The nation’s fingerprints have appeared recently in surprisingly sophisticated attacks; ‘The whole world needs to take notice’

Under leader Kim Jong Un, pictured with his wife, North Korea has developed a sophisticated hacking operation. STR/AFP/GETTY IMAGES

SEOUL—North Korea’s cyber army, long considered a midlevel security threat, is quietly morphing into one of the world’s most sophisticated and dangerous hacking machines.

Over the past 18 months, the nation’s fingerprints have appeared in an increasing number of cyberattacks, the skill level of its hackers has rapidly improved and their targets have become more worrisome, a Wall Street Journal examination of the program reveals. As recently as March, suspected North Korean hackers appear to have infiltrated Turkish banks and invaded computer systems in the run-up to the Winter Olympics, cybersecurity researchers say.

For years, cybersecurity experts viewed North Korea as a second-rate hacking force whose attacks were disruptive but reasonably easy to decode. Researchers rated its operational skills well behind countries such as Russia, Israel and the U.S.

Those days appear to be over, with Pyongyang flashing levels of originality in its coding and techniques that have surprised researchers. It also has shown a willingness to go after targets such as central banks and point-of-sale systems. As North Korea prepares for possible negotiations with Washington aimed at freezing its nuclear program, its hacking capabilities could help it generate money to compensate for economic sanctions or to threaten foreign financial institutions.

A North Korean student works in a university computer lab in Pyongyang. Promising students are sent to special schools to learn hacking. PHOTO: DAVID GUTTENFELDER/ASSOCIATED PRESS

North Korea is cultivating elite hackers much like other countries train Olympic athletes, according to defectors and South Korean cyber and intelligence experts. Promising students are identified as young as 11 years old and funneled into special schools, where they are taught hacking and how to develop computer viruses.

“Once you have been selected to get into the cyber unit, you receive a title that makes you a special citizen, and you don’t have to worry about food and the basic necessities,” says a defector familiar with North Korea’s cyber training.

Global Threat

[Chart] Frequency of hacks by the 5 most active operations, 2016 to 2018, measured by how often they are mentioned in cybersecurity reports each quarter: Lazarus Group (N. Korea), Sofacy (Russia), OilRig (Iran), Carbanak (multiple nations), Turla Group (Russia).

Number of hacks from 4Q 2015 to 1Q 2018:

  • Sofacy: 39
  • Lazarus Group: 36
  • Carbanak: 19
  • Turla Group: 18
  • OilRig: 17

Note: Hacking groups’ country affiliations are based on cybersecurity firms’ presumed ties or location.

Source: AlienVault

To assess North Korea’s cyber program, the Journal interviewed dozens of North Korean defectors, foreign cybersecurity researchers, South Korean government advisers and military experts. The researchers emphasize that catching hackers is difficult, and that they can’t be 100% certain that every attack attributed to North Korea was orchestrated by its cyberwarriors.

These experts point to numerous signs that the hackers have become better. North Koreans are acting on security glitches in widely used software only days after the vulnerabilities first appear, and crafting malicious code so advanced it isn’t detected by antivirus programs, they say. When software or security firms plug holes, the hackers are adapting within days or weeks, fine-tuning their malware much as Apple Inc. would release an update to the iPhone’s operating system.

Many North Korean hackers are using perfect English or embedding other languages into their code to make it appear hacks came from other countries, the researchers have concluded. And they are earning a reputation as innovators at breaking into smartphones, hiding malware in Bible apps or using Facebook Inc. to help infect targets.

“The whole world needs to take notice,” says John Hultquist, director of intelligence analysis at U.S. cybersecurity firm FireEye Inc., who now ranks North Korea among the world’s mature hacking operations.

North Korea has denied involvement in hacking attacks, including last year’s WannaCry ransomware, which locked digital files and demanded bitcoin payment for their release, or the 2016 cybertheft of $81 million from Bangladesh’s central bank. Calls for comment to the North Korean consulate in Hong Kong weren’t answered.

