3
00:00:52,182 --> 00:00:53,357
[BUTTON CLICKS]

4
00:00:54,402 --> 00:00:56,404
[KEYBOARD KEYS CLICK]

5
00:00:58,188 --> 00:01:00,016
[ELECTRONIC WHIRRING]

6
00:01:09,373 --> 00:01:10,809
[MUEZZIN CALLS]

7
00:01:10,809 --> 00:01:12,115
MAN 1: It's Friday,

8
00:01:12,115 --> 00:01:15,423
and it is, of course,
the Muslim prayer day.

9
00:01:15,423 --> 00:01:18,513
Everyone's off,
except for the skeleton staff

10
00:01:18,513 --> 00:01:20,645
at the Bangladeshi Bank,

11
00:01:20,645 --> 00:01:24,562
including Zubair Bin Huda,
who is the duty manager.

12
00:01:24,562 --> 00:01:26,086
[ELECTRONIC CHIRPING]

13
00:01:27,870 --> 00:01:31,395
MAN 2: He's part of
the elite team of employees

14
00:01:31,395 --> 00:01:35,095
who run
the SWIFT banking system,

15
00:01:35,095 --> 00:01:38,663
which is a highly secure
banking system

16
00:01:38,663 --> 00:01:41,318
that sends money
around the world.

17
00:01:43,538 --> 00:01:47,281
Now, Bin Huda goes,
as he does every day,

18
00:01:47,281 --> 00:01:49,152
to the SWIFT printer

19
00:01:49,152 --> 00:01:53,374
to check up on the transactions
from the day before.

20
00:01:53,374 --> 00:01:56,159
MAN 2:
There are usually printouts

21
00:01:56,159 --> 00:01:58,422
of transactions
that came in overnight.

22
00:01:58,422 --> 00:02:02,774
The SWIFT software would print
out a ledger every single day,

23
00:02:02,774 --> 00:02:06,952
an audit trace of every single
transaction that occurred

24
00:02:06,952 --> 00:02:08,693
on paper.

25
00:02:08,693 --> 00:02:11,392
MAN 4: But when they came in
on February 5th morning,

26
00:02:11,392 --> 00:02:12,871
as they usually do,

27
00:02:12,871 --> 00:02:15,744
they found there were
no SWIFT messages at all.

28
00:02:15,744 --> 00:02:20,009
In fact, the printer's
shut down. It won't work.

29
00:02:20,009 --> 00:02:21,358
They try and turn it on.

30
00:02:21,358 --> 00:02:25,188
Nothing will kick it
back into life.

31
00:02:25,188 --> 00:02:28,148
He assumes it was simply
a technical error,

32
00:02:28,148 --> 00:02:30,193
shrugs, goes home for the night,

33
00:02:30,193 --> 00:02:32,282
comes back in
on Saturday morning

34
00:02:32,282 --> 00:02:34,502
to check the system again.

35
00:02:35,677 --> 00:02:36,939
MAN 5: The next day,

36
00:02:36,939 --> 00:02:40,160
they somehow manually
get the printer to work.

37
00:02:40,160 --> 00:02:42,466
This deputy head manager
walks in the room,

38
00:02:42,466 --> 00:02:46,122
the printer starts working, and
these weird messages come out.

39
00:02:46,122 --> 00:02:49,560
MAN 1: The printer
starts spewing out

40
00:02:49,560 --> 00:02:51,736
all of these transactions,

41
00:02:51,736 --> 00:02:56,306
including individual requests
to the Fed in New York

42
00:02:56,306 --> 00:02:59,353
for $1 billion.

43
00:03:01,268 --> 00:03:04,880
At that moment,
it's panic stations.

44
00:03:10,712 --> 00:03:12,757
[SIRENS WAIL]

45
00:03:22,637 --> 00:03:23,638
[CAR HORN BLARES]

46
00:03:24,465 --> 00:03:26,075
[MODEM DIALS]

47
00:03:36,738 --> 00:03:40,132
[KEYBOARD KEYS CLICK]

48
00:03:44,789 --> 00:03:50,230
When I was growing up,
the biggest crime in Britain

49
00:03:50,230 --> 00:03:52,319
ever recorded
was the Great Train Robbery.

50
00:03:52,319 --> 00:03:56,366
It was an extraordinary thing.
They stole about £2.5 million.

51
00:03:56,366 --> 00:03:58,760
That's about $4 million.

52
00:03:58,760 --> 00:04:04,244
And that story
ran literally for 30 years.

53
00:04:05,245 --> 00:04:06,768
Four million dollars.

54
00:04:07,856 --> 00:04:10,293
What you're about to hear

55
00:04:10,293 --> 00:04:14,036
is the story of an attempt
to steal...

56
00:04:15,037 --> 00:04:17,518
a billion dollars.

57
00:04:18,475 --> 00:04:20,434
It's told by world-leading

58
00:04:20,434 --> 00:04:23,959
cybersecurity and legal experts
and journalists:

59
00:04:23,959 --> 00:04:26,309
the very people
who uncovered the facts

60
00:04:26,309 --> 00:04:27,919
and threaded them together

61
00:04:27,919 --> 00:04:32,489
to reveal how dangerous the
world of cybercrime is today.

62
00:04:47,199 --> 00:04:49,898
[DOG BARKS]

63
00:04:49,898 --> 00:04:53,336
MISHA:
So, there are four big threats

64
00:04:53,336 --> 00:04:57,471
to the world
and to the human race.

65
00:04:57,471 --> 00:04:59,603
One of them
we've just experienced,

66
00:04:59,603 --> 00:05:01,736
that's the pandemic.

67
00:05:01,736 --> 00:05:04,826
Then you've got weapons
of mass destruction.

68
00:05:04,826 --> 00:05:08,220
You've got climate change.

69
00:05:08,220 --> 00:05:13,965
But barrelling down towards us
before those is cyber.

70
00:05:18,666 --> 00:05:20,537
[KEYBOARD KEYS CLICK]

71
00:05:24,498 --> 00:05:25,934
This is the possibility

72
00:05:25,934 --> 00:05:30,068
of our overdependency
on network technologies

73
00:05:30,068 --> 00:05:34,943
being undermined, either by
malfunctioning of the system...

74
00:05:34,943 --> 00:05:36,597
NEWSCASTER:
New problems are emerging

75
00:05:36,597 --> 00:05:39,164
the day after an Amazon
web service outage.

76
00:05:39,164 --> 00:05:42,254
Massive and mysterious,
a global outage...

77
00:05:42,254 --> 00:05:45,214
...or by a targeted attack.

78
00:05:45,214 --> 00:05:47,129
NEWSCASTER:
More than a thousand companies

79
00:05:47,129 --> 00:05:49,305
have been crippled
by this attack so far.

80
00:05:49,305 --> 00:05:52,264
Sounds like we're looking
at a 2022 with more hacks,

81
00:05:52,264 --> 00:05:53,570
more lost money.

82
00:05:54,354 --> 00:05:57,095
[MODEMS DIAL]

83
00:05:59,924 --> 00:06:04,233
So, when I started hunting
hackers in the early 1990s...

84
00:06:05,452 --> 00:06:07,671
our enemy was really simple.

85
00:06:07,671 --> 00:06:10,152
All the malware,
all the viruses,

86
00:06:10,152 --> 00:06:13,111
all the attacks were
done by teenage boys.

87
00:06:13,111 --> 00:06:15,462
REPORTER:
What will your parents think?

88
00:06:17,594 --> 00:06:20,815
I've been doing this job
for two decades now.

89
00:06:24,253 --> 00:06:25,472
When we first started,

90
00:06:25,472 --> 00:06:27,909
the people writing viruses
and malware

91
00:06:27,909 --> 00:06:29,476
were doing it for fun,

92
00:06:29,476 --> 00:06:32,392
to get their name in lights,
to say, "Look what I can do."

93
00:06:32,392 --> 00:06:34,655
No flash, please.

94
00:06:34,655 --> 00:06:37,788
When I started analysing
viruses, they looked like this.

95
00:06:37,788 --> 00:06:41,052
Malware was still spread
on floppy disks.

96
00:06:41,052 --> 00:06:44,708
They were spreading at the speed
of people travelling the world

97
00:06:44,708 --> 00:06:47,102
and carrying the viruses
with them.

98
00:06:47,102 --> 00:06:50,540
[IN GERMAN] Michelangelo has
proven less harmful than feared.

99
00:06:50,540 --> 00:06:53,108
All the stuff you've got
in there you may really want,

100
00:06:53,108 --> 00:06:54,414
it's just gone?

101
00:06:54,414 --> 00:06:56,459
Then the internet came around,
and suddenly,

102
00:06:56,459 --> 00:06:59,331
malware outbreaks could
go around the world in seconds.

103
00:06:59,331 --> 00:07:00,942
For the last 36 hours,

104
00:07:00,942 --> 00:07:04,685
the ILOVEYOU virus has been
creating havoc around the world.

105
00:07:04,685 --> 00:07:08,166
Experts have reason to worry.
The first attack, July 19th,

106
00:07:08,166 --> 00:07:11,648
infected about 300,000
systems in nine hours.

107
00:07:11,648 --> 00:07:14,129
First of all, the guys who
make a living doing security

108
00:07:14,129 --> 00:07:16,044
and are trying to protect themselves

109
00:07:16,044 --> 00:07:19,569
are scared shitless of you,
because you can just ruin 'em.

110
00:07:19,569 --> 00:07:20,875
After the period of time

111
00:07:20,875 --> 00:07:22,529
where hackers
were just doing things for fun,

112
00:07:22,529 --> 00:07:26,010
some of them realised that they
could use it to make money.

113
00:07:28,535 --> 00:07:31,668
Prior to, like, the 2000s...

114
00:07:31,668 --> 00:07:35,716
cyber was primarily around
a disruption of websites...

115
00:07:36,630 --> 00:07:38,893
defacement of a webpage.

116
00:07:38,893 --> 00:07:42,505
Just as we got around 2000,
the dot-com boom, the explosion,

117
00:07:42,505 --> 00:07:44,376
we started into
what would become

118
00:07:44,376 --> 00:07:46,161
financially motivated hackers.

119
00:07:46,161 --> 00:07:49,033
This really flourished,
especially in Eastern European,

120
00:07:49,033 --> 00:07:53,124
Russia, CIS bloc countries.

121
00:07:53,124 --> 00:07:55,953
MISHA: This was the time
of gangster capitalism,

122
00:07:55,953 --> 00:08:00,001
when everyone's world in Eastern
Europe was falling apart,

123
00:08:00,001 --> 00:08:02,612
where organised crime and...

124
00:08:02,612 --> 00:08:05,528
former members of
the intelligence services

125
00:08:05,528 --> 00:08:09,314
were taking hold
of the economy.

126
00:08:10,881 --> 00:08:14,276
So you had a lot of young people
in the 1990s

127
00:08:14,276 --> 00:08:17,932
who were very good
mathematicians, physicists,

128
00:08:17,932 --> 00:08:20,282
computer scientists,

129
00:08:20,282 --> 00:08:23,503
who simply took
the logic and the morality

130
00:08:23,503 --> 00:08:26,593
of gangster capitalism online.

131
00:08:30,074 --> 00:08:32,163
MIKKO: Virus writers
were writing viruses

132
00:08:32,163 --> 00:08:33,817
to infect Windows computers,

133
00:08:33,817 --> 00:08:36,951
and those computers were then
sold to email spammers,

134
00:08:36,951 --> 00:08:39,954
who were using those machines
to send Viagra spam

135
00:08:39,954 --> 00:08:42,652
or what have you,
basically making money.

136
00:08:42,652 --> 00:08:44,436
And that changed everything.

137
00:08:44,436 --> 00:08:47,135
[HIP-HOP MUSIC]

138
00:08:48,789 --> 00:08:51,574
ERIC: People at that time
began to use online banking,

139
00:08:51,574 --> 00:08:54,621
and they began to steal people's
online banking credentials,

140
00:08:54,621 --> 00:08:57,275
from there, also get
credit card numbers,

141
00:08:57,275 --> 00:08:59,408
and use that
to basically transfer funds.

142
00:08:59,408 --> 00:09:02,672
Just in hundreds of dollars at
a time from these individuals.

143
00:09:02,672 --> 00:09:05,893
They eventually realised
that going after individuals

144
00:09:05,893 --> 00:09:07,198
was much more difficult

145
00:09:07,198 --> 00:09:10,288
than just going after
the banks themselves.

146
00:09:10,288 --> 00:09:11,942
Get into databases,

147
00:09:11,942 --> 00:09:14,423
those databases held
credit card numbers.

148
00:09:14,423 --> 00:09:17,600
Take those numbers and then
sell them on the black market.

149
00:09:17,600 --> 00:09:19,341
[EVIL LAUGHTER]

150
00:09:19,341 --> 00:09:23,345
NICOLE: Originally, the internet
was set up at the Pentagon...

151
00:09:25,042 --> 00:09:29,003
just to be able to share
resources between computers.

152
00:09:32,136 --> 00:09:35,226
And it was really never
designed to have

153
00:09:35,226 --> 00:09:38,490
banking attached to it,

154
00:09:38,490 --> 00:09:41,711
critical infrastructure
attached to it.

155
00:09:41,711 --> 00:09:44,366
It was really designed
for availability.

156
00:09:44,366 --> 00:09:47,108
It was never designed
for security.

157
00:09:48,500 --> 00:09:50,502
RAFAL:
Whereas in the early 1990s

158
00:09:50,502 --> 00:09:53,505
when there was only 30,000
people connected to it

159
00:09:53,505 --> 00:09:56,813
and several hundred systems,
we've moved to a system

160
00:09:56,813 --> 00:09:59,947
which essentially is the
backbone of global finance.

161
00:10:01,339 --> 00:10:04,560
The fact that
it's able to do that...

162
00:10:04,560 --> 00:10:07,432
the fact that it's able
to sustain currently between

163
00:10:07,432 --> 00:10:10,392
15 and 20 percent
of GDP globally

164
00:10:10,392 --> 00:10:12,742
tells us something about
just how important

165
00:10:12,742 --> 00:10:14,918
this infrastructure is.

166
00:10:14,918 --> 00:10:17,094
Why did people move
into the internet

167
00:10:17,094 --> 00:10:18,661
to seek economic opportunity?

168
00:10:18,661 --> 00:10:21,621
Because that's where the
economic opportunity was,

169
00:10:21,621 --> 00:10:23,579
untethered by norms,

170
00:10:23,579 --> 00:10:25,799
untethered
by national boundaries,

171
00:10:25,799 --> 00:10:28,497
and essentially limited
only by the creativity

172
00:10:28,497 --> 00:10:30,194
that these individuals had.

173
00:10:40,814 --> 00:10:43,817
REPORTER: The user nagged
the Federal Reserve Bank

174
00:10:43,817 --> 00:10:48,386
with 35 payment instructions
worth $951 million.

175
00:10:48,386 --> 00:10:50,867
ERIC: We'd just never heard
of such a thing before.

176
00:10:50,867 --> 00:10:53,043
We'd been investigating cybercrime

177
00:10:53,043 --> 00:10:55,567
for a couple of decades
at that point.

178
00:10:55,567 --> 00:10:57,700
You see cyber criminals go in,

179
00:10:57,700 --> 00:11:01,748
and they try to transfer a few
hundred thousands of dollars,

180
00:11:01,748 --> 00:11:05,055
maybe a million,
a couple of million.

181
00:11:05,055 --> 00:11:09,059
But conducting a cyber-attack
to try to steal one billion?

182
00:11:09,059 --> 00:11:13,020
That was an order of magnitude
that we had never seen before.

183
00:11:13,020 --> 00:11:14,674
It was clear from early on

184
00:11:14,674 --> 00:11:18,112
that it was one of the biggest
cyber heists in the world.

185
00:11:18,112 --> 00:11:20,505
When we first started
hearing rumours

186
00:11:20,505 --> 00:11:23,813
about something affecting
SWIFT network,

187
00:11:23,813 --> 00:11:26,424
I didn't understand
how big it was.

188
00:11:26,424 --> 00:11:28,122
But when we started realising

189
00:11:28,122 --> 00:11:30,646
this is at a completely
different scale,

190
00:11:30,646 --> 00:11:32,561
it just blew my mind.

191
00:11:46,314 --> 00:11:47,445
ERIC: Once they realised

192
00:11:47,445 --> 00:11:49,578
that the money actually
was really gone,

193
00:11:49,578 --> 00:11:51,623
then the panic began to set in.

