As Trump and Kim met, North Korean hackers hit over 100 targets in US and ally nations

North Korean leader Kim Jong Un and US President Donald Trump listen to questions from the media during the one-on-one bilateral meeting at the second North Korea-US summit in the Metropole hotel in Hanoi.
North Korean leader Kim Jong Un and US President Donald Trump listen to questions from the media during the one-on-one bilateral meeting at the second North Korea-US summit in the Metropole hotel in Hanoi. PHOTO: REUTERS

SAN FRANCISCO (NYTIMES) - North Korean hackers who have targeted American and European businesses for more than two years kept up their attacks last week even as President Donald Trump was meeting with North Korea's leader in Hanoi.

The attacks, which include efforts to hack into banks, utilities and oil and gas companies, began in 2017, according to researchers at the cybersecurity company McAfee, a time when tensions between North Korea and the United States were flaring.

But even though both sides have toned down their fiery threats and begun nuclear disarmament talks, the attacks persist.

In 2017, Mr Trump mocked Mr Kim Jong Un as "rocket man" in a speech at the United Nations, while North Korea tested missiles capable of delivering a nuclear warhead to the US. Last week, the tone was very different, and even as the two sides failed to reach an agreement, Mr Trump struck a conciliatory tone towards his North Korean counterpart.

The revelation of North Korea's most recent hacking activity adds new details to the tensions surrounding the summit last week, which ended abruptly without any deals. After their first meeting, 15 months earlier, North Korea had agreed to stop test-firing its missiles.

"For 15 months, they haven't tested weapons because of this negotiation, but over those same 15 months they have not stopped their cyberactivity," said Mr Victor Cha, Korea chairman at the Centre for Strategic and International Studies (CSIS) in Washington.

With the help of an unnamed foreign law enforcement agency, the McAfee researchers gained access to one of the main computer servers used by the North Korean hackers to stage their attacks.


The McAfee researchers said they watched, in real time, as the North Koreans attacked the computer networks of more than 100 companies in the US and around the world. Last month, they expanded their targets to companies in Turkey, operating from a block of Internet addresses traced to Namibia, one of the few countries that maintains friendly relations with Pyongyang.

"They are very, very, very active. It's been nonstop," said Mr Raj Samani, McAfee's chief scientist. "We've seen them hit in excess of 100 victims."

The exact motive of the attacks was not clear. They were well-researched and highly focused and, in many cases, aimed at engineers and executives who had broad access to their companies' computer networks and intellectual property.

McAfee, which is based in Santa Clara, California, would not name the targets of the attacks and said it would be alerting victims and government authorities on Monday (March 4). But the firm did provide a map of North Korean hackers' targets.

The vast majority were in the US, with the most frequent marks in Houston, an oil and gas hub, and New York, a finance hub. Other major targets included London; Madrid; Tokyo; Tel Aviv, Israel; Rome; Bangkok; Taipei, Taiwan; Seoul, South Korea; and Hong Kong. Russia and China, two countries that have maintained cordial relations with North Korea, were relatively untouched.

North Korea, like the US and many other countries, has long been accused of using hackers to further its national interests. In 2014, apparently in retaliation for a movie that mocked Mr Kim, North Korean hackers hit Sony Pictures Entertainment. They destroyed Sony's computer servers, paralysed the studio's operations and eventually leaked embarrassing e-mails from executives, in what would become a playbook for the Russian attacks and leaks of e-mails before the 2016 elections.

North Korean hackers have been tied to attacks on banks all around the world for financial gain - a rarity among government-affiliated hackers but not surprising for a country ravaged by economic sanctions. The "WannaCry" attack, which paralysed more than 150 organisations around the globe in 2017, was also traced to North Korea.

Mr Cha of the CSIS said cyberattacks remained the "third leg" of North Korea's overall military strategy.

"They're never going to compete with the United States and South Korea soldier to soldier, tank for tank," he said. "So they have moved to an asymmetric strategy of nuclear weapons, ballistic missiles, and the third leg is cyber, that we really didn't become aware of until Sony."

Since the Sony attack, McAfee's researchers said North Korea's hackers had significantly improved their capabilities: They are much better at hiding their tracks and researching their targets. And in many of the attacks McAfee witnessed, North Korean hackers had done their homework.

They scoured the Microsoft-owned business site LinkedIn, for example, to find the profiles of industry job recruiters. They sent e-mails that appeared to come from those recruiters' accounts, often in perfect English, promoting job opportunities.

When a target clicked on an attachment or link in the e-mail, the hackers gained access to the target's computer.

"The campaign was clearly really well prepared," said Mr Christiaan Beek, McAfee's senior principal engineer and lead scientist.

"It was very well researched and very targeted. They knew the individuals they were going for, and they drafted e-mails in such a way that their targets clicked on them."

The tools they used to implant malware in the recent attacks, which McAfee's researchers called "Rising Sun" because of a reference in the code, were also starkly improved.

Though the implants shared code with previous North Korean attacks, McAfee's researchers said the hackers added new functions to lift data off infected machines. They also went to great lengths to delete their digital movements and encrypt their traffic.

Mr Beek and Mr Samani said their team at McAfee was able to follow the hackers' movements only because of their access to the North Korean's server.

"The more code we saw, the more links we could see to more and more attacks," Mr Beek said.

Considering other recent North Korean hacking campaigns that McAfee's researchers have tracked - notably against the 2018 Winter Olympics and a separate spate of attacks on banks last year - Mr Beek said North Korea showed no signs of slowing this activity.

Security experts said the attacks would have to be addressed at some point if the two countries should continue talks.

"Their very aggressive cyberactivity will have to be addressed in future discussions," Mr Cha said. "They are extremely active and, it's clear to me at least, they've stopped missile testing because of the ongoing negotiations, but they're not stopping in cyber."