The offices of the Bangladesh Bank were about to close for the weekend when the hackers began their heist – by breaking a printer. An ordinary HP LaserJet 400, this juddering copier was responsible for printing out a physical record of all the bank’s international transactions in real time. But when staff arrived to collect the latest numbers they saw an error message on the printer’s LCD screen. Suddenly, they were unable to see physical proof of the dozens of international transactions the bank was making – and, consequently, all the fraudulent withdrawals the hackers from North Korea were about to order.
It didn’t worry staff at the bank: fixing a broken printer could wait until Monday. As employees left to enjoy their weekends, the hackers put their plan into action. Already embedded within the bank’s interface with the SWIFT international transaction network, they instructed the Federal Reserve Bank of New York, which controlled one of its accounts, to make a series of transfers worth $951m to dummy companies around the world. Sensing something was amiss, staff at the US bank put all thirty of the requests under review. Even so, it approved four of them – a sum total of $81m.
Investigators had little success tracing the money, most of which was laundered through Filipino casinos. They had more luck with the identity of the hackers. The malware used to hack the Bangladesh Bank on 4 February 2016 was almost identical to that used in another audacious cyberattack four years earlier against Sony Pictures. In that case, the perpetrators did little to disguise their participation, hacking into the studio’s IT systems and leaking a trove of sensitive email data before releasing a set of worms that destroyed the rest of its files. The culprit was very obviously North Korea, the attack retribution for the imminent release of The Interview, a bawdy comedy about the assassination of its leader, Kim Jong-un.
The Sony hack was ultimately a demonstration of North Korea’s capacity to use cyberattacks for geopolitical grandstanding. The Bangladesh Bank heist, meanwhile, showed how adept this tiny, isolated nation in Northeast Asia had become at using the same techniques for daylight robbery. “This is the first country to rob a bank,” says Robert Hannigan, chairman of cybersecurity firm BlueVoyant and a former director of GCHQ. “Now, they’re probably the most sophisticated bank robber around.”
The attacks have grown in complexity and scope since the Bangladesh Bank heist. Last month, the US Department of Justice published an indictment of three individuals it alleges were at the heart of some of the most audacious thefts. According to the notice, Jon Hyok, Kim Il and Park Hyok were not only participants in the attacks on Sony and the Bangladesh Bank, but also in attacks on banking institutions in Mexico, Malta, Pakistan and the Philippines, at least three cryptocurrency exchanges, and two online casinos. These are just a fraction of the cyberattacks perpetrated against businesses around the world – hacks that have become a vital source of foreign currency for the North Korean state, and one which has proven almost impossible to take down.
An all-purpose sword
North Korea isn’t an obvious contender to be one of the most powerful nations in cyberspace. A small, totalitarian nation in Northeast Asia, the Democratic People’s Republic of Korea (DPRK) is economically stunted and an international pariah. “This is a country that’s cut off from the rest of the world,” says Hannigan. “That doesn’t really scream ‘internet skills’.”
Unsurprisingly, what internet infrastructure does exist in North Korea is confined to its capital city, Pyongyang, and only accessible to a handful of its governing elite. Even so, the DPRK has invested heavily in training its best and brightest to become adept IT practitioners.
“North Korea has always seen itself as a major military tech power,” explains Jeenho Hahm, a doctoral candidate for international affairs at Johns Hopkins and an expert on the country’s cyber-capabilities. The nation’s ability to develop its own nuclear deterrent while subject to international sanctions, for example, is a major source of pride for the regime. The same applies to cyber. Since the 1980s, the DPRK has pursued information technology as both a means of control over its own population, encouraging its citizens to use smartphones and computers that are constantly monitored by censors, but also as a tool for expanding its influence abroad.
“North Korea has called its cyber-capability an ‘all-purpose sword,’” explains Min Chao Choy, a data correspondent at NK News. “You really see that in the way that they use it. They use it for espionage, on a political level but also for industrial espionage. They use it for funds. They use it to threaten North Korean defectors living in South Korea. And I’m sure they have a lot more destructive capabilities that they haven’t displayed yet.”
Some of the earliest hacks were designed to inflict damage on their targets. In 2009, North Korea made its first distributed denial of service (DDoS) attack against governmental institutions in the US and South Korea. Two years later, the DPRK injected malware into South Korea’s foreign ministry, National Intelligence Service and the Nonghyup Bank, in what became known as the ‘Ten Days of Rain’ attack. In the case of the latter, the hackers embedded themselves into the bank’s personal computers for several months, before destroying 273 out of its 587 servers.
Few of these attacks originate in North Korea itself. The perpetrators are scattered in cities across East Asia, where their access to the internet is unfettered. They have been groomed for their roles since childhood, singled out by the state for their aptitude for maths and science before being funnelled into special classes to hone their IT skills. They are sent to pursue further studies at universities abroad, usually in China or Russia, under the watchful supervision of a minder – whereupon they begin hacking for the North Korean state.
