North Korean Hackers or Not?

Konstantin Asmolov, November 02

The next text about North Korean hackers is provoked by three incidents.

On July 24, 2020, the US Army released a guide on the Korean People’s Army describing what to expect from North Korea as an adversary. Hackers are “placed full-time,” and North Korea may have more than 6,000 cyber fighters working on its behalf abroad, including in India and China. First of all, these are groups subordinate to the DPRK’s military cyber command, the so-called Bureau 121. However, this count also includes those engaged in electronic intelligence.

Secondly, several officials and computer security experts have issued statements on the same topic: only “cash-strapped North Korea” uses its hackers not for intelligence, as Russia, China, and Iran do, but to steal money from foreign banks. In this environment, the thesis that “North Korea’s sophisticated cyber-attacks signal the desperate situation of a regime hit by a triple whammy of sanctions, typhoons, and COVID-19” is beyond question.

Paul Nakasone, Commander of the US Cyber Command, said in Foreign Affairs Magazine that Pyongyang is using hacking as a way to defy sanctions imposed on the communist state by “hacking international financial networks and cryptocurrency exchanges to generate revenue to fund its weapons development activities”.

The panel of experts’ report to the UN Security Council dated August 2019 says that “large-scale attacks on cryptocurrency exchanges” allow the DPRK to quietly receive funds to implement programs to create “weapons of mass destruction,” with the total amount of revenue estimated at $2 billion.

Moon Jong-Hyun, head of the Cyber Threat Response Center (ESRC) and an expert at the Republic of Korea’s cyber defense operations command, said in an interview with RIA Novosti that North Korean hackers are the only government hackers in the world engaged in hacking banks and financial systems, including stealing cryptocurrencies from exchanges and private users. According to him, South Korean experts register attacks by North Korean hackers in many cases but cannot openly report that North Korea committed the hacking. One has to consider the policy of the current government, which seeks peace with the DPRK.

By the way, it is in this context that on August 26, in a joint warning with the US Treasury, the FBI, and the US Cyber Command, the US Cybersecurity and Infrastructure Security Agency (CISA) stated that North Korean government cyber actors use malware to gain illegal access to “banks in many countries to initiate fraudulent international money transfers and cash out ATMs.”

It is alleged that the hacker group BeagleBoyz (the name given by the US government) is responsible for sophisticated cyber-enabled ATM cash-out campaigns, publicly identified as “FASTCash” in October 2018. As a result of the attack, thousands of ATMs in North America, East Asia, and Africa began simultaneously dispensing cash, which was collected by local criminal elements. Supposedly, some of this money went to Pyongyang. Since 2015, BeagleBoyz has targeted more than 30 countries, including South Korea, Japan, and India.

There is also information that the US authorities intend to block 280 cryptocurrency accounts associated with North Korean hackers, who stole millions of dollars’ worth of cryptocurrency from two virtual exchanges and tried to launder funds through Chinese traders. In a civil forfeiture lawsuit, the US Department of Justice linked the cyber theft to North Korea, citing a report by a UN panel of experts that said state-backed North Korean hackers stole about $500 million from at least five exchanges in Asia in 2017 and 2018.

As NK News (North Korea) writes, citing an analysis by Kaspersky Labs, the hackers’ ransom price is lower than the cost of backing up and restoring information, so it is easier for the victim to pay.

In this context, on October 1, 2020, the US Office of Foreign Assets Control (OFAC) published guidelines that warn that paying a ransom to hackers from the DPRK will be punished with severe fines or other sanctions.

On October 22, John C. Demers, the Assistant Attorney General of the National Security Division, noted that the DPRK might receive support for its illegal cyber activities from China in terms of know-how and protection.

