Sunday, 23 September 2018

A Nation State Robbing Banks: 80 Million and a Spelling Error (Night's Black Agents)

This post is inspired in part by Kento Bento's video about the biggest bank heist in modern history:


You may remember me mentioning this bank heist before, back in 2016 when not all the facts were in.

A couple of quick points before I dive into Lazarus. Night's Black Agents Directors and agents wondering whether Human Terrain is useful, wonder no more. Think about how cleverly this whole thing had to be coordinated: the thieves knew that if they hit this particular bank on this particular day, and then routed the stolen money to a bank in the Philippines, they'd be in the clear. Bangladesh, being Muslim-majority, takes its weekend on Friday and Saturday. The hack starts on Friday. The bank's staff come back in on Sunday and start sorting out the problem, but they can't reach their counterparts in New York, because Sunday is the weekend there. Monday works for New York, but the bank in the Philippines where the money was sent is closed for Chinese New Year, so it can't be contacted either. That was fiendishly clever timing on someone's part.
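
The calendar trick above can be checked rather than just admired. What follows is an added example, not code from the post or from Kento Bento's video: it models each institution's weekend and holidays at day granularity, as the narrative does, and asks, for an instruction sent at a given instant, when each party is next on a working day and when all three are on a working day at once. The instruction time (just after midnight on Friday 5 February 2016 in Dhaka), the Philippine holiday on Monday 8 February 2016, the fixed UTC offsets and the institution labels are assumptions of the example, chosen to match the post's Friday-start story rather than taken from it.

```python
"""Added example: the calendar gap described above, checked at day granularity.

For an instruction sent at a given instant, when is each institution next on a working
day in its own time zone, and when are all of them on a working day at the same time?
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class Institution:
    name: str
    tz: timezone                        # fixed UTC offset; fine for one February week
    weekend: frozenset                  # weekday numbers, Monday == 0
    holidays: frozenset = frozenset()   # local calendar dates

    def is_working_day(self, local_day: date) -> bool:
        return local_day.weekday() not in self.weekend and local_day not in self.holidays

    def next_working_day(self, when: datetime) -> date:
        """First local calendar day, on or after `when`, on which this institution is staffed."""
        day = when.astimezone(self.tz).date()
        while not self.is_working_day(day):
            day += timedelta(days=1)
        return day


def first_common_working_moment(start: datetime, institutions, limit_days: int = 30):
    """Earliest instant at or after `start` at which every institution is on a working day
    in its own time zone.  Scans hour by hour; None if nothing turns up within limit_days."""
    t = start.astimezone(timezone.utc)
    for _ in range(limit_days * 24):
        if all(inst.is_working_day(t.astimezone(inst.tz).date()) for inst in institutions):
            return t
        t += timedelta(hours=1)
    return None


def unattended_hours(start: datetime, institutions):
    """Hours between the instruction and the first moment all parties could act together."""
    end = first_common_working_moment(start, institutions)
    if end is None:
        return None
    return (end - start.astimezone(timezone.utc)) / timedelta(hours=1)


# Constructed scenario, dates assumed for illustration rather than taken from the post:
# an instruction sent just after midnight on Friday 5 February 2016 in Dhaka, with the
# Philippine side keeping Monday 8 February 2016 as a Chinese New Year holiday.
DHAKA = timezone(timedelta(hours=6))
NEW_YORK = timezone(timedelta(hours=-5))   # EST; no daylight saving in February
MANILA = timezone(timedelta(hours=8))

INSTITUTIONS = (
    Institution("originating bank, Dhaka", DHAKA, frozenset({4, 5})),        # Fri/Sat weekend
    Institution("correspondent, New York", NEW_YORK, frozenset({5, 6})),     # Sat/Sun weekend
    Institution("beneficiary bank, Manila", MANILA, frozenset({5, 6}),
                frozenset({date(2016, 2, 8)})),
)
INSTRUCTION_TIME = datetime(2016, 2, 5, 0, 30, tzinfo=DHAKA)

if __name__ == "__main__":
    for inst in INSTITUTIONS:
        print(f"{inst.name}: next working day {inst.next_working_day(INSTRUCTION_TIME):%a %d %b}")
    together = first_common_working_moment(INSTRUCTION_TIME, INSTITUTIONS)
    print(f"all three on a working day at once: {together:%a %d %b %H:%M} UTC")
    print(f"unattended window: {unattended_hours(INSTRUCTION_TIME, INSTITUTIONS):.0f} hours")
```

Run as a script, it reports Dhaka's next working day as Sunday 7 February, New York's as Thursday 4 February (New York was working; Dhaka was not), Manila's as Friday 5 February, and 94 hours before all three are on a working day together, which only happens once Tuesday 9 February has begun in Manila. Swap in a different instruction time and the window shrinks to a few hours, which is the whole point of the thieves' choice of day.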

Two, you may remember me mentioning a missing IT expert in the previous post. That expert, Tanveer Hassan Zoha, had claimed he could identify some of the culprits, and had gone with special police to Bangladesh Bank to look at its records. Two days after that he was abducted from an auto-rickshaw, and his family said the police were no help in finding him. He did turn up eventually: detectives found him wandering near the airport and took him home, six days after he went missing. As far as I can determine his abductors were not caught, and if he ever issued a public statement about his abduction, it didn't appear in an English-language publication, as far as I know.

Dhaka's airport connects to Hong Kong via Cathay Dragon, and Hong Kong is only a ferry ride from Macau. That's where the alleged thieves went; according to Kento Bento, it was a stopping point on their journey to North Korea.

Which brings me to Lazarus Group, an entity that has been committing cybercrime since at least 2009. Its earliest known attacks targeted South Korea, and the group is alleged to have links to the North Korean government. This is difficult to prove, and might be a fake-out to throw blame on a believable straw man. That said, if anyone's going to think it's a good idea to back a group of crooks on a cybercrime spree, it's the dictator who may have had his half-brother poisoned in an airport departure hall.

Lazarus has hit banks before, but banks aren't its only focus. It likes to hit South Korean targets, and allegedly was responsible for the Sony hack in 2014. The group demanded Sony withdraw its film The Interview, a comedy about an attempt on Kim Jong-un's life.


The Interview had so-so reviews and, according to IMDb, lost a ton of money: budget $44 million, worldwide theatrical gross something in the region of $12 million. Sony pulled the film from its planned theatrical release in December 2014, and only allowed a limited release in independent cinemas after President Obama criticized it for giving in to the threats.

Kaspersky Lab analyzed the Bangladesh hack, and I give Kaspersky full credit: its report lays out the perfect hacking mini-scenario for Night's Black Agents Directors.

Initial Compromise. A single system inside the bank is breached, either through remotely accessible vulnerable code such as a web server, or through a watering hole: an exploit planted on a seemingly trustworthy website. The premise is simple: find a site you know the target's staff visit, like the local Chinese takeaway's ordering page. Its security is bound to be less robust than the bank's. Break in, plant the exploit, wait for your target to visit, and the mouse takes the cheese. Snap!

Foothold Established. The group establishes persistent backdoors so they can come and go as they like.

Internal Reconnaissance. The group spends days, even weeks, learning the network and identifying useful resources, like a backup server holding vital information, or a mail server whose credentials open up everything connected to it. In the Bangladesh hack, Lazarus was particularly interested in SWIFT authentication, so it went after any server that might hold SWIFT credentials, as well as the IT admin systems.

Deliver and Steal. The attackers deploy the tools they have prepared, and the theft itself begins. Presumably followed by a scene Kaspersky does not mention, tentatively titled RUN AWAY!

This is the perfect breakdown for scenes in a game. What's more, they don't have to be about Digital Intrusion and nothing else. Human Terrain, Surveillance, Infiltration, Electronic Surveillance, potentially Flattery, Bureaucracy - all these will be useful, particularly in the early stages of the hack.

I see this as a potential Thrilling Digital Intrusion contest, starting with the initial compromise and moving through to final execution. The technothriller dialogue opportunities, particularly in the Initial Compromise and Internal Reconnaissance phases, are fascinating. It's a reminder that a Thrilling Contest doesn't have to be over in a few minutes. This one takes months in the fiction, though at the table the whole thing might take an hour of play at most.

As for North Korea, well … it'd make a hell of a Node.

Enjoy!
