,085 --> 00:55:09,131
We have all kinds of
sensors sitting on networks

979
00:55:09,131 --> 00:55:10,785
and computers
all over the world.

980
00:55:10,785 --> 00:55:14,136
Any time some sort of
cyber criminal, some attacker,

981
00:55:14,136 --> 00:55:18,053
is trying to breach a computer,
they're leaving traces behind.

982
00:55:19,577 --> 00:55:23,537
Every attack
has a signature.

983
00:55:23,537 --> 00:55:25,104
If you look at it long enough,

984
00:55:25,104 --> 00:55:27,454
if you study it,
if you work it long enough,

985
00:55:27,454 --> 00:55:29,717
you can understand
the way they do things.

986
00:55:29,717 --> 00:55:31,284
The way they state something,

987
00:55:31,284 --> 00:55:34,461
the way they code
a particular way,

988
00:55:34,461 --> 00:55:39,901
the methodology of the attack,
the step-by-step approaches.

989
00:55:39,901 --> 00:55:42,904
It might be considered
like Sherlock Holmesian

990
00:55:42,904 --> 00:55:44,384
to come up with this idea.

991
00:55:44,384 --> 00:55:46,778
"Because he walks
with a gait this way,

992
00:55:46,778 --> 00:55:48,954
and he does this..."
But it is true.

993
00:55:48,954 --> 00:55:53,262
We see those signatures.
We see those patterns.

994
00:55:54,220 --> 00:55:56,004
What we discovered was,

995
00:55:56,004 --> 00:55:59,443
by looking at the artefacts
that these attackers had used,

996
00:55:59,443 --> 00:56:01,880
the malicious binaries
they had used,

997
00:56:01,880 --> 00:56:03,185
the code inside of it,

998
00:56:03,185 --> 00:56:05,753
as well as the email accounts
that they used

999
00:56:05,753 --> 00:56:07,929
to send the initial
spear-phishing messages,

1000
00:56:07,929 --> 00:56:12,499
we were able to map this back
to an attacker back in 2014.

1001
00:56:15,415 --> 00:56:18,505
Sony Pictures is mainly housed
in Culver City.

1002
00:56:18,505 --> 00:56:20,507
And in 2014,

1003
00:56:20,507 --> 00:56:24,598
Sony Pictures went down,
which was unheard of.

1004
00:56:24,598 --> 00:56:26,078
On that day in November,

1005
00:56:26,078 --> 00:56:28,559
people would have come in,
tried to swipe their badge

1006
00:56:28,559 --> 00:56:30,778
and not even be able
to get into the office.

1007
00:56:30,778 --> 00:56:32,780
They get
into the building finally

1008
00:56:32,780 --> 00:56:35,957
and then they discover that
nothing else is working either.

1009
00:56:35,957 --> 00:56:40,005
Printers aren't working,
computers aren't working.

1010
00:56:40,005 --> 00:56:43,225
People who had laptops
connected to the network

1011
00:56:43,225 --> 00:56:44,966
would have immediately seen

1012
00:56:44,966 --> 00:56:47,926
skulls and crossbones
show up on their screens,

1013
00:56:47,926 --> 00:56:51,016
scrolling with scary
<i>Halloween</i>-type music

1014
00:56:51,016 --> 00:56:52,496
playing in the background.

1015
00:56:52,496 --> 00:56:55,716
And it said,
"Hacked by the GOP."

1016
00:56:55,716 --> 00:56:58,980
Guardians of the Peace.

1017
00:56:58,980 --> 00:57:02,027
A mysterious crew of hackers,

1018
00:57:02,027 --> 00:57:05,987
also known as the Lazarus Group.

1019
00:57:05,987 --> 00:57:08,120
We'd call them
the Lazarus Group.

1020
00:57:08,120 --> 00:57:09,251
They've been responsible

1021
00:57:09,251 --> 00:57:11,123
for many, many attacks
over the years.

1022
00:57:11,123 --> 00:57:13,342
You know, political statements

1023
00:57:13,342 --> 00:57:15,954
and bringing down some
websites in South Korea

1024
00:57:15,954 --> 00:57:20,306
and also the White House in the
United States and the Pentagon.

1025
00:57:20,306 --> 00:57:23,875
Now, at this point,
the penny has dropped.

1026
00:57:23,875 --> 00:57:26,007
Sony has been hacked.

1027
00:57:26,007 --> 00:57:28,662
The hack attack
has had a devastating effect

1028
00:57:28,662 --> 00:57:31,491
on the entertainment company,
with an avalanche of leaks

1029
00:57:31,491 --> 00:57:34,189
revealing personal information
of employees

1030
00:57:34,189 --> 00:57:37,497
and salacious email exchanges
of A-list celebrities.

1031
00:57:37,497 --> 00:57:40,500
They ultimately compromised
Sony Pictures Network,

1032
00:57:40,500 --> 00:57:43,851
got inside
and wiped 10,000 computers.

1033
00:57:43,851 --> 00:57:45,592
On top of that,
they actually stole

1034
00:57:45,592 --> 00:57:48,682
all kinds of documents
and emails from Sony Pictures.

1035
00:57:48,682 --> 00:57:50,815
The hack
on Sony Pictures

1036
00:57:50,815 --> 00:57:53,382
is rocking Hollywood's
very foundation;

1037
00:57:53,382 --> 00:57:56,037
the industry,
warts and all, exposed.

1038
00:57:56,037 --> 00:57:59,258
Initially, we had no link
between the SWIFT attack

1039
00:57:59,258 --> 00:58:01,956
and the Sony Pictures attack.

