Online Heists

Are Cyber Crooks Funding North Korea’s Nukes?

How does Kim Jong Un come up with the billions to pay for his nuclear tests? Increasingly successful online bank heists provide at least some of the cash, experts say.

Photo Illustration by Elizabeth Brockway/The Daily Beast

Like all modern geopolitical chess matches, the growing tension between the United States and North Korea has a shadowy analog playing out in cyberspace.

North Korea is primed for a sixth nuclear test, which would bring it one step closer to its admitted goal of developing a nuclear-tipped ICBM capable of reaching the United States mainland. At his current pace, Kim Jong Un could achieve that objective within three years, according to military analysts. That’s within President Donald Trump’s first term, and the administration has been ratcheting up the tough talk almost daily. The president recently said that nuclear war is on the table, and the USS Carl Vinson is steaming toward the Korean Peninsula (for real this time). Far from cowed, North Korea on Sunday detained an American college professor who’d been teaching in Pyongyang, the second arrest of a U.S. citizen in recent months.

But weapons tests like last month’s failed missile launch in Sinpo aren’t cheap. By one estimate, North Korea spent $1.3 billion on missile tests in 2012 alone. That may explain why the escalation in North Korea’s nuclear provocations has been accompanied by a spree of attempted and actual online bank heists that trace right back to Pyongyang. The largest of them was a nearly successful theft of almost $1 billion from Bangladesh Bank in 2016—enough money to fund North Korea’s missile testing for almost a year.

State-run crime has been an important component of North Korea’s economy for years. Illegal arms sales to countries like Syria and Iran are reportedly North Korea’s mainstay, but it’s also been linked to everything from the wholesale production of illegal drugs to the mass sales of counterfeit Viagra and cigarettes. In 2009, the U.S. blamed North Korea for a deluge of counterfeit U.S. currency, dubbed “supernotes,” that were so high in quality that the Treasury Department was forced to redesign the $100 bill.

“The money that North Korea makes from illicit activities is 40 percent of their real economy,” said Bruce Bechtol, professor of political science at Angelo State University and the author of four books on North Korea. Criminal proceeds prop up North Korea’s communist government, support the lavish lifestyle of party leaders, and help support the military, he said. “And some of it, no doubt, goes to support both their nuclear program and their ballistic missile program.”

When it comes to online crime, however, North Korea was mostly associated with a wave of vandalistic attacks on South Korea in 2013, followed by the infamous 2014 hack attack on Sony Pictures. “They were known for wipe attacks,” said Eric Chien, technical director of Symantec’s Security Technology and Response division. “I’d have predicted that they’d do more of those. Instead they tried to transfer about a billion dollars from the Bank of Bangladesh. No way we could have seen that coming.”

The Bangladesh caper unfolded on Feb. 4, 2016, when hackers used custom malware and stolen credentials to initiate 35 SWIFT wire transfer orders from Bangladesh Bank’s holdings at the Federal Reserve Bank of New York. The Fed began processing the orders, which totaled $951 million, but bank officials grew suspicious after noticing a misspelling in a transfer to Sri Lanka. That transfer was quickly pulled back, and another 30 were blocked entirely. But by then $81 million in stolen funds had gone through to Rizal Bank in the Philippines, landing in four accounts opened nearly a year earlier under fake names.

The Rizal Bank customers—purported Chinese businessmen—soon showed up at the bank branch in person, withdrew the money and deposited it into a fifth fraudulent account freshly established under the name of a legitimate customer. Then they wired the money to two Philippine casino resorts, where it disappeared.

As the first reported large-scale hack accomplished over SWIFT, a backbone of international finance, the breach received global publicity and alarmed the banking industry. Previous attacks surfaced, including a hack at Ecuador’s Banco del Austro that cost it $12 million in early 2015.

Normally Eastern European hackers would be the clear suspects for an ambitious bank heist—if the internet had a Captain Renault, he’d round up the Russia-based Carbanak gang for questioning. But when outside computer-security experts examined the Bangladesh attack code, they made an unexpected find. A portion of the code devoted to wiping out the victim’s hard drive was nearly identical to a custom disk wiper used in the “Dark Seoul” attacks against South Korean banks and broadcasters in 2013. Those attacks shared both code and a command-and-control server with the most famous destructive computer attack in history: the November 2014 breach of Sony Pictures by the “Guardians of Peace,” carried out in retaliation for a movie depicting Kim Jong Un’s assassination. The U.S. has formally named the government of North Korea as the culprit in the Sony breach.

Even before the Sony hack, the gang known as the “Lazarus Group” in computer-security circles had a distinctive style that Chien and his team recognized now in the Bangladesh code. Conventional cybercrooks build on the successes of their forebears, borrowing proven methods and malware known to have worked in the past. “Best practices, if you will,” said Chien.