194
00:11:51,623 --> 00:11:56,890
They lost $81 million instantly
to a bank in the Philippines.

195
00:11:56,890 --> 00:11:59,980
MISHA: They see the $81 million
has already gone

196
00:11:59,980 --> 00:12:05,855
and that nearly $900 million
extra has been requested.

197
00:12:08,815 --> 00:12:13,254
They basically try to figure out
what to do next.

198
00:12:13,254 --> 00:12:15,865
They have no idea what to do.

199
00:12:15,865 --> 00:12:19,129
They hunted for ways to contact
the New York Fed.

200
00:12:19,129 --> 00:12:20,957
[PHONE DIALLING]

201
00:12:20,957 --> 00:12:23,655
Desperate calls are made
by them.

202
00:12:24,395 --> 00:12:26,136
[PHONE RINGS]

203
00:12:27,834 --> 00:12:29,749
MISHA: And it goes
to an answering machine.

204
00:12:29,749 --> 00:12:31,751
<i>You've reached
the Federal Reserve Bank...</i>

205
00:12:31,751 --> 00:12:33,622
Because it's Saturday
in New York,

206
00:12:33,622 --> 00:12:36,016
and nobody's picking
up the phone.

207
00:12:36,016 --> 00:12:39,106
<i>- Please call back...</i>
- It's a complete shitshow.

208
00:12:39,106 --> 00:12:43,153
Total disorganisation,
at both ends, I would stress.

209
00:12:45,503 --> 00:12:49,246
<i>The New York Times Magazine</i>
was planning a true-crime issue,

210
00:12:49,246 --> 00:12:50,421
and my editor came to me

211
00:12:50,421 --> 00:12:52,902
and asked if I was interested
in doing it.

212
00:12:54,251 --> 00:12:55,600
I looked into it a bit.

213
00:12:55,600 --> 00:12:58,125
There definitely were
some intriguing elements,

214
00:12:58,125 --> 00:12:59,779
and made me pay attention.

215
00:13:02,129 --> 00:13:04,435
The Federal Reserve
has pretty much

216
00:13:04,435 --> 00:13:07,177
depended on the SWIFT
banking system,

217
00:13:07,177 --> 00:13:11,878
and since there has rarely
been a hack, if ever,

218
00:13:11,878 --> 00:13:14,837
of the SWIFT banking system...

219
00:13:14,837 --> 00:13:18,058
the Federal Reserve
has never instituted

220
00:13:18,058 --> 00:13:20,800
any sort of 24-7 hotline.

221
00:13:20,800 --> 00:13:22,540
[DIALLING]

222
00:13:22,540 --> 00:13:26,501
MISHA: Eventually, they get
hold of somebody at SWIFT,

223
00:13:26,501 --> 00:13:28,155
and SWIFT says,

224
00:13:28,155 --> 00:13:29,765
"Just shut the whole lot down

225
00:13:29,765 --> 00:13:32,507
until we know
what's going on here."

226
00:13:32,507 --> 00:13:36,163
Badrul Khan decides before he
can actually make that decision,

227
00:13:36,163 --> 00:13:39,166
he has to talk to the deputy
governor of the bank,

228
00:13:39,166 --> 00:13:40,820
which he does.

229
00:13:40,820 --> 00:13:43,823
Deputy governor doesn't want to
take the decision upon himself,

230
00:13:43,823 --> 00:13:47,435
so he talks to the governor.
And guess what.

231
00:13:47,435 --> 00:13:50,655
The governor says,
"It's probably a mistake.

232
00:13:50,655 --> 00:13:52,614
We won't shut it down."

233
00:13:56,009 --> 00:13:58,750
JOSHUA: Work week begins
at the Bangladesh Bank

234
00:13:58,750 --> 00:14:00,187
on Sunday morning,

235
00:14:00,187 --> 00:14:02,972
and it's then that the general
manager of the bank

236
00:14:02,972 --> 00:14:05,845
comes in and begins to take
stock of what had happened.

237
00:14:05,845 --> 00:14:07,411
MISHA:
They're running out of options.

238
00:14:07,411 --> 00:14:11,111
They're not sure what to do.
Fed is still closed in New York.

239
00:14:11,111 --> 00:14:13,200
They go through
all the SWIFT material,

240
00:14:13,200 --> 00:14:16,072
discover that most of
the money has gone

241
00:14:16,072 --> 00:14:18,205
to the bank in Manila.

242
00:14:18,205 --> 00:14:21,164
JOSHUA: And these desperate
messages are sent out:

243
00:14:21,164 --> 00:14:22,600
"Stop the transactions.

244
00:14:22,600 --> 00:14:25,168
Hold that money. Do not
allow it to be withdrawn.

245
00:14:25,168 --> 00:14:27,127
It's our money.
It's been stolen."

246
00:14:28,650 --> 00:14:30,260
MISHA: But there's a problem.

247
00:14:30,260 --> 00:14:32,219
ALL: Five, four,

248
00:14:32,219 --> 00:14:35,135
three, two, one!

249
00:14:35,135 --> 00:14:37,920
Happy New Year!

250
00:14:37,920 --> 00:14:39,879
[ALL CHEER]

251
00:14:41,924 --> 00:14:43,795
MISHA: It's Chinese New Year,

252
00:14:43,795 --> 00:14:46,929
and the Rizal Commercial Bank
is closed.

253
00:14:46,929 --> 00:14:48,975
[SOMBRE MUSIC]

254
00:14:51,673 --> 00:14:56,199
JOSHUA: The thieves chose
a sequence of days...

255
00:14:56,199 --> 00:15:00,638
from Friday, Saturday,
Sunday and Monday,

256
00:15:00,638 --> 00:15:03,815
when one or another
of the three countries

257
00:15:03,815 --> 00:15:06,557
that would be communicating
with one another

258
00:15:06,557 --> 00:15:09,169
was shut down for a holiday.

259
00:15:15,566 --> 00:15:17,612
MISHA: You've got to hand it
to these guys.

260
00:15:17,612 --> 00:15:19,005
They knew it.

261
00:15:19,005 --> 00:15:21,703
They knew that if they did it
over that weekend,

262
00:15:21,703 --> 00:15:23,966
with the Friday,
the Muslim holiday,

263
00:15:23,966 --> 00:15:27,187
the Sunday and the Saturday,
everything closed in New York,

264
00:15:27,187 --> 00:15:30,538
and the Monday,
Chinese New Year.

265
00:15:32,322 --> 00:15:37,110
They've got four days
to get the heist done.

266
00:15:37,110 --> 00:15:39,373
This is really classy planning.

267
00:15:41,375 --> 00:15:45,422
JOSHUA: In that respect,
it was really an ingenious plan.

268
00:15:45,422 --> 00:15:49,426
It's kind of like a great film
director in a malevolent way,

269
00:15:49,426 --> 00:15:53,082
planning out, you know,
a very complex film.

270
00:15:56,433 --> 00:15:58,131
ERIC: The country of Bangladesh

271
00:15:58,131 --> 00:16:01,873
is the 170th poorest country
in the world.

272
00:16:01,873 --> 00:16:04,267
One billion dollars
is huge to them.

273
00:16:04,267 --> 00:16:06,356
When we talk
about cyber-attacks,

274
00:16:06,356 --> 00:16:08,054
they're not just zeros and ones.

275
00:16:08,054 --> 00:16:10,186
We're not just talking
about people

276
00:16:10,186 --> 00:16:13,755
moving around zeros and ones,
deleting zeros and ones.

277
00:16:15,539 --> 00:16:18,107
One billion dollars
to Bangladesh

278
00:16:18,107 --> 00:16:21,545
potentially means that people
starve in the country.

279
00:16:21,545 --> 00:16:25,245
These things have potential
serious repercussions.

280
00:16:27,725 --> 00:16:30,206
MISHA: The Bangladesh Bank
heist was significant

281
00:16:30,206 --> 00:16:34,297
because it showed how fragile
global banking was as a whole.

282
00:16:36,169 --> 00:16:40,260
Banks don't just operate
as single isolated entities.

283
00:16:40,260 --> 00:16:42,784
They're part of a system.

284
00:16:42,784 --> 00:16:45,482
And that system is vulnerable.

285
00:16:47,702 --> 00:16:52,402
The US Federal Reserve holds
trillions of dollars in accounts

286
00:16:52,402 --> 00:16:55,579
kept by central banks
all around the world.

287
00:16:55,579 --> 00:16:59,279
Its computer security systems
are state of the art, making it

288
00:16:59,279 --> 00:17:03,587
one of the most difficult
financial institutions to hack.

289
00:17:07,287 --> 00:17:10,551
The criminals realise
that it can't get into

290
00:17:10,551 --> 00:17:14,076
the network system of the Fed,

291
00:17:14,076 --> 00:17:17,906
but the Fed has to talk
to other central banks

292
00:17:17,906 --> 00:17:19,777
around the world,

293
00:17:19,777 --> 00:17:23,390
and this is
where they find a flaw.

294
00:17:23,390 --> 00:17:25,305
[KEYBOARD KEYS CLICK SOFTLY]

295
00:17:25,305 --> 00:17:27,437
The criminals turn
their attention

296
00:17:27,437 --> 00:17:30,440
to the banks'
communication systems.

297
00:17:31,963 --> 00:17:35,402
Every day, the Fed places
thousands of transactions

298
00:17:35,402 --> 00:17:39,058
on behalf of the central banks
that hold US dollar reserves

299
00:17:39,058 --> 00:17:40,320
at the Fed.

300
00:17:40,320 --> 00:17:42,757
The Federal Reserve
has pretty much depended

301
00:17:42,757 --> 00:17:45,107
on the SWIFT banking system

302
00:17:45,107 --> 00:17:48,067
to get its instructions
about transfers.

303
00:17:48,067 --> 00:17:51,026
SWIFT sends money
around the world

304
00:17:51,026 --> 00:17:52,941
to thousands of member banks.

305
00:17:52,941 --> 00:17:57,946
It's the main way that banks
dispatch money to one another.

306
00:17:59,165 --> 00:18:01,602
ERIC: SWIFT allows you
to transfer money

307
00:18:01,602 --> 00:18:02,777
from one bank to another,

308
00:18:02,777 --> 00:18:04,561
no matter where you are
in the world.

309
00:18:04,561 --> 00:18:07,347
Make international
wire transfers.

310
00:18:07,347 --> 00:18:11,568
MISHA: The whole banking system
is integrated,

311
00:18:11,568 --> 00:18:15,659
and they depend
above all else on SWIFT,

312
00:18:15,659 --> 00:18:21,143
the international transaction
mechanisms, to work.

313
00:18:21,143 --> 00:18:23,319
ERIC: What it means is,
all it takes

314
00:18:23,319 --> 00:18:28,803
is a single weak link
to bring down the whole network.

315
00:18:30,370 --> 00:18:33,373
So although the target
is the Fed,

316
00:18:33,373 --> 00:18:37,725
they are looking for a bank
with which the Fed communicates,

317
00:18:37,725 --> 00:18:42,338
which holds a lot
of its reserves in New York.

318
00:18:42,338 --> 00:18:44,123
But it's a long way away,

319
00:18:44,123 --> 00:18:48,562
in a distant time zone
from the Fed,

320
00:18:48,562 --> 00:18:51,304
and it's likely to have

321
00:18:51,304 --> 00:18:56,396
patchy security systems in place
in its computer network.

322
00:18:58,963 --> 00:19:00,791
KRISHNA: My colleagues in Dhaka,

323
00:19:00,791 --> 00:19:04,012
they were chasing it
for a long time.

324
00:19:04,012 --> 00:19:07,450
It was a robbery of a scale
that we hadn't heard of.

325
00:19:09,235 --> 00:19:11,585
The first thought
that came to my mind was,

326
00:19:11,585 --> 00:19:14,631
because it was the
Bangladeshi Central Bank,

327
00:19:14,631 --> 00:19:17,243
I thought the hackers found it

328
00:19:17,243 --> 00:19:19,549
somehow easier to target it.

329
00:19:19,549 --> 00:19:21,377
Because it was Bangladesh,

330
00:19:21,377 --> 00:19:24,424
I suspected they would
be more vulnerable

331
00:19:24,424 --> 00:19:26,774
to cyber-attacks as such.

332
00:19:28,515 --> 00:19:31,344
JOSHUA:
"Hmm. A Bangladeshi bank.

333
00:19:31,344 --> 00:19:33,998
Probably doesn't have
the same level of security

334
00:19:33,998 --> 00:19:36,218
and if they do,
it's probably one or two people,

335
00:19:36,218 --> 00:19:40,222
not a team of 6,000
working on it.

336
00:19:41,136 --> 00:19:42,355
Let's go for it."

337
00:19:42,355 --> 00:19:44,661
ERIC: These attackers
weren't just skilled

338
00:19:44,661 --> 00:19:45,923
in breaching networks,

339
00:19:45,923 --> 00:19:47,838
figuring out how
to get into an organisation.

340
00:19:47,838 --> 00:19:52,016
They had to study that
SWIFT software deeply.

341
00:19:52,016 --> 00:19:55,194
This attack happened
well before that February 5th,

342
00:19:55,194 --> 00:19:56,847
when the bank employee walked in

343
00:19:56,847 --> 00:19:59,894
and saw that printer hadn't
printed out the audit jobs

344
00:19:59,894 --> 00:20:01,939
and couldn't figure out
what was going on.

345
00:20:01,939 --> 00:20:04,812
This attack started more
than a year prior to that.

346
00:20:04,812 --> 00:20:07,293
These attackers had been
working for months

347
00:20:07,293 --> 00:20:09,120
in the build-up until that day.

348
00:20:09,120 --> 00:20:11,253
It is a mistake
for people to think

349
00:20:11,253 --> 00:20:13,560
that this was something
that happened overnight.

350
00:20:13,560 --> 00:20:15,649
It is a mistake
for people to think

351
00:20:15,649 --> 00:20:18,956
that this happened in a month,
or two months or three months.

352
00:20:18,956 --> 00:20:21,394
It is a slow,
methodical approach,

353
00:20:21,394 --> 00:20:25,528
because it's a business,
all right? You build it.

354
00:20:32,274 --> 00:20:35,146
Bank robberies used to be
something that happened

355
00:20:35,146 --> 00:20:37,497
in the real world.

356
00:20:37,497 --> 00:20:40,630
Now they only happen
in the online world.

357
00:20:42,806 --> 00:20:46,767
If you would try to steal
$100 million in banknotes,

358
00:20:46,767 --> 00:20:49,160
that would be, like,
ten trucks full of notes.

359
00:20:49,160 --> 00:20:51,511
If you drive ten trucks
full of notes out of the bank,

360
00:20:51,511 --> 00:20:54,035
someone would notice.

361
00:20:54,035 --> 00:20:57,299
But when you do the same thing
online, no one notices anything.

362
00:20:57,299 --> 00:21:01,042
Every movie you've ever seen
of them breaking into a bank

363
00:21:01,042 --> 00:21:03,436
is them doing it
over a bank holiday

364
00:21:03,436 --> 00:21:05,394
or something of that nature.

365
00:21:05,394 --> 00:21:07,222
Same concept here.

366
00:21:12,096 --> 00:21:15,361
This isn't Matthew Broderick
sitting in front of a computer,

367
00:21:15,361 --> 00:21:17,450
like <i>War Games</i>
back in the 1980s,

368
00:21:17,450 --> 00:21:19,321
some kid in their basement.

369
00:21:21,105 --> 00:21:24,370
These are
criminal organisations.

370
00:21:24,370 --> 00:21:26,023
Each person has a skill set.

371
00:21:26,023 --> 00:21:29,070
It's kind of like that
<i>Ocean's Eleven</i>-type thing.

372
00:21:30,593 --> 00:21:33,074
You know,
"This guy could crack the bank,

373
00:21:33,074 --> 00:21:35,337
this guy could do
the surveillance cameras,

374
00:21:35,337 --> 00:21:37,774
this is the getaway,
this is the conman."

375
00:21:37,774 --> 00:21:39,559
You all have a role to play,

376
00:21:39,559 --> 00:21:42,301
and you need everybody
to execute their role

377
00:21:42,301 --> 00:21:44,085
to the best of their abilities

378
00:21:44,085 --> 00:21:46,870
for you to be
successful and get it out.

379
00:21:48,742 --> 00:21:53,007
MISHA: So how do you pull off
a heist of this magnitude?

380
00:21:53,007 --> 00:21:58,317
It takes the right crew of
highly skilled specialists.

381
00:21:58,317 --> 00:22:03,191
And it all starts not with ones
and zeros, but with people.

