North Korea hackers increasingly more interested in stealing cash than secrets

A new study claims North Korean hackers are targeting banks more than ever before. It's one way they're trying to funnel cash to the sanction-crippled regime.

SEOUL (NYTIMES) - North Korea's state-sponsored hackers are increasingly going after money rather than secrets, according to a report published on Thursday (July 27) by a South Korean government-backed institute.

Cybersecurity experts have noticed a shift in the hacking attacks they suspected were mounted by North Korea.

Formerly, most such attacks appeared intended to cause social disruption or purloin secret data, and the targets were generally the computer networks of government agencies or media companies in countries it considered hostile.

The best-known example was a 2014 attack on computers at Sony Pictures Entertainment.

That kind of attack is still occurring, but in the past few years, North Korean hackers seem to have become more interested in stealing cash, the Financial Security Institute said in its report on Thursday.

The report said North Korean-linked hackers were behind the recent digital theft of US$81 million (S$110 million) from Bangladesh's central bank. The North Koreans also tried to breach Polish banks, leaving traces that led anti-hacking experts to believe the hacking group also planned to steal money from more than 100 other organisations around the world.

North Korea is isolated, impoverished and desperately short of foreign currency to pay for imports. Even so, it has trained a large army of hackers, originally as an inexpensive means of espionage, sabotage and propaganda, but now also as a moneymaker.

Russian cybersecurity firm Kaspersky Lab has identified a hacking group called Bluenoroff that it says is to blame for attacks on foreign financial institutions, like those in Poland and Bangladesh.

Bluenoroff is said to be an offshoot of Lazarus, the North Korea-linked hacking group implicated in earlier attacks.

The new report identified another Lazarus spin-off, which it named Andariel, and said that group was responsible for at least seven hacking attacks on banks, defence contractors and other businesses in South Korea over the past two years. (The names Lazarus and Andariel apparently refer to characters in the Diablo video game.)

"Bluenoroff and Andariel share their common root," the report said. "If Bluenoroff has attacked financial firms around the world, Andariel focuses on businesses and government agencies in South Korea using methods tailored for the country."

The report said the Andariel group had increasingly shifted from destructive attacks on computer networks to crimes like stealing bank-card data and using it to draw cash from bank customers' accounts or selling the data on the black market. The group also used malware to cheat at online poker and on other gambling websites.

"Andariel is believed to focus on earning hard currency," the report said.

The Financial Security Institute, which is financed by the South Korean government, cautioned that the report was partly conjectural and did not represent an official view.

North Korea, a country that is cut off from much of the global economy and allows only a tiny portion of its population to have access to the Internet, has been building up its cyberattack capabilities since the early 1990s, selecting teenagers and teaching them to be hackers, according to South Korean officials and defectors from the North.

South Korean cybersecurity officials began detecting attacks attributed to North Korean hackers around 2009.

North Korea is now believed to have 1,700 state-sponsored hackers, aided by more than 5,000 supervisors, trainers and other support staff, South Korean officials estimate.

The hackers typically do their work abroad, taking legitimate software programming or other jobs in China, South-east Asia or Europe and waiting for instructions from Pyongyang to mount an assault, they said.

Going abroad is a rare privilege for North Koreans, and those who are allowed to work outside the country are required to send the government a quota of foreign currency every year, according to North Korean defectors.

North Korea has been accused of illicit moneymaking schemes to pay for its huge military, its nuclear weapons programme and its leaders' luxurious lifestyle, including gun-running, drug trafficking and counterfeiting.

As the United Nations has tightened sanctions and made those avenues more difficult, cyberattacks have loomed larger as a source of cash. Some hacking experts suspect North Korean involvement in the recent wave of global ransomware attacks.

North Korea has denied any involvement in hacking attacks, accusing South Korea and the United States of slander.
