In the shadow of nuclear weapons, bank robberies tend to be forgotten. In North Korea’s case, the two are closely connected. Reuters
Conventional wisdom says North Korea is an arsenal-craving backwater under the rule of despots. The regime, however, is driving toward a modern version of authoritarianism, with cyberwar capabilities complementing hydrogen bombs. While the nukes purposefully grab the world’s attention, the regime is taking unprecedented steps in the cyber domain. And it’s targeting more than just its critics.
It’s been just over one year since the collective known as Lazarus Group stole $81 million from the central bank of Bangladesh in a heist that ran through the Federal Reserve Bank of New York. The theft, one of the biggest bank robberies in modern history, initially targeted $1 billion but came up well short because of a simple typo during the online bank transfer process. It’s now the subject of a U.S. federal inquiry looking into North Korea’s possible role in what amounts to modern bank robbery.
This is just one in a series of hacks that prompted accusations against North Korea of targeting, hacking and stealing money from financial institutions from at least 18 different countries.
Never before has a nation-state attempted billion-dollar bank heists like North Korea is now accused of masterminding. The goal, experts say, is funding the nuclear weapons that act as a morbid guarantee of the regime’s survival. While the amount of money stolen is unprecedented, the country’s actions match its longstanding tactic of borrowing from the criminal playbook to skirt crushing economic sanctions.
“What the North Koreans are very good at is continuing to find ways to earn income around the sanctions regime,” Stephan Haggard, visiting fellow at the Peterson Institute of International Economics, said. “Because they’re sanctioned and because they have absolutely no compunction about violating international law and norms, they’re perfectly happy to devote resources to sanctions circumvention. The cyber piece of this is an income earning piece of a larger picture.”
If the bank hacks continue to be successful, there’s no reason to believe they will stop anytime soon.
“If I were a consumer bank right now, I would be pretty concerned about attempts from North Korea to exfiltrate money,” Jon Condra, director of East Asian research and analysis at the threat intelligence firm Flashpoint, told CyberScoop.
The Lazarus-Pyongyang Connection
Lazarus’s involvement in the heists was first pointed out by Symantec as it investigated both the group and North Korea’s increasingly aggressive and idiosyncratic cyberattacks.
“We find them to be quite unpredictable,” Eric Chien, technical director at the security firm Symantec, said. “People try to put [North Korean hackers] in a box and say, ‘This is how they operate.’ They did the Sony wipe, they did the South Korean wipe. If you asked me at that time, ‘Are they going to try to steal $1 billion out of the Bangladesh Bank?’ I would have said, ‘No, that doesn’t fit their profile at all.’”
Earlier this month, Symantec announced a new set of links between Lazarus and hacking attempts on Polish regulators and banks, a cybersecurity incident deemed the most serious the Polish banking system has ever faced.
Chien’s team at Symantec has been actively tracking the Lazarus Group since the Sony hack in 2014, an attack the U.S. government has attributed to North Korea. Researchers have watched the group grow in both ambition and impact but, despite it all, Chien says Lazarus remains “quite low” from a technical perspective.
“Only now they’re starting to take on some of the most modern techniques, the regular techniques you’d see any cybercriminals use in these latest Polish attacks,” he said. “Just because you have low sophistication doesn’t mean you can’t have high impact. We see that with the attack on the Bangladesh Bank. It was really only a typo and some procedural errors that prevented them from getting away with $1 billion and only getting away with $81 million.”
A Connected Dictatorship
For the Kim dynasty, criminal activity is a matter of national security. North Korea’s cyber activity is just the latest step in a decades-long provocation performance.
“They have switched across different domains,” Jon R. Lindsay, a professor of global affairs at the University of Toronto, told CyberScoop. “In the last 10 years, it’s switched to cyber. North Korea keeps trying to find ways to come in under threshold deterrence, response, retaliation. The means it uses to do that have continually varied as the U.S. and South Koreans have come up with more effective deterrent regimes to lock that out.”