382
00:22:07,151 --> 00:22:10,590
Cybercrime is about
gaining credentials

383
00:22:10,590 --> 00:22:12,635
to gain access,

384
00:22:12,635 --> 00:22:15,421
stealing the keys.

385
00:22:15,421 --> 00:22:19,816
The social engineer
is critical to a hack.

386
00:22:19,816 --> 00:22:22,253
It's how you get in,
and you get in

387
00:22:22,253 --> 00:22:26,388
not through digital means,
you get in through human means.

388
00:22:26,388 --> 00:22:28,956
It's to do with psychology.

389
00:22:31,306 --> 00:22:35,528
The criminals have to ensnare
one of the employees

390
00:22:35,528 --> 00:22:38,052
of the Bangladeshi Bank,

391
00:22:38,052 --> 00:22:41,882
beginning by going through
their social media profiles

392
00:22:41,882 --> 00:22:44,711
and looking
for suitable targets.

393
00:22:45,929 --> 00:22:48,932
Our relationship
with the computer

394
00:22:48,932 --> 00:22:51,848
is one of perceived intimacy;

395
00:22:51,848 --> 00:22:54,373
that when we're using
a computer,

396
00:22:54,373 --> 00:22:57,767
no one else can see
what we're doing, we believe,

397
00:22:57,767 --> 00:23:00,379
and it's just us and the screen.

398
00:23:02,119 --> 00:23:05,819
And if we were to read
an email from a friend,

399
00:23:05,819 --> 00:23:08,909
we tend to believe it
at face value.

400
00:23:12,216 --> 00:23:15,219
ERIC: They found
close to three dozen employees.

401
00:23:15,219 --> 00:23:18,832
And they constructed
a simple spear-phish email:

402
00:23:18,832 --> 00:23:21,748
an email message that pretended
to be from a guy

403
00:23:21,748 --> 00:23:24,446
named Rasel Ahlam.

404
00:23:24,446 --> 00:23:26,056
And Rasel Ahlam said,

405
00:23:26,056 --> 00:23:28,581
"Hey, I just wanna
work at your company.

406
00:23:28,581 --> 00:23:31,410
Here's a résumé attached.
Have a look."

407
00:23:31,410 --> 00:23:34,108
And it turned out
that they mailed that

408
00:23:34,108 --> 00:23:36,893
to about 36 different employees,
and three of them

409
00:23:36,893 --> 00:23:39,722
opened that attachment
connected to that email.

410
00:23:40,984 --> 00:23:42,333
It was a zip file,

411
00:23:42,333 --> 00:23:44,640
and the zip file contained
just a document inside.

412
00:23:44,640 --> 00:23:47,295
They opened up the document
and it was his résumé.

413
00:23:47,295 --> 00:23:50,733
It was a résumé for Rasel Ahlam,
who wanted to work at the bank,

414
00:23:50,733 --> 00:23:52,996
but unbeknownst
to those individuals,

415
00:23:52,996 --> 00:23:56,826
also contained
malicious code inside.

416
00:23:56,826 --> 00:23:58,741
MIKKO:
We can look at any data breach,

417
00:23:58,741 --> 00:24:01,222
and the root cause
has either been

418
00:24:01,222 --> 00:24:03,311
a technical problem

419
00:24:03,311 --> 00:24:05,400
or a people problem.

420
00:24:05,400 --> 00:24:08,229
And the technical problems
can be really hard

421
00:24:08,229 --> 00:24:10,536
and really expensive
and really slow to fix,

422
00:24:10,536 --> 00:24:12,581
but at least we can fix them.

423
00:24:12,581 --> 00:24:16,150
But in the end, we have
no patch for human brains.

424
00:24:17,804 --> 00:24:22,243
There's no way to fix the people
who do stupid mistakes.

425
00:24:22,243 --> 00:24:23,723
When attackers try to send

426
00:24:23,723 --> 00:24:27,030
these spear-phishing emails,
they try to do two things.

427
00:24:27,030 --> 00:24:30,512
They try to look very normal.
It was just a résumé.

428
00:24:30,512 --> 00:24:31,818
They try to fly under the radar,

429
00:24:31,818 --> 00:24:33,515
to look as legitimate
as possible.

430
00:24:33,515 --> 00:24:37,476
And the second is they often
try to use enticing techniques.

431
00:24:43,612 --> 00:24:47,050
New dangers tonight from
the Love Bug computer virus,

432
00:24:47,050 --> 00:24:49,966
this time disguised
as a friendlier email.

433
00:24:49,966 --> 00:24:53,579
The first internet virus
that went around the world

434
00:24:53,579 --> 00:24:57,887
in less than 48 hours was
called the ILOVEYOU virus.

435
00:24:57,887 --> 00:25:00,499
And already,
business interruption costs

436
00:25:00,499 --> 00:25:03,676
are estimated at more than
a billion dollars.

437
00:25:03,676 --> 00:25:06,592
MISHA: You would be sitting
there working away,

438
00:25:06,592 --> 00:25:08,507
and then suddenly,
in your inbox,

439
00:25:08,507 --> 00:25:12,554
you get an email which says,
"I love you."

440
00:25:12,554 --> 00:25:15,252
And it could well be
that this is a person

441
00:25:15,252 --> 00:25:17,820
who you've always
held a torch for.

442
00:25:17,820 --> 00:25:20,344
And so, of course,
you're very excited,

443
00:25:20,344 --> 00:25:24,087
and you press on the link,
and then you're doomed.

444
00:25:24,087 --> 00:25:26,873
What happens is,
the virus infects your machine

445
00:25:26,873 --> 00:25:29,963
and proceeds to email everyone
you've ever emailed.

446
00:25:29,963 --> 00:25:32,618
The end result of that
is the mail servers

447
00:25:32,618 --> 00:25:33,706
get bogged down,

448
00:25:33,706 --> 00:25:36,143
and the only way
to solve the problem

449
00:25:36,143 --> 00:25:39,276
is to shut the servers down,
hence the interruption.

450
00:25:39,276 --> 00:25:42,323
The ILOVEYOU virus
was one of the first viruses

451
00:25:42,323 --> 00:25:45,065
that had really
worldwide impact.

452
00:25:45,065 --> 00:25:47,110
[CLAMOURING]

453
00:25:47,110 --> 00:25:49,722
It was still a virus
written by a guy

454
00:25:49,722 --> 00:25:52,594
that just wanted to get
his name in lights.

455
00:25:52,594 --> 00:25:53,813
He wanted to see his virus

456
00:25:53,813 --> 00:25:55,597
travel around the world
a little bit

457
00:25:55,597 --> 00:25:57,381
and maybe get
in the news somewhere,

458
00:25:57,381 --> 00:25:59,819
and then him be able to say,
"Oh, I wrote that."

459
00:25:59,819 --> 00:26:03,083
REPORTER: Mr de Guzman hardly
seemed to comprehend the chaos

460
00:26:03,083 --> 00:26:05,041
inflicted on
the world's computers.

461
00:26:05,041 --> 00:26:08,610
But what happened was, it
spread so quickly and so fast,

462
00:26:08,610 --> 00:26:11,265
it brought down email
all over the world,

463
00:26:11,265 --> 00:26:13,920
and having email go down
was monumental.

464
00:26:13,920 --> 00:26:17,358
Experts say that the ILOVEYOU
virus could end up costing

465
00:26:17,358 --> 00:26:21,580
the world economy $10 billion
in lost work time.

466
00:26:21,580 --> 00:26:25,627
It became the first sign to show
that we relied on the internet.

467
00:26:25,627 --> 00:26:29,196
The internet was the basis for
our financial transactions,

468
00:26:29,196 --> 00:26:31,154
for the way we do business.

469
00:26:32,460 --> 00:26:33,635
I would talk to people

470
00:26:33,635 --> 00:26:35,332
and remind them
and educate them and say,

471
00:26:35,332 --> 00:26:36,899
"Look, you can't just click

472
00:26:36,899 --> 00:26:39,380
on any attachment
that comes to you in an email."

473
00:26:39,380 --> 00:26:42,818
I remember talking to a guy
about the Anna Kournikova virus

474
00:26:42,818 --> 00:26:45,995
that purported to be nude
pictures of Anna Kournikova.

475
00:26:45,995 --> 00:26:48,955
And he told me, he said,
"Yeah, I knew it was a virus.

476
00:26:48,955 --> 00:26:52,088
I thought it was probably
a virus. But what if it wasn't?

477
00:26:52,088 --> 00:26:53,960
What if it really was
nude pictures?

478
00:26:53,960 --> 00:26:55,788
So I double-clicked on it."

479
00:26:56,919 --> 00:26:58,399
People just don't realise

480
00:26:58,399 --> 00:27:02,055
what clicking on that
attachment means.

481
00:27:02,055 --> 00:27:06,102
Cyber criminals and hackers
realised a long time ago

482
00:27:06,102 --> 00:27:09,018
that your username and password,

483
00:27:09,018 --> 00:27:11,804
particularly to
your email account,

484
00:27:11,804 --> 00:27:15,285
could get them into your
stock brokerage account,

485
00:27:15,285 --> 00:27:18,201
to your online
banking account,

486
00:27:18,201 --> 00:27:23,903
to send phishing emails
to other contacts.

487
00:27:23,903 --> 00:27:27,994
MISHA: If you protect
yourself properly,

488
00:27:27,994 --> 00:27:31,214
the chances are
you won't be a victim

489
00:27:31,214 --> 00:27:35,218
of what one would call
"drive-by hacking".

490
00:27:35,218 --> 00:27:39,483
If, however, you're being
specifically targeted

491
00:27:39,483 --> 00:27:42,965
by a hacking group,
they will follow that trace.

492
00:27:43,879 --> 00:27:45,533
And they will get you.

493
00:27:46,839 --> 00:27:48,449
[MOUSE CLICKS]

494
00:27:48,449 --> 00:27:53,280
Now, we know that at least three
members of the Bangladeshi Bank

495
00:27:53,280 --> 00:27:56,587
were targeted by this after
the social engineer

496
00:27:56,587 --> 00:27:58,981
had scanned
all of their social media,

497
00:27:58,981 --> 00:28:00,722
and at least three of them

498
00:28:00,722 --> 00:28:04,073
opened the letter
and took the bait.

499
00:28:04,073 --> 00:28:06,249
ERIC: Once that code
began executing

500
00:28:06,249 --> 00:28:08,295
on those bank employees'
computers,

501
00:28:08,295 --> 00:28:10,906
it would reach out back
to the attackers

502
00:28:10,906 --> 00:28:13,866
and tell them that
these machines are now infected

503
00:28:13,866 --> 00:28:15,302
and give them full control,

504
00:28:15,302 --> 00:28:18,044
as if they were sitting
in front of the keyboard,

505
00:28:18,044 --> 00:28:21,134
just like those employees.

506
00:28:21,134 --> 00:28:23,745
KRISHNA: There was malware
in the system

507
00:28:23,745 --> 00:28:26,574
that was actually
copying screenshots,

508
00:28:28,358 --> 00:28:33,450
copying keystrokes of employees,
and no one knew.

509
00:28:33,450 --> 00:28:35,801
MISHA: They've got
their foot in the door.

510
00:28:35,801 --> 00:28:38,760
This is the essential
first step.

511
00:28:38,760 --> 00:28:42,677
The first layer of security
has been breached.

512
00:28:48,639 --> 00:28:52,339
And the digger, the person who
is getting deeper and deeper

513
00:28:52,339 --> 00:28:54,558
into the computer network,

514
00:28:54,558 --> 00:28:58,258
has to be a very
advanced hacker.

515
00:28:58,258 --> 00:29:02,958
This is when you need
a real professional.

516
00:29:02,958 --> 00:29:05,656
They're like ghosts.
Nobody can see them,

517
00:29:05,656 --> 00:29:10,009
but they're mapping every
single bit of that network.

518
00:29:11,967 --> 00:29:13,577
In the Bank of Bangladesh,

519
00:29:13,577 --> 00:29:16,145
you had computers that are all
interconnected to each other,

520
00:29:16,145 --> 00:29:19,279
and they're connected
using what's called a switch.

521
00:29:19,279 --> 00:29:23,022
In your average bank, that has
a good security program,

522
00:29:23,022 --> 00:29:25,676
those switches are
what's called segmented.

523
00:29:25,676 --> 00:29:27,591
So each of those switches
only allow

524
00:29:27,591 --> 00:29:30,290
a certain number of computers
to talk to each other

525
00:29:30,290 --> 00:29:32,814
rather than every computer
to talk to each other.

526
00:29:32,814 --> 00:29:35,382
But in the case of
the Bank of Bangladesh,

527
00:29:35,382 --> 00:29:38,559
in the back-office network, they
were using these very cheap,

528
00:29:38,559 --> 00:29:42,084
literally $10 switches
that didn't do any segmentation.

529
00:29:42,084 --> 00:29:45,348
Every computer was potentially
connected to each other.

530
00:29:45,348 --> 00:29:48,308
Basically,
it's a cost-cutting exercise.

531
00:29:48,308 --> 00:29:53,530
But that cost-cutting exercise
was what the digger needed.

532
00:29:53,530 --> 00:29:55,489
ERIC: Those attackers
began to do

533
00:29:55,489 --> 00:29:58,231
what we call a lateral traverse
across the network,

534
00:29:58,231 --> 00:30:01,147
search for other computers
to infect,

535
00:30:01,147 --> 00:30:03,062
look for credentials.

536
00:30:04,585 --> 00:30:06,848
Whenever you log
into a computer,

537
00:30:06,848 --> 00:30:08,676
your credentials are cached.

538
00:30:08,676 --> 00:30:11,331
They're put into the memory
of the computer.

539
00:30:11,331 --> 00:30:14,290
Attackers are able
to filter through that memory

540
00:30:14,290 --> 00:30:16,640
and find used usernames
and passwords.

541
00:30:16,640 --> 00:30:19,469
They don't always know
what they're for,

542
00:30:19,469 --> 00:30:22,385
so they try to collect as many
credentials as they can

543
00:30:22,385 --> 00:30:25,432
and see, "What computers can
I see from this computer?",

544
00:30:25,432 --> 00:30:27,608
and just begin to use them
over and over again

545
00:30:27,608 --> 00:30:28,652
and just try them.

546
00:30:28,652 --> 00:30:31,264
[VIDEO GAME MUSIC]

547
00:30:31,264 --> 00:30:32,613
Eventually, they hop on

548
00:30:32,613 --> 00:30:35,050
and are able to connect
to another computer.

549
00:30:35,050 --> 00:30:36,312
They get onto that one.

550
00:30:36,312 --> 00:30:38,271
It's still not what
they're interested in,

551
00:30:38,271 --> 00:30:40,664
but they're able to find more
usernames and passwords

552
00:30:40,664 --> 00:30:42,405
and try those
on all the other computers

553
00:30:42,405 --> 00:30:44,190
they can see
from that advantage point.

554
00:30:44,190 --> 00:30:48,020
That's how they move across
the network over and over again.

555
00:30:48,020 --> 00:30:50,544
They would delete
all traces of themselves

556
00:30:50,544 --> 00:30:52,894
as they moved
across the network,

557
00:30:52,894 --> 00:30:55,636
ultimately jumping from
computer to computer

558
00:30:55,636 --> 00:30:57,681
until they found
the SWIFT terminal,

559
00:30:57,681 --> 00:31:00,815
their ultimate goal in order
to make wire transfers

560
00:31:00,815 --> 00:31:02,817
out of the Bank of Bangladesh.

561
00:31:04,993 --> 00:31:06,777
MISHA: It takes a long time.

562
00:31:06,777 --> 00:31:10,172
They're there for months.
This is an ongoing process.

563
00:31:10,172 --> 00:31:14,220
If at any moment they're
discovered to be in there,

564
00:31:14,220 --> 00:31:18,137
then the whole
operation is finished.

565
00:31:22,141 --> 00:31:24,056
With the Bangladeshi Bank heist,

566
00:31:24,056 --> 00:31:27,276
you basically have two
operations running in parallel.

567
00:31:27,276 --> 00:31:29,670
You have an offline operation
going on,

568
00:31:29,670 --> 00:31:32,238
which is to do with
the money laundering.

569
00:31:36,895 --> 00:31:38,940
It's the fence's responsibility

570
00:31:38,940 --> 00:31:43,902
to set up
the recipient accounts.

571
00:31:43,902 --> 00:31:46,382
ERIC: They're gonna end up
with cold, hard cash,

572
00:31:46,382 --> 00:31:48,080
and they need individuals
on the ground

573
00:31:48,080 --> 00:31:50,909
to pick up that cash
and move it.

