The Cybercrime Syndicate Financing the North Korean State

The United States government labels them HIDDEN COBRA. In 2013, South Korean banks and broadcasters fell victim to a group calling itself the “WhoIs Team.” The attackers behind the Sony Pictures hack called themselves the “Guardians of Peace.” They prey on user data, cryptocurrency, and vaccine intellectual property. Today, they are most commonly identified as the Lazarus Group.

Not much is known about the Lazarus Group, apart from the fact that they are a collective of North Korean cybercriminals. The US intelligence community alleges that they serve the North Korean state, mostly undertaking acts of espionage and hacking financial institutions for the much-needed money to fund the heavily sanctioned nation and its nuclear program. As of late 2019, the Lazarus Group has crippled hundreds of thousands, if not millions, of computers and stolen up to US$2 billion. Despite the mystery surrounding the Lazarus Group, one thing is clear: they are one of the greatest cyber threats to the security of the international community.


The Lazarus Group

Although the origins of the Lazarus Group are not certain, their strategies have advanced rapidly over time and each successive attack has proven more devastating. The earliest attacks attributable to the Lazarus Group occurred in 2009, when they targeted US and South Korean government websites. They struck again in 2010, 2011, and 2013, hitting South Korean banks, government servers, and media agencies. The North Korean cyber offensive began as simple distributed denial-of-service (DDoS) attacks, disrupting normal network functionality, but it quickly increased in sophistication. By the March 2013 “DarkSeoul” attack, their malware had evolved from flooding tools into destructive wiper code, overwriting the hard drives of tens of thousands of computers at South Korean banks and broadcasters.

It was only in 2014, when the gaze of the North Korean hackers shifted to Hollywood, that the international community truly began to acknowledge the magnitude of the threat. In 2014, Sony Pictures Entertainment intended to release The Interview, a satirical film depicting the assassination of the North Korean leader Kim Jong-Un. A month prior to the premiere, the Guardians of Peace (a persona since attributed to the Lazarus Group) stole huge swathes of data, leaked sensitive documents, and wiped a large share of the company’s internal servers and workstations. The Hollywood giant bowed to their demands, cancelling the film’s planned wide theatrical release; it was eventually shown only in a few hundred independent cinemas and online. Most alarmingly, despite what was tantamount to an attack on US national security, the Guardians of Peace and the DPRK suffered virtually no retribution. Although the Obama administration imposed additional sanctions on North Korean entities in January 2015, the designations targeted the Reconnaissance General Bureau and arms-trading firms rather than anyone publicly shown to have carried out the hack, casting doubt as to whether the sanctions had much real impact.


Perhaps emboldened by the successful Sony attack and the lack of substantial US sanctions, the Lazarus Group attacks continued to escalate. Banks in at least 18 countries suffered hacking attempts and, in February 2016, DPRK hackers pulled off the largest cyber bank heist to date. Over a Friday, with the Bangladesh Bank closed for the weekend, the hackers used stolen SWIFT operator credentials to issue fraudulent payment orders for almost US$1 billion from the bank’s account at the Federal Reserve Bank of New York, routing the money towards accounts in the Philippines and Sri Lanka. Most of the orders were blocked or reversed after a spelling error in one beneficiary’s name and a sanctions-screening hit raised suspicion, but US$81 million reached accounts at a Manila bank and was laundered through the city’s casino industry before it could be recovered. Following this attack, leading cybersecurity firm Kaspersky called the Lazarus Group “one of the most successful in launching large scale operations against the financial industry.”

It would only take another year for the Lazarus Group to pull off another daring, record-setting cyberattack. In May 2017, the self-propagating “WannaCry” worm crippled some 300,000 computers in 150 countries, encrypting data and holding it hostage in exchange for Bitcoin ransom. Although it is uncertain exactly how much revenue the attack generated, it caused billions of dollars of damage across the world. The global WannaCry cyberattack continues to be the largest ransomware attack in history.

Since the WannaCry attack, the Lazarus Group has concentrated efforts on cryptocurrency. In April 2018, the group hacked a cryptocurrency exchange and stole almost US$250 million. In May 2019, North Korea increased its mining of the privacy-focused cryptocurrency Monero by at least tenfold. September 2020 saw the theft of US$281 million worth of cryptocurrency from the Seychelles-based KuCoin exchange, one of the largest cryptocurrency thefts up to that point. Moreover, with the difficulty of tracing unregulated cryptocurrency, coupled with the recent surge in the price of crypto assets, the North Korean stash of virtual dark money is sure to be greater than international estimates.


Most recently, the South Korean National Intelligence Service (NIS) reported attempts on COVID-19 vaccine IP by North Korean hackers, despite the DPRK claiming to have zero cases. Unconfirmed sources suggest vaccine leaders AstraZeneca and Pfizer were targets, though the NIS maintains that the attempts were unsuccessful. Separately, Microsoft reported in November 2020 that Russian and North Korean state actors had, independently of one another, targeted at least seven pharmaceutical companies and vaccine researchers. However, given that many hacking attacks take several months for the perpetrator(s) to be accurately identified, it may be some time before the truth behind this latest string of attacks becomes clear.

Made in China?

The image of North Koreans as high tech hackers clashes with the more customary image of North Koreans as farmers and soldiers. Given the historical isolation of the country and the strict control of informational flow, it is indeed puzzling to see the developing country take down Hollywood and hack international financial systems.

