On a quiet Sunday in May, as dawn was breaking over Tokyo, a 100-strong army of hooded “withdrawal mules” rolled up at convenience stores across Japan and began a bank robbery that the country had never imagined possible. “Heaven”, as Japan is known to this new generation of robber-hackers, had just been ransacked — heralding an era in Asian cyber crime where thieves can turn a hack into cash almost instantly.
Exactly three hours, 14,000 ATM cash withdrawals and ¥1.8bn ($18m) of theft later, the gang stopped work and melted away, the only immediate trace being some ill-defined CCTV footage and virtual footprints to credit card data stolen from a bank in South Africa.
Cyber security is a growing concern globally but it is creating particular anxiety in Asia after a flurry of attacks affecting Bangladesh, the Philippines, Taiwan, Thailand and Vietnam. Experts say the spike is driven partly by growing political tensions, such as China’s dispute with its neighbours over islands in the South China Sea, but the other key trigger is the attraction of increasingly lucrative, but patchily defended, banks and companies.
Surveys suggest tens of billions of dollars were lost in revenues last year alone. The problem has become so acute that the 10-member Association of Southeast Asian Nations, a bloc of almost 600m people and some of the world’s fastest growing economies, will meet in Singapore next month to try to improve co-operation and strengthen security.
“There is no question that [the problem] is growing,” says Bill Taylor, regional president at LogRhythm, a US security intelligence consultancy. “In the past few years hackers in Asia have certainly ramped up the game. It wasn’t talked about as much and maybe it wasn’t as apparent.”
The new frontline
The execution of the Tokyo heist caught the headlines, but Itsuro Nishimoto, chief technical officer of LAC, the Japanese information security group, says it is the nature of the digital crime underpinning it that is more significant. The ATMs belonged to Seven Bank, the only institution in Japan offering 24-hour cash machines that allow withdrawals on a foreign-issued credit card with a magnetic strip rather than the more secure integrated-circuit chip. The timing of the attack exploited loopholes in the fraud analytics software at both the Japanese and South African ends of each transaction.
The reaction of the Japanese authorities suggests that the robbery has been a wake-up call. This year, Japan will introduce reforms that will allow the country’s banks to invest directly in fintech and develop online financial services technologies in-house. Haruhiko Kuroda, the governor of the Bank of Japan, warned senior bankers last month to prepare for cyber attacks as large numbers of people begin to use smartphones to conduct financial transactions for the first time in the country.
“Within the fintech start-up industry, the cyber security side is not so mature in Japan,” says Shunsuke Hayashi, a Tokyo consultant, adding that the big test would come now that banks are able to buy fintech start-ups.
Experts in online security say Asia is on the front line of an emerging category of cyber crime where thieves quickly convert the digital crime into real money. While US and European systems have been under attack for longer they have found ways to survive. Asia is more exposed.
A dangerous combination of a lack of awareness and investment has resulted in institutions that are poorly protected, say observers. The string of direct attacks on Asian banks — including some that exploited weaknesses in how institutions use Swift, the international financial messaging service — is proof of the heightened risk, they add.
Up to 90 per cent of Asia-Pacific banks and companies surveyed by LogRhythm reported an attack of some form this year, according to Mr Taylor. They ranged from customers being swindled out of remittances to direct hacks on the banks’ core systems. In 2015 the number was 76 per cent; the year before that, two-thirds reported incidents.
The cost is enormous. Business revenues lost to cyber attacks in the Asia-Pacific region came to $81.3bn in the 12 months to September 2015, according to a survey by Grant Thornton, the professional services company. It based its report on a survey of 2,500 businesses globally. The toll from attacks in Asia exceeded those in North America and the EU by about $20bn each and accounted for more than a quarter of the $315bn cost of attacks globally during the period.
In a recent analysis of the threat in Japan, Chikai Tanaka, a software industry analyst at Nomura Securities, says the emphasis in cyber attacks has swung towards the extortion of money or the theft of information providing access to money.
“The technology to defend against such attacks is weak in comparison with the advanced level of the technology for such attacks,” he says. “In particular, technology and awareness appear very low in Japan in comparison with countries like the US that require security measures for compliance with various laws and regulations.”
The pillaging of Seven Bank’s ATMs came just months after another audacious bank heist. Attackers used malignant software to beat the system at the Bangladesh Central Bank to send $951m of payment instructions into the broader Swift network. Investigators say that, of the $101m that was reportedly stolen, $80m was laundered through casinos in the Philippines.
Much of the evidence about increased vulnerability in Asia is anecdotal and some of the publicity comes from cyber security businesses that have a vested interest in selling their services to worried companies. However, more groups are admitting that there are problems as the frequency of raids increases.