574
00:31:53,172 --> 00:31:54,434
And so, in May of 2015,

575
00:31:54,434 --> 00:31:56,871
before they'd even got
into the SWIFT terminal,

576
00:31:56,871 --> 00:31:59,656
they were able to recruit
a Chinese individual

577
00:31:59,656 --> 00:32:03,312
to go to the Philippines and
open up four bank accounts there

578
00:32:03,312 --> 00:32:05,227
at a bank called RCBC.

579
00:32:05,227 --> 00:32:08,883
MISHA: You have to make sure
those people inside the bank

580
00:32:08,883 --> 00:32:10,711
in the Philippines

581
00:32:10,711 --> 00:32:12,974
have been properly corrupted

582
00:32:12,974 --> 00:32:17,674
and properly instructed
as to what their role is.

583
00:32:17,674 --> 00:32:20,068
The fence opens up
these accounts,

584
00:32:20,068 --> 00:32:22,592
puts $500 in each of them,

585
00:32:22,592 --> 00:32:25,726
and then they just go to sleep
for nine months.

586
00:32:28,598 --> 00:32:31,950
ERIC: These attackers were
inside the Bank of Bangladesh

587
00:32:31,950 --> 00:32:34,822
for a full year,
which is incredible.

588
00:32:41,307 --> 00:32:43,265
They actually got
onto that SWIFT terminal

589
00:32:43,265 --> 00:32:44,788
exactly one year later...

590
00:32:47,617 --> 00:32:50,229
on January 29th, 2016.

591
00:32:55,495 --> 00:32:58,019
In any bank,
you have different employees.

592
00:32:58,019 --> 00:33:01,414
You have back-office employees,
administrative employees,

593
00:33:01,414 --> 00:33:04,330
but you also have computers
that are connected

594
00:33:04,330 --> 00:33:07,159
directly to
financial transactions.

595
00:33:07,159 --> 00:33:11,076
And only users who have specific
access to those machines

596
00:33:11,076 --> 00:33:12,555
are allowed to use them.

597
00:33:12,555 --> 00:33:15,036
When we talk about the case of
the Bank of Bangladesh,

598
00:33:15,036 --> 00:33:18,605
there was a single computer
that had credentials

599
00:33:18,605 --> 00:33:20,085
from a shared employee.

600
00:33:20,085 --> 00:33:23,218
You had an employee that
would use that SWIFT terminal,

601
00:33:23,218 --> 00:33:26,830
but also had their own computer
in the normal back-office area.

602
00:33:26,830 --> 00:33:29,355
Once they got onto
that employee's computer,

603
00:33:29,355 --> 00:33:31,052
they were able to jump across.

604
00:33:31,052 --> 00:33:34,969
They waited. They basically
did a recon on the system.

605
00:33:34,969 --> 00:33:36,579
They crawled around.

606
00:33:36,579 --> 00:33:39,756
They looked and tried to fully
understand how this worked,

607
00:33:39,756 --> 00:33:43,804
how SWIFT worked, how each bank
employee would make a request

608
00:33:43,804 --> 00:33:47,155
into the SWIFT system,
where it would go,

609
00:33:47,155 --> 00:33:49,244
how to direct that to branches

610
00:33:49,244 --> 00:33:52,117
where they had set up
these accounts.

611
00:33:52,117 --> 00:33:55,729
And in this case, it was just
very simple and very clever.

612
00:33:58,166 --> 00:34:00,342
The thief is
not so much someone

613
00:34:00,342 --> 00:34:03,302
who is physically
taking out the money

614
00:34:03,302 --> 00:34:05,695
and stuffing it into a bag.

615
00:34:05,695 --> 00:34:07,610
They're making sure

616
00:34:07,610 --> 00:34:12,572
that every bit on the system
is coordinated.

617
00:34:12,572 --> 00:34:16,228
There are all sorts of things
to get right

618
00:34:16,228 --> 00:34:21,494
before that fatal moment
when the request is made.

619
00:34:21,494 --> 00:34:24,105
Everything has to be

620
00:34:24,105 --> 00:34:26,716
really, really
precisely coordinated

621
00:34:26,716 --> 00:34:29,937
to get all the timing right.
You've got four days.

622
00:34:29,937 --> 00:34:31,547
You can't afford a slip-up.

623
00:34:31,547 --> 00:34:34,333
When the attackers
got into the SWIFT terminal

624
00:34:34,333 --> 00:34:38,728
on January 29th of 2016,
they paused for about five days

625
00:34:38,728 --> 00:34:41,079
to get their malicious
software ready

626
00:34:41,079 --> 00:34:43,168
that allowed them
to cover their tracks

627
00:34:43,168 --> 00:34:45,257
when they were on
that SWIFT terminal.

628
00:34:45,257 --> 00:34:48,173
They decided to wait
until February 4th.

629
00:34:48,173 --> 00:34:49,826
And this is no accident.

630
00:34:52,960 --> 00:34:55,702
MISHA: They have chosen
a long weekend

631
00:34:55,702 --> 00:34:58,574
due to holidays in different
parts of the world.

632
00:34:58,574 --> 00:35:01,186
That means,
instead of the usual two days

633
00:35:01,186 --> 00:35:02,535
they have to get away with it

634
00:35:02,535 --> 00:35:04,841
before alarms
start going off everywhere,

635
00:35:04,841 --> 00:35:07,931
they've got four days.
It's brilliant.

636
00:35:09,498 --> 00:35:11,935
ERIC: February 4th, 2016,
was a Thursday.

637
00:35:11,935 --> 00:35:14,634
That's the last day of
the working week in Bangladesh.

638
00:35:14,634 --> 00:35:16,940
In Bangladesh, they work
from Sunday to Thursday.

639
00:35:16,940 --> 00:35:19,421
So, at some point late
in the afternoon,

640
00:35:19,421 --> 00:35:22,685
the SWIFT transaction operator
in the Bangladeshi Bank

641
00:35:22,685 --> 00:35:24,687
logs off his terminal.

642
00:35:28,778 --> 00:35:30,476
But three hours later,

643
00:35:30,476 --> 00:35:33,435
the thief logs into
that terminal

644
00:35:33,435 --> 00:35:35,829
and starts to impersonate him.

645
00:35:35,829 --> 00:35:38,919
They logged into that SWIFT
terminal at 8:36 p.m.,

646
00:35:38,919 --> 00:35:41,051
after they believed,
or really knew,

647
00:35:41,051 --> 00:35:44,403
that all the bank employees
had gone home for the weekend.

648
00:35:44,403 --> 00:35:48,233
And they put forward
35 different wire transactions

649
00:35:48,233 --> 00:35:52,280
from that SWIFT terminal,
totalling $951 million,

650
00:35:52,280 --> 00:35:55,631
almost $1 billion,
completely unheard of.

651
00:35:58,678 --> 00:36:02,029
MISHA: Ten hours
behind Bangladesh,

652
00:36:02,029 --> 00:36:03,813
New York is waking up.

653
00:36:04,945 --> 00:36:07,252
The first thing
that the Fed sees

654
00:36:07,252 --> 00:36:09,297
is 35 requests

655
00:36:09,297 --> 00:36:13,214
for almost the entire holdings
of the Bangladeshi Bank.

656
00:36:13,214 --> 00:36:17,523
Usually, it's figures of sort
of $300,000, $500,000.

657
00:36:17,523 --> 00:36:19,525
They want almost a billion!

658
00:36:19,525 --> 00:36:23,746
The operator, perhaps
unsurprisingly, rejects it,

659
00:36:23,746 --> 00:36:26,488
sends it back to Bangladesh.

660
00:36:26,488 --> 00:36:28,751
But he rejects it not because

661
00:36:28,751 --> 00:36:32,581
this is an absolutely crazy
amount of money,

662
00:36:32,581 --> 00:36:36,585
but because the requests
are wrongly formatted.

663
00:36:36,585 --> 00:36:39,153
ERIC: As much research
that they had done,

664
00:36:39,153 --> 00:36:41,851
they didn't really understand
how to fill out

665
00:36:41,851 --> 00:36:43,331
those SWIFT transfers.

666
00:36:43,331 --> 00:36:45,942
They were missing what's called
an intermediate bank.

667
00:36:45,942 --> 00:36:48,162
New York Federal Reserve
replied to them,

668
00:36:48,162 --> 00:36:50,469
via the SWIFT system,
back to their computer

669
00:36:50,469 --> 00:36:52,688
that they were sitting
in front of, virtually,

670
00:36:52,688 --> 00:36:56,475
saying, "Hey, these transactions
are missing information."

671
00:36:56,475 --> 00:36:58,520
They think on their feet.

672
00:36:58,520 --> 00:37:02,829
They reformat the requests,
send them back...

673
00:37:02,829 --> 00:37:06,006
and hold their breath
to see what happens.

674
00:37:06,006 --> 00:37:08,574
ERIC: They ultimately corrected
34 of them.

675
00:37:08,574 --> 00:37:09,879
They had forgotten one.

676
00:37:09,879 --> 00:37:12,230
The one did have
the intermediate bank

677
00:37:12,230 --> 00:37:13,448
went to Deutsche Bank.

678
00:37:13,448 --> 00:37:15,581
That order was for $20 million

679
00:37:15,581 --> 00:37:19,802
to a charity called the Shalika
Foundation in Sri Lanka.

680
00:37:19,802 --> 00:37:22,109
But they had made
a typo as well,

681
00:37:22,109 --> 00:37:25,417
and they had misspelled
"foundation" as "fandation".

682
00:37:25,417 --> 00:37:27,680
And so Deutsche Bank
saw that typo

683
00:37:27,680 --> 00:37:29,856
and questioned it and, again,

684
00:37:29,856 --> 00:37:32,293
held that transaction
due to that typo.

685
00:37:32,293 --> 00:37:34,643
- [POP]
- [MELODIC CHIME]

686
00:37:34,643 --> 00:37:36,863
RAKESH: We use that
as the poster child

687
00:37:36,863 --> 00:37:40,083
for why you need
to learn how to spell.

688
00:37:40,083 --> 00:37:43,783
Otherwise, you can lose
$20 million. [CHUCKLES]

689
00:37:43,783 --> 00:37:47,265
ERIC: Ultimately, when
they return the other 34...

690
00:37:48,570 --> 00:37:50,268
MISHA: Bingo.

691
00:37:50,268 --> 00:37:52,487
The operator approves them.

692
00:37:52,487 --> 00:37:55,795
ERIC: Four of them went through.

693
00:37:55,795 --> 00:38:00,495
MISHA: The green light is given.
The heist is on.

694
00:38:00,495 --> 00:38:03,629
ERIC: Those four went through
to those bank accounts

695
00:38:03,629 --> 00:38:06,066
in the Philippines
that had been opened

696
00:38:06,066 --> 00:38:07,589
more than six months earlier.

697
00:38:07,589 --> 00:38:10,636
And they were able
to transfer out $81 million

698
00:38:10,636 --> 00:38:12,638
to the bank in the Philippines.

699
00:38:34,181 --> 00:38:37,837
Ultimately, they were about
to transfer $1 billion

700
00:38:37,837 --> 00:38:39,534
from the Bank of Bangladesh,

701
00:38:39,534 --> 00:38:42,494
but they didn't want
anyone to find out.

702
00:38:47,847 --> 00:38:51,459
They began to cover
their tracks.

703
00:38:51,459 --> 00:38:53,200
Normally, as a bank employee,

704
00:38:53,200 --> 00:38:55,071
you'll load up
the SWIFT software,

705
00:38:55,071 --> 00:38:57,944
you'll see on the screen
all the latest transactions,

706
00:38:57,944 --> 00:38:59,598
you can make transactions.

707
00:38:59,598 --> 00:39:04,342
And so the attackers deleted all
records of those transactions.

708
00:39:07,083 --> 00:39:08,563
But it's not just digital.

709
00:39:08,563 --> 00:39:13,002
In the world of finance,
everything must be a hard copy.

710
00:39:13,002 --> 00:39:16,005
And the attackers
knew that as well.

711
00:39:20,575 --> 00:39:23,622
Every SWIFT transaction
that takes place

712
00:39:23,622 --> 00:39:28,975
is immediately printed out
locally in the Bangladeshi Bank.

713
00:39:28,975 --> 00:39:31,978
So that printer cannot
be working

714
00:39:31,978 --> 00:39:34,676
when the heist is going on.

715
00:39:34,676 --> 00:39:37,549
ERIC: The attackers hijacked
all of those print jobs,

716
00:39:37,549 --> 00:39:40,421
replaced all of those
print jobs with zeros

717
00:39:40,421 --> 00:39:43,555
so that nothing would
come out of the printer.

718
00:39:43,555 --> 00:39:48,516
Now, the other 30
wire transactions sat around.

719
00:39:48,516 --> 00:39:51,867
And, ultimately,
the attackers waited,

720
00:39:51,867 --> 00:39:54,261
and they waited...

721
00:39:54,261 --> 00:39:58,874
And they logged out at
3:59 a.m. Bangladesh time.

722
00:39:58,874 --> 00:40:01,442
Potentially, they thought
that in New York,

723
00:40:01,442 --> 00:40:03,096
the business day ended
at five p.m.,

724
00:40:03,096 --> 00:40:04,924
and they weren't gonna hear
any more.

725
00:40:04,924 --> 00:40:06,882
The New York Fed
had actually stopped

726
00:40:06,882 --> 00:40:08,449
the rest of the transactions,

727
00:40:08,449 --> 00:40:11,931
because the address for
the bank in the Philippines

728
00:40:11,931 --> 00:40:15,804
was on Jupiter Street.
J-U-P-I-T-E-R.

729
00:40:15,804 --> 00:40:20,853
Right, now this is when
the story gets really weird.

730
00:40:20,853 --> 00:40:24,857
In a totally unrelated incident
two years earlier,

731
00:40:24,857 --> 00:40:28,469
we have a Greek shipping
magnate, Dimitris Cambis,

732
00:40:28,469 --> 00:40:32,038
and he is buying eight tankers.

733
00:40:32,038 --> 00:40:35,258
What Dimitris knew,
but not many other people,

734
00:40:35,258 --> 00:40:39,872
was that the money
for these eight oil tankers

735
00:40:39,872 --> 00:40:41,917
came from Iran,

736
00:40:41,917 --> 00:40:45,660
and Iran was under US sanctions.

737
00:40:45,660 --> 00:40:48,358
Someone in the US
caught wind of the fact

738
00:40:48,358 --> 00:40:51,710
that the Iranians were
financing Mr Cambis.

739
00:40:51,710 --> 00:40:55,017
His company was put on
the sanctions watch list,

740
00:40:55,017 --> 00:40:58,325
and his company
was called Jupiter Seaways.

741
00:40:58,325 --> 00:41:00,675
[SHIP HORN BLARES]

742
00:41:00,675 --> 00:41:02,590
JOSHUA:
It was just their bad luck

743
00:41:02,590 --> 00:41:05,201
that they designated
the money transfers

744
00:41:05,201 --> 00:41:11,338
to go to the Jupiter branch
of the Rizal Bank in Manila.

745
00:41:11,338 --> 00:41:15,211
As the transfers were being sent
out from the New York Reserve

746
00:41:15,211 --> 00:41:16,996
to the Philippines,

747
00:41:16,996 --> 00:41:20,956
the Jupiter name was caught
by the computer system.

748
00:41:20,956 --> 00:41:23,916
It halted these transactions.

749
00:41:23,916 --> 00:41:26,484
ERIC: The Fed had to take
a second look.

750
00:41:26,484 --> 00:41:28,790
They stopped it
because they realised,

751
00:41:28,790 --> 00:41:31,184
"Wait, we have somewhere
in the order 35 transactions

752
00:41:31,184 --> 00:41:33,229
coming from
the Bank of Bangladesh,

753
00:41:33,229 --> 00:41:37,407
adding up to $1 billion?
You know, this isn't usual."

754
00:41:37,407 --> 00:41:40,062
So they held them
and sent a message back,

755
00:41:40,062 --> 00:41:41,890
asking for confirmation.

756
00:41:44,589 --> 00:41:47,766
Had the attackers waited
just one more hour,

757
00:41:47,766 --> 00:41:50,595
they could have replied to them
via the SWIFT system,

758
00:41:50,595 --> 00:41:53,206
saying these transactions
were not a mistake.

759
00:41:53,206 --> 00:41:55,295
Ultimately,
the Bank of Bangladesh

760
00:41:55,295 --> 00:41:57,253
might have lost
much, much more.

