Texarkana Gazette

North Korea said to have stolen a fortune in online bank heists

- By Matthew Pennington

WASHINGTON—North Korea's nuclear and missile tests have stopped, but its hacking operations to gather intelligence and raise funds for the sanction-strapped government in Pyongyang may be gathering steam.

U.S. security firm FireEye raised the alarm Wednesday over a North Korean group that it says has stolen hundreds of millions of dollars by infiltrating the computer systems of banks around the world since 2014 through highly sophisticated and destructive attacks that have spanned at least 11 countries. It says the group is still operating and poses "an active global threat."

It is part of a wider pattern of malicious state-backed cyber activity that has led the Trump administration to identify North Korea—along with Russia, Iran and China—as one of the main online threats facing the United States. Last month, the Justice Department charged a North Korean hacker said to have conspired in devastating cyberattacks, including an $81 million heist of Bangladesh's central bank and the WannaCry virus that crippled parts of Britain's National Health Service.

On Tuesday, the U.S. Department of Homeland Security warned of the use of malware by Hidden Cobra, the U.S. government's byword for North Korean hackers, in fraudulent ATM cash withdrawals from banks in Asia and Africa. It said that Hidden Cobra was behind the theft of tens of millions of dollars from teller machines in the past two years. In one incident this year, cash had been simultaneously withdrawn from ATMs in 23 different countries, it said.

North Korea, which prohibits access to the world wide web for virtually all its people, has previously denied involvement in cyberattacks, and attribution for such attacks is rarely made with absolute certainty. It is typically based on technical indicators such as the Internet Protocol, or IP, addresses that identify computers and characteristics of the coding used in malware, which is the software a hacker may use to damage or disable computers.

But other cybersecurity experts tell The Associated Press that they also see continued signs that North Korea's authoritarian government, which has a long track record of criminality to raise cash, is conducting malign activity online. That activity includes targeting of financial institutions and crypto-currency-related organizations, as well as spying on its adversaries, despite the easing of tensions between Pyongyang and Washington.

"The reality is they are starved for cash and are continuing to try and generate revenue, at least until sanctions are diminished," said Adam Meyers, vice president of intelligence at CrowdStrike. "At the same time, they won't abate in intelligence collection operations, as they continue to negotiate and test the international community's resolve and test what the boundaries are."

CrowdStrike says it has detected continuing North Korean cyber intrusions in the past two months, including the use of a known malware against a potentially broad set of targets in South Korea, and a new variant of malware against users of mobile devices that use a Linux-based operating system.

This activity has been taking place against the backdrop of a dramatic diplomatic shift as Kim Jong Un has opened up to the world. He has held summits with South Korean President Moon Jae-in and with President Donald Trump, who hopes to persuade Kim to relinquish the nuclear weapons that pose a potential threat to the U.S. homeland. Tensions on the divided Korean Peninsula have dropped and fears of war with the U.S. have ebbed. Trump this weekend will dispatch his top diplomat, Mike Pompeo, to Pyongyang for the fourth time this year to make progress on denuclearization.

But North Korea has yet to take concrete steps to give up its nuclear arsenal, so there's been no let-up in sanctions that have been imposed to deprive it of fuel and revenue for its weapons programs, and to block it from bulk cash transfers and from accessing the international banking system.

FireEye says APT38, the name it gives to the hacking group dedicated to bank theft, has emerged and stepped up its operations since February 2014 as the economic vise on North Korea has tightened in response to its nuclear and missile tests. Initial operations targeted financial institutions in Southeast Asia, where North Korea had experience in money laundering, but then expanded into other regions such as Latin America and Africa, and then extended to Europe and North America.

In all, FireEye says APT38 has attempted to steal $1.1 billion, and based on the data it can confirm, has gotten away with hundreds of millions of dollars. It has used malware to insert fraudulent transactions in the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, system that is used to transfer money between banks. Its biggest heist to date was $81 million stolen from the central bank of Bangladesh in February 2016. The funds were wired to bank accounts established with fake identities in the Philippines. After the funds were withdrawn they were suspected to have been laundered in casinos.