Even while sanctions have choked off revenue to the country, the dictatorship has poured considerable resources into developing cyber capabilities over the last 38 years. According to South Korean intelligence, the effort came into stark focus in 1986 when North Korea hired 25 Russian instructors to train “cyber-warriors.” The training took place at Mirim Command Automation College (now known as Kim Il Military College), an institution that became legendary for its shadowy activity. The Korea Computer Center, a top research center of the Pyongyang regime, was established in 1990 and has since branched out to offices and commercial dealings around the world.
The hackers who make up Lazarus may have been part of the North Korean programs that educate students from middle school to the university level at institutions like Kim Il Sung Military Academy, the top school in the nation. By 2000, as the country emerged from a four-year long famine that killed as many as 3.5 million people, North Korea increased investments in technology, connectivity and personnel that slowly began to open the country up, albeit through the internet, to the outside world.
“North Korea is not famous for its considerable levels of access to the international community nor its internet infrastructure,” Condra said. “That said, they’ve invested significantly in developing asymmetric cyber capabilities as a means of countering a symmetric military advantage on behalf of the United States and its allies in the region.”
Beyond attacking financial institutions, information warfare provides North Korea with a force multiplier in the looming specter of military conflict with its southern counterpart. South Korean intelligence assessments show a low enough stockpile of conventional weapons to emphasize North Korea’s need for asymmetric weapons that would enable it, in theory, to strike quickly and with a high impact. Along with cyberweapons, nuclear arms, biological weapons and electronic warfare characterize this approach.
“Grooming prodigies, deploying them, setting up internet, buying programs, and providing conditions for them to operate in China or another third country is considerably cheaper than buying new weapons or fighter jets which cost hundreds of millions of dollars,” according to a North Korean defector interviewed in 2011.
According to former U.S. Director of National Intelligence James Clapper, the Reconnaissance General Bureau (RGB), North Korea’s top spy agency, is responsible for Lazarus. Within RGB, different groups handle different aspects of cyberwar. It’s RGB’s 110 Institute, the Technical Reconnaissance Group, which South Korean officials say commands the Lazarus Group. The 110 Institute is one among several known to send operatives abroad to work within international private and public industries as cover for conducting operations.
How Lazarus Works
The hacking group started operations in 2009, the same year as Operation Troy, a cyberattack in which South Korean military secrets were stolen. That same year saw a flurry of activity including denial of service attacks against South Korean and U.S. targets. Financial institutions and other targets have been hit with attacks by North Korean-affiliated actors every year since, though never with the same level of success that Lazarus saw inside the systems of the Bangladesh Bank. All of these attacks have been pinned on the Lazarus Group.
“Directly stealing money out of bank accounts is something that has not traditionally been the purview of nation-states,” Condra said. “This has been an interesting twist in the APT saga coming out of the East Asian region.”
Offering an estimate, Haggard said that over the last two decades North Korea has made from 10 to 15 percent of its foreign exchange earnings — several hundred million dollars per year — through various shifting forms of illicit activity.
Describing Lazarus’s tools, tactics and procedures, Symantec’s Chien said the whole package is very distinctive.
“When you look at the way they write their code, it’s all written in kind of a different way,” he explained. “If you didn’t have the internet as a reference manual, if you didn’t have the classic text books and computer science university knowledge, you would maybe do it in a different way, whatever way you thought. A bunch of their code is written in a nonstandard, nontraditional method.”
This almost exactly matches up with how North Korean universities operate. A former teacher at a North Korean university who spoke to CyberScoop on the condition of anonymity described students reading from books and other slow, tightly controlled sources of information because the country so thoroughly monitors and blocks internet usage. Whereas hackers in China, Russia or elsewhere might simply rely on Google to solve a problem, North Korea’s students have been thoroughly siloed. As a result of that relative separation and lack of contact, they’ve simply done things differently than the rest of the world.