761
00:41:57,253 --> 00:42:01,344
MISHA: So far, they managed
to get $81 million.

762
00:42:01,344 --> 00:42:05,435
But, boy, did they come close
to hitting the jackpot.

763
00:42:05,435 --> 00:42:07,655
Just under $1 billion

764
00:42:07,655 --> 00:42:11,572
was very, very nearly
stolen from this bank.

765
00:42:22,061 --> 00:42:25,194
ERIC: The next day,
the bank employees came in,

766
00:42:25,194 --> 00:42:26,587
and the printer wasn't working,

767
00:42:26,587 --> 00:42:28,937
because they installed
their malicious code

768
00:42:28,937 --> 00:42:30,722
to prevent that from happening.

769
00:42:30,722 --> 00:42:32,637
Ultimately,
those bank employees

770
00:42:32,637 --> 00:42:34,900
didn't get it fixed
until February 6,

771
00:42:34,900 --> 00:42:36,554
which would have been a Sunday.

772
00:42:38,251 --> 00:42:41,297
When the printer started,
all these messages came out,

773
00:42:41,297 --> 00:42:42,908
messages from the Fed asking,

774
00:42:42,908 --> 00:42:46,041
"What are these 30 transactions?
Did you mean to make these?"

775
00:42:46,041 --> 00:42:48,304
That triggered
the Bank of Bangladesh

776
00:42:48,304 --> 00:42:51,003
to realise something
had gone wrong.

777
00:42:51,003 --> 00:42:53,658
It was very clear
that they were in deep,

778
00:42:53,658 --> 00:42:57,357
such that the bank manager...
This is the Bank of Bangladesh,

779
00:42:57,357 --> 00:43:00,534
the federal bank, the national
bank of the country,

780
00:43:00,534 --> 00:43:04,103
did not notify the leaders,

781
00:43:04,103 --> 00:43:07,236
the government of Bangladesh.
He kept it under wraps.

782
00:43:07,236 --> 00:43:10,544
He notified someone he knew
who knew about security.

783
00:43:10,544 --> 00:43:12,372
"Get on a plane,
get to Bangladesh.

784
00:43:12,372 --> 00:43:14,940
I need you to look at
these computer systems."

785
00:43:20,467 --> 00:43:22,948
Initially, the governor
and his whole team

786
00:43:22,948 --> 00:43:24,166
were quite perplexed.

787
00:43:24,166 --> 00:43:27,343
They didn't quite know
what had happened.

788
00:43:27,343 --> 00:43:30,216
So they thought that
some money had been routed

789
00:43:30,216 --> 00:43:33,045
to a wrong account;
it would come back.

790
00:43:36,309 --> 00:43:39,921
I get this strange phone call
from the governor's office

791
00:43:39,921 --> 00:43:42,707
asking me if I would
drop everything

792
00:43:42,707 --> 00:43:45,274
and come to Dhaka, Bangladesh.

793
00:43:49,061 --> 00:43:51,237
So I assembled a team...

794
00:43:52,107 --> 00:43:53,892
and we flew down.

795
00:43:55,937 --> 00:43:57,896
[TYRES SCREECH]

796
00:43:57,896 --> 00:44:02,596
When we arrived there, we met
with the Bangladesh Bank team.

797
00:44:02,596 --> 00:44:06,121
And that's when I discovered
all the horrifying details

798
00:44:06,121 --> 00:44:08,471
of what had actually happened.

799
00:44:12,388 --> 00:44:15,217
MISHA: They decide,
"Let's look at the CCTV.

800
00:44:15,217 --> 00:44:17,393
What's that going to tell us?"

801
00:44:17,393 --> 00:44:20,309
RAKESH: There were eight
hours' worth of tapes

802
00:44:20,309 --> 00:44:23,138
that had to be gone through.

803
00:44:23,138 --> 00:44:26,054
Your gut instinct is,
you have a malicious insider.

804
00:44:26,054 --> 00:44:27,708
A physical person had to go in,

805
00:44:27,708 --> 00:44:30,842
log into that machine
and try to make these transfers,

806
00:44:30,842 --> 00:44:34,715
because this attack
hadn't happened before.

807
00:44:34,715 --> 00:44:37,631
RAKESH: They had a SWIFT room,
which was locked.

808
00:44:37,631 --> 00:44:39,938
And typically when
the SWIFT operators

809
00:44:39,938 --> 00:44:43,724
needed to do something on SWIFT,
they had to go into the room,

810
00:44:43,724 --> 00:44:47,467
sit in that chair and terminal,

811
00:44:47,467 --> 00:44:52,037
and there was only
one shadow we could find.

812
00:44:52,037 --> 00:44:54,779
We eventually decided
it was the person

813
00:44:54,779 --> 00:44:58,391
sweeping the place after hours.

814
00:45:00,741 --> 00:45:04,310
They were saying, "How could
somebody process the transaction

815
00:45:04,310 --> 00:45:05,964
when there was nobody there?"

816
00:45:05,964 --> 00:45:10,577
I mean, even after the payment
instructions had been sent,

817
00:45:10,577 --> 00:45:15,408
they had no idea for a very long
time what was happening.

818
00:45:15,408 --> 00:45:19,412
They didn't think it was a hack.
They had no traces of a hack.

819
00:45:19,412 --> 00:45:22,632
But they watched eight hours of
that footage over that weekend

820
00:45:22,632 --> 00:45:25,635
and realised there was
no one at that computer.

821
00:45:25,635 --> 00:45:26,941
MISHA: Nothing.

822
00:45:26,941 --> 00:45:29,248
They had no idea that
the Bank of Bangladesh

823
00:45:29,248 --> 00:45:31,859
had been breached by hackers.

824
00:45:31,859 --> 00:45:35,384
Only after we see these things
happen over and over again,

825
00:45:35,384 --> 00:45:39,171
we realise that cyber
has such capabilities.

826
00:45:44,045 --> 00:45:47,440
Bangladesh was a bit of
a bombshell for all of us.

827
00:45:49,311 --> 00:45:52,097
Hackers and most cybercrime,

828
00:45:52,097 --> 00:45:54,055
it's like smash-and-grab crime.

829
00:45:54,055 --> 00:45:56,492
Quickly grab something
and monetise it

830
00:45:56,492 --> 00:45:58,103
as swiftly as you can.

831
00:45:58,103 --> 00:46:01,236
MISHA: You know, storm a bank
with shotguns, blow a safe,

832
00:46:01,236 --> 00:46:03,978
fill some bags with cash.

833
00:46:03,978 --> 00:46:06,024
RAFAL: Cybercrime...

834
00:46:06,024 --> 00:46:09,418
It doesn't lend itself well
to long conspiracy

835
00:46:09,418 --> 00:46:11,856
and lots of investigation
and investment

836
00:46:11,856 --> 00:46:13,596
into understanding your target.

837
00:46:13,596 --> 00:46:15,903
I mean, you couldn't
do Bangladesh

838
00:46:15,903 --> 00:46:19,037
unless you really understood
the internal workings

839
00:46:19,037 --> 00:46:21,909
of the central bank
and all the actors involved.

840
00:46:21,909 --> 00:46:24,607
That's not something
that freelance hackers

841
00:46:24,607 --> 00:46:26,827
really are good at.

842
00:46:26,827 --> 00:46:29,917
That requires a level of
investment into resources

843
00:46:29,917 --> 00:46:34,095
and frankly intelligence
that has to be sustained.

844
00:46:34,095 --> 00:46:38,012
To organise something
of that complexity

845
00:46:38,012 --> 00:46:40,841
and for it not to be noticed

846
00:46:40,841 --> 00:46:43,539
by the intelligence agencies
of the state

847
00:46:43,539 --> 00:46:46,020
where that is being planned

848
00:46:46,020 --> 00:46:50,285
would be very,
very difficult indeed.

849
00:46:50,285 --> 00:46:53,419
ERIC: These hackers went in
and looked at the zeros and ones

850
00:46:53,419 --> 00:46:55,725
in the software
and reverse engineered it,

851
00:46:55,725 --> 00:46:58,380
turned it back into
understandable code.

852
00:46:58,380 --> 00:47:00,905
That's not something
that happens overnight.

853
00:47:00,905 --> 00:47:02,384
MIKKO: It was pretty clear

854
00:47:02,384 --> 00:47:04,865
that this isn't just
normal criminals.

855
00:47:04,865 --> 00:47:07,128
This has to be something bigger.

856
00:47:10,044 --> 00:47:13,961
Once attackers have gained
access to their target network,

857
00:47:13,961 --> 00:47:16,007
they want to stay undetected.

858
00:47:18,487 --> 00:47:20,968
And we've seen many
interesting examples

859
00:47:20,968 --> 00:47:23,014
of how exactly this is done.

860
00:47:26,278 --> 00:47:27,801
REPORTER: What exactly happened

861
00:47:27,801 --> 00:47:30,195
at the Natanz nuclear facility
last week?

862
00:47:30,195 --> 00:47:32,806
It's a question people in Iran
around the world

863
00:47:32,806 --> 00:47:35,461
have been asking
since a fire was reported

864
00:47:35,461 --> 00:47:38,856
at Iran's main uranium
enrichment facility on Thursday.

865
00:47:38,856 --> 00:47:41,902
We're used to Trojans
and viruses on the internet,

866
00:47:41,902 --> 00:47:43,338
but this is the first worm

867
00:47:43,338 --> 00:47:46,907
designed to damage
the physical world.

868
00:47:46,907 --> 00:47:51,042
ERIC: In 2010, attackers created
a piece of malicious software

869
00:47:51,042 --> 00:47:55,350
that was designed to infiltrate
Iran's nuclear programme,

870
00:47:55,350 --> 00:47:57,004
to get into their centrifuges,

871
00:47:57,004 --> 00:47:59,050
in particular,
get onto computers

872
00:47:59,050 --> 00:48:00,921
that controlled
their centrifuges.

873
00:48:00,921 --> 00:48:04,142
REPORTER: Iran says it will
retaliate against any country

874
00:48:04,142 --> 00:48:06,884
that conducts cyber-attacks
on its nuclear sites.

875
00:48:06,884 --> 00:48:09,538
JOSHUA: The intention
was to spin the centrifuges

876
00:48:09,538 --> 00:48:12,150
of Iran's nuclear capabilities
out of control,

877
00:48:12,150 --> 00:48:14,152
make the centrifuges explode

878
00:48:14,152 --> 00:48:15,414
and push them ten years back

879
00:48:15,414 --> 00:48:17,372
in the uranium enrichment programme.

880
00:48:17,372 --> 00:48:18,721
As a piece of malware,

881
00:48:18,721 --> 00:48:21,768
it was 40 times larger
than any piece of malware

882
00:48:21,768 --> 00:48:24,336
that had ever been
encountered before.

883
00:48:24,336 --> 00:48:28,514
It would have taken
the most advanced,

884
00:48:28,514 --> 00:48:30,995
brilliant computer engineers

885
00:48:30,995 --> 00:48:34,085
years and years of human
working hours

886
00:48:34,085 --> 00:48:35,956
to produce this.

887
00:48:35,956 --> 00:48:38,089
Why was it so big?

888
00:48:38,089 --> 00:48:42,310
Because it needed
to cover itself up.

889
00:48:44,834 --> 00:48:47,794
MIKKO: The attackers
were actually recording

890
00:48:47,794 --> 00:48:52,320
the network traffic,
the normal network traffic,

891
00:48:52,320 --> 00:48:55,062
and then playing it back
to the sensors

892
00:48:55,062 --> 00:48:58,848
when they started modifying the
operations of the centrifuges

893
00:48:58,848 --> 00:49:00,720
they were trying to break.

894
00:49:03,201 --> 00:49:04,463
[CAMERA CLICKS]

895
00:49:04,463 --> 00:49:06,900
This is the equivalent of,
in the real world,

896
00:49:06,900 --> 00:49:09,903
recording the CCTV footage
from a security camera

897
00:49:09,903 --> 00:49:12,166
and then playing it back
to the camera

898
00:49:12,166 --> 00:49:14,125
when you're doing
something bad.

899
00:49:14,125 --> 00:49:16,301
That's what Stuxnet was doing.

900
00:49:16,301 --> 00:49:18,042
And in the Bangladesh heist,

901
00:49:18,042 --> 00:49:20,218
they were doing
something similar.

902
00:49:20,218 --> 00:49:22,872
ERIC: Once they made
their transactions,

903
00:49:22,872 --> 00:49:26,311
they wanted to make sure no one
realised they had happened.

904
00:49:26,311 --> 00:49:29,053
They were actually falsifying
the information

905
00:49:29,053 --> 00:49:30,576
about transactions.

906
00:49:30,576 --> 00:49:33,405
The recording of the
transactions were being done

907
00:49:33,405 --> 00:49:34,972
both in electronic format,

908
00:49:34,972 --> 00:49:38,540
but also falsifying the data
being sent to the printers,

909
00:49:38,540 --> 00:49:41,021
which actually looked like
everything was fine.

910
00:49:41,021 --> 00:49:44,242
So you find out how
you're being tracked,

911
00:49:44,242 --> 00:49:46,984
and then you try
to cover your tracks.

912
00:49:46,984 --> 00:49:48,246
Stuxnet did that.

913
00:49:48,246 --> 00:49:50,770
The Bangladeshi heist
did it as well.

914
00:49:53,207 --> 00:49:56,950
ERIC: Once that money
arrived in the Philippines,

915
00:49:56,950 --> 00:50:00,519
they needed to change
that money into cold, hard cash.

916
00:50:00,519 --> 00:50:02,912
Right now, it's still in
digital ones and zeros,

917
00:50:02,912 --> 00:50:05,437
just a transaction that said
the money has moved

918
00:50:05,437 --> 00:50:06,829
from the Bank of Bangladesh

919
00:50:06,829 --> 00:50:10,094
to these accounts at RCBC.
Four accounts.

920
00:50:10,094 --> 00:50:13,532
JOSHUA: The thieves had to
get it out of the Philippines,

921
00:50:13,532 --> 00:50:15,621
make it disappear.

922
00:50:15,621 --> 00:50:18,450
So how were they going
to do that?

923
00:50:18,450 --> 00:50:20,843
There is one industry
in the Philippines

924
00:50:20,843 --> 00:50:23,237
where there is absolutely
no oversight,

925
00:50:23,237 --> 00:50:27,241
where it's a cash-only business.
There are no records, no names.

926
00:50:27,241 --> 00:50:29,113
That is the casino industry.

927
00:50:41,125 --> 00:50:43,257
When we talk about
laundering funds,

928
00:50:43,257 --> 00:50:45,955
we're talking about
taking dirty, illicit funds,

929
00:50:45,955 --> 00:50:49,481
running them through
a legal business

930
00:50:49,481 --> 00:50:52,049
so that if I came
to you and said,

931
00:50:52,049 --> 00:50:55,400
"Hey, where'd you get
that $81 million?",

932
00:50:55,400 --> 00:51:00,318
you could have a paper trail
to show that you won it back.

933
00:51:00,318 --> 00:51:03,103
MIKKO: The hard part
is not stealing the money.

934
00:51:03,103 --> 00:51:06,628
The hard part is moving the
money into a form you can use

935
00:51:06,628 --> 00:51:08,152
without getting caught.

936
00:51:10,241 --> 00:51:15,202
And one method we've seen
for quite a while is gambling.

937
00:51:15,202 --> 00:51:17,074
KRISHNA: It was very clear that,

938
00:51:17,074 --> 00:51:20,251
if, at all, there was a place
for you to do that,

939
00:51:20,251 --> 00:51:22,166
it would have been
the Philippines,

940
00:51:22,166 --> 00:51:25,038
because the casinos
are not regulated at all.

941
00:51:27,171 --> 00:51:30,304
It's like a lot of
high-flying gamblers

942
00:51:30,304 --> 00:51:33,307
who'd kind of fly to Manila,

943
00:51:33,307 --> 00:51:37,050
crowd these numerous casinos
in Manila,

944
00:51:37,050 --> 00:51:38,399
lots of money coming in.

945
00:51:38,399 --> 00:51:41,315
People don't question
that kind of money.

946
00:51:41,315 --> 00:51:42,795
I mean, you know...

947
00:51:42,795 --> 00:51:44,753
"Well, as long as
it's coming to us,

948
00:51:44,753 --> 00:51:47,887
we don't bother too much
about where it is coming from."

949
00:51:49,323 --> 00:51:52,283
JOSHUA: The thieves knew
if they could get that money

950
00:51:52,283 --> 00:51:55,547
into the casinos,
it would essentially be lost.

