By Aruna Viswanatha and Nicole Hong
Federal prosecutors are building cases that would accuse North
Korea of directing one of the biggest bank robberies of modern
times, the theft of $81 million from Bangladesh's account at the
Federal Reserve Bank of New York last year, according to people
familiar with the matter.
The charges, if filed, would target alleged Chinese middlemen
who prosecutors believe helped North Korea orchestrate the theft,
the people said.
The current cases being pursued may not include charges against
North Korean officials, but would likely implicate North Korea,
people close to the process said.
The heist occurred in February 2016, when cyberthieves used the
SWIFT access codes of Bangladesh's central bank in one weekend to
transfer $81 million from the bank's account at the New York Fed to
four bank accounts in the Philippines.
The efforts to build federal cases, people familiar with the
process said, reflect a decision at the Justice Department that
there is merit to the view of some private security researchers
that the Fed heist was linked to the hacking in 2014 of Sony
Pictures Entertainment, which the Federal Bureau of Investigation
blamed on North Korea.
Richard Ledgett, the deputy director of the National Security
Agency, said he was "optimistic about the truth of that," when
asked about reports of a connection between the two
cybercrimes.
"If that linkage is true, that means a nation-state is robbing
banks. That is a big deal; it's different," he said on Tuesday
during a panel discussion at the Aspen Institute.
Federal investigators are focusing on Chinese individuals or
businesses who allegedly helped North Korea orchestrate the theft,
according to the people familiar with the matter.
U.S. Treasury authorities are considering sanctions against the
alleged middlemen, these people said, an approach the government is
increasingly using to go after suspected lawbreakers who are
unlikely to land in U.S. custody.
The North Korean mission to the United Nations and the Chinese
Embassy in Washington didn't respond to requests for comment.
The U.S. attorney's offices and FBI field offices in Los Angeles
and Manhattan had both been investigating the theft, but Los
Angeles took the leading role within the past year, according to
people familiar with the matter.
That shift occurred because government investigators linked the
code used to perpetrate the Bangladesh cyberheist with the Sony
hack, which authorities in Los Angeles had been investigating.
Private security researchers have traced the Bangladesh heist to
a hacking group known as Lazarus, which they say was also behind
the Sony hack. In 2014, the FBI blamed North Korea for the Sony
breach, which exposed embarrassing emails and led the studio to
pull from theaters a movie that involved a plot to kill North
Korean leader Kim Jong Un.
"The whole security community has said that the attack tools and
techniques used in Sony are the same ones used in Bangladesh," said
Eric Chien, an engineer with security vendor Symantec Corp.
Prosecutors haven't publicly filed any cases stemming from the
Sony hack.
There remains a minority view among some federal officials that
the evidence doesn't prove beyond a doubt that North Korea was
behind the Bangladesh theft, according to people familiar with the
discussions. Some officials believe the hackers who carried out the
Bangladesh heist may have appropriated, tweaked or repurposed the
malicious code that the U.S. government made public after the Sony
hack -- which wouldn't necessarily indicate they are linked to
North Korea -- the people familiar with the discussions said.
If charges are filed against alleged middlemen in the Bangladesh
theft, they are expected to be similar to charges unsealed in
September against a Chinese businesswoman, Ma Xiaohong, some of
these people said.
Ms. Ma and her trading company were also accused of helping
North Korea, and targeted by parallel Treasury Department
sanctions. They were accused of helping blacklisted North Korean
companies evade U.S. sanctions, move hundreds of millions of
dollars and procure raw materials, potentially for use in
Pyongyang's nuclear-weapons program. Ms. Ma couldn't be reached for
comment and hasn't pleaded in the case.
Federal prosecutors in Manhattan continue to investigate
breaches of overseas financial institutions that are potentially
related to the Bangladesh heist and may have been carried out by
the same hackers, people familiar with the matter said. Court
documents describe a hacking attack similar to the Bangladesh
effort against a bank in Ecuador, and SWIFT, the global
money-transfer network, has disclosed another against a bank in
Vietnam.
The Justice Department brought its first case accusing another
country's government officials of cyberespionage in 2014, indicting
Chinese military officials, and has stepped up its efforts to file
such charges, linking state-sponsored cyberspying with criminal
activity.
Last week, the department announced an indictment against four
men, including two Russian government spies, accusing them of being
behind Yahoo Inc.'s 2014 security breach and stealing information
about more than a half billion online accounts. Prosecutors alleged
the hackers sought information for intelligence purposes and for
criminal schemes to steal money. The accused couldn't be reached
for comment.
Bangladesh Bank is one of scores of foreign institutions,
including governments and central banks, keeping money at the New
York Fed, enabling them to make payments in U.S. dollars and
purchase sovereign securities, among other things. The New York Fed
handles such accounts out of a special unit within its markets
division.
The audacity and size of the theft, conducted through odd orders
seeking millions of dollars for vague consulting fees and expenses,
sent shock waves through the global money transfer system.
The thieves also transferred $20 million to the account of a
nonprofit in Sri Lanka, but that transfer was halted after a bank
executive in Colombo noticed that the name of the beneficiary had
been misspelled. That money was later returned to Bangladesh's
foreign-currency reserve at the New York Fed.
Philippine authorities returned $15 million of the $81 million
in November, after a Chinese casino operator there turned over the
money to authorities.
Nearly $60 million was paid to two other casinos and another
gambling junket operator in Manila, but the Anti-Money Laundering
Council of the Philippines said it was unable to trace it
further.
SWIFT, or the Society for Worldwide Interbank Financial
Telecommunication, a member-owned cooperative that connects more
than 11,000 financial institutions and accounts for the bulk of
world-wide cross-border payments traffic, said after the Bangladesh
heist that its core network hadn't been breached.
SWIFT has disclosed, however, that several of its client banks
have been targeted in similar cyberattacks. The Brussels-based
cooperative urged customers to improve network security and rolled
out enhanced security patches for its servers.
--Robert McMillan and Katy Burne contributed to this
article.
Write to Aruna Viswanatha at Aruna.Viswanatha@wsj.com and Nicole
Hong at nicole.hong@wsj.com
(END) Dow Jones Newswires
March 22, 2017 17:50 ET (21:50 GMT)