Large-scale ATM heists have taken place in Taiwan, Malaysia and Thailand. In July the Bangkok-based Government Savings Bank closed almost half its 7,000 cash machines nationwide after thieves targeted 20 machines and took $350,000.
“The robbers loaded malware on to ATM machines so they could hack the system to steal money,” says Saowanee Wiengharuthai, deputy director of corporate communications for Government Savings Bank.
“For banks, this is just one of many cyber security threats which could disrupt operations,” says Bryce Boland, chief technology officer for Asia Pacific at FireEye, a cyber security business. “The good news is that some of the leading banks in Asia are beginning to address risks posed by targeted cyber attacks, though we’re concerned many are still dragging their feet and prioritising compliance over security.”
Owning the problem
The extent of Asia’s vulnerability is difficult to quantify because of the lack of laws that would compel companies or governments to disclose attacks. But a report on the region by FireEye found that organisations allowed attackers to “dwell in their environments” for a median of 520 days before discovering them — more than three times the global median of 146 days.
Adrian Leppard, a former commissioner in the City of London Police who this year joined cyber security consultants Templar Executives, is surprised by the lack of preparedness at some Asian institutions. He cites one bank where he noticed that a new cyber security system was gathering dust, ignored by the IT staff who had not been trained to use it.
Despite such cases, there is a reluctance in Asia and beyond to put too much emphasis on the problem being regional when the criminals and the crime are global.
Gottfried Leibbrandt, chief executive of Swift, acknowledged that several of the recent heists targeted Asian banks using his company’s network, but he told the Financial Times it was “dangerous” to point the finger at any particular region.
“It may be driven by the fact that most of the money went out of the system through Asia,” says Mr Leibbrandt. “Maybe that is the reason why they [steal from] banks in the neighbourhood because it is easier to get money from those banks where they can take it out of the system.”
Mr Leibbrandt is, however, in no doubt about the damage such incidents can cause. After the Bangladesh attack he said: “Banks that are compromised like this can be put out of business. It’s not like retailers losing credit card details or telcos losing customer details. Telcos and retailers will take reputational hits and may face some financial liabilities but things will move on.
“When banks lose control of access to their payment channels, it’s different. In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been,” Mr Leibbrandt added.
For the financial services industry in Asia, regulatory compliance has often appeared more important than actual defences, say observers. As a result, too few companies have rehearsed what to do if hit by a major cyber crisis. Last year, such an event affected VTech, the Hong Kong-based toy maker, when the company said hackers had stolen personal information from 5m parents and more than 6.6m children worldwide.
VTech initially described the breach as an “orchestrated and sophisticated attack” only to have that claim debunked by cyber experts. After the company changed its terms of service to place all responsibility for data security on customers, Troy Hunt, a Sydney web security specialist at Microsoft, chastised it for failing to play its part with even basic safeguards on user data. “The level of sophistication involved here is being able to count,” he said.
Asian organisations, says Kenneth Wong, cyber security leader at PwC China and Hong Kong, are only beginning to appreciate the dangers of “slow-burn attacks” which involve malware sitting in systems for years. Before the current wave of incidents, hackers had already cast a wider net, sending phishing emails to infect systems with malware that wakes only occasionally to check for sensitive data before returning to a low-profile slumber.
Hackers have now zeroed in on techniques such as the use of “ransomware” to encrypt targets’ data. They then contact the company to sell the key for a fee rather than auctioning the information to a third party.
According to FireEye, ransomware demands have spiked since March. They have increased in other regions too, but the rise was much more pronounced in Asia, where more than 40 per cent of its government and corporate clients suffered an attack.
A further driver of hacking appears to be political, particularly in relation to the territorial disputes in the South China Sea, where China is upsetting neighbours and rivals by building artificial islands on reefs and rocks, then adding military installations.
F-Secure, a Finnish cyber security business, said last month that it had found a Trojan it named Nán Hai Shu, or South China Sea rat, that had been used to attack institutions opposed to Beijing’s territorial ambitions. It said targets included the Philippines government’s justice department, the organisers of the Asia-Pacific Economic Cooperation summit and an international law firm representing a party involved in a South China Sea dispute.
Like other cybercrimes in Asia, the Japan ATM heist was notable for its combination of digital know-how with old-fashioned larceny: a triumph of technology, planning and physical execution.
As Japan explores ways to open up its ATM networks to more foreign cards ahead of the 2020 Tokyo Olympics, crooks will try to cash in on any weaknesses, says Mr Nishimoto. It is one of many openings that hackers are looking to squeeze through in the region. “The criminals are looking for places that are weak,” he says. “This is an easy place to turn cyber crime into cash.”
Additional reporting by Martin Arnold, Hudson Lockett and Panvadee Uraisin