“We go back to Sony as a start,” Chien said. “Just the most obvious things are when they got into Sony they displayed this blinking animation, skull and cross bones, a ‘was here’ animation with their names scrolling across the bottom. It was a bit laughable, but unfortunately, there was real impact there on Sony.”
That’s slowly changing now as North Korea’s cyber operatives increasingly adopt tactics like watering hole attacks.
“We had never seen them reuse off-the-shelf code before,” Chien said while discussing the recent attack on Polish banks. “It’s the kind of thing where if you took an average person in the U.S. and they became a hacker they might do this from the start: Go out on the internet, see how are people doing this and start there. [The Lazarus Group] is at that stage now.”
While the group does have sophisticated capabilities with regard to disk-wiping malware and destructive attacks, according to Condra, it has fallen short of its goals when it comes to stealing money.
“They do seem to manage to get their way into financial institutions but as far as actually exfiltrating the money, they’ve proven less than capable at that,” he said. “It was $81 million they successfully got in the Bangladesh incident out of almost a billion they tried for. I think they are learning and evolving over time, I would certainly venture to say they are more sophisticated than they were in 2009 when they started, but they haven’t proven incredibly successful from the financial theft perspective yet.”
The Chinese Conundrum
When tracking the history of North Korea cyber capabilities, the trail runs right through Xi Jinping’s China.
“[North Korea has] obviously benefited tremendously from their relationship with China,” Condra told CyberScoop. “China is their primary benefactor and many people see China as the only reason North Korea continues to exist in its current form.”
While North Korea topped the agenda between Presidents Xi and Trump during their recent meeting, neither side expects the problem to be solved any time soon. Theft against banks by Pyongyang may end up continuing into the foreseeable future. The current U.S. investigation into the bank hacks could force North Korea to retool, but few expect a stop to the hacking or, in a larger sense, to provocation.
“I do think that North Korea is really going to be the issue that defines U.S.-China relations under the Trump administration,” Shannon Tiezzi, editor at the Diplomat magazine, said earlier this month. Secretary of State Rex Tillerson “put it quite directly that strategic patience, the Obama administration’s policy, is dead. The Trump administration is determined to craft a new policy. Realistically speaking, unless that policy is we’re going to enter into unconditional dialogue with North Korea, any of the other options are going to be upsetting to China.”
Although Flashpoint’s Condra warns banks to worry about North Korea’s activity, he says they face more common day-to-day threats from elsewhere. “[Lazarus is] a high-impact, low-probability event for most organizations. The more likely vector of cybercrime affecting consumer banks is still probably the cybercrime communities, particularly coming out of Eastern Europe. Those guys don’t tend to go after the bank itself, they go after the customers,” he said.
“If we’re ever going to solve the North Korea issue, at least from the cyber domain, China’s going to have to play ball,” Condra said. “China is going to have to make the determination that the status quo is no longer acceptable. Fundamentally, the decision is going to have to be made in Beijing.”
North Korean representatives have repeatedly denied the country has been involved in any hacking whatsoever.
North Korea has been blamed in recent years for a series of online attacks, mostly on financial networks, in the United States, South Korea and over a dozen other countries.
Cyber security researchers have also said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyber attack that infected more than 300,000 computers in 150 countries this month. Pyongyang has called the allegation “ridiculous”.
The crux of the allegations against North Korea is its connection to a hacking group called Lazarus that is linked to last year’s $81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony’s Hollywood studio. The U.S. government has blamed North Korea for the Sony hack and some U.S. officials have said prosecutors are building a case against Pyongyang in the Bangladesh Bank theft.
No conclusive proof has been provided and no criminal charges have yet been filed. North Korea has also denied being behind the Sony and banking attacks.
North Korea is one of the most closed countries in the world and any details of its clandestine operations are difficult to obtain. But experts who study the reclusive country and defectors who have ended up in South Korea or the West have provided some clues.
