SEOUL—North Korea’s cyber army, long considered a midlevel security threat, is quietly morphing into one of the world’s most sophisticated and dangerous hacking machines.
Over the past 18 months, the nation’s fingerprints have appeared in an increasing number of cyberattacks, the skill level of its hackers has rapidly improved and their targets have become more worrisome, a Wall Street Journal examination of the program reveals. As recently as March, suspected North Korean hackers appear to have infiltrated Turkish banks and invaded computer systems in the run-up to the Winter Olympics, cybersecurity researchers say.
For years, cybersecurity experts viewed North Korea as a second-rate hacking force whose attacks were disruptive but reasonably easy to decode. Researchers rated its operational skills well behind countries such as Russia, Israel and the U.S.
Those days appear to be over, with Pyongyang flashing levels of originality in its coding and techniques that have surprised researchers. It also has shown a willingness to go after targets such as central banks and point-of-sale systems. As North Korea prepares for possible negotiations with Washington aimed at freezing its nuclear program, its hacking capabilities could help it generate money to compensate for economic sanctions or to threaten foreign financial institutions.
North Korea is cultivating elite hackers much like other countries train Olympic athletes, according to defectors and South Korean cyber and intelligence experts. Promising students are identified as young as 11 years old and funneled into special schools, where they are taught hacking and how to develop computer viruses.
“Once you have been selected to get into the cyber unit, you receive a title that makes you a special citizen, and you don’t have to worry about food and the basic necessities,” says a defector familiar with North Korea’s cyber training.
[Chart: Frequency of hacks by the 5 most active operations, measured by how often they are mentioned in cybersecurity reports each quarter; number of hacks from 4Q 2015 to 1Q 2018. Note: Hacking groups’ country affiliations are based on cybersecurity firms’ presumed ties or location.]
To assess North Korea’s cyber program, the Journal interviewed dozens of North Korean defectors, foreign cybersecurity researchers, South Korean government advisers and military experts. The researchers emphasize that catching hackers is difficult, and that they can’t be 100% certain that every attack attributed to North Korea was orchestrated by its cyberwarriors.
These experts point to numerous signs that the hackers have become better. North Koreans are acting on security glitches in widely used software only days after the vulnerabilities first appear, and crafting malicious code so advanced it isn’t detected by antivirus programs, they say. When software or security firms plug holes, the hackers are adapting within days or weeks, fine-tuning their malware much as Apple Inc. would release an update to the iPhone’s operating system.
Many North Korean hackers are using perfect English or embedding other languages into their code to make it appear hacks came from other countries, the researchers have concluded. And they are earning a reputation as innovators at breaking into smartphones, hiding malware in Bible apps or using Facebook Inc. to help infect targets.
“The whole world needs to take notice,” says John Hultquist, director of intelligence analysis at U.S. cybersecurity firm FireEye Inc., who now ranks North Korea among the world’s mature hacking operations.
North Korea has denied involvement in hacking attacks, including last year’s WannaCry ransomware, which locked digital files and demanded bitcoin payment for their release, or the 2016 cybertheft of $81 million from Bangladesh’s central bank. Calls for comment to the North Korean consulate in Hong Kong weren’t answered.
Researchers say telltale signs are buried deep inside the malware and coding: Korean words only used in the North, the use of data servers commonly associated with Pyongyang hacks and files created by usernames linked with the country’s hackers.
The U.S. and other governments have publicly blamed North Korea for an array of infiltrations in recent months, including WannaCry, citing patterns in coding and techniques they say lead to Pyongyang. South Korean officials estimate their country is now targeted by 1.5 million North Korean hacking attempts daily, or 17 every second.
Attacks that cyber experts suspect were orchestrated by North Korea are becoming more frequent.
December 2014: Emails are stolen in attack on Sony Pictures Entertainment.
February 2016: $81 million is stolen from Bangladesh central bank.
May 2017: WannaCry ransomware attack infects more than 300,000 computers in 150 countries.
November 2017: Adobe Flash “zero-day” malware is embedded in Microsoft Office files in South Korea.
December 2017: South Korea cryptocurrency exchange Youbit is hacked, causing company to declare bankruptcy.
December 2017: Attacks on South Korean groups affiliated with the Winter Olympics.
January 2018: Tokyo-based Coincheck cryptocurrency exchange says about $530 million was stolen.
March 2018: Adobe Flash “zero-day” attack on Turkish financial institutions and government groups.
Late last year, North Korean hackers were the first to unearth a vulnerability in the popular Adobe Flash multimedia player that allowed an unchallenged attack to go undetected for months, according to cybersecurity researchers. After Adobe released a security patch in February, the suspected Pyongyang cyberwarriors modified the malware to target European financial institutions, giving them the ability to steal sensitive information about those institutions’ networks, according to cybersecurity firm McAfee LLC.
North Korea’s cyber advances parallel its breakthroughs in missile technology since Kim Jong Un assumed power in 2011.
Many suspected North Korean attacks occur without a clear objective. Some researchers have described the program as akin to an organized-crime ring seeking any weakness to learn about enemies or generate cash. Researchers generally agree the program is becoming more focused on obtaining military intelligence or earning income as sanctions tighten and negotiations with the U.S. approach.
“Hacking abilities give them a much stronger hand at the negotiating table,” says Ross Rustici, a director at cybersecurity firm Cybereason Inc. and a former Defense Department analyst.
In October, South Korean lawmakers said North Koreans had stolen 235 gigabytes of data and military secrets, including a joint U.S.-South Korean plan to eliminate Pyongyang leadership in the event of war. North Korean hackers are believed to have stolen hundreds of millions of dollars, ranging from stealing credit-card information from ATMs to a $530 million raid of a Japanese cryptocurrency exchange in January.
Cryptocurrencies appear to be a particular interest. Last year, suspected North Korean hackers began creating fictitious Facebook profiles, posing as attractive young women interested in bitcoin or working in the industry, according to people familiar with a South Korean investigation into the matter. They sought friendships with men at cryptocurrency exchanges and banks.
The Facebook accounts listed links with an “NYU Research Center” and other institutions to make them appear believable. Then the hackers lured men into opening app downloads or word documents, disguised as greeting cards or invites, that flooded their systems with malware, say the people familiar with the investigation.
It isn’t clear what the scheme netted. Facebook shut down fake accounts used by hackers linked to North Korea that “pretended to be other people in order to do things like learning about others and building relationships with potential targets,” the company said in December.
North Korea also has been using a targeted “watering hole” attack, in which a person’s computer becomes infected by visiting a certain website, according to cybersecurity researchers. Research firms say Pyongyang used watering holes to target banks in Mexico, Poland and Asia in 2016, leading to security improvements by those institutions and antivirus software firms.
North Korea re-emerged last June with a watering hole variant that uses different encryptions and commands, according to cybersecurity firm Proofpoint Inc., which named the malware PowerRatankba.
Courtesy: Wall Street Journal