The New York Federal Reserve is assisting Bangladesh’s central bank in a lawsuit filed Thursday to claw back $81 million in funds stolen during a 2016 North Korean hacking campaign. But they’re not going after Pyongyang directly.
Instead, Bangladesh Bank is suing a bank in the Philippines where the funds briefly landed before a complex series of transfers that diverted them to Filipino casinos after which they became untraceable. The New York Fed, which was holding the money when it was illegally transferred, is helping, including by urging people and organizations in the Philippines to help recover the funds, according to an agreement between the banks.
The case -- which represents one of the biggest bank heists in modern history -- demonstrates a supreme challenge facing cybercrime victims, former prosecutors told me.
The global losses from cybercrime, which the Center for Strategic and International Studies reports have reached $600 billion annually, are devastating for victims. But it’s often difficult or impossible to recover the stolen money from the hackers who commit crimes across borders. The culprits -- if they can even be identified -- are often bad actors who are beyond the reach of governments' law enforcement.
That means cybercrime victims have to look elsewhere for recompense -- even in this scenario, where the U.S. Justice Department and cybersecurity companies have publicly concluded North Korean government-backed hackers carried out the crime.
“If you really want to recover funds, you need to find someone with deep pockets,” Marcus Christian, an attorney in Mayer Brown’s cybersecurity practice and a former executive assistant U.S. attorney, told me. “People are going to follow the money and find other parties at fault.”
In this case, the heist was interrupted before the hackers had completed their work, according to the lawsuit. If they’d been fully successful, the scam would have wrested nearly $1 billion from Bangladeshi accounts, more than two-thirds of the bank's typical reserves and a sum that would have been “catastrophic” for the nation and its people, according to the suit.
Yet the bank is unlikely to retrieve even the comparatively meager sum of $81 million from the Pyongyang regime, which is both notoriously short of funds and a pariah from global rule of law, Christian said.
As a result, he says Bangladesh Bank is much better off suing the Filipino bank, Rizal Commercial Banking Corporation, or RCBC, which is tied into the global financial system.
This case is somewhat distinct because Bangladesh Bank alleges RCBC was actually complicit in the hack rather than simply negligent. That sets the case apart from, say, a typical data breach case where customers whose information was stolen will sue a company they say failed to adequately protect their personal information.
According to the lawsuit, RCBC assisted the North Korean hackers in transferring the stolen funds to RCBC accounts at the New York Fed and then back to the Philippines. An RCBC attorney called those claims “completely baseless” and a “PR campaign” to shift blame from Bangladesh Bank’s own negligence, Reuters reported.
The Manila bank also argued that the case’s link to New York — the fact the initial transfer occurred at the New York Fed — was too tenuous to justify filing the legal case there. International crime victims often sue in U.S. courts if there’s a reasonable argument to do so because they offer a more transparent legal process and clearer rule of law than other venues, Christian told me.
The case is also somewhat unusual because the New York Fed has pledged to take an active role in helping the Bangladesh Bank recover its money, said John Horn, a former U.S. attorney who’s now a partner with King and Spalding, focused on data security.
“That’s a definite signal that the Fed is going to do what it can to discourage the use of its system in this way going forward,” Horn told me.
The North Korean hackers haven’t escaped completely the reach of U.S. justice.
The Justice Department announced charges in September against one of the alleged Bangladesh Bank hackers, Park Jin Hyok, who’s also accused in the 2014 hack of Sony Pictures Entertainment.
Park is unlikely to see a U.S. courtroom, though, and there has been no talk of retrieving any of the hacked funds from the North Korean regime.
“This case, like most cybercrime cases, demonstrates that when [victims] cannot identify or reach the criminals who affected them adequately, they will turn to other parties for a remedy,” Christian told me.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The FBI enlisted two executives from the tech start-up Akhan Semiconductor to help carry out a sting operation against Chinese telecommunications giant Huawei in Las Vegas last month, Erik Schatzker reported in Bloomberg Businessweek. Akhan had suspected that Huawei might be trying to steal its invention to strengthen smartphone screens. One of the two Akhan executives, Carl Shurboff, was given recording devices by the FBI to wear as part of the sting during the CES technology show in Las Vegas. This investigation into Huawei is separate from recent indictments against the Chinese company and broader concerns by U.S. officials that the company's technology could be used for Chinese spying.
“I think they’re identifying technologies that are key to their road map and going after them no matter what the size or scale or status of the business,” Adam Khan, founder of Akhan, said of Huawei, according to Bloomberg Businessweek.