1040
00:58:01,956 --> 00:58:04,481
But when we were looking
at the malware,

1041
00:58:04,481 --> 00:58:06,395
we found an interesting detail.

1042
00:58:06,395 --> 00:58:09,573
There was a component
called an indexing manager,

1043
00:58:09,573 --> 00:58:13,011
which was saving the logs
during the SWIFT attack

1044
00:58:13,011 --> 00:58:15,492
into an encrypted file.

1045
00:58:15,492 --> 00:58:18,538
The file was encrypted
with a really long key,

1046
00:58:18,538 --> 00:58:22,063
and when we just
googled for the key,

1047
00:58:22,063 --> 00:58:25,284
we found that the same key, exactly,

1048
00:58:25,284 --> 00:58:30,594
was used 18 months earlier
in the Sony Pictures attack.

1049
00:58:31,769 --> 00:58:34,119
This was
the moment we realised

1050
00:58:34,119 --> 00:58:36,077
the Bangladeshi SWIFT attack

1051
00:58:36,077 --> 00:58:39,733
was probably perpetrated
by the Lazarus Group.

1052
00:58:40,691 --> 00:58:42,301
So, who is Lazarus?

1053
00:58:42,301 --> 00:58:43,781
Well, from what we know,

1054
00:58:43,781 --> 00:58:46,740
they're a trans-global
criminal organisation

1055
00:58:46,740 --> 00:58:51,571
that's been trained
at a nation-state level.

1056
00:58:51,571 --> 00:58:55,444
The nation states really started
coming in on a criminal side...

1057
00:58:57,055 --> 00:58:59,231
when sanctions started.

1058
00:58:59,231 --> 00:59:02,277
When we start limiting
the capability of a nation

1059
00:59:02,277 --> 00:59:05,411
to get cash, and we up
the methodology

1060
00:59:05,411 --> 00:59:07,979
to monitor
the way they're getting cash,

1061
00:59:07,979 --> 00:59:11,025
they turn to different approaches.

1062
00:59:11,025 --> 00:59:13,898
So if you're a country
that's under sanction

1063
00:59:13,898 --> 00:59:17,162
and your ability to get funds
has been compromised,

1064
00:59:17,162 --> 00:59:20,121
you may be motivated to
go to the Lazarus Group

1065
00:59:20,121 --> 00:59:23,429
to fix your problem.

1066
00:59:23,429 --> 00:59:25,649
It's like a job for them.
It <i>is</i> a job for them.

1067
00:59:25,649 --> 00:59:27,694
They get recruited.
It's a nine-to-five job.

1068
00:59:27,694 --> 00:59:30,958
They come in, and each
of them has their specialties.

1069
00:59:30,958 --> 00:59:32,351
They have managers,

1070
00:59:32,351 --> 00:59:35,223
they have targets that
they're told to go after.

1071
00:59:35,223 --> 00:59:37,356
When you talk about
nation states,

1072
00:59:37,356 --> 00:59:39,619
obviously,
for your average nation state,

1073
00:59:39,619 --> 00:59:42,927
most cyber offensive campaigns
are under the military.

1074
00:59:42,927 --> 00:59:45,712
It's very similar to how
a military organisation

1075
00:59:45,712 --> 00:59:49,020
would be organised for their
cyber offensive campaigns.

1076
00:59:49,020 --> 00:59:51,457
There is a hotel,
for example, in China

1077
00:59:51,457 --> 00:59:53,590
where they've taken over
multiple floors

1078
00:59:53,590 --> 00:59:55,635
where they essentially
have dormitories.

1079
00:59:55,635 --> 00:59:59,073
They go to sleep in that hotel,
they eat in that hotel,

1080
00:59:59,073 --> 01:00:01,423
and they don't come
out of that hotel.

1081
01:00:01,423 --> 01:00:04,078
They just move from
one room to another,

1082
01:00:04,078 --> 01:00:05,863
hack all day and night.

1083
01:00:08,039 --> 01:00:10,650
And the Lazarus Group
is thought to be made up

1084
01:00:10,650 --> 01:00:13,392
of these state-trained hackers.

1085
01:00:18,745 --> 01:00:21,226
What's amazing about cyber,

1086
01:00:21,226 --> 01:00:23,794
when you talk about
nation states,

1087
01:00:23,794 --> 01:00:27,319
is the cost to entry
is extremely low.

1088
01:00:27,319 --> 01:00:29,713
We have nation states
who have been

1089
01:00:29,713 --> 01:00:33,194
trying to create
nuclear missiles,

1090
01:00:33,194 --> 01:00:35,066
tried to create
a nuclear programme.

1091
01:00:35,066 --> 01:00:36,981
Places like Iran, for example.

1092
01:00:36,981 --> 01:00:41,507
The dollars it costs to do so,
it's extraordinary.

1093
01:00:41,507 --> 01:00:44,684
But if you want to build
a cyber offensive campaign,

1094
01:00:44,684 --> 01:00:46,991
you get two, three,
four, five guys

1095
01:00:46,991 --> 01:00:50,472
and potentially threaten
to disable the power grid

1096
01:00:50,472 --> 01:00:52,039
in some country.

1097
01:00:52,039 --> 01:00:54,476
When you talk about
trying to rob a bank

1098
01:00:54,476 --> 01:00:57,175
or produce illicit drugs
and sell them,

1099
01:00:57,175 --> 01:00:59,830
the amount of people
required on the ground,

1100
01:00:59,830 --> 01:01:01,266
the amount of connections,

1101
01:01:01,266 --> 01:01:03,442
and for the dollars
that you would receive,

1102
01:01:03,442 --> 01:01:04,922
is nothing compared to,

1103
01:01:04,922 --> 01:01:07,446
"Let's get three guys,
break into a bank

1104
01:01:07,446 --> 01:01:10,667
and potentially
transfer $1 billion."

1105
01:01:16,063 --> 01:01:20,502
Back in the VIP room
of the Solaire Casino in Manila,

1106
01:01:20,502 --> 01:01:24,942
the money-laundering operation
is in full flight.

1107
01:01:26,683 --> 01:01:29,729
They just spend hours
upon hours gambling away,

1108
01:01:29,729 --> 01:01:31,296
collecting chips.

1109
01:01:31,296 --> 01:01:33,733
They transfer those chips
back into cold, hard currency.

1110
01:01:33,733 --> 01:01:36,693
You put a hundred
gamblers into the VIP lounge

1111
01:01:36,693 --> 01:01:40,784
playing cash, so maybe the house
has a one or two percent margin.

1112
01:01:40,784 --> 01:01:43,743
But all the rest is untraceable
money that they walk out with.

1113
01:01:43,743 --> 01:01:46,006
What's interesting
about these individuals,

1114
01:01:46,006 --> 01:01:47,704
they weren't interested
in winning.

1115
01:01:47,704 --> 01:01:50,184
They were just interested
in playing.

1116
01:01:50,184 --> 01:01:51,620
If you lose the money,

1117
01:01:51,620 --> 01:01:53,405
the money doesn't go
to the casino,

1118
01:01:53,405 --> 01:01:54,928
it goes to the other players.

1119
01:01:54,928 --> 01:01:58,410
So you can play the table
where the other players are,

1120
01:01:58,410 --> 01:01:59,846
your partners.

1121
01:01:59,846 --> 01:02:02,196
Then you can lose
the dirty money on purpose,

1122
01:02:02,196 --> 01:02:04,024
moving the money
to your partners.

1123
01:02:04,024 --> 01:02:05,678
Now it's cashed out.

1124
01:02:05,678 --> 01:02:09,073
Now it looks like it came from a
great win in a poker tournament

1125
01:02:09,073 --> 01:02:11,640
instead of being stolen
from somewhere.

1126
01:02:11,640 --> 01:02:14,513
So, casinos are a good way
of laundering money.

1127
01:02:14,513 --> 01:02:17,342
Real-world criminals have
done that for decades.

1128
01:02:17,342 --> 01:02:20,606
Online criminals
are doing it today.

1129
01:02:20,606 --> 01:02:23,740
They played for a whole week,
that whole lunar week,

1130
01:02:23,740 --> 01:02:25,698
every day, like workers,

1131
01:02:25,698 --> 01:02:28,309
nine to five, essentially,
in that casino.

1132
01:02:33,358 --> 01:02:36,361
Finally, the Chinese
New Year celebrations

1133
01:02:36,361 --> 01:02:37,884
have come to an end.

1134
01:02:37,884 --> 01:02:42,280
The staff at the RCBC bank
in Manila are back at work.

1135
01:02:44,369 --> 01:02:47,328
Now, the Bangladesh Bank
is still desperately trying

1136
01:02:47,328 --> 01:02:49,417
to put a stop
on any further withdrawals

1137
01:02:49,417 --> 01:02:52,159
from those accounts
in the Bank of the Philippines.

1138
01:02:52,159 --> 01:02:54,509
They've lost
$22 million already,

1139
01:02:54,509 --> 01:02:58,818
but there's still $59 million
left that they can save.

1140
01:02:58,818 --> 01:03:01,865
They're firing message
after message to Manila,

1141
01:03:01,865 --> 01:03:04,737
"Hold all transactions."

1142
01:03:04,737 --> 01:03:07,087
In the Philippines,
they got those messages.

1143
01:03:07,087 --> 01:03:08,567
They got those messages

1144
01:03:08,567 --> 01:03:10,830
as part of many other
transaction messages they got

1145
01:03:10,830 --> 01:03:12,701
that were sitting in
a printer queue

1146
01:03:12,701 --> 01:03:14,051
at the bottom of the stack,

1147
01:03:14,051 --> 01:03:16,357
and ultimately, they never
saw those messages.

1148
01:03:16,357 --> 01:03:20,797
At this point, the fence
gets in touch with the manager

1149
01:03:20,797 --> 01:03:22,799
of the bank in Jupiter Street.

1150
01:03:22,799 --> 01:03:26,672
"Can you please authorise
the transfer of $59 million?"

1151
01:03:26,672 --> 01:03:29,849
She authorises that $59 million.

1152
01:03:29,849 --> 01:03:34,114
It goes straight
to the Solaire Casino.

1153
01:03:34,114 --> 01:03:36,029
More money laundering.

1154
01:03:37,901 --> 01:03:39,424
Five hours later,

1155
01:03:39,424 --> 01:03:44,037
after increasingly urgent calls
from the Bangladesh Bank,

1156
01:03:44,037 --> 01:03:50,000
the manager finally puts a block
on all of the accounts.

1157
01:03:50,000 --> 01:03:52,829
But, really, it's too late.

1158
01:03:52,829 --> 01:03:54,831
The money's gone.

1159
01:03:59,139 --> 01:04:02,273
It's incredible when you think
what the Lazarus Group

1160
01:04:02,273 --> 01:04:05,885
was able to pull off with
just some ones and zeros.

1161
01:04:05,885 --> 01:04:07,756
They guide their bespoke malware

1162
01:04:07,756 --> 01:04:10,020
into the computer network
of a bank,

1163
01:04:10,020 --> 01:04:11,717
and then a year later,

1164
01:04:11,717 --> 01:04:15,025
they're literally washing
$100 million

1165
01:04:15,025 --> 01:04:17,331
through a casino
in the Philippines.

