North Korea has trained thousands of hackers to pose a weaponized cyber threat to its neighbors and the world, but lately it’s been using them to make money.
The White House on Monday said North Korea was behind a global malware attack last May named “WannaCry.” The attack encrypted and rendered useless hundreds of thousands of computers in more than 150 countries and sought ransom to unlock the machines.
Analyst James Lewis of the Center for Strategic and International Studies said WannaCry is an example of how North Korea’s cyber capabilities have morphed under leader Kim Jong Un.
“Hacking is an intelligence function, tightly controlled by the party of the Kim family for political purposes and to make hard currency,” Lewis said. “That’s one of the new developments in the past few years. … They try to use hacking to make money.”
North Korea, which bans its citizens’ access to an unrestricted Internet and lacks universal access even to electricity, decided two decades ago to invest in a cadre of hackers who could reach across the world to do damage, said Martyn Williams, a contributor to 38 North, a publication of the U.S.-Korea Institute at the Johns Hopkins University School of Advanced International Studies.
The timeline of notable operations shows how targets and objectives have changed:
July 4, 2009 — North Korean hackers launched an attack on the U.S. holiday that employed thousands of computers around the world to overload dozens of government websites in the U.S. and South Korea.
Sony Pictures, October 2014 — A group that called itself “Guardians of Peace” stole a trove of company documents from Sony Pictures weeks before the studio planned to release The Interview, a dark comedy about a CIA-inspired assassination attempt against Kim. The documents embarrassed company executives and — together with North Korean threats of violence — their release played a part in a pressure campaign that derailed the film’s planned distribution. President Barack Obama pledged to “respond proportionally” to North Korea for the operation.
Bangladesh Bank, February 2016 — In a sophisticated and carefully timed caper, suspected North Korean hackers sought to drain $951 million from the central bank of Bangladesh through the U.S. Federal Reserve’s SWIFT money transfer system. The operation began on a Thursday night, after Bangladeshi bankers went home for the weekend, and sought to route much of the money through the Philippines, which was celebrating a holiday that Monday, Williams said.
A typo in the requests for the transfer alerted bankers to the fraud, but the timing made it more difficult to reach people who could check the transactions and put holds on those that had already gone through. The robbers succeeded in transferring $81 million to four private accounts in the Philippines, and the money is believed to have been laundered through local casinos, he said.
The North Korean government has invested for more than 20 years in young people who showed early talent for computers, and it has dispatched many of them to countries with North Korean embassies, which have intelligence officers who could work with the hackers, Williams said.
Williams said North Korean cyber robbery appears to be the result of increased sanctions over its rogue nuclear weapons program.
“It’s harder for the country to raise money in the traditional way so it’s raising money on the Internet,” Williams said. “Cyber crime on the Internet is easy. You can do it from far away, there’s little risk of being caught. And you can just hire someone to do it. It looks like it could be paying off.”
The WannaCry hackers used tools that were stolen from the National Security Agency and released to the public in April by a group calling itself the Shadow Brokers, which is widely suspected of ties to Russian intelligence.
The attack was orchestrated by the North Korean government and carried out by associates elsewhere, said Tom Bossert, President Trump’s assistant for homeland security and counterterrorism.
The WannaCry attack and the public blame by the White House show that the U.S.-North Korean cyber conflict is getting more intense, said Katie Moussouris, a cyber security analyst who advised the U.S. government on cyber defense.
“What makes this particular attack stand out is they used a leaked tool set from one of the most capable governments in cyberspace, the United States,” said Moussouris. “That was as deliberate as the public attribution coming back. This is war.”
Moussouris helped Microsoft develop a crowdsourced computer vulnerability search, and later repeated the exercise for the Department of Defense.
“We’re at a pretty serious escalation point where we have the cyber domain being recognized as the fifth domain of war,” Moussouris added.
North Korea’s cyber capability mirrors its tenacity in pursuing a nuclear weapons program, said Alex McGeorge, head of threat intelligence at Immunity Inc., which specializes in nation-state cyber threats. “They’ve been a punchline for years, but now they have a nuclear weapon. Their cyber capability is similar.”
The problem is how to respond. “They want the world to know they have this kind of capability,” McGeorge said. “They also know they are a uniquely difficult target.”
There are very few ways into the North Korean Internet, which is connected to the world through China and Russia.
It’s “not a free-normal-everybody-has-Internet kind of Internet,” McGeorge said. “They’re already horribly sanctioned. There’s not much more to go.”