It seems that Chinese tertiary institutions played an influential role in training North Korea’s cyber agents, at least in the beginning. Though top domestic universities, such as Kim Il-sung University, are common destinations for mathematically talented students, the most promising students were reportedly sent to Shenyang, China. Another report shows a contingent of North Korean students studying at the prestigious Harbin Institute of Technology. China and North Korea also publicly maintain other student exchange programs which potentially educate hackers in the making.

Although the North Korean cyber education program may have started in China, its agents are now spread across the globe. The US Army estimates some 6,000 North Korean cyber agents are living and working from overseas locations, including places as diverse as India, Kenya, and New Zealand. Among these 6,000, it is unclear whether the Lazarus Group is the sole overarching entity — some reports suggest multiple other cybercrime organizations exist, though their aims and characteristics appear largely the same.

Their Next Target

It is highly improbable that these cyber attacks will stop. Cybercrime is a low-risk, high-reward enterprise. Millions can be stolen and attribution is often difficult, with retribution highly delayed. Even in the Bangladesh Bank heist, the largest cyber bank heist in history, it took cybersecurity specialists the better part of a year to attribute it publicly to the Lazarus Group. Furthermore, cyber attacks have the tactical advantage of edging close to, but falling short of, war. Unlike nuclear missiles or boots-on-the-ground reunification invasions, cybercrime does not yet amount to an act of war, despite having the potential to cause massive damage. Chillingly, cybercrimes are all bite with no telltale bark.

If the recent push for cryptocurrency and vaccine IP is any indication, the authoritarian regime has realized the obvious potential in using cyber weapons as a game-changing, new modus operandi. The terrifying question that security analysts across the world must reckon with is where the target might land next. The DPRK could double their efforts in hacking financial institutions and cryptocurrency exchanges to generate sorely needed revenue. Another alarming possibility is the infiltration of military technology. The US holding the most powerful weapons in the world means nothing if control over these weapons lands in the hands of a volatile dictator. Or perhaps, as our cars, homes, and even cities, turn “smart”—in other words, get plugged into the Internet of Things—the potential for cyber attacks will grow exponentially. After all, it is an embedded computer controlling much of the functions of our car, the security apparatus of our homes, even the life support machines in our hospitals. Anything “smart,” from contemporary fridges to the city’s traffic lights, is a computer, and therefore hackable.


Notably, these are not fears that are unique to the DPRK. China and Russia are both considered more dangerous and imminent threats, and are the leading suspects behind several large attacks. However, the tiny Korean nation of 26 million should not be neglected; after all, technology is the great equalizer. Regardless of the wealth and size of the nation, all a successful cyber heist takes is a small squadron of hackers. The Lazarus Group have proven themselves time and time again, pulling off some of the biggest attacks in history.

In fact, the pariah status of the hermit kingdom might actually make them a more daring and dangerous threat. Unlike both Russia and China, the DPRK has severed almost all relations with the international community. There is virtually no trade or investment that can be sanctioned, few embassies to revoke, little international reputation to invoke in global fora. In other words, the sanctioned nation has nothing to lose and everything to gain. This unique calculus means that the dictatorial state poses an unparalleled threat to international security.


Striking Back

In 2018, after years of successful evasion, the US got its first tangible grip on the Lazarus Group. The United States Justice Department brought charges against Park Jin-Hyok, a suspected Lazarus Group operative. He was charged with several cyber attacks, including the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry attack. Two and a half years later, in February 2021, the Justice Department built on the investigation, charging Jon Chang-Hyok, Kim Il, and Park with a scheme to steal more than US$1.3 billion in money and cryptocurrency.

With DPRK attacks showing no sign of relenting and general threats to global cybersecurity increasing, it is clear that precautions need to be taken. An April 2020 advisory issued jointly by the US Departments of State, Treasury and Homeland Security and the FBI recommended a collaborative approach: information on how to best secure data and best defend against attacks must be shared across private and public sectors amongst like-minded countries. Cyber threats are indiscriminate and information is king. In the WannaCry attack, the Lazarus Group capitalised on an exploit for a Windows file-sharing (SMB) vulnerability that had been developed by the NSA and leaked online a month earlier; Microsoft had published a patch in March 2017, and machines that had applied it were not infected. Had there been better cross-sector dialogue and faster patching, the damage might have been mitigated.

Another pressing recommendation is simply to follow cybersecurity best practices and bolster cyber education. Preventing crime is easier than punishing crime, particularly cybercrime. Even the simplest practices, such as training to recognise phishing or scam emails and backing up data regularly, could go a long way in protecting the general public.

Ultimately, the sluggish and elephantine mechanisms of international law must catch up with the lightning pace of technological growth. As the Center for Strategic and International Studies pointed out in a 2015 paper, international norms and laws must acknowledge the very real threat of cybercrime and establish effective deterrence mechanisms. A sharp condemnation of the Lazarus Group by the United Nations Security Council and a global conversation on where cybercrime fits on the spectrum of international crimes are good first steps. The international community must agree that, when it is possible to identify individuals or entities, punishment should be swift, exacting, and multilateral.

The Lazarus Group and the broader DPRK cyberthreat pose an invisible yet salient risk to the security of the international community, its financial institutions, and its intellectual property. Second order impacts, such as the financing of North Korea’s nuclear and ballistic missiles program, further destabilise global peace and security. For the foreseeable future, it seems that this threat is unlikely to abate. Unless the international community reckons with the true potential of the danger and acts, one of the greatest cyber threats in the world—capable of billion dollar bank heists and forcing Hollywood to its knees—remains a rogue group of hackers from the quiet Korean land of farmers and soldiers.