1166
01:04:17,331 --> 01:04:19,856
It's astonishing.

1167
01:04:19,856 --> 01:04:22,336
But what's really, really scary

1168
01:04:22,336 --> 01:04:25,687
is what happened
just a year later.

1169
01:04:27,428 --> 01:04:29,561
Now back to
the major cyber-attack,

1170
01:04:29,561 --> 01:04:34,087
the ransomware crippling 200,000
computers in 150 countries.

1171
01:04:34,087 --> 01:04:37,699
The thousands of targets all
received this ominous message

1172
01:04:37,699 --> 01:04:39,745
in English on their screens:

1173
01:04:49,276 --> 01:04:54,151
Everyone was basically locked up
with this malware

1174
01:04:54,151 --> 01:04:58,329
that we discovered had been
launched by the same attackers

1175
01:04:58,329 --> 01:05:01,158
as the Central Bank
of Bangladesh.

1176
01:05:01,158 --> 01:05:03,377
So they design this malware,

1177
01:05:03,377 --> 01:05:05,989
and then they lose
control of it entirely.

1178
01:05:05,989 --> 01:05:08,121
And that caused chaos.

1179
01:05:08,121 --> 01:05:11,385
Ambulances were
diverted to other hospitals.

1180
01:05:11,385 --> 01:05:14,823
Patients were turned away,
their operations cancelled.

1181
01:05:14,823 --> 01:05:17,696
You know,
the first sign that something

1182
01:05:17,696 --> 01:05:21,961
was seriously wrong was when
hospitals in the United Kingdom

1183
01:05:21,961 --> 01:05:24,529
started telling patients,
"Don't come."

1184
01:05:24,529 --> 01:05:28,533
That their systems had been
locked up with ransomware.

1185
01:05:28,533 --> 01:05:33,625
It's unclear if it was
accidentally released too early,

1186
01:05:33,625 --> 01:05:35,018
it appears so,

1187
01:05:35,018 --> 01:05:37,890
or if it was
designed not to work

1188
01:05:37,890 --> 01:05:41,241
and just begin wiping computers,
because it didn't matter.

1189
01:05:41,241 --> 01:05:44,157
Even if you paid them, you would
not get the decryption key.

1190
01:05:44,157 --> 01:05:45,985
They didn't have
the decryption key.

1191
01:05:45,985 --> 01:05:48,118
They couldn't decrypt your files anymore.

1192
01:05:48,118 --> 01:05:50,816
Japan, Turkey
and the Philippines

1193
01:05:50,816 --> 01:05:54,733
were also affected.
In the US, FedEx was hit.

1194
01:05:54,733 --> 01:05:59,694
That virulent virus
spiralled out of control.

1195
01:05:59,694 --> 01:06:04,047
In Germany, it attacked the
network of the Deutsche Bahn,

1196
01:06:04,047 --> 01:06:05,439
German Railway.

1197
01:06:05,439 --> 01:06:09,400
In Spain,
WannaCry hit Telefonica,

1198
01:06:09,400 --> 01:06:12,359
the biggest telecommunications company.

1199
01:06:12,359 --> 01:06:16,537
It hit the banking systems,
and ATMs didn't work.

1200
01:06:16,537 --> 01:06:21,847
This thing was hitting companies
in something like 150 countries.

1201
01:06:21,847 --> 01:06:23,588
Other targets in the US

1202
01:06:23,588 --> 01:06:26,025
include Merck Pharmaceutical
in New Jersey.

1203
01:06:26,025 --> 01:06:28,810
Even the company that makes
Oreo cookies may have been hit.

1204
01:06:28,810 --> 01:06:32,945
So, you had the health
service, you had transport,

1205
01:06:32,945 --> 01:06:36,470
you had communications,
you had the finance system,

1206
01:06:36,470 --> 01:06:37,906
and you had governance

1207
01:06:37,906 --> 01:06:42,824
all with one tiny piece
of crappy malware, WannaCry.

1208
01:06:42,824 --> 01:06:44,130
In other attacks,

1209
01:06:44,130 --> 01:06:46,002
they have to send you
a spear-phishing email,

1210
01:06:46,002 --> 01:06:48,047
trick you into double-clicking
on an attachment.

1211
01:06:48,047 --> 01:06:50,180
In this case, your computer
just had to be on,

1212
01:06:50,180 --> 01:06:51,485
connected to the internet,

1213
01:06:51,485 --> 01:06:54,053
and it would have got infected
by WannaCry.

1214
01:06:54,053 --> 01:06:57,274
It succeeded because
the crappy malware

1215
01:06:57,274 --> 01:07:00,407
was being infiltrated
into the systems

1216
01:07:00,407 --> 01:07:03,193
on the back
of a much more powerful tool

1217
01:07:03,193 --> 01:07:04,803
called EternalBlue,

1218
01:07:04,803 --> 01:07:08,459
which had been developed by
the National Security Agency

1219
01:07:08,459 --> 01:07:10,417
in the United States.

1220
01:07:10,417 --> 01:07:12,637
The thing the NSA
never wanted to talk about

1221
01:07:12,637 --> 01:07:15,640
was the fact that it was
travelling on a digital missile

1222
01:07:15,640 --> 01:07:19,426
that had been built
at its own intelligence agency.