Our knowledge of the daily lives of these hackers derives from a mixture of indictments, forensic investigations by cybersecurity firms and testimony from defectors. According to Kim Heung-kwang, a defector who claims to have taught many of these would-be hackers at universities in North Korea, most end up under the command of the so-called Reconnaissance General Bureau, a branch of military intelligence that directly reports to Kim Jong-un. Each hacker is then seconded to one of six specialised units.
The most important of these is arguably Unit 180, which concentrates on obtaining foreign currency to fund North Korea’s weapons programme. Its prominence has grown in recent years, says Hahm, as a direct consequence of the publicity generated by the Sony Hack. “I think North Korea… realised that if they tried to use [cyber]attacks as too much of a military means, it could backfire [and] draw too much attention,” he says. That attention could lead to increased international efforts to neuter its cyber-offensive capability.
Aside from record-breaking bank heists, the unit was also implicated in the global ‘WannaCry’ ransomware attack that crippled the UK’s National Health Service in 2017. Most of its targets are less ambitious, however, and range from credit card users and security researchers to online casinos and in-game currency in World of Warcraft. Cryptocurrency sites have proven especially vulnerable. “Pretty much all of the South Korean Bitcoin exchanges have been hacked at one point or another,” says Chris Doman, chief technology officer at Cado Security.
Detecting North Korean hackers
Unlike most state-backed attacks, it is not difficult for investigators to attribute North Korea’s. “They don’t try to hide who they are,” says Doman, not least in their choice of malware, which is written exclusively for the use of these hacking units.
Few of these programs are especially sophisticated, at least compared with zero-day exploits. Even so, that doesn’t matter if your objective is just to defraud big business, says Hannigan. “They’re not trying to do sophisticated espionage and stay hidden for decades,” he explains. “They really want to do what criminal groups do, which is go in and steal money, and… cash it out and launder it. And you don’t need as high a level of sophistication for that.”
Indeed, the links between North Korea and organised crime stretch beyond shared techniques. Cashing out the earnings from ransomware without detection requires a complex network of shell companies and professional money launderers – all of which are provided by the DPRK’s longstanding connections with organised crime, stretching back to the late 1960s.
This symbiotic relationship was apparent during the ‘FastCash 2.0’ attack, in which North Korea hacked into ATMs across East Asia. Unable to have its own people physically stand next to the machines as they spat out cash, the DPRK enlisted the help of local organised crime syndicates – which in Japan meant partnering up with the Yakuza.
Much of this activity is run out of North Korea’s network of embassies, where hackers posing as diplomats can conduct their operations with impunity. This reliance on criminal networks, however, is also a weak point for the regime – one that can be exploited by international law enforcement agencies. The DOJ operation that led to the recent indictments of Jon Hyok, Kim Il and Park Hyok also led to the arrest of Ghaleb Alaumary, a Canadian-American national who admitted involvement in the FastCash 2.0 attack.
Defanging North Korean hackers on a macro level requires these kinds of targeted arrests, says Hannigan. “This business model relies on a multinational network of criminals,” he says. “The more nations that can cooperate in disrupting those networks, the better.”
The crude nature of most North Korean malware also means that businesses can take their own steps to shore up their defences. “A lot of these things come back to boring but basic security hygiene,” says Doman, from running up-to-date antivirus software to filtering phishing emails. Even the damage wrought on businesses by destructive attacks can be mitigated through the use of back-ups.
Awareness of the cybersecurity threat posed by the DPRK is growing among businesses, says Doman – symptomatic, in part, of the diminishing number of fresh targets for the regime. “Now they’ve hacked pretty much every Bitcoin exchange in South Korea, hopefully hacking them a second time will be harder,” says Doman. “People are taking this more seriously. So, hopefully, this will be a less effective source for them [North Korea] in the future.”
The US Treasury has also raised the possibility of punishing businesses who pay ransoms to North Korean hackers. “Governments are beginning to worry about the fact that a significant slice of this money is not just going to criminals, but going to sanctioned nation states,” says Hannigan. By making the cost of complying with ransom demands higher than the temporary benefit of releasing their systems from a hacker’s grip, a major source of foreign income for the North Korean regime could, in theory, be suppressed.
How sustainable, then, is this model of cybercrime for the North Korean state? For the regime, its importance has only grown over the past year as what little income it earned from foreign exports collapsed during the pandemic. “If North Korea didn’t have this capability, they’d be much worse off,” says Choy. “Cyber[crime] is probably keeping them afloat.”
Covid-19 notwithstanding, the DPRK’s ‘All-Purpose Sword’ will continue to be a vital weapon in the regime’s fight to obtain foreign currency. “It would be nice to think that the business model would not be sustainable because, over time, defences would be so hard [that] it would be difficult to do this at scale, at low cost, at no risk,” says Hannigan. “But frankly, for the foreseeable future, that looks like an ideal that we’re not going to reach quickly. There are enough poorly defended organisations and companies out there for this business model to continue delivering hard currency for North Korea for, I think, some years to come.”