Just a few years ago, hackers working for North Korea were most notorious for ruthless, destructive attacks on the regime’s many enemies around the world.
In 2014, after the Seth Rogen and James Franco comedy The Interview raised the ire of Kim Jong-un’s regime, North Korean hackers allegedly targeted the studio behind the movie, Sony Pictures, leaking private documents that led to the departure of studio chief Amy Pascal and multiple lawsuits against the company. In 2013, North Korean hackers are thought to have trained their cyberweapons on targets in South Korea, as malware shut down computers at major banks and television stations in the country.
But more recently, Pyongyang has toned down its purely destructive digital attacks in favor of another kind of cyber operation: stealing cash.
“We haven’t really seen as much of [the destructive malware attacks] in the last year,” says Adam Meyers, vice president of intelligence at security firm CrowdStrike. “What we have seen is kind of an uptick in the attacks [that] are very distinctive for North Korea, which is revenue or currency generation.”
A recent string of heists on South Korean cryptocurrency exchanges, carried about in attacks that bear the signature of Pyongyang’s hackers, have coincided with a dramatic rally in the bitcoin market. On Monday, a South Korean official blamed the North for stealing billions of won in cryptocurrency last year from South Korean exchanges, partly through malware-laden spear-phishing emails.
One email campaign that began last October targeted victims using the lure of a job opening for the role of CFO at a European-based cryptocurrency company, said IT security firm Secureworks.
On December 19, a few days after bitcoin reached a record high near $20,000, a South Korean cryptocurrency exchange called Youbit reported that it suddenly lost roughly 17% of its digital coin holdings. The exchange, which had also been targeted in April, when hackers linked to North Korea stole some 4,000 bitcoin–now valued at about $36 million and worth more than twice that at the peak of the bitcoin boom, was forced to declare bankruptcy. While Pyongyang continues to deny that it plays any role in cyberattacks, including the Sony hack, the Youbit heists were quickly linked to North Korea.
South Korea is also investigating whether its northern neighbor is linked to the recent $523 million theft from Japanese cryptocurrency exchange Coincheck–the country’s largest such digital currency exchange hack–due to similarities with other recent heists, Bloomberg reported on Monday, citing an unnamed South Korean lawmaker.
Hampered by its resource-strapped economy and international sanctions, Pyongyang has long sought unorthodox ways to bring in funds, including counterfeiting and illicit drug sales. Cryptocurrencies like bitcoin–or other, harder-to-trace digital currencies like monero–could help the North evade tightening sanctions, by avoiding conventional banking systems and adding layers of anonymity and plausible deniability to its transactions. Government officials in Russia and Venezuela have said that cryptocurrencies could help their countries bypass controls on money flows in and out of their countries.
Pyongyang’s Four Hacker Specialties
Stealing funds is just one of North Korea’s hacking objectives. An elite hacking group linked with the regime–commonly known to security researchers as the Lazarus Group–can be split into four distinct groups, each with different tactics and targets, according to Crowdstrike. Just as researchers have given Russian hacking groups code names with the word “bear,” the security firm has issued code names for the North Korean hackers that reference the Chollima, a mythical winged horse that’s an important symbol in the Communist nation:
- Stardust Chollima is responsible for revenue-generating attacks;
- Silent Chollima is focused on those destructive attacks against media, financial companies, and government agencies and contractors;
- Labyrinth Chollima focuses on infiltrating Western and South Korean targets for espionage purposes; and
- Ricochet Chollima takes a “smash-and-grab approach” to stealing data, says Crowdstrike’s Meyers.
Stardust, the revenue-grabbing team, has been implicated in a variety of high-profile attacks in recent years, including a 2016 attack that saw more than $80 million diverted from the Bangladeshi central bank’s account with the Federal Reserve Bank of New York, apparently by hacking the bank’s computers and sending fraudulent instructions through the SWIFT international funds transfer network. Investigators have also linked North Korea to a variety of other hacks involving the SWIFT system, though most were markedly less successful than the Bangladesh digital heist.
The group is also believed by many to be behind last May’s destructive WannaCry ransomware attack, which held computers around the world hostage for a bitcoin ransom. North Korea is also suspected of deploying malware to surreptitiously mine cryptocurrency on other people’s computers. A report last year from the Boston-area digital threat intelligence firm Recorded Future pointed to evidence that North Korea also started domestically mining cryptocurrency around the time of the WannaCry attack.
In a December blog post, the Counter Threat Unit at Secureworks wrote, “Given the current rise in bitcoin prices, CTU suspects that the North Korea’s interest in cryptocurrency remains high and is likely continuing its activities surrounding the cryptocurrency,” the firm wrote. Its report said that internet addresses linked to North Korea have been spotted “taking part in bitcoin research” since 2013.
It’s unclear, though, how lucrative the country’s thefts and other digital currency activities have been, since it’s difficult to determine how much cryptocurrency any particular party actually controls. And while many security researchers have linked North Korea with the Lazarus Group, it is also hard to determine who is really behind the hacking outfit.
Fake Marlboros, Superbills, and Heroin, Too
Among its methods of generating foreign cash, North Korea runs a set of relatively high-priced Korean restaurants in other Asian countries, and it’s even made an estimated hundreds of thousands of dollars renting space on its Berlin embassy grounds to a youth hostel.
The regime relies even more heavily on a range of ill-gotten funds. North Korea’s currency counterfeiting operations–which have reportedly slowed in recent years–have produced high-quality counterfeit U.S. $50 and $100 “supernote” bills for decades; in 2009 a Congressional Research Service report said that at least $45 million in these bills had been found in circulation. Pyongyang has also been accused of manufacturing and smuggling millions in counterfeit cigarettes–fake packs of Marlboros and Winstons have shown up in Southeast Asia and Africa–as well as illicit drugs like meth and heroin.
According to a confidential UN report seen by the BBC and others, North Korea earned nearly $200 million last year by exporting banned commodities in breach of international sanctions, adding that there was evidence that the North was helping Syria to develop chemical weapons and providing ballistic missiles to Myanmar.
Stealing or mining cryptocurrencies is another way to bring in foreign currency, necessary to pay for imported infrastructure from irrigation equipment to nuclear arms. But they offer other benefits too: In addition to more easily evading sanctions and controls, including recent U.S. efforts to stem money laundering through China and Macau, cryptocurrencies can also be used to pay for things directly, without going through the conventional financial system.
“They can pay for infrastructure with bitcoin,” Meyers says.
As Pyongyang’s hackers turn their attention to cryptocurrency, Meyers thinks that digital espionage and destructive attacks on South Korea could be held in abeyance amid an apparent thaw between the two countries. The countries recently held their first formal talks in about two years. North Korea has said it intends to attend the Olympics in South Korea, even after President Trump has continued to hurl belligerent rhetoric at the country.
U.S. government hackers, meanwhile, have reportedly probed North Korean systems for weaknesses, though it’s not clear if they’ve taken any steps to retaliate or prevent future attacks.
And while the reclusive nation often appears cut off from the rest of the world, its hackers have access to the modern internet: North Korea recently got an apparent bandwidth boost when Russian company TransTeleCom began carrying some of its traffic in addition to previous sole provider China Unicom, according to 38 North, a news site that monitors North Korea.
The hackers also have access to advanced computing resources, with some deployed outside the country, says Meyers.
“If they can build nuclear weapons, they can certainly understand cryptocurrency,” he says.