North Korean Cybercrime: A Worrisome Success Story

Dhaka, February 5th 2016. Despite the apparent calm, the Central Bank of Bangladesh is under attack. One of the most ambitious bank heists in history is launched by an unknown group of hackers. 81 million USD transfers from the Central Bank to an obscure account in an investment bank in Manila, Philippines — where a local casino is poised to launder the money. 

A single typo costs $20 million USD

This attack could have been much worse.  The hackers make a typo triggering one of the transfers intended for the “Shalika Foundation” to be sent to the “Shalika Fandation.” This error alerts the routing bank, Deutsche Bank, to ask for more information from the Central Bank of Bangladesh regarding the 20 million USD transfer. It was the typo and subsequent request that alerted the Central Bank of Bangladesh to the fraudulent scheme, which stopped the transaction. Despite their ironic mistake, this large-scale cyber-attack aroused curiosity across the threat intelligence community. After a one-year investigation, Kaspersky Lab concluded that the cyberattack was most likely conducted by the Lazarus Group (a.k.a. Hidden Cobra), a group of hackers renowned for other high-level cybercrime activities and its strong links to the State of North Korea. To the general public, North Korean hacker groups remain relatively less well-known than hackers linked to those in Russia, whose activities during the 2016 American presidential campaign have been abundantly discussed. Among cybersecurity specialists, names such as Lazarus, Bluenoroff, and Andariel are very familiar.

N. Korean retaliation for lampooning Kim Jong-Un

Activities linked to the Lazarus Group were first detected in 2009. Subsequent activity, most notably includes the Sony Pictures Entertainment hack, which occurred in 2014, where 40 gigabytes of company data were stolen and posted online. The motive? The Lazarus Group was seeking revenge for Sony’s new comedy, The Interview, a movie lampooning the North Korean regime and its leader Kim Jong-Un in particular. Data released by the self-proclaimed Guardians of Peace (identified as the Lazarus Group by many security researchers) included personal information about Sony Pictures employees, information about executive salaries, as well as plans for future Sony films.

N. Korea invests in cybercrime

Other cyberattacks potentially perpetrated by North Korean hackers have been carefully studied by threat intelligence researchers. Operation Dark Seoul  (a.k.a. Operation Troy ) wiped tens of thousands of computer hard drives in South Korea on March 20, 2013. According to McAfee researchers, on top of this act of cyber-vandalism, the hacker activities also included intelligence gathering on South Korean military targets. These different shows of cyber-force from North Korea raise several questions. Among them, why did North Korea decide to invest strongly in cybercrime? Is North Korea’s use of cybercrime a geopolitical success story, even if a worrisome one?  Answers to these questions become apparent if we look at North Korea’s decisions under a simple cost-benefit paradigm. Let’s begin with the benefit for North Korea. According to a U.N report, cyberattacks have generated around 2 billion USD for North Korea. Experts have identified “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity designed to earn foreign currency.” In a country deprived of foreign currency due to the important economic sanctions imposed by the international community, this massive source of income is extremely strategic. A variety of sources, among them the U.S. Treasury Department, worried that the influx of money was ultimately used to fund North Korea’s nuclear weapons and missile programs. Sources speculate that North Korean authorities boost weapon development by using cyber-espionage to target foreign civil and military technologies.

Geopolitical view of cybercrime

From a geopolitical viewpoint, conflicts in cyberspace are congruent with the rather unique diplomatic posture and strategy led by North Korea in the international community. Indeed, compared to a conventional arms race, developing cyber warfare capacities remains considerably less expensive. This observation has notably been highlighted by Anthony Craig and Brandon Valeriano in the research paper Conceptualising Cyber Arms Races. Since cyber technologies can be much cheaper than conventional weapons, weaker states can possibly gain asymmetric advantages by entering into the cyber arms arena and compete on a more even footing with traditionally powerful states.” As a consequence, investments in cyber capabilities can be seen as a backdoor for Rogue States to be able to compete against Western countries. Extremely effective cyber weapons do not necessarily need costly technological developments, as demonstrated by the infamous WannaCry  ransomware. North Korean groups using “EternalBlue” an exploit of Windows’ Server Message Block (SMB) protocol initially found by the NSA delivered a strong ROI. Quick, large-scale exploitation of unpatched servers can deliver stronger ROI versus malware requiring top-notch resources and technology. The cost of cybercrime, again given North Korea’s economic and political isolation, provides limited risk as compared to other countries. This point appears to be proven by the fact that even new economic sanctions do not appear to be an effective deterrent to N. Korea’s weaponization of cybercrime. Moreover, although North Korea’s limited connection to the internet contributes to the economic turmoil of the country, it also limits the possibility of cyber-retaliation responding to North Korea’s cyberattacks. What about the use of a traditional military response to cyberattacks? Researchers suggest the perception of cyberattacks has not cleared the national and public threshold for using conventional weapons. Erica D. Borghard and Shawn W. Lonergan note in their article, Cyber Operations as Imperfect Tools of Escalation, “…both the tangible and psychological costs of cyber operations may check domestic political willingness (or pressure) to escalate via cross-domain instruments in response to adversary cyber operations.”

Growing weaponization of cybercrime

Strong investment by North Korea in geopolitical cybercrime is the result of a rational decision-making process. These cyberattacks are both congruent with the country’s unique position as a Rogue State and financially beneficial.  North Korean cybercrime is a worrisome geopolitical success story. As Chris Inglis, former deputy director of the NSA Security Agency stated, “Cyber is a tailor-made instrument of power for them [N. Korea].” This conclusion is a warning for the international community, including Western enterprises and citizens (as shown by the WannaCry ransomware). Do not underestimate the cyber threat emerging from Rogue Nation States.