Kim Heung-kwang, a former computer science professor in North Korea who defected to the South in 2004 and still has sources inside North Korea, said Pyongyang’s cyber attacks aimed at raising cash are likely organised by Unit 180, a part of the Reconnaissance General Bureau (RGB), its main overseas intelligence agency.
“Unit 180 is engaged in hacking financial institutions (by) breaching and withdrawing money out of bank accounts,” Kim told Reuters. He has previously said that some of his former students have joined North Korea’s Strategic Cyber Command, its cyber-army.
“The hackers go overseas to find somewhere with better internet services than North Korea so as not to leave a trace,” Kim added. He said it was likely they went under the cover of being employees of trading firms, overseas branches of North Korean companies, or joint ventures in China or Southeast Asia.
James Lewis, a North Korea expert at the Washington-based Center for Strategic and International Studies, said Pyongyang first used hacking as a tool for espionage and then political harassment against South Korean and U.S. targets.
“They changed after Sony by using hacking to support criminal activities to generate hard currency for the regime,” he said.
“So far, it’s worked as well as or better than drugs, counterfeiting, smuggling – all their usual tricks,” Lewis said.
The U.S. Department of Defense said in a report submitted to Congress last year that North Korea likely “views cyber as a cost-effective, asymmetric, deniable tool that it can employ with little risk from reprisal attacks, in part because its networks are largely separated from the Internet”.
“It is likely to use Internet infrastructure from third-party nations,” the report said.
South Korean officials say they have considerable evidence of North Korea’s cyber warfare operations.
“North Korea is carrying out cyber attacks through third countries to cover up the origin of the attacks and using their information and communication technology infrastructure,” Ahn Chong-ghee, South Korea’s vice foreign minister, told Reuters in written comments.
Besides the Bangladesh Bank heist, he said Pyongyang was also suspected in attacks on banks in the Philippines, Vietnam and Poland.
In June last year, police said the North hacked into more than 140,000 computers at 160 South Korean companies and government agencies, planting malicious code as part of a long-term plan to lay the groundwork for a massive cyber attack on its rival.
North Korea was also suspected of staging cyber attacks against the South Korean nuclear reactor operator in 2014, although it denied any involvement.
That attack was conducted from a base in China, according to Simon Choi, a senior security researcher at Seoul-based anti-virus company Hauri Inc.
“They operate there so that regardless of what kind of project they do, they have Chinese IP addresses,” said Choi, who has conducted extensive research into North Korea’s hacking capabilities.
Malaysia has also been a base for North Korean cyber operations, according to Yoo Dong-ryul, a former South Korean police researcher who studied North Korean espionage techniques for 25 years.
“They work in trading or IT programming companies on the surface,” Yoo told Reuters. “Some of them run websites and sell game and gambling programs.”
Two IT firms in Malaysia have links to North Korea’s RGB spy agency, according to a Reuters investigation this year, although there was no suggestion either of them was involved in hacking.
Michael Madden, a U.S.-based expert on the North Korean leadership, said Unit 180 was one of many elite cyber warfare groups in the North Korean intelligence community.
“The personnel are recruited from senior middle schools and receive advanced training at some elite training institutions,” Madden told Reuters.
“They have a certain amount of autonomy in their missions and tasking as well,” he said, adding that they could be operating from hotels in China or Eastern Europe.
In the United States, officials said there was no conclusive evidence that North Korea was behind the WannaCry ransomware, but that was no reason to be complacent.
“Whether or not they are directly involved with ransomware doesn’t change the fact that they are a real cyber threat,” said a senior administration official, who spoke on condition of anonymity.
Dmitri Alperovitch, co-founder of prominent U.S. security firm CrowdStrike Inc, added: “Their capabilities have improved steadily over time, and we consider them to be a threat actor that is capable of inflicting significant damage on U.S. private or government networks.”