Why North Korea’s cyber army threatens banks worldwide
The Hermit Kingdom, nuclear armed and firing off ballistic missiles, is estranged from the rest of the world and cut off from trade. But building missiles and nukes is not a cheap endeavor. So to fund these programs, Kim Jong-un—whose forbears built one of the most fearsome cyberwarfare programs in existence—is increasingly flexing those muscles to pilfer financial institutions with an army of digital pirates.
In fact, worldwide financial news outlets such as Reuters report that as of the December price spike in bitcoin, North Korean hackers have been able to net millions of dollars via virtual currencies. Particularly vulnerable is South Korea, which has seen attacks on exchanges including Bithumb, Coinis, and Youbit.
The latest Youbit hack, which took place Dec. 19, had all the hallmarks of a North Korean cyber-offensive on a bitcoin exchange. One fifth of client holdings vanished, forcing Youbit to go out of business and file for bankruptcy. How much was taken Youbit didn’t say, but a previous Youbit attack in April netted North Korean cyber-thieves $35 million. If that amount was all in bitcoin, and the malefactors have held onto it since, that heist could be worth some $700 million today.
Even before the latest cryptocurrency strike, experts maintained that the regime was trying to amass “a bitcoin war chest.”
Now here’s where it could get scary for banks. About the same time Youbit was cleaned out the first time, Kaspersky Lab claimed it had digital evidence that North Korea was also involved in last year’s $81 million cyber heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
“Within the last two years the North Koreans have demonstrated increasing aggressiveness towards banks and other financial entities and a willingness to conduct intrusions for the purpose of monetary gain,” says Luke McNamara, senior analyst for the FireEye cybersecurity firm. “Increased sanctions in the last year have likely increased the regime’s need to acquire alternative sources of income and funds.”
In fact, last year’s Bangladesh Central Bank intrusion would have been far worse save for a simple misspelling in a transaction that alerted authorities. Bad grammar by the North Koreans also marked May’s deployment of WannaCry ransomware; i.e. “You have not so enough time.” On Dec. 18, the White House officially declared North Korea responsible for WannaCry, adding that the cyberattack “was widespread and cost billions.”
The cyber army’s supreme ‘unit’
Somewhere in the bowels of the North Korean security apparatus (known for tunneling out mountains to hide from bombardment) exists an elite, pampered group of expert cyberhackers known as Unit 121. The North Korean cyberwarfare agency, reportedly consisting of close to 2,000 hackers, bores its way into supposedly secure systems around the world, including—and increasingly—those used by financial institutions.
Unit 121 was established within North Korea’s Reconnaissance Bureau of the General Staff Department to undertake offensive cyber operations, according to a report last year by Andrew Cordesman, a former consultant to the Departments of State and Defense during the Afghan and Iraq wars. He now serves as Arleigh A. Burke Chair in Strategy at the Center for Strategic and International Studies.
These hackers, according to the report, receive training in North Korea, Russia and China and spend their days trying to break into military, intelligence and financial networks to steal exploitable secrets.
They’ve even succeeded on American cyber-turf, cracking into the Sony Pictures database in December 2014 in response to the studio’s unflattering take on dictator Kim Jong-un—and a fictional plot to kill him—in “The Interview.” (North Korea called the Seth Rogen film an “act of war.”) The attack, said Burney, cost the company more than $15 million along with PR damage from the release of embarrassing emails.
The North Korean threat to financial institutions “is very real and rather large,” says R.J. Burney, a cybersecurity expert who works with the FBI and U.S. Special Operations Command.
One reason, says Burney, is that the communist government knows the value of hacking. It provides hackers, as it does military personnel, with a lifestyle that far exceeds that of the average North Korean.
The North Korean GDP per capita is roughly $2,000, compared to $22,000 in South Korea. So while the general populace starves due to international sanctions, costly weapons programs and a despot who hides billions outside the peninsula, Unit 121 operatives live a comparably comfortable life.
“Given the nature of the population’s needs [i.e., food, water and healthcare] it is very desirable to be a patriot hacker,” says Burney.