Thirdly, there was a whole series of publications in the Russian press claiming that North Korean hackers had begun hunting for the Russian Federation’s defense secrets. Kommersant wrote that the North Korean-backed hacking group Kimsuky attacks military and industrial organizations: as stated by Anastasia Tikhonova, head of the Group-IB Complex Threat Research Department, to collect confidential information from aerospace and defense companies, Kimsuky used the theme of the pandemic and sent fraudulent emails with job information.

According to the SecAtor Telegram channel, in April 2020, Kimsuky attacked Rostec, but RT-inform (a subsidiary of Rostec that deals with information security) neither confirmed nor denied this information, noting only an increase in the number of incidents and cyber-attacks on the information resources of the Corporation and its organizations in the period from April to September. Denis Kuvshinov, a leading specialist in the threat research group of the Positive Technologies Security Expert Center (PT Expert Security Center), states that the tactics and tools used by Kimsuky overlap with those of the Lazarus and Konni groups.

Another article in the same newspaper reports that Kaspersky Lab discovered that the well-known North Korean cybercrime group Lazarus has become active in Russia. It attacks through applications for cryptocurrency traders in order to steal credentials for wallets and exchanges, and also collects research and industrial data: most likely, it is particularly interested in the military space sphere, energy, and IT.

Unfortunately, in both materials, there is no explanation of how the attack was identified.

Russia also appears in the report of the Intel 471. In this version, “North Korea most likely paid Russian cyber-criminals to help break into banks and other corporate networks to steal money and data,” which “shows the trust that North Korean hackers have built with elite Russian-speaking cyber-criminals.”

On October 19, the US Department of Justice, together with the FBI, indicted six officers of the Main Intelligence Directorate of the Russian general staff for “subversive, destructive and destabilizing activities in cyberspace.” It turns out that the alleged GRU (Russia’s military intelligence service) hackers were behind the cyberattacks on the 2018 Winter Olympics in Pyeongchang, as a result of which dozens of Internet servers and hundreds of computers supporting the games were disabled. However, the US does not provide any evidence.

As for cyberattacks, the author would like to remind the reader who hackers learn from because this is another story from the series “the US monopoly to break the rules is broken.” In 2006, the United States government “crossed the Rubicon” when it conducted a secret offensive cyberattack and distributed malware to an Iranian nuclear facility. According to David Sanger, the chief Washington correspondent for The New York Times, this step “pushed the world into completely new territory.”

The article concludes with a curious digest of hacker attacks against state structures of the Republic of Korea, which surfaced during the autumn parliamentary inspection of the relevant institutions.

On October 3, 2020, officials from the ROK Ministry of Defense said that the number of attempts to hack South Korea’s defense information system has increased rapidly over the past five years. As of the end of August this year, a total of 8,700 attempts to hack the system had been detected. For the whole of 2019, this figure was 9,121, according to the data. Most of the IP addresses used for the attacks were traced to China (27.9%) and the United States (16.7%), but where these attacks actually originated is difficult to determine.

However, on October 10, 2020, data was released showing that the number of attempts to hack South Korea through China has increased tenfold over the past three years. According to the military’s data submitted to the National Assembly, hacking attempts routed through China and targeting South Korean military networks accounted for 10,655 cases in 2019, compared to 1,051 cases detected in 2017. In 2020, 7,113 attempts have been made so far, but the military noted that such hacking attempts do not necessarily mean that Chinese hackers were involved. Of course, it could be North Korea! Still, this does not mean that there are no North Korean or pro-North Korean hackers at all. For example, on June 25, 2013, the anniversary of the beginning of the Korean War, the presidential administration website was hacked, and a message appeared on it reading approximately: “Hooray for President Kim Jong-un.” A few weeks ago, according to Moon Jong-Hyun, a fraudulent organization of North Korean hackers was discovered in the Republic of Korea, masquerading as the Center for North Korean Human Rights of the South Korean Ministry of Unification. But rumors about their capabilities and scope are greatly exaggerated.

Konstantin Asmolov, Ph.D. in History and a leading research fellow at the Center for Korean Studies of the Institute of the Far East at the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook”.