1223
01:07:19,426 --> 01:07:22,560
They repurposed something
created by the US government,

1224
01:07:22,560 --> 01:07:24,170
leaked
by the Russian government,

1225
01:07:24,170 --> 01:07:26,825
put it into their ransomware
that allowed it to spread

1226
01:07:26,825 --> 01:07:30,742
all over the world,
any computer on at that time.

1227
01:07:30,742 --> 01:07:34,006
So one crappy piece
of malware

1228
01:07:34,006 --> 01:07:36,878
can hit every single aspect

1229
01:07:36,878 --> 01:07:39,142
of the critical national infrastructure

1230
01:07:39,142 --> 01:07:42,971
within the space
of about ten days

1231
01:07:42,971 --> 01:07:44,886
in different countries.

1232
01:07:57,508 --> 01:08:00,728
Eventually, there's a court case
after about a month.

1233
01:08:00,728 --> 01:08:03,601
There's a court case in Manila.

1234
01:08:03,601 --> 01:08:06,908
Ultimately, the bank manager
didn't want anyone to find out.

1235
01:08:06,908 --> 01:08:08,388
But when he finally got in touch

1236
01:08:08,388 --> 01:08:10,825
with the Bank
of the Philippines, they said,

1237
01:08:10,825 --> 01:08:12,827
"If you need this money returned,

1238
01:08:12,827 --> 01:08:15,700
you need to get a court order."
So he files a court order,

1239
01:08:15,700 --> 01:08:18,006
but court orders are public
in the Philippines,

1240
01:08:18,006 --> 01:08:19,573
like in many other countries.

1241
01:08:19,573 --> 01:08:22,576
A reporter spots it and realises
that this has happened,

1242
01:08:22,576 --> 01:08:25,101
publishes it in a newspaper,
and it all comes out.

1243
01:08:25,101 --> 01:08:28,016
The $81 million
money-laundering scandal

1244
01:08:28,016 --> 01:08:31,672
is now considered one of
the biggest bank heists in Asia.

1245
01:08:31,672 --> 01:08:33,805
But how exactly
did thieves steal

1246
01:08:33,805 --> 01:08:35,981
such a huge amount of money?

1247
01:08:35,981 --> 01:08:37,461
Not just known
in the Philippines

1248
01:08:37,461 --> 01:08:38,679
and the Bank of Bangladesh,

1249
01:08:38,679 --> 01:08:40,377
when the Bangladesh
government finds out

1250
01:08:40,377 --> 01:08:42,901
the bank manager has been
doing this behind the scenes,

1251
01:08:42,901 --> 01:08:44,337
but the whole world finds out.

1252
01:08:44,337 --> 01:08:46,774
And ultimately,
the Bangladesh Bank

1253
01:08:46,774 --> 01:08:48,863
needs to get assistance
from the FBI.

1254
01:08:48,863 --> 01:08:52,171
The New York Fed is involved.
The United States is involved.

1255
01:08:52,171 --> 01:08:54,304
This becomes
a whole worldwide issue

1256
01:08:54,304 --> 01:08:57,220
and begins to ripple across
the financial industry

1257
01:08:57,220 --> 01:08:58,743
that this was even possible.

1258
01:08:58,743 --> 01:09:00,527
Experts believe that hackers

1259
01:09:00,527 --> 01:09:04,183
were able to break into the
New York Federal Reserve's

1260
01:09:04,183 --> 01:09:06,403
special account for Bangladesh,

1261
01:09:06,403 --> 01:09:09,754
getting away with $81 million.

1262
01:09:09,754 --> 01:09:13,236
Now, Bangladesh's Central Bank
governor, Atiur Rahman,

1263
01:09:13,236 --> 01:09:16,935
has resigned after hackers stole
tens of millions of dollars

1264
01:09:16,935 --> 01:09:19,198
from the nation's
foreign reserves.

1265
01:09:19,198 --> 01:09:23,159
The bank was criticised for
its handling of the breach...

1266
01:09:23,159 --> 01:09:26,162
The governor was
an excellent central banker.

1267
01:09:26,162 --> 01:09:27,902
I have a lot of respect for him.

1268
01:09:27,902 --> 01:09:32,298
He was deemed one of the top
bankers by the Asia <i>MoneyWeek.</i>

1269
01:09:32,298 --> 01:09:34,126
And poor fellow, that time,

1270
01:09:34,126 --> 01:09:36,737
he was faced with
this sort of scenario

1271
01:09:36,737 --> 01:09:39,827
which he honestly
didn't understand.

1272
01:09:39,827 --> 01:09:42,787
He had really pushed
the financial system

1273
01:09:42,787 --> 01:09:45,529
in Bangladesh into
the 21st century.

1274
01:09:45,529 --> 01:09:48,575
He had to essentially fall
on his sword and resign

1275
01:09:48,575 --> 01:09:51,404
in disgrace,
and his career was ruined.

1276
01:09:51,404 --> 01:09:54,190
Many others at the bank
had to resign as well.

1277
01:09:54,190 --> 01:09:57,758
An emotional Maia Deguito,
the manager of the RCBC branch

1278
01:09:57,758 --> 01:10:01,153
in Jupiter Street in Makati,
insists she is innocent

1279
01:10:01,153 --> 01:10:02,763
in the face of accusations

1280
01:10:02,763 --> 01:10:05,636
she is involved in the
money-laundering scheme.

1281
01:10:05,636 --> 01:10:08,247
So far, only the branch manager

1282
01:10:08,247 --> 01:10:11,468
has been charged by the
Anti-Money Laundering Council.