Aside from the Bangladesh Central Bank attack—which initially netted more than $100 million before some of the funds were ultimately being recovered—the North Koreans have hit a bank in Taiwan $60 million. Other banks around the world, said FireEye’s McNamara, have also fallen victim.
“North Korean cyber threat actors such as TEMP.Hermit have targeted victims in South East Asia, Europe, and the Americas,” said McNamara.” In some of these cases they are suspected of stealing funds in the millions of dollars. Additionally, in other incidents we have observed them pursue the theft of cryptocurrencies as a means funding their various activities.”
Rise of a North Korean Lazarus
The Bangladesh attack opened the vaults in another way: It ushered in an insidious new threat to financial institutions, according to a recent study by Symantec. Calling it one of “the most audacious bank heists of its kind,” the report concluded that it marked “the first time there was strong indications of state involvement in financial cybercrime.” Symantec identified a North Korean criminal enterprise called Lazurus that would have made off with $1 billion, if not for the typo and the suspicions of eagle-eyed bank officials, according to the report.
The methods used in this attack, particularly the in-depth knowledge of the bank’s SWIFT systems and the steps taken to cover the attacker’s tracks—are “indicative of a highly proficient actor,” according to the report, which points out it wasn’t the first Lazarus attack.
This same group was also linked to two earlier heists targeting banks that make transfers using the SWIFT network, though the SWIFT network itself was not compromised in any of these attacks, according to the report. Vietnam’s Tien Phong Bank revealed that it had intercepted fraudulent transfers totaling more than $1 million in the fourth quarter of 2015, while research by Symantec also uncovered evidence that another bank was targeted by the same group in October 2015.
A third bank, Banco del Austro in Ecuador, was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions, although no definitive link could be made between that fraud and the attacks in Asia. At the end of 2016, more than 100 institutions in 31 countries, mostly in the financial sector, were targeted by a focused watering hole attack, which seeks to compromise a specific group of end users. Of the 25 targets, the main focus of the campaign was Poland, followed by the U.S. and Mexico. Analysis of the malware used in this attack (known as “Downloader.Ratankba”) revealed many similarities to the Lazarus group, according to the Cordesman report.
Action steps to stay steps ahead
Countering North Korean cyberattacks is a challenge due to that nation’s extremely limited internet access, according a 2014 Hewlett-Packard report. “North Korea’s air-gapped networks and prioritization of resources for military use provide both a secure and structured base of operations for cyber operations and a secure means of communications.”
North Korea’s “hermit infrastructure creates a cyber-terrain that deters reconnaissance. Because North Korea has few Internet connections to the outside world, anyone seeking intelligence on North Korea’s networks has to expend more resources for cyber reconnaissance.”
Still, experts tell BAI that financial institutions can take numerous steps to protect systems against such intrusions. Burney, who works with the FBI and USSOCOM, offers some suggestions. Many are common hygiene methods applicable for all cyber security:
- Train users against phishing.
- Install email filtering software.
- Use endpoint protection software. Update the entire system’s software, and
- Follow outlined SWIFT guidelines.
FireEye’s McNamara also has some suggestions. Taking these steps are important, he says. because North Korea’s “targeting of Western financials and critical infrastructure” is only likely to increase. “These are some of the best proactive steps banks can take to reduce their exposure to the risk of North Korean threat actors:”
- Leverage threat intelligence
- Employing advanced detection solutions for the network
- Train employees on good cyber hygiene
- Maintaining information sharing partnerships with others in your sector, even outside your region, to stay informed of the evolving threat landscape.
- Maintaining readiness and a crisis plan should a breach occur, “to mitigate brand and financial damage.”
While it’s arguable based on past events that South Korean institutions, cybercurrency exchanges and smaller central banks may be most vulnerable, the North Korean regime and Unit 121 are nothing if not unpredictable.
Yet even a dictator’s squad of 2,000 hackers can’t do much of anything when banks—just as in the pre-digital days of safes and getaways cars—stand aware and on guard.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.
If you enjoyed this article, check out: Buy-in by degrees: Five ways to bolster your bank’s cybersecurity awareness and Blanket security: How AI is remaking risk management.