Focus turns to North Korea sleeper cells as possible culprits in ransomware cyberattack

Since the 1980s, reclusive North Korea has been known to train cadres of digital soldiers to engage in electronic warfare. PHOTO: EPA

SEOUL (NYTIMES) - They take legitimate jobs as software programmers in the neighbours of their home country, North Korea. When the instructions from Pyongyang come for a hacking assault, they are believed to split into groups of three or six, moving around to avoid detection.

Ever since the 1980s, reclusive North Korea has been known to train cadres of digital soldiers to engage in electronic warfare and profiteering exploits against its perceived enemies, most notably South Korea and the United States.

In more recent years, cybersecurity experts say, the North Koreans have spread these agents across the border into China and other Asian countries to help cloak their identities. The strategy also amounts to war-contingency planning in case the homeland is attacked.

Now this force of North Korean cyberhacking sleeper cells is under new scrutiny in connection with the ransomware assaults that have roiled much of the world over the past four days. New signs have emerged not only that North Koreans carried out the attacks but also that the targeted victims included China, North Korea's benefactor and enabler.

As evidence mounts that North Korean hackers may have links to the ransom assaults that destroyed more than 200,000 computers, their motives appear twofold: financial gain - which does not appear to be turning out so well - and proof that Pyongyang has the means to cause significant damage, with or without a nuclear weapon.

Cyberattacks are also a way for the country to inflict damage with little risk of a military response. They are inexpensive and hard to trace, and they can be profitable.

Until last year, nation states rarely used cyberattacks for financial gain. China has been tied to attacks aimed at stealing trade secrets. A handful of countries, including Russia, the US, Iran and North Korea, have also used cyberweapons.

North Korea has been tied to gunrunning, jewel smuggling, illegal gambling and counterfeiting to pay for its military and the lifestyle of the government, but as foreign nations have clamped down on those activities Pyongyang has turned to cyberattacks for badly needed funds.

"North Korea was always a state criminal, sheltered behind sovereignty, and now they've moved this into cyberspace," said Mr James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.

Over the past year, the same North Korean hacking unit that hit Sony Pictures was linked to cyberattacks at banks in Vietnam and the Philippines, and to a breach at the Bangladesh Central Bank that resulted in the theft of US$81 million (S$112 million). Last year, the same North Korean hackers breached more than 20 Polish banks.

And while it is still too early to point the finger definitively at Pyongyang, clues in the attack code and attackers' machines suggest that the ransom attacks were the work of the same group of North Korean hackers, or of someone masquerading as them.

Though the North Korean hacking group that security experts call the Lazarus Group has been known to use different infection methods, the group's tell-tale code, techniques and tools were seen in the ransomware attacks.

So far, the ransomware attacks, called WannaCry, have not proved very profitable. According to the latest tally of payments made to attackers' Bitcoin wallets, victims have paid only US$75,000 in ransom.

North Korea has in the past timed cyberattacks to coincide with its banned weapons tests - like the ballistic missile launched on Sunday - as a way of subtly flaunting its technology advances despite its global isolation.

Unlike its missile and nuclear weapons tests, however, North Korea has never announced or acknowledged its hacking abilities.

It also is possible that North Korea had no role in the attacks, which exploited a stolen hacking tool developed by the US National Security Agency. Early on Tuesday (May 16), the Shadow Brokers, the hacking group that spread the tool and is not believed to be linked with North Korea, threatened in an online post to start a "Data Dump of the Month" club, in which it would release more NSA hacking methods to paying subscribers.

Security officials in South Korea, the US and elsewhere say it is well known that the North Korean authorities have long trained squads of hackers and programmers, and that when superiors in North Korea issue instructions, these hackers are activated to attack targets.

Mr Boo Hyeong Wook, a research fellow at the Korea Institute for Defence Analyses, said the scale of the recent attacks was large enough that it was likely to have been supported on a national level. He also said it would be a logical extension of the growing boldness of North Korean hackers.

While North Korean hackers have for years operated out of China, defectors and South Korean officials say they have been spreading to South-east Asian countries, where government monitoring is less intense.

In countries like Malaysia, many North Korean hackers are believed to work undercover at technology companies and in other jobs. Sometimes, the hackers will also run online gambling sites or even make use of ransomware to raise funds for themselves.

North Korea began training electronic warfare soldiers well before the Internet era, according to defectors and South Korean officials. They selected math prodigies when they were 12 or 13 and trained them to become software developers, online psychological warfare experts and hackers.

They were also trained in foreign languages so they could operate abroad. North Korea sends students to study in Russia, China and, more recently, India to learn software and programming techniques. They return home and some are hired as hackers.

If the North Korean hackers were responsible for the disruptions suffered by Chinese computer users, that would constitute an extraordinary assault on North Korea's most important neighbour.

Mr Boo said the changing dynamics in the relationship between China and North Korea, which once described themselves as close as "lips and teeth", could be why China was attacked.

"China has dialed up the pressure on North Korea," he said. "Pyongyang faces the increased possibility that Beijing could abandon it. It made a loud statement."