1283
01:10:11,468 --> 01:10:14,384
One of the great
injustices of this whole scandal

1284
01:10:14,384 --> 01:10:17,343
is that the only person who
got convicted of anything

1285
01:10:17,343 --> 01:10:18,953
was Maia Deguito,

1286
01:10:18,953 --> 01:10:22,696
and she was just the mid-level
branch manager of the RCBC,

1287
01:10:22,696 --> 01:10:26,874
the bank in the Philippines
that received the actual funds.

1288
01:10:26,874 --> 01:10:28,180
Typical, isn't it?

1289
01:10:28,180 --> 01:10:30,965
A crime that was conceived
and carried out

1290
01:10:30,965 --> 01:10:32,402
by a whole bunch of men,

1291
01:10:32,402 --> 01:10:35,535
and the only person who
gets done for it is a woman

1292
01:10:35,535 --> 01:10:38,538
who probably wasn't that
guilty in the first place.

1293
01:10:38,538 --> 01:10:41,802
But she received a sentence
of 56 years in jail

1294
01:10:41,802 --> 01:10:44,979
and a fine of $109 million,

1295
01:10:44,979 --> 01:10:49,506
which is significantly more
than the thieves actually stole.

1296
01:10:50,985 --> 01:10:52,291
To my mind,

1297
01:10:52,291 --> 01:10:54,424
there's no question
that she was a scapegoat.

1298
01:10:54,424 --> 01:10:58,297
I mean, the currency traders
who turned that $81 million

1299
01:10:58,297 --> 01:11:01,300
into pesos got off scot-free.

1300
01:11:01,300 --> 01:11:03,737
There are a couple of
Chinese operators

1301
01:11:03,737 --> 01:11:06,566
who brought these gamblers
in from China.

1302
01:11:06,566 --> 01:11:10,396
We know that they received tens
of millions of dollars in cash.

1303
01:11:10,396 --> 01:11:15,314
They vanished back to Macau.
No trace of them was ever found.

1304
01:11:15,314 --> 01:11:17,751
We can't say for sure,
but certainly it looks like

1305
01:11:17,751 --> 01:11:20,798
people at the Rizal Bank headquarters

1306
01:11:20,798 --> 01:11:23,888
buried these requests
to stop these transactions.

1307
01:11:23,888 --> 01:11:27,239
But nobody else at the Rizal
Bank was ever accused.

1308
01:11:27,239 --> 01:11:31,199
Oddly enough, in this giant
scheme that involved

1309
01:11:31,199 --> 01:11:34,986
a half a dozen countries,
nearly $1 billion,

1310
01:11:34,986 --> 01:11:40,208
only one bank employee
in a small branch in Manila

1311
01:11:40,208 --> 01:11:42,646
was ever convicted of
doing anything wrong.

1312
01:11:42,646 --> 01:11:46,040
It's incredible. Total impunity.

1313
01:11:52,395 --> 01:11:54,788
I think the most
important lesson

1314
01:11:54,788 --> 01:11:57,878
of the Bangladesh Bank

1315
01:11:57,878 --> 01:11:59,880
is a lesson of scale.

1316
01:11:59,880 --> 01:12:01,882
The internet is
a fantastic thing.

1317
01:12:01,882 --> 01:12:04,320
It's made our world
much, much smaller.

1318
01:12:04,320 --> 01:12:07,061
You can do all sorts of things.
It's fantastic.

1319
01:12:07,061 --> 01:12:08,933
But that interconnectivity,

1320
01:12:08,933 --> 01:12:11,805
where everything
is linked to everything else,

1321
01:12:11,805 --> 01:12:15,418
means that if you get bad actors
in that system,

1322
01:12:15,418 --> 01:12:17,245
then the damage

1323
01:12:17,245 --> 01:12:22,076
is infinitely more immense
than it was before.

1324
01:12:23,687 --> 01:12:25,993
When I started this job
two decades ago,

1325
01:12:25,993 --> 01:12:29,083
you had to explain to people,
what is a virus?

1326
01:12:29,083 --> 01:12:31,042
What is a cyber-attack?

1327
01:12:31,042 --> 01:12:33,392
Today, we don't talk about

1328
01:12:33,392 --> 01:12:36,439
making sure this file doesn't
get deleted any more.

1329
01:12:36,439 --> 01:12:40,573
We literally talk about making
sure the supply chain is up,

1330
01:12:40,573 --> 01:12:42,619
food can reach people's tables.

1331
01:12:42,619 --> 01:12:45,665
Our job is not just to protect
people's computers.

1332
01:12:45,665 --> 01:12:49,060
Our job is to ensure
society is up and running.

1333
01:12:49,060 --> 01:12:52,063
Everything
that we use now,

1334
01:12:52,063 --> 01:12:53,978
water, electricity,

1335
01:12:53,978 --> 01:12:56,937
the financial system,
the comms system,

1336
01:12:56,937 --> 01:12:58,548
depends on the integrity

1337
01:12:58,548 --> 01:13:03,683
of unbelievably complex
networked computer systems.

1338
01:13:03,683 --> 01:13:07,992
And our dependence
is becoming such

1339
01:13:07,992 --> 01:13:10,386
that, should anything go wrong,

1340
01:13:10,386 --> 01:13:13,171
be it a technical hitch
or be it a hack,

1341
01:13:13,171 --> 01:13:17,131
it can actually lead
to our lives grinding to a halt

1342
01:13:17,131 --> 01:13:19,525
in a very short space of time.

1343
01:13:20,483 --> 01:13:22,136
We're sort of in a state

1344
01:13:22,136 --> 01:13:24,617
where we're increasing
our vulnerability

1345
01:13:24,617 --> 01:13:27,359
and our attack surface
every single day.