951
00:51:56,809 --> 00:51:58,115
ERIC: What happened was,

952
00:51:58,115 --> 00:52:00,421
the manager from
the Philippines bank,

953
00:52:00,421 --> 00:52:03,381
she was the one who'd opened
those four accounts

954
00:52:03,381 --> 00:52:05,557
using fraudulent IDs.

955
00:52:05,557 --> 00:52:09,952
She got the money withdrawn from
the bank in the Philippines.

956
00:52:11,563 --> 00:52:12,955
From there, it started to go

957
00:52:12,955 --> 00:52:14,566
through something
called Philrem.

958
00:52:14,566 --> 00:52:18,004
It's a bit like a Western Union
in the Philippines,

959
00:52:18,004 --> 00:52:20,180
transferred into pesos.

960
00:52:20,180 --> 00:52:22,487
MISHA: I don't know
if you've ever used

961
00:52:22,487 --> 00:52:24,010
Philippine pesos before,

962
00:52:24,010 --> 00:52:28,057
but that's one hell
of a lot of pesos, $22 million.

963
00:52:28,057 --> 00:52:33,454
In fact,
it's over one million banknotes.

964
00:52:33,454 --> 00:52:35,630
ERIC: They actually had
to request that cash

965
00:52:35,630 --> 00:52:38,981
to come from a sister
branch location,

966
00:52:38,981 --> 00:52:40,853
that arrived in boxes.

967
00:52:40,853 --> 00:52:44,422
The bank manager was seen by
one of the other bank employees

968
00:52:44,422 --> 00:52:47,599
collecting those boxes
and literally going outside

969
00:52:47,599 --> 00:52:49,862
and loading them up
into a Lexus.

970
00:52:49,862 --> 00:52:50,993
[CAR ENGINE STARTS]

971
00:52:50,993 --> 00:52:53,344
And that money
was driven away.

972
00:52:59,785 --> 00:53:03,702
JOSHUA: So, we're talking stacks
of bills carried in vans

973
00:53:03,702 --> 00:53:07,227
to the Solaire Casino
right by the airport.

974
00:53:07,227 --> 00:53:10,448
It allows the Chinese gamblers
to come off the plane.

975
00:53:10,448 --> 00:53:13,320
Five minutes, they're on
the floor playing baccarat.

976
00:53:16,410 --> 00:53:19,979
The money goes to this place.
It's wheeled in wheelbarrows

977
00:53:19,979 --> 00:53:24,113
across the casino floor
up to this guarded escalator.

978
00:53:24,113 --> 00:53:26,420
[RAP MUSIC]

979
00:53:35,255 --> 00:53:38,215
MISHA: There's so much
physical cash involved,

980
00:53:38,215 --> 00:53:41,305
they've enlisted their
own crew of gamblers

981
00:53:41,305 --> 00:53:44,830
to launder the stolen funds.

982
00:53:44,830 --> 00:53:47,093
ERIC:
And they just played baccarat,

983
00:53:47,093 --> 00:53:49,617
all day long.

984
00:53:49,617 --> 00:53:51,140
They had individuals,

985
00:53:51,140 --> 00:53:54,231
mostly appeared to be Chinese
nationals that they had,

986
00:53:54,231 --> 00:53:57,538
I assume, hired to take
those funds and launder them.

987
00:53:57,538 --> 00:54:01,499
MISHA: You change that cash
into casino chips,

988
00:54:01,499 --> 00:54:03,152
play a few games,

989
00:54:03,152 --> 00:54:04,937
cash in the chips.

990
00:54:04,937 --> 00:54:10,595
And when you get that cash back,
that is then laundered.

991
00:54:10,595 --> 00:54:13,119
And this wouldn't
have been unusual.

992
00:54:13,119 --> 00:54:15,513
This was the Chinese lunar week.

993
00:54:15,513 --> 00:54:18,298
That would've been very common
for individuals,

994
00:54:18,298 --> 00:54:20,561
high rollers, to come
into the Philippines

995
00:54:20,561 --> 00:54:22,868
and play at the casinos
during that time.

996
00:54:22,868 --> 00:54:26,611
Spending $22 million in
a casino over a weekend,

997
00:54:26,611 --> 00:54:28,569
let's face it, could be fun.

998
00:54:32,878 --> 00:54:36,708
NICOLE: Doing this story
and trying to figure out

999
00:54:36,708 --> 00:54:40,407
where in history
to sort of place this thing.

1000
00:54:40,407 --> 00:54:43,323
Was this the biggest
heist of all time?

1001
00:54:43,323 --> 00:54:47,327
No, but it certainly looked
to be the biggest cyber heist

1002
00:54:47,327 --> 00:54:50,243
of a bank in history.

1003
00:54:50,243 --> 00:54:54,378
And over the next few days,
I just remember

1004
00:54:54,378 --> 00:54:58,425
calling up my sources
at Symantec

1005
00:54:58,425 --> 00:55:00,993
and a couple other
cybersecurity firms

1006
00:55:00,993 --> 00:55:04,257
and getting in touch with
a guy named Eric Chien.

1007
00:55:06,085 --> 00:55:09,131
ERIC: We have all kinds of
sensors sitting on networks

1008
00:55:09,131 --> 00:55:10,785
and computers
all over the world.

1009
00:55:10,785 --> 00:55:14,136
Any time some sort of
cyber criminal, some attacker,

1010
00:55:14,136 --> 00:55:18,053
is trying to breach a computer,
they're leaving traces behind.

1011
00:55:19,577 --> 00:55:23,537
EJ: Every attack
has a signature.

1012
00:55:23,537 --> 00:55:25,104
If you look at it long enough,

1013
00:55:25,104 --> 00:55:27,454
if you study it,
if you work it long enough,

1014
00:55:27,454 --> 00:55:29,717
you can understand
the way they do things.

1015
00:55:29,717 --> 00:55:31,284
The way they state something,

1016
00:55:31,284 --> 00:55:34,461
the way they code
a particular way,

1017
00:55:34,461 --> 00:55:39,901
the methodology of the attack,
the step-by-step approaches.

1018
00:55:39,901 --> 00:55:42,904
It might be considered
like Sherlock Holmesian

1019
00:55:42,904 --> 00:55:44,384
to come up with this idea.

1020
00:55:44,384 --> 00:55:46,778
"Because he walks
with a gait this way,

1021
00:55:46,778 --> 00:55:48,954
and he does this..."
But it is true.

1022
00:55:48,954 --> 00:55:53,262
We see those signatures.
We see those patterns.

1023
00:55:54,220 --> 00:55:56,004
ERIC: What we discovered was,

1024
00:55:56,004 --> 00:55:59,443
by looking at the artefacts
that these attackers had used,

1025
00:55:59,443 --> 00:56:01,880
the malicious binaries
they had used,

1026
00:56:01,880 --> 00:56:03,185
the code inside of it,

1027
00:56:03,185 --> 00:56:05,753
as well as the email accounts
that they used

1028
00:56:05,753 --> 00:56:07,929
to send the initial
spear-phishing messages,

1029
00:56:07,929 --> 00:56:12,499
we were able to map this back
to an attacker back in 2014.

1030
00:56:15,415 --> 00:56:18,505
Sony Pictures is mainly housed
in Culver City.

1031
00:56:18,505 --> 00:56:20,507
And in 2014,

1032
00:56:20,507 --> 00:56:24,598
Sony Pictures went down,
which was unheard of.

1033
00:56:24,598 --> 00:56:26,078
On that day in November,

1034
00:56:26,078 --> 00:56:28,559
people would have come in,
tried to swipe their badge

1035
00:56:28,559 --> 00:56:30,778
and not even be able
to get into the office.

1036
00:56:30,778 --> 00:56:32,780
MISHA: They get
into the building finally

1037
00:56:32,780 --> 00:56:35,957
and then they discover that
nothing else is working either.

1038
00:56:35,957 --> 00:56:40,005
Printers aren't working,
computers aren't working.

1039
00:56:40,005 --> 00:56:43,225
ERIC: People who had laptops
connected to the network

1040
00:56:43,225 --> 00:56:44,966
would have immediately seen

1041
00:56:44,966 --> 00:56:47,926
skulls and crossbones
show up on their screens,

1042
00:56:47,926 --> 00:56:51,016
scrolling with scary
<i>Halloween</i>-type music

1043
00:56:51,016 --> 00:56:52,496
playing in the background.

1044
00:56:52,496 --> 00:56:55,716
And it said,
"Hacked by the GOP."

1045
00:56:55,716 --> 00:56:58,980
MISHA: Guardians of the Peace.

1046
00:56:58,980 --> 00:57:02,027
A mysterious crew of hackers,

1047
00:57:02,027 --> 00:57:05,987
also known as the Lazarus Group.

1048
00:57:05,987 --> 00:57:08,120
We'd call them
the Lazarus Group.

1049
00:57:08,120 --> 00:57:09,251
They've been responsible

1050
00:57:09,251 --> 00:57:11,123
for many, many attacks
over the years.

1051
00:57:11,123 --> 00:57:13,342
You know, political statements

1052
00:57:13,342 --> 00:57:15,954
and bringing down some
websites in South Korea

1053
00:57:15,954 --> 00:57:20,306
and also the White House in the
United States and the Pentagon.

1054
00:57:20,306 --> 00:57:23,875
MISHA: Now, at this point,
the penny has dropped.

1055
00:57:23,875 --> 00:57:26,007
Sony has been hacked.

1056
00:57:26,007 --> 00:57:28,662
REPORTER: The hack attack
has had a devastating effect

1057
00:57:28,662 --> 00:57:31,491
on the entertainment company,
with an avalanche of leaks

1058
00:57:31,491 --> 00:57:34,189
revealing personal information
of employees

1059
00:57:34,189 --> 00:57:37,497
and salacious email exchanges
of A-list celebrities.

1060
00:57:37,497 --> 00:57:40,500
They ultimately compromised
Sony Pictures Network,

1061
00:57:40,500 --> 00:57:43,851
got inside
and wiped 10,000 computers.

1062
00:57:43,851 --> 00:57:45,592
On top of that,
they actually stole

1063
00:57:45,592 --> 00:57:48,682
all kinds of documents
and emails from Sony Pictures.

1064
00:57:48,682 --> 00:57:50,815
REPORTER: The hack
on Sony Pictures

1065
00:57:50,815 --> 00:57:53,382
is rocking Hollywood's
very foundation;

1066
00:57:53,382 --> 00:57:56,037
the industry,
warts and all, exposed.

1067
00:57:56,037 --> 00:57:59,258
Initially, we had no link
between the SWIFT attack

1068
00:57:59,258 --> 00:58:01,956
and the Sony Pictures attack.

1069
00:58:01,956 --> 00:58:04,481
But when we were looking
at the malware,

1070
00:58:04,481 --> 00:58:06,395
we found an interesting detail.

1071
00:58:06,395 --> 00:58:09,573
There was a component
called an indexing manager,

1072
00:58:09,573 --> 00:58:13,011
which was saving the logs
during the SWIFT attack

1073
00:58:13,011 --> 00:58:15,492
into an encrypted file.

1074
00:58:15,492 --> 00:58:18,538
The file was encrypted
with a really long key,

1075
00:58:18,538 --> 00:58:22,063
and when we just
googled for the key,

1076
00:58:22,063 --> 00:58:25,284
we found that the same key, exactly,

1077
00:58:25,284 --> 00:58:30,594
was used 18 months earlier
in the Sony Pictures attack.

1078
00:58:31,769 --> 00:58:34,119
MISHA: This was
the moment we realised

1079
00:58:34,119 --> 00:58:36,077
the Bangladeshi SWIFT attack

1080
00:58:36,077 --> 00:58:39,733
was probably perpetrated
by the Lazarus Group.

1081
00:58:40,691 --> 00:58:42,301
So, who is Lazarus?

1082
00:58:42,301 --> 00:58:43,781
Well, from what we know,

1083
00:58:43,781 --> 00:58:46,740
they're a trans-global
criminal organisation

1084
00:58:46,740 --> 00:58:51,571
that's been trained
at a nation-state level.

1085
00:58:51,571 --> 00:58:55,444
The nation states really started
coming in on a criminal side...

1086
00:58:57,055 --> 00:58:59,231
when sanctions started.

1087
00:58:59,231 --> 00:59:02,277
When we start limiting
the capability of a nation

1088
00:59:02,277 --> 00:59:05,411
to get cash, and we up
the methodology

1089
00:59:05,411 --> 00:59:07,979
to monitor
the way they're getting cash,

1090
00:59:07,979 --> 00:59:11,025
they turn to different approaches.

1091
00:59:11,025 --> 00:59:13,898
MISHA: So if you're a country
that's under sanction

1092
00:59:13,898 --> 00:59:17,162
and your ability to get funds
has been compromised,

1093
00:59:17,162 --> 00:59:20,121
you may be motivated to
go to the Lazarus Group

1094
00:59:20,121 --> 00:59:23,429
to fix your problem.

1095
00:59:23,429 --> 00:59:25,649
It's like a job for them.
It <i>is</i> a job for them.

1096
00:59:25,649 --> 00:59:27,694
They get recruited.
It's a nine-to-five job.

1097
00:59:27,694 --> 00:59:30,958
They come in, and each
of them has their specialties.

1098
00:59:30,958 --> 00:59:32,351
They have managers,

1099
00:59:32,351 --> 00:59:35,223
they have targets that
they're told to go after.

1100
00:59:35,223 --> 00:59:37,356
When you talk about
nation states,

1101
00:59:37,356 --> 00:59:39,619
obviously,
for your average nation state,

1102
00:59:39,619 --> 00:59:42,927
most cyber offensive campaigns
are under the military.

1103
00:59:42,927 --> 00:59:45,712
It's very similar to how
a military organisation

1104
00:59:45,712 --> 00:59:49,020
would be organised for their
cyber offensive campaigns.

1105
00:59:49,020 --> 00:59:51,457
There is a hotel,
for example, in China

1106
00:59:51,457 --> 00:59:53,590
where they've taken over
multiple floors

1107
00:59:53,590 --> 00:59:55,635
where they essentially
have dormitories.

1108
00:59:55,635 --> 00:59:59,073
They go to sleep in that hotel,
they eat in that hotel,

1109
00:59:59,073 --> 01:00:01,423
and they don't come
out of that hotel.

1110
01:00:01,423 --> 01:00:04,078
They just move from
one room to another,

1111
01:00:04,078 --> 01:00:05,863
hack all day and night.

1112
01:00:08,039 --> 01:00:10,650
MISHA: And the Lazarus Group
is thought to be made up

1113
01:00:10,650 --> 01:00:13,392
of these state-trained hackers.

1114
01:00:18,745 --> 01:00:21,226
What's amazing about cyber,

1115
01:00:21,226 --> 01:00:23,794
when you talk about
nation states,

1116
01:00:23,794 --> 01:00:27,319
is the cost to entry
is extremely low.

1117
01:00:27,319 --> 01:00:29,713
We have nation states
who have been

1118
01:00:29,713 --> 01:00:33,194
trying to create
nuclear missiles,

1119
01:00:33,194 --> 01:00:35,066
tried to create
a nuclear programme.

1120
01:00:35,066 --> 01:00:36,981
Places like Iran, for example.

1121
01:00:36,981 --> 01:00:41,507
The dollars it costs to do so,
it's extraordinary.

1122
01:00:41,507 --> 01:00:44,684
But if you want to build
a cyber offensive campaign,

1123
01:00:44,684 --> 01:00:46,991
you get two, three,
four, five guys

1124
01:00:46,991 --> 01:00:50,472
and potentially threaten
to disable the power grid

1125
01:00:50,472 --> 01:00:52,039
in some country.

1126
01:00:52,039 --> 01:00:54,476
When you talk about
trying to rob a bank

1127
01:00:54,476 --> 01:00:57,175
or produce illicit drugs
and sell them,

1128
01:00:57,175 --> 01:00:59,830
the amount of people
required on the ground,

1129
01:00:59,830 --> 01:01:01,266
the amount of connections,

1130
01:01:01,266 --> 01:01:03,442
and for the dollars
that you would receive,

1131
01:01:03,442 --> 01:01:04,922
is nothing compared to,

1132
01:01:04,922 --> 01:01:07,446
"Let's get three guys,
break into a bank

1133
01:01:07,446 --> 01:01:10,667
and potentially
transfer $1 billion."

1134
01:01:16,063 --> 01:01:20,502
MISHA: Back in the VIP room
of the Solaire Casino in Manila,

1135
01:01:20,502 --> 01:01:24,942
the money-laundering operation
is in full flight.