Researchers say telltale signs are buried deep inside the malware and coding: Korean words only used in the North, the use of data servers commonly associated with Pyongyang hacks and files created by usernames linked with the country’s hackers.

The U.S. and other governments have publicly blamed North Korea for an array of infiltrations in recent months, including WannaCry, citing patterns in coding and techniques they say lead to Pyongyang. South Korean officials estimate their country is now targeted by 1.5 million North Korean hacking attempts daily, or 17 every second.

Growing Threat

Attacks that cyber experts suspect were orchestrated by North Korea are becoming more frequent.

  • December 2014: Emails are stolen in attack on Sony Pictures Entertainment.
  • February 2016: $81 million is stolen from Bangladesh central bank.
  • May 2017: WannaCry ransomware attack infects more than 300,000 computers in 150 countries.
  • November 2017: Adobe Flash “zero-day” malware is embedded in Microsoft Office files in South Korea.
  • December 2017: South Korea cryptocurrency exchange Youbit is hacked, causing company to declare bankruptcy.
  • December 2017: Attacks on South Korean groups affiliated with the Winter Olympics.
  • January 2018: Tokyo-based Coincheck cryptocurrency exchange says about $530 million was stolen.
  • March 2018: Adobe Flash “zero-day” attack on Turkish financial institutions and government groups.

Late last year, North Korean hackers were the first to unearth a vulnerability in the popular Adobe Flash multimedia player that allowed an unchallenged attack to go undetected for months, according to cybersecurity researchers. After Adobe released a security patch in February, the suspected Pyongyang cyberwarriors modified the malware to target European financial institutions, giving them the ability to steal sensitive information about their networks, according to cybersecurity firm McAfee LLC.

North Korea’s cyber advances parallel its breakthroughs in missile technology since Kim Jong Un assumed power in 2011.

Many suspected North Korean attacks occur without a clear objective. Some researchers have described it as akin to an organized-crime ring seeking any weaknesses to learn about enemies or generate cash. Researchers generally agree the program is becoming more focused on obtaining military intelligence or earning income as sanctions tighten and negotiations with the U.S. approach.

“Hacking abilities give them a much stronger hand at the negotiating table,” says Ross Rustici, a director at cybersecurity firm Cybereason Inc. and a former Defense Department analyst.

In October, South Korean lawmakers said North Koreans had stolen 235 gigabytes of data and military secrets, including a joint U.S.-South Korean plan to eliminate Pyongyang leadership in the event of war. North Korean hackers are believed to have stolen hundreds of millions of dollars, ranging from stealing credit-card information from ATMs to a $530 million raid of a Japanese cryptocurrency exchange in January.

Cryptocurrencies appear to be a particular interest. Last year, suspected North Korean hackers began creating fictitious Facebook profiles, posing as attractive young women interested in bitcoin or working in the industry, according to people familiar with a South Korean investigation into the matter. They sought friendships with men at cryptocurrency exchanges and banks.

The Facebook accounts listed links with an “NYU Research Center” and other institutions to make them appear believable. Then the hackers lured men into opening app downloads or Word documents, disguised as greeting cards or invites, that flooded their systems with malware, say the people familiar with the investigation.

It isn’t clear what the scheme netted. Facebook shut down fake accounts used by hackers linked to North Korea that “pretended to be other people in order to do things like learning about others and building relationships with potential targets,” the company said in December.

North Korea also has been using a targeted “watering hole” attack, in which a person’s computer becomes infected by accessing a certain website, according to cybersecurity researchers. Research firms say Pyongyang used watering holes to target banks in Mexico, Poland and Asia in 2016, leading to security improvements by those institutions and antivirus software firms.

North Korea re-emerged last June with a watering hole variant that uses different encryption and commands, according to cybersecurity firm Proofpoint Inc., which named the malware PowerRatankba.

Courtesy: Wall Street Journal
