Bangladesh Bank SWIFT Heist
Fraudulent SWIFT MT103 transfers via SWIFT Alliance Access abuse
Attributed by BAE Systems (May 2016), Symantec (May 2016), and the U.S. Department of Justice to DPRK's Reconnaissance General Bureau. The DOJ criminal complaint (Sep 2018) against Park Jin Hyok names the Bangladesh Bank heist as a Lazarus Group operation.
Lazarus Group operators spent roughly a year inside Bangladesh Bank's network mapping SWIFT operations before submitting ~35 fraudulent MT103 messages on 4–5 Feb 2016 (Bangladesh's weekend, when staff were absent). The malware patched the SWIFT Alliance Access software in memory to suppress its database-integrity checks and silenced the local confirmation printer. $81M reached four fictitious accounts at RCBC in Manila and was laundered through Philippine casinos. Approximately $850M was attempted; most was blocked by New York Fed compliance filters.
- Phase 01 · Initial Access (TA0001)
Spear-phishing emails disguised as job applications delivered malware to Bangladesh Bank staff
- In early 2015 operators sent targeted emails to Bangladesh Bank employees presenting as job seekers, with malicious documents/resumes attached — a tactic documented in the BAE Systems heist-attribution report (May 2016).
- Attachments dropped a custom implant belonging to the toolset BAE Systems identified as part of the Lazarus banking toolkit, later cross-referenced by Symantec to shared code with the Sony Pictures wiper.
- The DOJ Park Jin Hyok complaint (Sep 2018, Count 3 — 'Computer Fraud') describes this phase as an intrusion originating from external spear-phishing that established the initial foothold in 2015.
- MITRE ATT&CK technique T1566.001 (Spearphishing Attachment).
- Phase 02 · Execution & Persistence (TA0002)
Custom implants persisted for ~12 months while operators mapped every detail of SWIFT operations
- Following initial compromise, operators maintained persistent access from early 2015 through February 2016 — approximately a full year of dwell time inside the bank's network.
- BAE Systems identified two key malicious executables: `evtdiag.exe` (database integrity bypass) and `evtsys.exe` (event log manipulation), purpose-built to interact with the Alliance Access SWIFT client software Bangladesh Bank used.
- The implant was registered as a Windows service (T1543.003) to survive reboots across the extended reconnaissance period.
- The DOJ complaint documents that operators spent this period learning the internal SWIFT messaging procedures, account numbers, operator schedules, and the timing cadence of correspondent banks.
Indicators
- `evtdiag.exe` — Custom malware — patches SWIFT Alliance Access in-memory database integrity checks (BAE Systems, May 2016)
- `evtsys.exe` — Custom malware — event log manipulation and SWIFT message interception (BAE Systems, May 2016)
- `msoutc.exe` — Additional malware component from the same toolset — identified by BAE Systems
- Phase 03 · Defense Evasion (TA0005)
Malware patched the SWIFT client in-memory and suppressed the confirmation printer to hide every transaction
- `evtdiag.exe` patched the running SWIFT Alliance Access process in memory to bypass the software's own database-integrity checks, preventing it from flagging anomalous outbound MT103 messages — documented by BAE Systems as the key technical novelty of the attack.
- The malware also intercepted and modified records written to the local SWIFT message database so that the fraudulent transactions did not appear in Bangladesh Bank's own logs.
- Critically, operators patched the Alliance Access printer driver so that confirmation receipts — which normally print automatically at the bank's terminal — were never printed, meaning staff arriving Monday morning saw no paper trail of the weekend's 35 transactions.
- Event log manipulation (`evtsys.exe`) erased forensic artifacts from Windows event logs (T1070.001).
- Phase 04 · Credential Access (TA0006)
SWIFT operator credentials captured via keyloggers gave operators full authority to submit real messages
- Published reporting and the DOJ complaint indicate operators captured SWIFT operator credentials — including authentication codes required to submit MT103 transfer messages — through keyloggers installed during the long dwell period.
- With valid credentials, every fraudulent MT103 was submitted as if by an authorised Bangladesh Bank operator; NY Fed and downstream correspondent banks saw properly authenticated SWIFT messages.
- MITRE T1056.001 (Keylogging) — consistent with the toolkit's capability set described by BAE Systems.
- Phase 05 · Discovery (TA0007)
~12 months of internal reconnaissance — operators learned Bangladesh weekend timing, NY Fed routing, and RCBC accounts
- Operators enumerated Bangladesh Bank's SWIFT BIC codes, the bank's account at the Federal Reserve Bank of New York (account 10102568), and the correspondent routing paths to the Philippines and Sri Lanka (T1083, T1057).
- They identified that Bangladesh Bank observes a Thursday–Friday weekend; the New York Fed would not process callbacks until Monday. The attack was timed precisely for 4–5 February 2016 to maximise the window before detection.
- Pre-positioned fictitious accounts at RCBC's Jupiter Street branch in Manila — four accounts opened months earlier under fake names — were identified as money-mule destinations, per the DOJ complaint.
- Operators also learned the SWIFT MT103 message fields, beneficiary naming conventions, and which compliance triggers to attempt to avoid.
- Phase 06 · Lateral Movement (TA0008)
Operators pivoted from compromised workstations to the SWIFT messaging server — a separate network segment
- Bangladesh Bank's SWIFT Alliance Access server was on a separate network segment from general employee workstations, but post-incident forensics confirmed it was reachable from the compromised hosts.
- Lateral movement to the SWIFT server gave operators direct access to the Alliance Access software and its database — the prerequisite for deploying `evtdiag.exe` and the printer-suppression patch.
- Investigators found the SWIFT server segment lacked the network segmentation controls that would have blocked SMB-based lateral movement (T1021.002), a finding SWIFT cited in its Customer Security Programme notices as a systemic bank-sector gap.
- The SWIFT CSP (launched 2016) mandates strict segmentation of the SWIFT local infrastructure as a mandatory control, directly in response to this heist.
- Phase 07 · Impact (TA0040)
$81M transferred to RCBC Manila accounts and laundered through casinos; ~$850M attempted total
- On 4–5 February 2016 operators submitted approximately 35 fraudulent SWIFT MT103 messages from Bangladesh Bank's NY Fed account (No. 10102568) totalling ~$951M — documented in the DOJ Park Jin Hyok complaint.
- The majority were blocked by NY Fed automated compliance filters that flagged routing anomalies; a $20M transfer to 'Shalika Fandation' in Sri Lanka was reversed after a Deutsche Bank correspondent flagged the misspelling of 'Foundation'.
- Five transfers totalling $81M reached four fictitious-name accounts at RCBC's Jupiter Street branch, Makati City, Manila; the funds were withdrawn within days of arrival and converted to casino chips at Solaire Resort & Casino, laundering them through the Philippine gaming system and rendering recovery nearly impossible.
- The malware's printer suppression ensured bank staff who arrived Monday 8 Feb found no printed confirmations; Bangladesh Bank only became aware of the transfers via an automated SWIFT response message, per investigator accounts.
- US Treasury OFAC (Sep 2018) designated Park Jin Hyok and noted the Bangladesh Bank heist as part of a pattern of DPRK state-directed financial theft to generate hard currency for the regime.
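A screening pass of the kind that stopped most of the 4–5 February messages, written here as an added example (not code from the page's sources or from any bank or SWIFT product): it parses the block-4 text of an MT103, then flags a value date on the sending bank's weekend, an amount above a review threshold, and a beneficiary name that nearly matches an expected counterparty, which is how the 'Shalika Fandation' transfer was caught. The sample message bodies, account strings, the weekend set, the threshold and the known-beneficiary list are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed sample MT103 block-4 texts (assumed); the first carries the 'Shalika Fandation' misspelling cited above.
SAMPLE_MESSAGES = [
    ":20:FT16020500001\n:23B:CRED\n:32A:160205USD20000000,00\n:50K:/ORDERING-ACCT\n"
    "BANGLADESH BANK\n:59:/BENEFICIARY-ACCT-1\nSHALIKA FANDATION\nCOLOMBO\n:71A:SHA",
    ":20:FT16020100002\n:23B:CRED\n:32A:160201USD1500000,00\n:50K:/ORDERING-ACCT\n"
    "BANGLADESH BANK\n:59:/BENEFICIARY-ACCT-2\nSHALIKA FOUNDATION\nCOLOMBO\n:71A:SHA",
]
KNOWN_BENEFICIARIES = {"SHALIKA FOUNDATION"}  # assumed list of expected counterparties
WEEKEND = {3, 4}  # Monday=0; Thursday/Friday, the sending bank's weekend as described above
REVIEW_THRESHOLD = 10_000_000  # assumed per-message amount that forces manual review
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")

def parse_mt103(text):
    """Split block-4 text into {tag: [lines]}; untagged lines continue the previous field."""
    fields, tag = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            tag, fields[m.group(1)] = m.group(1), [m.group(2)]
        elif tag:
            fields[tag].append(line)
    return fields
def parse_32a(value):  # :32A: packs YYMMDD, ISO currency and a comma-decimal amount
    m = re.fullmatch(r"(\d{6})([A-Z]{3})(\d+,\d*)", value)
    return datetime.strptime(m.group(1), "%y%m%d").date(), m.group(2), float(m.group(3).replace(",", "."))
def edit_distance(a, b):  # Levenshtein distance: spots a name a keystroke or two off a known one
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def screen(text, known=KNOWN_BENEFICIARIES, weekend=WEEKEND, threshold=REVIEW_THRESHOLD):
    # Returns (transaction reference, flags); an empty flag list means the message passed this screen.
    f = parse_mt103(text)
    value_date, ccy, amount = parse_32a(f["32A"][0])
    name = next(l for l in f["59"] if not l.startswith("/"))  # first line after the /account line
    flags = []
    if value_date.weekday() in weekend:
        flags.append("value date %s falls on the sending bank's weekend" % value_date)
    if amount >= threshold:
        flags.append("%s %.2f at or above review threshold" % (ccy, amount))
    if name not in known:
        near = [k for k in known if edit_distance(name, k) <= 2]
        flags.append("beneficiary '%s' near miss of %s" % (name, near) if near else "unknown beneficiary '%s'" % name)
    return f["20"][0], flags
```

Any single rule here is trivially evaded by a sender who controls the message fields, so the value of such a screen lies in its combination with correspondent-side callbacks and on-host integrity monitoring of the Alliance Access installation.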
Sources
- United States v. Park Jin Hyok — Criminal Complaint · U.S. Department of Justice · 2018-09-06
- Treasury Sanctions North Korean Hackers — Park Jin Hyok (SM-0247) · U.S. Department of Treasury / OFAC · 2018-09-06
- Two billion dollar cyber heist attribution · BAE Systems · 2016-05-13
- SWIFT attackers' malware linked to more financial attacks · Symantec · 2016-05-26
- SWIFT Customer Security Programme · SWIFT · 2016-05-27
- G0032 — Lazarus Group · MITRE ATT&CK
Attribution framework: Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
Adversary: Lazarus Group (HIDDEN COBRA / ZINC)
ATT&CK techniques: T1566.001, T1059, T1543.003, T1027.005, T1070.001