1346
01:13:27,359 --> 01:13:29,796
And instead of pausing

1347
01:13:29,796 --> 01:13:32,799
and thinking about
how to lock up our power grid,

1348
01:13:32,799 --> 01:13:37,848
really, where our energy has
been focused is on escalation.

1349
01:13:37,848 --> 01:13:41,373
Countries like the United
States, China and Russia

1350
01:13:41,373 --> 01:13:44,550
have already arrogated
the right to themselves

1351
01:13:44,550 --> 01:13:47,335
to attack with full force,

1352
01:13:47,335 --> 01:13:50,034
whether cyber
or conventional weapons,

1353
01:13:50,034 --> 01:13:51,905
against anyone who brings down

1354
01:13:51,905 --> 01:13:56,519
a serious piece of critical
national infrastructure.

1355
01:13:56,519 --> 01:14:01,480
We've had Stuxnet blowing
up the Natanz centrifuge plant.

1356
01:14:01,480 --> 01:14:04,962
We've had ransomware attacks,
which hit the Eastern Seaboard.

1357
01:14:04,962 --> 01:14:07,007
There was no gas
to the Eastern Seaboard

1358
01:14:07,007 --> 01:14:09,619
for a whole week
in the United States.

1359
01:14:09,619 --> 01:14:11,751
We had Russia
against the Ukraine,

1360
01:14:11,751 --> 01:14:14,537
shutting out the power
in the middle of winter.

1361
01:14:14,537 --> 01:14:17,453
We're talking about
people losing their lives.

1362
01:14:17,453 --> 01:14:19,019
We've also had cyber-attacks

1363
01:14:19,019 --> 01:14:21,413
that potentially affected
US elections.

1364
01:14:21,413 --> 01:14:23,763
We had the healthcare in the UK
brought down,

1365
01:14:23,763 --> 01:14:25,939
dialysis machines
no longer working.

1366
01:14:25,939 --> 01:14:29,421
This is an extremely
fragile situation,

1367
01:14:29,421 --> 01:14:33,599
much more fragile
than the period of détente,

1368
01:14:33,599 --> 01:14:37,255
because so many more
countries have these weapons.

1369
01:14:37,255 --> 01:14:41,389
Malware is much more difficult
to control than nuclear weapons.

1370
01:14:41,389 --> 01:14:44,871
People always warn me
of the cyber Pearl Harbor

1371
01:14:44,871 --> 01:14:47,091
or the cyber 9/11,

1372
01:14:47,091 --> 01:14:49,746
but it's almost worse than that.

1373
01:14:49,746 --> 01:14:53,619
Every day, there are thousands
of cyber-attacks,

1374
01:14:53,619 --> 01:14:58,232
and we're just getting more and
more and more inured to them.

1375
01:14:59,016 --> 01:15:00,887
It's like a plague.

1376
01:15:00,887 --> 01:15:05,152
I think we'll see much
more hostile cyber activity,

1377
01:15:05,152 --> 01:15:07,851
much more cyber bank robberies,

1378
01:15:07,851 --> 01:15:09,983
much more cyber espionage.

1379
01:15:09,983 --> 01:15:13,030
We'll see much more cyber war.

1380
01:15:13,030 --> 01:15:15,815
In many ways,
I think we've seen nothing yet.

1381
01:15:15,815 --> 01:15:19,253
As attacks increase
in their sophistication

1382
01:15:19,253 --> 01:15:21,386
and their range,

1383
01:15:21,386 --> 01:15:25,346
then the impact
can be ever greater.

1384
01:15:25,346 --> 01:15:29,873
There is a cyber-attack on
critical national infrastructure

1385
01:15:29,873 --> 01:15:31,744
coming to a place near you

1386
01:15:31,744 --> 01:15:35,269
within the next
five to ten years.

1387
01:15:35,269 --> 01:15:38,708
If it's done well,
and if it's really malicious,

1388
01:15:38,708 --> 01:15:41,232
that could be catastrophic.

1389
01:15:43,016 --> 01:15:47,586
What's amazing about the
Bank of Bangladesh heist is...

1390
01:15:47,586 --> 01:15:51,285
they almost walked away
with $1 billion.

1391
01:15:54,071 --> 01:15:56,203
The mistakes that they made

1392
01:15:56,203 --> 01:15:59,990
that led to them only walking
with $81 million

1393
01:15:59,990 --> 01:16:02,862
were literally a typo in a name

1394
01:16:02,862 --> 01:16:05,082
and potentially
not being patient enough,

1395
01:16:05,082 --> 01:16:06,562
waiting just one more hour.

1396
01:16:06,562 --> 01:16:09,913
We could be telling
a completely different story.

1397
01:16:09,913 --> 01:16:11,828
Presumably, these guys

1398
01:16:11,828 --> 01:16:15,309
kept perhaps 95 percent
of that cash.

1399
01:16:15,309 --> 01:16:16,528
You could walk out

1400
01:16:16,528 --> 01:16:18,399
with 95 percent
of what you came in with,

1401
01:16:18,399 --> 01:16:21,838
have nobody trace that money,
no record of it whatsoever,

1402
01:16:21,838 --> 01:16:26,233
and get on a plane with it,
and you're home free.

1403
01:16:26,233 --> 01:16:30,760
Even if you had invested
a year's work,

1404
01:16:30,760 --> 01:16:35,460
that you had recruited
a really decent set of hackers,

1405
01:16:35,460 --> 01:16:39,899
that you had corrupted
bank officials,

1406
01:16:39,899 --> 01:16:43,947
you'll be looking at a profit
of about $75 million.

1407
01:16:43,947 --> 01:16:47,037
For a year's work,
not a bad pay-off.