In contrast, the Lazarus Group seemed to develop its techniques in a bubble, finding its own quirky path and defying conventional criminal wisdom. Even the hacker culture the “Guardians of Peace” parroted in the Sony attack seemed strangely out of touch. The hackers splashed Sony desktops with the image of a smiling skeleton on a dark background below 48-point crimson letters declaring “Hacked By #GOP”—an electronic calling card that would have felt at home on a 1995 website defaced by “Global Hell.”

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

North Korea’s technological and cultural isolation might help explain this phenomenon, said Gordon G. Chang, the author of Nuclear Showdown: North Korea Takes on the World, and a Daily Beast contributor. “North Korean hackers live in a tightly knit community and I’m sure that they’re overseen by minders,” he added. But their isolation doesn’t last forever. “They’re given a little bit of training, and after that they’re sent out to get the bulk of it. So it’s not a completely indigenous program.”

By last fall, the North Korean hackers had grown a more worldly side. In October, security experts discovered that a Polish bank had been infected with previously unseen malware. Once again there were links to prior attacks by the Lazarus Group, but this time the malware was served from an unlikely source: the website of the government agency that regulates Poland’s banks, the Financial Supervision Authority. The hackers had penetrated the agency’s hosting servers and changed the website to secretly deliver malware to visitors.

That tactic, called a “watering hole attack,” is among the more sophisticated tools in the modern hacker’s arsenal. Instead of attacking individual targets of interest, you hack a website that some portion of your target group is likely to visit, and use it to infect them. Your prey comes to you, like a hunter crouching behind a tree at a Serengeti watering hole.

By using a watering hole, the Lazarus Group demonstrated it was evolving at a near supernatural pace. “In 2012 they started out like other hackers started in the ’90s, and now they’ve caught up to 2017,” said Chien. “They took a 10- to 20-year timeline and compressed it into five years.”

Despite their rapid advancement, Kim Jong Un’s hackers made a crucial misstep in deploying their attack in Poland. The perpetrators tried to limit their exposure by programming the server to deliver malware exclusively to visitors coming from known banking institutions. Random users reading the Polish Financial Supervision Authority website—those who weren’t coming from an internet IP address range on the watering hole’s hit list—were exposed to nothing more harmful than a report on Poland’s pension system.

But the hackers failed to cull their target selection list before putting it in action, and it didn’t just contain Polish banks. The list was packed with addresses for 104 organizations in 31 countries, most of them financial institutions. In an apparent attempt to scale its attack for mass delivery, North Korea inadvertently published its entire game plan.

The target list included Bank of America, MasterCard, the European Central Bank, the Czech National Bank, Deutsche Bank in Germany, Mellon Bank in New York, the Bank of Tokyo-Mitsubishi, the Bank of Nova Scotia, ICICI Bank in Mumbai, Macquarie Group in Australia, HSBC, and the Bank of Estonia. On a map of the world, Kim’s sharpest adversaries are the U.S., South Korea, and Japan. But on the internet, he’s declared war on nearly everybody.

It’s an alarming development that positions North Korea as a potential cybercrime juggernaut. The country has an entire department, called Office 39, devoted to organizing and carrying out crime, and an army of professional hackers, said Bechtol. “How many people have taken 7,000 troops and said, ‘OK, we’re going to make you guys cyberwarriors now,’” Bechtol said. “And then decided, ‘OK, now we’re going to use you to steal money for our government.’ Who would do that? But that’s what it appears North Korea has done.”

Even beyond its size, being the first state-run heist crew gives the Lazarus Group advantages over most organized criminal enterprises. Russian hackers have staged SWIFT-based heists, but they’ve never tried to steal $1 billion in one day. One reason is they lack the resources and connections to metabolize that kind of cash, a problem that doesn’t burden North Korea, which already controls a vast international money-laundering network to handle its criminal proceeds. “It goes in a slush fund that’s scattered into banks all over the world,” said Bechtol. “Then it’s funneled illegally back into North Korea.”

Kim’s reputation for ruthlessness may also be an asset. When the money mules showed up at Rizal Bank to withdraw the $81 million Bangladesh windfall, the bank manager chose not to make trouble, according to testimony delivered at a Philippines senate hearing last year. “I’d rather do this than me being killed or my family,” she was overheard saying.

With no sign that North Korea is backing off its nuclear program or cyberattacks, we’re left with this: Trump, an inexperienced and unpredictable president elected with the help of Vladimir Putin’s hackers, may soon take the U.S. to war with North Korea, in response to missile tests funded in part by Kim’s hackers. If we survive, future writers of fourth-grade history textbooks are going to have a devil of a time with 2017.