1136
01:01:26,683 --> 01:01:29,729
They just spend hours
upon hours gambling away,

1137
01:01:29,729 --> 01:01:31,296
collecting chips.

1138
01:01:31,296 --> 01:01:33,733
They transfer those chips
back into cold, hard currency.

1139
01:01:33,733 --> 01:01:36,693
JOSHUA: You put a hundred
gamblers into the VIP lounge

1140
01:01:36,693 --> 01:01:40,784
playing cash, so maybe the house
has a one or two percent margin.

1141
01:01:40,784 --> 01:01:43,743
But all the rest is untraceable
money that they walk out with.

1142
01:01:43,743 --> 01:01:46,006
ERIC: What's interesting
about these individuals,

1143
01:01:46,006 --> 01:01:47,704
they weren't interested
in winning.

1144
01:01:47,704 --> 01:01:50,184
They were just interested
in playing.

1145
01:01:50,184 --> 01:01:51,620
MIKKO: If you lose the money,

1146
01:01:51,620 --> 01:01:53,405
the money doesn't go
to the casino,

1147
01:01:53,405 --> 01:01:54,928
it goes to the other players.

1148
01:01:54,928 --> 01:01:58,410
So you can play the table
where the other players are,

1149
01:01:58,410 --> 01:01:59,846
your partners.

1150
01:01:59,846 --> 01:02:02,196
Then you can lose
the dirty money on purpose,

1151
01:02:02,196 --> 01:02:04,024
moving the money
to your partners.

1152
01:02:04,024 --> 01:02:05,678
Now it's cashed out.

1153
01:02:05,678 --> 01:02:09,073
Now it looks like it came from a
great win in a poker tournament

1154
01:02:09,073 --> 01:02:11,640
instead of being stolen
from somewhere.

1155
01:02:11,640 --> 01:02:14,513
So, casinos are a good way
of laundering money.

1156
01:02:14,513 --> 01:02:17,342
Real-world criminals have
done that for decades.

1157
01:02:17,342 --> 01:02:20,606
Online criminals
are doing it today.

1158
01:02:20,606 --> 01:02:23,740
They played for a whole week,
that whole lunar week,

1159
01:02:23,740 --> 01:02:25,698
every day, like workers,

1160
01:02:25,698 --> 01:02:28,309
nine to five, essentially,
in that casino.

1161
01:02:33,358 --> 01:02:36,361
MISHA: Finally, the Chinese
New Year celebrations

1162
01:02:36,361 --> 01:02:37,884
have come to an end.

1163
01:02:37,884 --> 01:02:42,280
The staff at the RCBC bank
in Manila are back at work.

1164
01:02:44,369 --> 01:02:47,328
Now, the Bangladesh Bank
is still desperately trying

1165
01:02:47,328 --> 01:02:49,417
to put a stop
on any further withdrawals

1166
01:02:49,417 --> 01:02:52,159
from those accounts
in the Bank of the Philippines.

1167
01:02:52,159 --> 01:02:54,509
They've lost
$22 million already,

1168
01:02:54,509 --> 01:02:58,818
but there's still $59 million
left that they can save.

1169
01:02:58,818 --> 01:03:01,865
They're firing message
after message to Manila,

1170
01:03:01,865 --> 01:03:04,737
"Hold all transactions."

1171
01:03:04,737 --> 01:03:07,087
In the Philippines,
they got those messages.

1172
01:03:07,087 --> 01:03:08,567
They got those messages

1173
01:03:08,567 --> 01:03:10,830
as part of many other
transaction messages they got

1174
01:03:10,830 --> 01:03:12,701
that were sitting in
a printer queue

1175
01:03:12,701 --> 01:03:14,051
at the bottom of the stack,

1176
01:03:14,051 --> 01:03:16,357
and ultimately, they never
saw those messages.

1177
01:03:16,357 --> 01:03:20,797
MISHA: At this point, the fence
gets in touch with the manager

1178
01:03:20,797 --> 01:03:22,799
of the bank in Jupiter Street.

1179
01:03:22,799 --> 01:03:26,672
"Can you please authorise
the transfer of $59 million?"

1180
01:03:26,672 --> 01:03:29,849
She authorises that $59 million.

1181
01:03:29,849 --> 01:03:34,114
It goes straight
to the Solaire Casino.

1182
01:03:34,114 --> 01:03:36,029
More money laundering.

1183
01:03:37,901 --> 01:03:39,424
Five hours later,

1184
01:03:39,424 --> 01:03:44,037
after increasingly urgent calls
from the Bangladesh Bank,

1185
01:03:44,037 --> 01:03:50,000
the manager finally puts a block
on all of the accounts.

1186
01:03:50,000 --> 01:03:52,829
But, really, it's too late.

1187
01:03:52,829 --> 01:03:54,831
The money's gone.

1188
01:03:59,139 --> 01:04:02,273
It's incredible when you think
what the Lazarus Group

1189
01:04:02,273 --> 01:04:05,885
was able to pull off with
just some ones and zeros.

1190
01:04:05,885 --> 01:04:07,756
They guide their bespoke malware

1191
01:04:07,756 --> 01:04:10,020
into the computer network
of a bank,

1192
01:04:10,020 --> 01:04:11,717
and then a year later,

1193
01:04:11,717 --> 01:04:15,025
they're literally washing
$100 million

1194
01:04:15,025 --> 01:04:17,331
through a casino
in the Philippines.

1195
01:04:17,331 --> 01:04:19,856
It's astonishing.

1196
01:04:19,856 --> 01:04:22,336
But what's really, really scary

1197
01:04:22,336 --> 01:04:25,687
is what happened
just a year later.

1198
01:04:27,428 --> 01:04:29,561
Now back to
the major cyber-attack,

1199
01:04:29,561 --> 01:04:34,087
the ransomware crippling 200,000
computers in 150 countries.

1200
01:04:34,087 --> 01:04:37,699
The thousands of targets all
received this ominous message

1201
01:04:37,699 --> 01:04:39,745
in English on their screens:

1202
01:04:49,276 --> 01:04:54,151
Everyone was basically locked up
with this malware

1203
01:04:54,151 --> 01:04:58,329
that we discovered had been
launched by the same attackers

1204
01:04:58,329 --> 01:05:01,158
as the Central Bank
of Bangladesh.

1205
01:05:01,158 --> 01:05:03,377
MISHA:
So they design this malware,

1206
01:05:03,377 --> 01:05:05,989
and then they lose
control of it entirely.

1207
01:05:05,989 --> 01:05:08,121
And that caused chaos.

1208
01:05:08,121 --> 01:05:11,385
REPORTER: Ambulances were
diverted to other hospitals.

1209
01:05:11,385 --> 01:05:14,823
Patients were turned away,
their operations cancelled.

1210
01:05:14,823 --> 01:05:17,696
NICOLE: You know,
the first sign that something

1211
01:05:17,696 --> 01:05:21,961
was seriously wrong was when
hospitals in the United Kingdom

1212
01:05:21,961 --> 01:05:24,529
started telling patients,
"Don't come."

1213
01:05:24,529 --> 01:05:28,533
That their systems had been
locked up with ransomware.

1214
01:05:28,533 --> 01:05:33,625
It's unclear if it was
accidentally released too early,

1215
01:05:33,625 --> 01:05:35,018
it appears so,

1216
01:05:35,018 --> 01:05:37,890
or if it was
designed not to work

1217
01:05:37,890 --> 01:05:41,241
and just begin wiping computers,
because it didn't matter.

1218
01:05:41,241 --> 01:05:44,157
Even if you paid them, you would
not get the decryption key.

1219
01:05:44,157 --> 01:05:45,985
They didn't have
the decryption key.

1220
01:05:45,985 --> 01:05:48,118
They couldn't decrypt your files anymore.

1221
01:05:48,118 --> 01:05:50,816
REPORTER: Japan, Turkey
and the Philippines

1222
01:05:50,816 --> 01:05:54,733
were also affected.
In the US, FedEx was hit.

1223
01:05:54,733 --> 01:05:59,694
MISHA: That virulent virus
spiralled out of control.

1224
01:05:59,694 --> 01:06:04,047
In Germany, it attacked the
network of the Deutsche Bahn,

1225
01:06:04,047 --> 01:06:05,439
German Railway.

1226
01:06:05,439 --> 01:06:09,400
In Spain,
WannaCry hit Telefonica,

1227
01:06:09,400 --> 01:06:12,359
the biggest telecommunications company.

1228
01:06:12,359 --> 01:06:16,537
It hit the banking systems,
and ATMs didn't work.

1229
01:06:16,537 --> 01:06:21,847
This thing was hitting companies
in something like 150 countries.

1230
01:06:21,847 --> 01:06:23,588
REPORTER:
Other targets in the US

1231
01:06:23,588 --> 01:06:26,025
include Merck Pharmaceutical
in New Jersey.

1232
01:06:26,025 --> 01:06:28,810
Even the company that makes
Oreo cookies may have been hit.

1233
01:06:28,810 --> 01:06:32,945
So, you had the health
service, you had transport,

1234
01:06:32,945 --> 01:06:36,470
you had communications,
you had the finance system,

1235
01:06:36,470 --> 01:06:37,906
and you had governance

1236
01:06:37,906 --> 01:06:42,824
all with one tiny piece
of crappy malware, WannaCry.

1237
01:06:42,824 --> 01:06:44,130
ERIC: In other attacks,

1238
01:06:44,130 --> 01:06:46,002
they have to send you
a spear-phishing email,

1239
01:06:46,002 --> 01:06:48,047
trick you into double-clicking
on an attachment.

1240
01:06:48,047 --> 01:06:50,180
In this case, your computer
just had to be on,

1241
01:06:50,180 --> 01:06:51,485
connected to the internet,

1242
01:06:51,485 --> 01:06:54,053
and it would have got infected
by WannaCry.

1243
01:06:54,053 --> 01:06:57,274
MISHA: It succeeded because
the crappy malware

1244
01:06:57,274 --> 01:07:00,407
was being infiltrated
into the systems

1245
01:07:00,407 --> 01:07:03,193
on the back
of a much more powerful tool

1246
01:07:03,193 --> 01:07:04,803
called EternalBlue,

1247
01:07:04,803 --> 01:07:08,459
which had been developed by
the National Security Agency

1248
01:07:08,459 --> 01:07:10,417
in the United States.

1249
01:07:10,417 --> 01:07:12,637
The thing the NSA
never wanted to talk about

1250
01:07:12,637 --> 01:07:15,640
was the fact that it was
travelling on a digital missile

1251
01:07:15,640 --> 01:07:19,426
that had been built
at its own intelligence agency.

1252
01:07:19,426 --> 01:07:22,560
They repurposed something
created by the US government,

1253
01:07:22,560 --> 01:07:24,170
leaked
by the Russian government,

1254
01:07:24,170 --> 01:07:26,825
put it into their ransomware
that allowed it to spread

1255
01:07:26,825 --> 01:07:30,742
all over the world,
any computer on at that time.

1256
01:07:30,742 --> 01:07:34,006
MISHA: So one crappy piece
of malware

1257
01:07:34,006 --> 01:07:36,878
can hit every single aspect

1258
01:07:36,878 --> 01:07:39,142
of the critical national infrastructure

1259
01:07:39,142 --> 01:07:42,971
within the space
of about ten days

1260
01:07:42,971 --> 01:07:44,886
in different countries.

1261
01:07:57,508 --> 01:08:00,728
Eventually, there's a court case
after about a month.

1262
01:08:00,728 --> 01:08:03,601
There's a court case in Manila.

1263
01:08:03,601 --> 01:08:06,908
Ultimately, the bank manager
didn't want anyone to find out.

1264
01:08:06,908 --> 01:08:08,388
But when he finally got in touch

1265
01:08:08,388 --> 01:08:10,825
with the Bank
of the Philippines, they said,

1266
01:08:10,825 --> 01:08:12,827
"If you need this money returned,

1267
01:08:12,827 --> 01:08:15,700
you need to get a court order."
So he files a court order,

1268
01:08:15,700 --> 01:08:18,006
but court orders are public
in the Philippines,

1269
01:08:18,006 --> 01:08:19,573
like in many other countries.

1270
01:08:19,573 --> 01:08:22,576
A reporter spots it and realised
that this has happened,

1271
01:08:22,576 --> 01:08:25,101
publishes it in a newspaper,
and it all comes out.

1272
01:08:25,101 --> 01:08:28,016
REPORTER: The $81 million
money-laundering scandal

1273
01:08:28,016 --> 01:08:31,672
is now considered one of
the biggest bank heists in Asia.

1274
01:08:31,672 --> 01:08:33,805
But how exactly
did thieves steal

1275
01:08:33,805 --> 01:08:35,981
such a huge amount of money?

1276
01:08:35,981 --> 01:08:37,461
Not just known
in the Philippines

1277
01:08:37,461 --> 01:08:38,679
and the Bank of Bangladesh,

1278
01:08:38,679 --> 01:08:40,377
when the Bangladesh
government finds out

1279
01:08:40,377 --> 01:08:42,901
the bank manager has been
doing this behind the scenes,

1280
01:08:42,901 --> 01:08:44,337
but the whole world finds out.

1281
01:08:44,337 --> 01:08:46,774
And ultimately,
the Bangladesh Bank

1282
01:08:46,774 --> 01:08:48,863
needs to get assistance
from the FBI.

1283
01:08:48,863 --> 01:08:52,171
The New York Fed is involved.
The United States is involved.

1284
01:08:52,171 --> 01:08:54,304
This becomes
a whole worldwide issue

1285
01:08:54,304 --> 01:08:57,220
and begins to ripple across
the financial industry

1286
01:08:57,220 --> 01:08:58,743
that this was even possible.

1287
01:08:58,743 --> 01:09:00,527
Experts believe that hackers

1288
01:09:00,527 --> 01:09:04,183
were able to break into the
New York Federal Reserve's

1289
01:09:04,183 --> 01:09:06,403
special account for Bangladesh,

1290
01:09:06,403 --> 01:09:09,754
getting away with $81 million.

1291
01:09:09,754 --> 01:09:13,236
Now, Bangladesh's Central Bank
governor, Atiur Rahman,

1292
01:09:13,236 --> 01:09:16,935
has resigned after hackers stole
tens of millions of dollars

1293
01:09:16,935 --> 01:09:19,198
from the nation's
foreign reserves.

1294
01:09:19,198 --> 01:09:23,159
The bank was criticised for
its handling of the breach...

1295
01:09:23,159 --> 01:09:26,162
RAKESH: The governor was
an excellent central banker.

1296
01:09:26,162 --> 01:09:27,902
I have a lot of respect for him.

1297
01:09:27,902 --> 01:09:32,298
He was deemed one of the top
bankers by the Asia <i>MoneyWeek.</i>

1298
01:09:32,298 --> 01:09:34,126
And poor fellow, that time,

1299
01:09:34,126 --> 01:09:36,737
he was faced with
this sort of scenario

1300
01:09:36,737 --> 01:09:39,827
which he honestly
didn't understand.

1301
01:09:39,827 --> 01:09:42,787
JOSHUA: He had really pushed
the financial system

1302
01:09:42,787 --> 01:09:45,529
in Bangladesh into
the 21st century.

1303
01:09:45,529 --> 01:09:48,575
He had to essentially fall
on his sword and resign

1304
01:09:48,575 --> 01:09:51,404
in disgrace,
and his career was ruined.

1305
01:09:51,404 --> 01:09:54,190
Many others at the bank
had to resign as well.

1306
01:09:54,190 --> 01:09:57,758
An emotional Maia Deguito,
the manager of the RCBC branch

1307
01:09:57,758 --> 01:10:01,153
in Jupiter Street in Makati,
insists she is innocent

1308
01:10:01,153 --> 01:10:02,763
in the face of accusations

1309
01:10:02,763 --> 01:10:05,636
she is involved in the
money-laundering scheme.

1310
01:10:05,636 --> 01:10:08,247
REPORTER:
So far, only the branch manager

1311
01:10:08,247 --> 01:10:11,468
has been charged by the
Anti-Money Laundering Council.

1312
01:10:11,468 --> 01:10:14,384
MISHA: One of the great
injustices of this whole scandal

1313
01:10:14,384 --> 01:10:17,343
is that the only person who
got convicted of anything

1314
01:10:17,343 --> 01:10:18,953
was Maia Deguito,

1315
01:10:18,953 --> 01:10:22,696
and she was just the mid-level
branch manager of the RCBC,

1316
01:10:22,696 --> 01:10:26,874
the bank in the Philippines
that received the actual funds.