1408
01:16:49,126 --> 01:16:52,999
The Bank of Bangladesh heist
showed them what was possible.

1409
01:16:54,392 --> 01:16:56,742
They proved that
they could do it.

1410
01:17:01,617 --> 01:17:03,662
After that attack,
it didn't stop.

1411
01:17:03,662 --> 01:17:07,840
We saw continued attacks
on various banks across Asia,

1412
01:17:07,840 --> 01:17:10,451
I think in
the Philippines again.

1413
01:17:10,451 --> 01:17:14,673
And also, they started hacking
the cryptocurrency exchanges,

1414
01:17:14,673 --> 01:17:18,546
where people store their Bitcoin
and Monero digital currency,

1415
01:17:18,546 --> 01:17:21,724
which has proved to be
incredibly lucrative for them.

1416
01:17:23,726 --> 01:17:25,684
In 2017,
Lazarus was thought

1417
01:17:25,684 --> 01:17:27,338
to have successfully attacked

1418
01:17:27,338 --> 01:17:31,995
at least five Asian
cryptocurrency exchanges.

1419
01:17:31,995 --> 01:17:37,827
That's a total of
$571 million that was lost.

1420
01:17:37,827 --> 01:17:41,134
Cryptocurrency exchanges
just have the bare minimum

1421
01:17:41,134 --> 01:17:43,659
of security, we're learning now.

1422
01:17:43,659 --> 01:17:46,923
In 2020, as the global
pandemic spiralled,

1423
01:17:46,923 --> 01:17:50,143
AstraZeneca, makers of
one of the key vaccines,

1424
01:17:50,143 --> 01:17:53,538
was hit by an attack,
extorting the company

1425
01:17:53,538 --> 01:17:56,846
and stealing sensitive
information for profit.

1426
01:17:58,064 --> 01:18:00,632
The sums involved
are astronomical,

1427
01:18:00,632 --> 01:18:03,940
and Lazarus is still
very much at large.

1428
01:18:06,246 --> 01:18:11,774
They have been designated
by the United States an APT;

1429
01:18:11,774 --> 01:18:13,863
that's an
advanced persistent threat.

1430
01:18:13,863 --> 01:18:16,692
Now, the fundamental criteria

1431
01:18:16,692 --> 01:18:20,478
is that they represent a threat

1432
01:18:20,478 --> 01:18:24,612
to US national security
and national infrastructure.

1433
01:18:24,612 --> 01:18:28,486
So, just by dint of it
being called an APT

1434
01:18:28,486 --> 01:18:33,404
means that the Lazarus Group
is serious stuff.

1435
01:18:33,404 --> 01:18:35,623
Marvel fans,
think HYDRA.

1436
01:18:35,623 --> 01:18:38,801
James Bond films,
think of SPECTRE.

1437
01:18:38,801 --> 01:18:40,237
It's something like that.

1438
01:18:43,762 --> 01:18:47,635
Now, it's tempting to
think this comparison is absurd,

1439
01:18:47,635 --> 01:18:51,074
but this is the scale
that Lazarus operates on.

1440
01:18:51,074 --> 01:18:54,294
Arguably, they're the most
potent cyber criminals

1441
01:18:54,294 --> 01:18:56,427
in business today.

1442
01:18:56,427 --> 01:19:00,300
So the nation state's
involvement in cybercrime

1443
01:19:00,300 --> 01:19:02,955
means that cybercrime
has actually morphed

1444
01:19:02,955 --> 01:19:05,653
into cyber warfare.

1445
01:19:05,653 --> 01:19:08,613
You can have zero trust
in these systems.

1446
01:19:08,613 --> 01:19:12,095
You need to assume that
everything has been broken,

1447
01:19:12,095 --> 01:19:14,010
everything is being listened to,

1448
01:19:14,010 --> 01:19:17,274
that everything can be captured,
and operate accordingly.

1449
01:19:19,580 --> 01:19:22,453
If a small group
can plan something

1450
01:19:22,453 --> 01:19:25,499
and get away with $81 million,

1451
01:19:25,499 --> 01:19:27,937
which involved
the Fed in New York,

1452
01:19:27,937 --> 01:19:29,765
SWIFT in Brussels,

1453
01:19:29,765 --> 01:19:32,550
the Bangladeshi Bank in Dhaka,

1454
01:19:32,550 --> 01:19:36,032
and then all the peripherals
in Manila,

1455
01:19:36,032 --> 01:19:40,427
just think about what one of the
really professional operations

1456
01:19:40,427 --> 01:19:42,560
in China, Russia,

1457
01:19:42,560 --> 01:19:44,518
the NSA, GCHQ,

1458
01:19:44,518 --> 01:19:48,871
just think what havoc
they could wreak.

1459
01:19:48,871 --> 01:19:52,613
And every year, the hacks get
bigger, the damage greater,

1460
01:19:52,613 --> 01:19:54,702
the implications graver.

1461
01:19:56,139 --> 01:20:00,447
Armies literally have hackers
hammering at the gates.

1462
01:20:00,447 --> 01:20:02,710
And it just takes
a simple breach,

1463
01:20:02,710 --> 01:20:05,583
one person, one weak link,

1464
01:20:05,583 --> 01:20:08,238
and those armies
will storm the defences

1465
01:20:08,238 --> 01:20:12,851
and bring down a network
that our way of life depends on.

1466
01:20:12,851 --> 01:20:15,593
It happened in Bangladesh
in 2016.

1467
01:20:15,593 --> 01:20:21,033
And believe you me, it's going
to happen again very soon.
