World experts once laughed at North Korean cyber power; they are sitting up now

North Korea's army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to United States and British security officials who have traced these attacks and others back to the North. PHOTO: REUTERS

SEOUL (NYTIMES) - When North Korean hackers tried to steal US$1 billion (S$1.3 billion) from the New York Federal Reserve last year (2016), only a spelling error stopped them.

They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled "foundation" as "fandation". Even so, the minions of North Korean leader Kim Jong Un got away with US$81 million in that heist.

Their track record is mixed, but North Korea's army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to United States and British security officials who have traced these attacks and others back to the North.

Amid all the attention on Pyongyang's progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyber programme that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.

Unlike its weapons tests, which have led to international sanctions, the North's cyberstrikes have faced almost no pushback or punishment, even as the regime is using its hacking capabilities for actual attacks against its adversaries in the West.

And just as Western analysts once scoffed at the potential of the North's nuclear programme, so did experts dismiss its cyber potential - only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose.

The country's primitive infrastructure is far less vulnerable to cyber retaliation, and North Korean hackers operate outside the country anyway. Sanctions offer no useful response, since a raft of sanctions is already in place.

And Mr Kim's advisers are betting that no one will respond to a cyberattack with a military attack, for fear of a catastrophic escalation between North and South Korea.

It is hardly a one-way conflict: By some measures, the US and North Korea have been engaged in an active cyber conflict for years.

Both the US and South Korea have also placed digital "implants" in the Reconnaissance General Bureau, the North Korean equivalent of the Central Intelligence Agency, according to documents that Edward Snowden released several years ago.

US-created cyber and electronic warfare weapons were deployed to disable North Korean missiles, an attack that was, at best, only partially successful.

Indeed, both sides see cyber as the way to gain tactical advantage in their nuclear and missile standoff.

Once, North Korea counterfeited crude US$100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking and, more recently, hacks of South Korean Bitcoin exchanges.

One former British intelligence chief estimates the take from its cyberheists may bring the North as much as US$1 billion a year, or a third of the value of the nation's exports.

When Mr Kim succeeded his father, in 2011, he expanded the cyber mission beyond serving as just a weapon of war, focusing also on theft, harassment and political-score settling.

"Cyberwarfare, along with nuclear weapons and missiles, is an 'all-purpose sword' that guarantees our military's capability to strike relentlessly," Mr Kim reportedly declared, according to the testimony of a South Korean intelligence chief.

And the array of United Nations sanctions against Pyongyang only incentivised Mr Kim's embrace.

"We're already sanctioning anything and everything we can," said Mr Robert Silvers, the former assistant secretary for cyberpolicy at the Department of Homeland Security during the Obama administration. "They're already the most isolated nation in the world."

For decades, Iran and North Korea have shared missile technology, and US intelligence agencies have long sought evidence of secret cooperation in the nuclear arena. In cyber, the Iranians taught the North Koreans something important: When confronting an enemy that has internet-connected banks, trading systems, oil and water pipelines, dams, hospitals and entire cities, the opportunities to wreak havoc are endless.

By midsummer 2012, Iran's hackers, still recovering from a US and Israeli-led cyberattack on Iran's nuclear enrichment operations, found an easy target in Saudi Aramco, Saudi Arabia's state-owned oil company and the world's most valuable company.

That August, Iranian hackers flipped a kill switch at precisely 11.08am, unleashing a simple wiper virus onto 30,000 Aramco computers and 10,000 servers that would destroy data, and replace it with a partial image of a burning American flag. The damage was tremendous.

Seven months later, during joint military exercises between US and South Korean forces, North Korean hackers, operating from computers inside China, deployed a very similar cyberweapon against computer networks at three major South Korean banks and South Korea's two largest broadcasters. Like Iran's Aramco attacks, the North Korean attacks on South Korean targets used wiping malware to eradicate data and paralyse their business operations.

Beyond respect, and retribution, the North wanted hard currency from its cyber programme.

So soon the digital bank heists began - an attack in the Philippines in October 2015; then the Tien Phong Bank in Vietnam at the end of the same year; and then the Bangladesh Central Bank.

Researchers at Symantec said it was the first time a state had used a cyberattack not for espionage or war, but to finance the country's operations.

Now, the attacks are increasingly cunning. Security experts noticed in February that the website of Poland's financial regulator was unintentionally infecting visitors with malware.

It turned out that visitors to the Polish regulator's website had been hit with a watering hole attack, in which North Korean hackers waited for their victims to visit the site, then installed malware in their machines. Forensics showed that the hackers had put together a list of internet addresses from 103 organisations, most of them banks, and designed their malware to specifically infect visitors from those banks, in what researchers said appeared to be an effort to move around stolen currency.
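The selective infection described above has a defender-side signature: the compromised site returned something different to visitors from a short list of networks than it returned to everyone else. The following script is an added example, not code from the article or from the researchers it cites. It assumes a site operator has ordinary combined-format access logs, groups clients by their /24 network, and uses response size as a cheap proxy for "different content"; all log lines and IP ranges are constructed for the example (documentation and private ranges, not real organisations).

```python
"""Flag paths where a minority of client networks consistently receive a
response of a different size from the one every other network gets. This is a
triage signal for watering-hole style selective delivery, not proof: CDNs,
A/B tests and compression variance also produce size differences. Added
example; not from the article."""
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed combined-format log lines. 192.0.2.0/24 plays the role of the
# targeted network that is served a larger (injected) page for /index.html.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2017:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [02/Feb/2017:09:01:15 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.14 - - [02/Feb/2017:09:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.1.2.7 - - [02/Feb/2017:09:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.33 - - [02/Feb/2017:09:03:05 +0000] "GET /index.html HTTP/1.1" 200 6844
192.0.2.34 - - [02/Feb/2017:09:03:06 +0000] "GET /index.html HTTP/1.1" 200 6844
192.0.2.40 - - [02/Feb/2017:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 6844
203.0.113.5 - - [02/Feb/2017:09:06:12 +0000] "GET /about.html HTTP/1.1" 200 2210
198.51.100.14 - - [02/Feb/2017:09:06:20 +0000] "GET /about.html HTTP/1.1" 200 2210
192.0.2.33 - - [02/Feb/2017:09:06:25 +0000] "GET /about.html HTTP/1.1" 200 2210
10.1.2.7 - - [02/Feb/2017:09:07:00 +0000] "GET /missing.html HTTP/1.1" 404 312
"""

# Apache/nginx "combined" style: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_log(text):
    """Yield (client_network, path, response_bytes) for each successful GET."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        # Group clients by /24 so a handful of hosts in one organisation
        # count as one vantage point rather than many.
        net = ipaddress.ip_network(f"{m['ip']}/24", strict=False)
        yield str(net), m["path"], int(m["bytes"])


def find_selective_delivery(log_text, min_networks=3):
    """Return {path: [outlier networks]} for paths where a strict minority of
    client networks most often received a response size that differs from the
    size most networks received. Paths seen from fewer than min_networks
    networks are skipped because a baseline cannot be established."""
    sizes = defaultdict(lambda: defaultdict(Counter))  # path -> net -> Counter(bytes)
    for net, path, nbytes in parse_log(log_text):
        sizes[path][net][nbytes] += 1

    findings = {}
    for path, per_net in sizes.items():
        if len(per_net) < min_networks:
            continue
        # Each network "votes" with the size it most commonly received.
        typical = {net: c.most_common(1)[0][0] for net, c in per_net.items()}
        baseline = Counter(typical.values()).most_common(1)[0][0]
        outliers = sorted(net for net, size in typical.items() if size != baseline)
        # Only a minority of networks receiving something different is
        # interesting; a majority change is more likely a site-wide deploy.
        if outliers and len(outliers) * 2 < len(per_net):
            findings[path] = outliers
    return findings


if __name__ == "__main__":
    for path, nets in find_selective_delivery(SAMPLE_LOG).items():
        print(f"{path}: served a different response to {', '.join(nets)}")
```

In practice a hash of the served body (or the set of script URLs it references) is a stronger discriminator than byte count, and the flagged networks should be cross-checked against what those clients actually received before any conclusion is drawn.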

More recently, North Koreans seem to have changed tack once again. North Korean hackers' fingerprints showed up in a series of attempted attacks on cryptocurrency exchanges in South Korea, and were successful in at least one case, according to researchers at FireEye.

While US and South Korean officials often express outrage about North Korea's cyber activities, they rarely talk about their own - and whether that helps fuel the cyber arms race.

At a recent meeting of US strategists to evaluate North Korea's capabilities, some participants expressed concerns that the escalating cyberwar could actually tempt the North to use its weapons - both nuclear and cyber - very quickly in any conflict, for fear that the United States has secret ways to shut the country down.