These days, when Cold War superpowers are squaring up over Ukraine, and revelations of shoot-to-kill policies in detention camps serve as a visceral reminder that China’s authoritarianism grows grimmer, it can be hard to get too worked up about little old North Korea. Even brandishing nuclear weapons, its rotund, baby-faced, spiky-haired leader, Kim Jong-un, can seem something of a joke – “Little Rocket Man”, as Donald Trump dubbed him in 2017.
ut the North Korean regime does not take mockery well. And while its principal victims will always be its own 26 million-strong population who have, for decades, endured famine and poverty, it has in recent years developed a way of lashing out at the West that is not delivered by an ICBM: hacking.
“It’s a top-tier threat,” says Geoff White, author of a new book, The Lazarus Heist, which details the rise and rise of North Korean cyber warfare units from petty criminals to sowers of international mayhem. When it comes to cyber warfare, he says: “North Korea is a terrifying combination of very skilled people and a [regime] agenda to put and keep itself on the world map. .” Or, as Rafe Pilling, who has studied North Korea for many years as principal researcher for the cyber security firm, Secureworks, puts it, “This is a country that has no red lines.”
Perhaps inevitably, it was North Korea’s neighbour and rival, South Korea, that first felt the chill digital wind blowing from Pyongyang, back in 2013. Then it was major broadcasters and banks that were hit. As White notes, there had been “many physical incidents which had inflamed tensions between the two states. But now a new front was opening up in the conflict. North Korea’s military had discovered the Internet, and things would never be quite the same again”.
The next year, it was America – or more precisely, Hollywood – which was the victim, when Sony was humiliated by the release of a vast trove of hacked emails. In some, Sony’s co-chairman Amy Pascal described Angelina Jolie as a “minimally talented spoiled brat” and suggested that then-president Barack Obama might like the movie 12 Years a Slave. The hack was so devastating that, six weeks later, a cafe on the studio lot could still not accept card payments. And why Sony? Because it planned to release The Interview – a spoof film in which journalists who land a scoop invitation to meet Kim Jong-un are then recruited by the CIA to kill him. Sony might have considered it a joke. North Korea most certainly did not.
The more the “hermit kingdom” flexed its cyber muscles, the more it found it could get away with. Soon hackers were planning what White calls “a legendary heist, as though its hackers had watched Ocean’s Eleven”. The target: Bangladesh’s central bank. The loot: almost a billion dollars. The sheer audacity of the plot is dazzling. Planned for a year and launched over a holiday weekend, computer robbers accessed the SWIFT banking system through Bangladesh Bank and drained its account at the Federal Reserve Bank of New York. As always in such heists, it is the details that entrance. The hackers had established that any Fed queries to such large payments would be spat out of a single printer at Bangladesh Bank’s HQ in Dhaka, so they disabled it. When the printer was fixed, it did indeed churn out endless pages of queries from the Fed. But by then it was too late, the money was on its way. Indeed, only the chance use of a bank on Jupiter Street in Manila, in the Philippines, prevented Bangladesh losing the full billion, for Jupiter was also the name of a sanctioned Iranian ship, and that word alone raised red flags on the international bank transfer system.
In the last five years, the dictatorship has surfed the swelling popularity of cryptocurrencies, attracted not just to the riches stored in digital “wallets” around the world, but to the ease with which they can be anonymously and tracelessly spirited away. Crypto, in other words, is easy to launder.
Myriad crypto owners, dealers and traders have fallen victim to scams presumed to have emanated from North Korea. The aim is devastatingly simple: to make money. “On the whole, it’s not done for ideological reasons, but to raise currency,” says Alan Woodward, who has worked in the field for the UK Government, advises Europol, and is now a professor at the University of Surrey’s Centre for Cyber Security. “They haven’t got two beans to rub together and this is a good way of getting hard currency.”
In this way, hacking is just a new version of an old trick. North Korea’s spooks have long sought ways of circumventing its financial isolation. Under Kim Jong-un’s predecessor, Kim Jong-il, it simply printed its own counterfeit dollars. In The Lazarus Heist, White quotes one US state department official as saying: “We found billions of dollars in illicit funds being produced. It was like a separate economy. And what made it particularly interesting to me was that it came right under Kim Jong-il. He was the mob boss. He was the Tony Soprano. He was the Pablo Escobar. But he also was the head of state.”
Back then, the scams were intended to stave off bankruptcy. Today, there is a grimmer destination for the funds – North Korea’s nuclear programme. The value of the cryptocurrency hacks attributed to North Korea alone adds up to $1.3 billion (pounds 1 billion). As White puts it, “Those nukes don’t come cheap.”
Experts say there are two particular issues of concern. The first is that, for all Hollywood’s mockery, and much as we like to imagine North Korea as backward, its hackers are in fact extremely skilled. The country may be, as Woodward says, “only connected to the rest of the internet by a bit of wet string”, but its hackers are, in true authoritarian style, identified early for their mathematical talent, then trained up and wholly integrated into the military. Doing so is one of the only ways, in North Korea’s near feudal system, for the low-born to rise up the social ladder. “They have really smart people,” says Pilling. “There’s strict filtering from a young age, a whole process.”
The second problem is that North Korea and its leader represent a prickly, unpredictable foe, at once highly capable and yet so removed from the normal web of global relationships that they are not particularly worried about the repercussions of their actions.
“North Korea is not connected like other countries,” says Pilling. “This is already a heavily sanctioned country. The normal diplomatic and economic threats have already been exhausted.”
But, while painstaking investigations of hacks may not lead to prosecutions of hackers safely ensconced in North Korea, unveiling methods, codes, tips and tricks deployed by the Lazarus Group sheds light on dark secrets. Like blowing a spy’s cover, says Don Smith, at Secureworks Counter Threat Unit, “you impose costs on the bad guy, force them to retool; you burn their code, and they have to republish.”
For while the hackers’ malicious computer code itself may be concocted by whizzkids, the way it is delivered is often more akin to old-fashioned espionage, updated for a digital age. A human target must be convinced to open an email attachment containing the code. To do so, North Korean agents create detailed social media accounts and email addresses – convincing personas to dupe their victims. Once these personas are blown, revealed in investigations whose findings are shared around the world, they can never be used again.
The same goes for well equipped front companies, based abroad. Last year, Google published a blog detailing how North Korea’s hackers had been attempting to infiltrate the West’s own cyber security community, having created multiple Twitter profiles and a research blog “to build credibility and connect with security researchers”. Sharing the information sinks such efforts, which must be restarted from scratch. So while more moles are certain to pop up, at least a few are whacked. The big danger is that North Korea decides to deploy its cyber warriors to wage war rather than just steal stuff. The nature of the regime means it’s not easy to predict what might tip it over the edge.
But while systems and software can be perfectly ring-fenced, this is, for all its computer elements, essentially a human problem. It only takes one employee in one department to open one dodgy email.
What is certain is that North Korea’s hackers are sure to keep sniffing out new targets, innovating. “They never stop surprising me though I’ve spent a decade studying them,” says Pilling. “You might have guessed that they would hit South Korea, but would you guess that they would target Hollywood a year later, or try to steal a billion dollars from a central bank a year after that, or take down the NHS. What’s next? There’s just no constraint on their thinking.”
Telegraph Media Group Limited