The US Department of State and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a stark warning about North Korea’s (DPRK) cyber capabilities and ongoing campaigns to attack financial and research institutions across the world.
Urging international expulsion of “foreign-located North Korean information technology (IT) workers”, CISA said the US State Department is making rewards of up to $5 million available for information on “illicit DPRK activities in cyberspace, including past or ongoing operations.”
(North Korean hacker crews are widely reported to operate in Southeast Asia, rendering attribution challenging.)
In an April 15 advisory alert, the US says it believes North Korea has: “Demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible state behaviour in cyberspace.”
It was not immediately clear what prompted the renewed focus on North Korean operations, versus other known state actors with aggressive cyberspace activities spanning espionage and cyber crime.
North Korean state-sponsored cyber teams consist of hackers, software developers and cryptologists, CISA said, pointing to a range of well-known cyber-based financial theft incidents, through which CISA estimates more than $2 billion has been stolen as of late 2019.
One of the thefts involved siphoning funds from the Bangladesh Bank by conducting unauthorised transactions on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network.
The hackers are said to have gained access to this network via a successful spear phishing campaign targeting bank employees.
Another campaign known as FASTCash has been in operation since 2016 and CISA notes that: “In one incident in 2017, DPRK cyber actors enabled the withdrawal of cash simultaneously from ATMs located in more than 30 different countries. In another incident in 2018, DPRK cyber actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.”
North Korea Cybercrime and Sanctions
North Korea is subject to numerous sanctions limiting imports and exports. These have a significant impact on the country’s economy and ability to produce capital. It is widely believed that the cybercriminal activities being undertaken are designed to mitigate the impact of these restrictions.
A 2019 United Nations report stated North Korea is using cyberattacks to illegally force the transfer of money from financial institutions to supplement its economy and is using the internet as an: “Asymmetric means to carry out illicit and undercover operations in the field of cybercrime and sanctions evasion. These operations aim to acquire funds through a variety of measures in order to circumvent the sanctions.”