North Korea keeps coffers stacked from hacks

Everything from fashion sales to the Fed has become a target for North Korean cyber thieves, discovers James Cook

The Daily Telegraph - Business - Technology Intelligence

At the end of 2019, a series of apparently innocuous messages were sent through LinkedIn to employees of aerospace and military companies in the UK, Europe and the Middle East. “We welcome elites like you,” said one message which seemed to have been sent by a recruiter working for a rival business. “I want you to work in our company.”

Curious engineers who replied to the job offers were sent further messages urging them to download files to find out more. “As you are a reliable elite, I will recommend you to our very important department,” they were promised before being encouraged to open files containing a list of open jobs and salaries.

But while recipients read through the list of highly paid positions, their computers were being silently hijacked by hackers who implanted software to allow them to peer through all their files and emails.

The jobs and the recruiters weren’t real, but part of an elaborate scam.

The messages were sent by Lazarus, a notorious North Korean hacking group which managed to break into the servers of Sony Pictures in 2014, and brought parts of the NHS to a standstill during the WannaCry ransomware attack in 2017, say experts from cybersecurity businesses ESET and F-Secure.

Once the hackers had gained access to a target’s computer, the fake LinkedIn profiles vanished. One hacker then used his access to a victim’s email account to find an outstanding invoice. He sent an email to another business demanding payment, but asked for the money to be sent to a new bank account controlled by the hacking group.

This cyberattack is a typical example of North Korea’s unique approach to hacking. As well as hacking to make political statements, the country uses its legions of hackers to generate billions of dollars for the regime through a series of audacious cyber bank heists.

A United Nations report published last year estimated that North Korean hackers have stolen more than $2bn (£1.5bn) and said the money was being funnelled into the regime’s missile development programmes.

Cut off from almost all of the world’s financial system, North Korea has for years relied on illegal activities to bolster its income. As well as thriving drug trafficking and counterfeiting schemes, the regime has also funded hundreds of digital bank heists. Spy agencies around the world typically consider Chinese and Russian hackers to be their largest problem, with North Korea and Iran seen as more amateur. Ed Parsons, the managing director of F-Secure Consulting who has been tracking recent North Korean attacks against the UK, says the country’s hackers are “opportunistic”.

“They’re quite brazen, they’re more indiscriminate and prolific compared to other threat actors,” he says.

The constant stream of cyber attacks from North Korea hasn’t slowed during the coronavirus pandemic.

Claire’s, the fashion accessories chain, announced on March 20 that it would close all of its shops during lockdown. Within hours, a North Korean hacker had purchased the web domain claires-assets.com.

Four weeks later, cybersecurity business Sansec spotted that hackers had managed to sneak a snippet of malicious code on to the main Claire’s website which silently intercepted the card details of people shopping online from their homes for weeks until it was removed on June 13.

The stolen card numbers were smuggled out to claires-assets.com, an innocent-looking web domain which was unlikely to raise alarm bells at Claire’s.
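The checkout-skimming case above turns on one detail that a defender can check for: the stolen card data left through a brand-themed look-alike host that nobody was watching. The following Python is an added example, not code from the article or from any company it names. It triages records shaped like browser Content-Security-Policy violation reports and ranks hosts that carry the brand name but are not on the retailer's allowlist above other unknown destinations. The allowlist, the brand token and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of the retailer's own hosts (hypothetical values, not from the article).
ALLOWED_HOSTS = {"claires.com", "www.claires.com", "cdn.claires.com"}
ALLOWED_SUFFIX = ".claires.com"
# Brand strings whose presence in a foreign host marks it as a look-alike (assumed).
BRAND_TOKENS = ("claires",)
# CSP directives that govern where page data can be sent; other violations are noise here.
EXFIL_DIRECTIVES = {"connect-src", "form-action", "img-src"}

# Constructed sample records in the shape of CSP violation reports (not real traffic).
SAMPLE_REPORTS = [
    {"document-uri": "https://www.claires.com/checkout",
     "blocked-uri": "https://cdn.claires.com/app.js",
     "violated-directive": "script-src"},
    {"document-uri": "https://www.claires.com/checkout",
     "blocked-uri": "https://www.claires.com/api/cart",
     "violated-directive": "connect-src"},
    {"document-uri": "https://www.claires.com/checkout",
     "blocked-uri": "https://claires-assets.com/collect",
     "violated-directive": "connect-src"},
    {"document-uri": "https://www.claires.com/checkout",
     "blocked-uri": "https://analytics.example.net/pixel.gif",
     "violated-directive": "img-src"},
]


def host_of(uri: str) -> str:
    """Lower-cased hostname of a URI, or '' when the value has none (e.g. 'inline')."""
    return (urlsplit(uri).hostname or "").lower()


def is_allowed(host: str) -> bool:
    """True for the retailer's own hosts and their subdomains."""
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIX)


def classify(host: str) -> str:
    """'allowed', 'lookalike' (brand name inside a foreign host) or 'unknown'."""
    if not host or is_allowed(host):
        return "allowed"
    # Drop separators so 'claires-assets.com' and 'claires.assets.example' compare alike.
    flat = host.replace("-", "").replace(".", "")
    if any(token in flat for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def triage(reports):
    """(host, verdict) pairs for every non-allowed destination, look-alikes first."""
    verdicts = {}
    for report in reports:
        # Older report formats append the policy source; keep only the directive name.
        directive = (report.get("violated-directive") or "").split(" ")[0]
        if directive not in EXFIL_DIRECTIVES:
            continue
        host = host_of(report.get("blocked-uri") or "")
        verdict = classify(host)
        if verdict != "allowed":
            verdicts[host] = verdict
    return sorted(verdicts.items(), key=lambda item: (item[1] != "lookalike", item[0]))


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_REPORTS):
        print(f"{verdict:10} {host}")
```

Reports of this shape only arrive if the site ships a CSP with a report-uri or report-to directive. An enforced connect-src, form-action and img-src allowlist restricts where in-page scripts can send data in the first place, and the accompanying report would have surfaced the look-alike host on the first day rather than after weeks of skimming.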

“North Korea seems to be acting like a cyber crime group,” says Kayla Izenman, a researcher at the Royal United Services Institute. “They are extremely successful.”

These recent hacks, however, are small fry in scale compared to North Korea’s most audacious cyber heist.

In 2016, its hackers used the SWIFT credentials of employees of Bangladesh’s central bank to send a series of transfer requests to the Federal Reserve Bank of New York.

They made away with $81m from the central bank’s accounts, but missed out on their attempted haul of $1bn when Deutsche Bank and the Fed raised alarm.

Deutsche only looked into the transactions when it spotted a misspelled word in one of the payment requests. A fictional Sri Lankan non-profit organisation was called a “fandation” rather than “foundation”. The blunder stopped the hackers from stealing $851m more.

In recent years, the North Korean regime’s attention has turned to the softer target of cryptocurrency. North Korean hackers have broken into countless cryptocurrency exchanges and stolen hundreds of millions of dollars of virtual currencies.

“Any numbers that you see in terms of scope or scale of how much cryptocurrency that they’re holding, you probably need to double it,” Izenman says.

In late 2018, North Korean hackers posed as potential clients of a cryptocurrency exchange, and began emailing its employees. When the exchange asked them to send photographs of themselves holding identifying documents, they simply forged the images using Photoshop to mask their true identities.

Some of their emails were laced with malware that gave the hackers access to the company’s servers. Once inside the network, the hackers stole $234m worth of digital currencies such as Bitcoin and Dogecoin, according to a US government indictment.

Cryptocurrencies may be able to move around outside of the world’s traditional banking networks, but law enforcement agencies around the world have found ways to track their movement.

That causes a problem for North Korean hackers seeking ways to hide their transfer of funds, so they often use elaborate schemes to hide the movement of the digital money, such as transferring virtual coins more than 5,000 times in an attempt to throw investigators off their scent.

Security experts warn that a long-standing impression that North Korean hackers typically carry out the digital equivalent of smash and grab raids, breaking into networks and stealing as much money as possible before fleeing, is no longer correct.

Instead, they are becoming more sophisticated, and taking care to hamper any efforts to track their movements inside companies.

“We have had clear evidence of really concerted efforts by North Korean attackers to hide their tracks,” Parsons says.

Instead of grabbing the digital cash and fleeing, they’re now securely deleting any evidence that they were ever inside networks before making away with the proceeds.

That’s a concern for security experts who spend their lives trying to safeguard networks against the hackers. There is no sign of North Korean hackers slowing down their virtual bank heists during the pandemic, and it seems they’re only getting smarter.

Spy gains: hacking is hugely lucrative for the regime
