Sleeper cells of N. Korean hackers under scrutiny

A staff member at the Korea Internet and Security Agency in Seoul monitoring the spread of ransomware cyber attacks on Monday. As evidence mounts that North Korean hackers may be linked to the ransomware attacks, their motives appear twofold: financial gain and proof that Pyongyang has the means to cause significant damage, with or without a nuclear weapon. PHOTO: AGENCE FRANCE-PRESSE

Evidence mounts that these units were behind ransomware attacks

SEOUL • They take legitimate jobs as software programmers in the countries neighbouring their home country, North Korea. When the instructions from Pyongyang come for a hacking assault, they are believed to split into groups of three or six, moving around to avoid detection.

Ever since the 1980s, reclusive North Korea has been known to train cadres of digital soldiers to engage in electronic warfare and profiteering exploits against its perceived enemies, most notably South Korea and the United States.

In recent years, experts say, North Korea has spread these agents across the border into China and other Asian countries to cloak their identities. The strategy amounts to war contingency planning in case the homeland is attacked.

Now this force of North Korean cyber-hacking sleeper cells is under new scrutiny in connection with the ransomware assaults that have roiled much of the world over the past four days. New signs have emerged not only that North Koreans carried out the attacks, but also that the targeted victims included China, North Korea's benefactor.

As evidence mounts that North Korean hackers may have links to the ransom assaults that destroyed more than 200,000 computers, their motives appear twofold: financial gain - which does not appear to be turning out so well - and proof that Pyongyang has the means to cause significant damage, with or without a nuclear weapon.

Cyber attacks are also a way for it to inflict damage with little risk of a military response. They are inexpensive, hard to trace, and can be profitable. Until last year, nations rarely used cyber attacks for financial gain. China has been tied to attacks aimed at stealing trade secrets. Some countries, including Russia, the US, Iran and North Korea, have also used cyber weapons.


North Korea has been tied to gunrunning, jewel smuggling, illegal gambling and counterfeiting to pay for its military and the lifestyle of the government, but as foreign nations have clamped down on those activities, Pyongyang has turned to cyber attacks for badly needed funds.

"North Korea was always a state criminal, sheltered behind sovereignty, and now they have moved this into cyberspace," said cyber security expert James Lewis at the Centre for Strategic and International Studies in Washington.

In the past year, the same North Korean hacking unit that hit Sony Pictures was linked to cyber attacks on banks in Vietnam and the Philippines, and to a breach at the Bangladesh Central Bank that resulted in the theft of US$81 million (S$113 million). Last year, the same North Korean hackers breached more than 20 Polish banks.

And while it is still too early to point the finger definitively at Pyongyang, clues in the attack code and attackers' machines suggest that the ransom attacks were the work of the same group of North Korean hackers, or of someone masquerading as them. Though the hacking group that security experts call the Lazarus Group has been known to use different infection methods, the group's telltale code, techniques and tools were seen in the attacks.

North Korea has in the past timed cyber attacks to coincide with its banned weapons tests - such as the ballistic missile launched on Sunday - to subtly flaunt its technological advances despite its global isolation. Unlike its weapons tests, however, it has never announced or acknowledged its hacking abilities.

While North Korean hackers have for years operated out of China, defectors and South Korean officials say they have been spreading to South-east Asian countries, where government monitoring is less intense. In countries such as Malaysia, many North Korean hackers are believed to work undercover at technology companies and in other jobs. Sometimes, the hackers will also run online gambling sites or even make use of ransomware to raise funds for themselves.

North Korea began training electronic warfare soldiers well before the Internet era, according to defectors and South Korean officials. It selected maths prodigies when they were 12 or 13 and trained them to become software developers, online psychological warfare experts and hackers. They also learnt foreign languages to operate abroad.

North Korea sends students to study in Russia, China and, more recently, India to learn software and programming techniques. They return home and some are hired as hackers.

NYTIMES

A version of this article appeared in the print edition of The Straits Times on May 18, 2017, with the headline 'Sleeper cells of N. Korean hackers under scrutiny'.