1317
01:10:26,874 --> 01:10:28,180
Typical, isn't it?

1318
01:10:28,180 --> 01:10:30,965
A crime that was conceived
and carried out

1319
01:10:30,965 --> 01:10:32,402
by a whole bunch of men,

1320
01:10:32,402 --> 01:10:35,535
and the only person who
gets done for it is a woman

1321
01:10:35,535 --> 01:10:38,538
who probably wasn't that
guilty in the first place.

1322
01:10:38,538 --> 01:10:41,802
But she received a sentence
of 56 years in jail

1323
01:10:41,802 --> 01:10:44,979
and a fine of $109 million,

1324
01:10:44,979 --> 01:10:49,506
which is significantly more
than the thieves actually stole.

1325
01:10:50,985 --> 01:10:52,291
JOSHUA: To my mind,

1326
01:10:52,291 --> 01:10:54,424
there's no question
that she was a scapegoat.

1327
01:10:54,424 --> 01:10:58,297
I mean, the currency traders
who turned that $81 million

1328
01:10:58,297 --> 01:11:01,300
into pesos got off scot-free.

1329
01:11:01,300 --> 01:11:03,737
There are a couple of
Chinese operators

1330
01:11:03,737 --> 01:11:06,566
who brought these gamblers
in from China.

1331
01:11:06,566 --> 01:11:10,396
We know that they received tens
of millions of dollars in cash.

1332
01:11:10,396 --> 01:11:15,314
They vanished back to Macau.
No trace of them was ever found.

1333
01:11:15,314 --> 01:11:17,751
We can't say for sure,
but certainly it looks like

1334
01:11:17,751 --> 01:11:20,798
people at the Rizal Bank headquarters

1335
01:11:20,798 --> 01:11:23,888
buried these requests
to stop these transactions.

1336
01:11:23,888 --> 01:11:27,239
But nobody else at the Rizal
Bank was ever accused.

1337
01:11:27,239 --> 01:11:31,199
Oddly enough, in this giant
scheme that involved

1338
01:11:31,199 --> 01:11:34,986
a half a dozen countries,
nearly $1 billion,

1339
01:11:34,986 --> 01:11:40,208
only one bank employee
in a small branch in Manila

1340
01:11:40,208 --> 01:11:42,646
was ever convicted of
doing anything wrong.

1341
01:11:42,646 --> 01:11:46,040
It's incredible. Total impunity.

1342
01:11:52,395 --> 01:11:54,788
I think the most
important lesson

1343
01:11:54,788 --> 01:11:57,878
of the Bangladesh Bank

1344
01:11:57,878 --> 01:11:59,880
is a lesson of scale.

1345
01:11:59,880 --> 01:12:01,882
The internet is
a fantastic thing.

1346
01:12:01,882 --> 01:12:04,320
It's made our world
much, much smaller.

1347
01:12:04,320 --> 01:12:07,061
You can do all sorts of things.
It's fantastic.

1348
01:12:07,061 --> 01:12:08,933
But that interconnectivity,

1349
01:12:08,933 --> 01:12:11,805
where everything
is linked to everything else,

1350
01:12:11,805 --> 01:12:15,418
means that if you get bad actors
in that system,

1351
01:12:15,418 --> 01:12:17,245
then the damage

1352
01:12:17,245 --> 01:12:22,076
is infinitely more immense
than it was before.

1353
01:12:23,687 --> 01:12:25,993
When I started this job
two decades ago,

1354
01:12:25,993 --> 01:12:29,083
you had to explain to people,
what is a virus?

1355
01:12:29,083 --> 01:12:31,042
What is a cyber-attack?

1356
01:12:31,042 --> 01:12:33,392
Today, we don't talk about

1357
01:12:33,392 --> 01:12:36,439
making sure this file doesn't
get deleted any more.

1358
01:12:36,439 --> 01:12:40,573
We literally talk about making
sure the supply chain is up,

1359
01:12:40,573 --> 01:12:42,619
food can reach people's tables.

1360
01:12:42,619 --> 01:12:45,665
Our job is not just to protect
people's computers.

1361
01:12:45,665 --> 01:12:49,060
Our job is to ensure
society is up and running.

1362
01:12:49,060 --> 01:12:52,063
MISHA: Everything
that we use now,

1363
01:12:52,063 --> 01:12:53,978
water, electricity,

1364
01:12:53,978 --> 01:12:56,937
the financial system,
the comms system,

1365
01:12:56,937 --> 01:12:58,548
depends on the integrity

1366
01:12:58,548 --> 01:13:03,683
of unbelievably complex
networked computer systems.

1367
01:13:03,683 --> 01:13:07,992
And our dependence
is becoming such

1368
01:13:07,992 --> 01:13:10,386
that, should anything go wrong,

1369
01:13:10,386 --> 01:13:13,171
be it a technical hitch
or be it a hack,

1370
01:13:13,171 --> 01:13:17,131
it can actually lead
to our lives grinding to a halt

1371
01:13:17,131 --> 01:13:19,525
in a very short space of time.

1372
01:13:20,483 --> 01:13:22,136
NICOLE: We're sort of in a state

1373
01:13:22,136 --> 01:13:24,617
where we're increasing
our vulnerability

1374
01:13:24,617 --> 01:13:27,359
and our attack surface
every single day.

1375
01:13:27,359 --> 01:13:29,796
And instead of pausing

1376
01:13:29,796 --> 01:13:32,799
and thinking about
how to lock up our power grid,

1377
01:13:32,799 --> 01:13:37,848
really, where our energy has
been focused is on escalation.

1378
01:13:37,848 --> 01:13:41,373
Countries like the United
States, China and Russia

1379
01:13:41,373 --> 01:13:44,550
have already arrogated
the right to themselves

1380
01:13:44,550 --> 01:13:47,335
to attack with full force,

1381
01:13:47,335 --> 01:13:50,034
whether cyber
or conventional weapons,

1382
01:13:50,034 --> 01:13:51,905
against anyone who brings down

1383
01:13:51,905 --> 01:13:56,519
a serious piece of critical
national infrastructure.

1384
01:13:56,519 --> 01:14:01,480
ERIC: We've had Stuxnet blowing
up the Natanz centrifuge plant.

1385
01:14:01,480 --> 01:14:04,962
We've had ransomware attacks,
which hit the Eastern Seaboard.

1386
01:14:04,962 --> 01:14:07,007
There was no gas
to the Eastern Seaboard

1387
01:14:07,007 --> 01:14:09,619
for a whole week
in the United States.

1388
01:14:09,619 --> 01:14:11,751
We had Russia
against the Ukraine,

1389
01:14:11,751 --> 01:14:14,537
shutting out the power
in the middle of winter.

1390
01:14:14,537 --> 01:14:17,453
We're talking about
people losing their lives.

1391
01:14:17,453 --> 01:14:19,019
We've also had cyber-attacks

1392
01:14:19,019 --> 01:14:21,413
that potentially affected
US elections.

1393
01:14:21,413 --> 01:14:23,763
We had the healthcare in the UK
brought down,

1394
01:14:23,763 --> 01:14:25,939
dialysis machines
no longer working.

1395
01:14:25,939 --> 01:14:29,421
MISHA: This is an extremely
fragile situation,

1396
01:14:29,421 --> 01:14:33,599
much more fragile
than the period of détente,

1397
01:14:33,599 --> 01:14:37,255
because so many more
countries have these weapons.

1398
01:14:37,255 --> 01:14:41,389
Malware is much more difficult
to control than nuclear weapons.

1399
01:14:41,389 --> 01:14:44,871
NICOLE: People always warn me
of the cyber Pearl Harbor

1400
01:14:44,871 --> 01:14:47,091
or the cyber 9/11,

1401
01:14:47,091 --> 01:14:49,746
but it's almost worse than that.

1402
01:14:49,746 --> 01:14:53,619
Every day, there are thousands
of cyber-attacks,

1403
01:14:53,619 --> 01:14:58,232
and we're just getting more and
more and more inured to them.

1404
01:14:59,016 --> 01:15:00,887
It's like a plague.

1405
01:15:00,887 --> 01:15:05,152
MIKKO: I think we'll see much
more hostile cyber activity,

1406
01:15:05,152 --> 01:15:07,851
much more cyber bank robberies,

1407
01:15:07,851 --> 01:15:09,983
much more cyber espionage.

1408
01:15:09,983 --> 01:15:13,030
We'll see much more cyber war.

1409
01:15:13,030 --> 01:15:15,815
In many ways,
I think we've seen nothing yet.

1410
01:15:15,815 --> 01:15:19,253
MISHA: As attacks increase
in their sophistication

1411
01:15:19,253 --> 01:15:21,386
and their range,

1412
01:15:21,386 --> 01:15:25,346
then the impact
can be ever greater.

1413
01:15:25,346 --> 01:15:29,873
There is a cyber-attack on
critical national infrastructure

1414
01:15:29,873 --> 01:15:31,744
coming to a place near you

1415
01:15:31,744 --> 01:15:35,269
within the next
five to ten years.

1416
01:15:35,269 --> 01:15:38,708
If it's done well,
and if it's really malicious,

1417
01:15:38,708 --> 01:15:41,232
that could be catastrophic.

1418
01:15:43,016 --> 01:15:47,586
What's amazing about the
Bank of Bangladesh heist is...

1419
01:15:47,586 --> 01:15:51,285
they almost walked away
with $1 billion.

1420
01:15:54,071 --> 01:15:56,203
The mistakes that they made

1421
01:15:56,203 --> 01:15:59,990
that led to them only walking
with $81 million

1422
01:15:59,990 --> 01:16:02,862
were literally a typo in a name

1423
01:16:02,862 --> 01:16:05,082
and potentially
not being patient enough,

1424
01:16:05,082 --> 01:16:06,562
waiting just one more hour.

1425
01:16:06,562 --> 01:16:09,913
We could be telling
a completely different story.

1426
01:16:09,913 --> 01:16:11,828
JOSHUA: Presumably, these guys

1427
01:16:11,828 --> 01:16:15,309
kept perhaps 95 percent
of that cash.

1428
01:16:15,309 --> 01:16:16,528
You could walk out

1429
01:16:16,528 --> 01:16:18,399
with 95 percent
of what you came in with,

1430
01:16:18,399 --> 01:16:21,838
have nobody trace that money,
no record of it whatsoever,

1431
01:16:21,838 --> 01:16:26,233
and get on a plane with it,
and you're home free.

1432
01:16:26,233 --> 01:16:30,760
MISHA: Even if you had invested
a year's work,

1433
01:16:30,760 --> 01:16:35,460
that you had recruited
a really decent set of hackers,

1434
01:16:35,460 --> 01:16:39,899
that you had corrupted
bank officials,

1435
01:16:39,899 --> 01:16:43,947
you'll be looking at a profit
of about $75 million.

1436
01:16:43,947 --> 01:16:47,037
For a year's work,
not a bad pay-off.

1437
01:16:49,126 --> 01:16:52,999
The Bank of Bangladesh heist
showed them what was possible.

1438
01:16:54,392 --> 01:16:56,742
They proved that
they could do it.

1439
01:17:01,617 --> 01:17:03,662
After that attack,
it didn't stop.

1440
01:17:03,662 --> 01:17:07,840
We saw continued attacks
on various banks across Asia,

1441
01:17:07,840 --> 01:17:10,451
I think in
the Philippines again.

1442
01:17:10,451 --> 01:17:14,673
And also, they started hacking
the cryptocurrency exchanges,

1443
01:17:14,673 --> 01:17:18,546
where people store their Bitcoin
and Monero digital currency,

1444
01:17:18,546 --> 01:17:21,724
which has proved to be
incredibly lucrative for them.

1445
01:17:23,726 --> 01:17:25,684
MISHA: In 2017,
Lazarus was thought

1446
01:17:25,684 --> 01:17:27,338
to have successfully attacked

1447
01:17:27,338 --> 01:17:31,995
at least five Asian
cryptocurrency exchanges.

1448
01:17:31,995 --> 01:17:37,827
That's a total of
$571 million that was lost.

1449
01:17:37,827 --> 01:17:41,134
Cryptocurrency exchanges
just have the bare minimum

1450
01:17:41,134 --> 01:17:43,659
of security, we're learning now.

1451
01:17:43,659 --> 01:17:46,923
MISHA: In 2020, as the global
pandemic spiralled,

1452
01:17:46,923 --> 01:17:50,143
AstraZeneca, makers of
one of the key vaccines,

1453
01:17:50,143 --> 01:17:53,538
was hit by an attack,
extorting the company

1454
01:17:53,538 --> 01:17:56,846
and stealing sensitive
information for profit.

1455
01:17:58,064 --> 01:18:00,632
The sums involved
are astronomical,

1456
01:18:00,632 --> 01:18:03,940
and Lazarus is still
very much at large.

1457
01:18:06,246 --> 01:18:11,774
They have been designated
by the United States an APT;

1458
01:18:11,774 --> 01:18:13,863
that's an
advanced persistent threat.

1459
01:18:13,863 --> 01:18:16,692
Now, the fundamental criteria

1460
01:18:16,692 --> 01:18:20,478
is that they represent a threat

1461
01:18:20,478 --> 01:18:24,612
to US national security
and national infrastructure.

1462
01:18:24,612 --> 01:18:28,486
So, just by dint of it
being called an APT

1463
01:18:28,486 --> 01:18:33,404
means that the Lazarus Group
is serious stuff.

1464
01:18:33,404 --> 01:18:35,623
JOSHUA: Marvel fans,
think HYDRA.

1465
01:18:35,623 --> 01:18:38,801
James Bond films,
think of SPECTRE.

1466
01:18:38,801 --> 01:18:40,237
It's something like that.

1467
01:18:43,762 --> 01:18:47,635
MISHA: Now, it's tempting to
think this comparison is absurd,

1468
01:18:47,635 --> 01:18:51,074
but this is the scale
that Lazarus operates on.

1469
01:18:51,074 --> 01:18:54,294
Arguably, they're the most
potent cyber criminals

1470
01:18:54,294 --> 01:18:56,427
in business today.

1471
01:18:56,427 --> 01:19:00,300
So the nation state's
involvement in cybercrime

1472
01:19:00,300 --> 01:19:02,955
means that cybercrime
has actually morphed

1473
01:19:02,955 --> 01:19:05,653
into cyber warfare.

1474
01:19:05,653 --> 01:19:08,613
NICOLE: You can have zero trust
in these systems.

1475
01:19:08,613 --> 01:19:12,095
You need to assume that
everything has been broken,

1476
01:19:12,095 --> 01:19:14,010
everything is being listened to,

1477
01:19:14,010 --> 01:19:17,274
that everything can be captured,
and operate accordingly.

1478
01:19:19,580 --> 01:19:22,453
MISHA: If a small group
can plan something

1479
01:19:22,453 --> 01:19:25,499
and get away with $81 million,

1480
01:19:25,499 --> 01:19:27,937
which involved
the Fed in New York,

1481
01:19:27,937 --> 01:19:29,765
SWIFT in Brussels,

1482
01:19:29,765 --> 01:19:32,550
the Bangladeshi Bank in Dhaka,

1483
01:19:32,550 --> 01:19:36,032
and then all the peripherals
in Manila,

1484
01:19:36,032 --> 01:19:40,427
just think about what one of the
really professional operations

1485
01:19:40,427 --> 01:19:42,560
in China, Russia,

1486
01:19:42,560 --> 01:19:44,518
the NSA, GCHQ,

1487
01:19:44,518 --> 01:19:48,871
just think what havoc
they could wreak.

1488
01:19:48,871 --> 01:19:52,613
And every year, the hacks get
bigger, the damage greater,

1489
01:19:52,613 --> 01:19:54,702
the implications graver.

1490
01:19:56,139 --> 01:20:00,447
Armies literally have hackers
hammering at the gates.

1491
01:20:00,447 --> 01:20:02,710
And it just takes
a simple breach,

1492
01:20:02,710 --> 01:20:05,583
one person, one weak link,

1493
01:20:05,583 --> 01:20:08,238
and those armies
will storm the defences

1494
01:20:08,238 --> 01:20:12,851
and bring down a network
that our way of life depends on.

1495
01:20:12,851 --> 01:20:15,593
It happened in Bangladesh
in 2016.

1496
01:20:15,593 --> 01:20:21,033
And believe you me, it's going
to happen again very soon.

1497
01:20:24,515 --> 01:20:25,777
[CLICK]

1498
01:21:14,957 --> 01:21:17,916
Subtitles: Iyuno