As part of the probe, the FBI also searched a Huawei laboratory in San Diego on Jan. 28. “It’s possible that the government will conclude there aren’t grounds for an indictment against Huawei,” Schatzker wrote. “Prosecutors also could decide that what happened to Akhan isn’t serious enough to seek charges.”
PATCHED: The Trump administration's National Cyber Strategy is a “head-scratcher” that is based on a “fantasy world” instead of hard truths, wrote Amy Zegart, a contributing editor for the Atlantic. Zegart, who is also a senior fellow at the Hoover Institution, argued that Director of National Intelligence Daniel Coats's “Worldwide Threat Assessment of the US Intelligence Community” last week exposed misperceptions and shortcomings in the National Cyber Strategy, which was released in September 2018.
First, Coats's testimony challenges the idea in the cyber strategy that the United States will remain a leader in emerging technologies. Coats in his prepared testimony “made it clear that U.S. intelligence agencies had concluded the U.S. was already losing its edge in emerging technologies, and we’d better get used to it,” Zegart wrote.
Secondly, Coats also undercut the cyber strategy's claim that the United States will “preserve peace through strength” by pushing back against states including China and Russia that have violated norms of good behavior in cyberspace. That doesn't match the facts as Coats described them, Zegart said. “It’s time our cyber strategy got with the program,” according to Zegart. “Any strategy untethered to reality is no strategy at all.”
PWNED: Some members of the British Parliament were targeted by a hacking attempt, according to BuzzFeed News's Alex Wickham. The attempted hack was aimed at the lawmakers' email and phone contact lists. It's unclear how many lawmakers had their contact information compromised, but at least one Conservative member of Parliament fell for an apparent phishing attempt, Wickham reported.
Christopher Pincher, deputy chief whip, informed lawmakers about the hacking attempts in an email. “Please be wary of texts and/or emails purporting to come from Colleagues asking you to provide overseas contact details and/or asking you to download a secure message app,” Pincher said, according to an image of the email published by BuzzFeed News. “This is a malicious hack that accesses your contacts list and sends texts and emails to all your private contacts.”
— Senate Budget Committee Chairman Mike Enzi (R-Wyo.) asked the Census Bureau about the agency’s plans to test its IT systems and look for vulnerabilities as the 2020 Census approaches. Enzi also wants to know how the agency plans to ensure that it could still use critical IT systems should it face a major cyberattack or another incident that would disrupt service. Enzi, who made the inquiries in a letter to Census Bureau Director Steven Dillingham, asked for response by Feb. 15.
— More cybersecurity news from the public sector:
— Cisco Talos researchers found a malicious PowerPoint document that was sent to subscribers to a mailing list that is run by a group that represents Tibet’s government-in-exile, CyberScoop’s Sean Lyngaas reported. The malware is “likely” meant for espionage activities, the researchers said in a blog post. The espionage operation mimicked online tools that Central Tibetan Administration (CTA) mailing-list members "likely would have trusted,” according to CyberScoop. “For example, the PowerPoint file copied a legitimate PDF available on CTA’s website, Talos found. The attackers also altered the mailing list’s ‘Reply-to’ form to direct responses to a Gmail address they controlled.”
— More cybersecurity news from the private sector:
— The Chinese Embassy in Norway pushed back against an assessment by the Norwegian intelligence service PST that Beijing represents a threat to the country, Reuters reported. The Norwegian agency said in an annual threat assessment report, for instance, that China seeks to infiltrate Norwegian computer systems. “China poses no threat to Norway’s security. It’s very ridiculous for the intelligence service of a country to make security assessment and attack China with pure hypothetical language,” read a statement on the website of China’s Embassy in Norway, according to Reuters. The assessment also listed Russia’s security services as the most important threat to Norway.
- The Center for Strategic and International Studies holds an event titled “China's Digital Silk Road.”
- CPX 360 cybersecurity summit in Las Vegas through tomorrow.
- ARC Industry Forum in Orlando through Thursday.
- Senate Armed Services Committee hearing on worldwide threats tomorrow.
- The Center for Strategic and International Studies holds an event titled “Mitigating security risks to emerging 5G networks” tomorrow.
- Texas Technology Summit in Houston tomorrow.
- The Center for Strategic and International Studies holds an event on digital surveillance on Feb. 13.
The Trump administration’s “wait-in-Mexico” policy for asylum seekers, explained:
Gay lawmaker flees Brazil due to death threats: