
We examine how an isolated and poor country manages to profit at the expense of others.
Over the last decade, North Korean hackers have increasingly exploited Western companies and organizations. From the Sony hack in 2014 to deploying WannaCry ransomware and infiltrating US firms with fake IT employees, the country’s cybercriminals have been busy profiting from cybersecurity weaknesses.
The latest $1.5 billion crypto hack of the second-biggest cryptocurrency exchange, Bybit, was another warning of their increasing capabilities.
Considering the fact that North Korea has an isolated economy and is far behind the rest of the world in many aspects, including technological capabilities, such attacks on technologically advanced Western organizations may seem counterintuitive.
However, even a poor and isolated country can inflict significant damage by having just one goal in mind, experts say.
Special treatment for hackers
While North Korean hackers became known for their malicious activities in the last decade, the country’s capabilities in developing electronic warfare methods date back to the mid-1980s.
It founded Automation University (formerly Mirim University) in the mountainous region of Hyungsan, where more than 100 hackers graduate from the program every year.
“Graduates of the university are skilled in writing computer viruses, penetrating network defenses and programming weapon guidance systems, and other areas. Such programs are also known to exist in several branches of the Korean People’s Army,” says Nir Kshetri, a professor at the University of North Carolina who has written several books and articles about North Korea.
Separately, students with high proficiency in math and science are enrolled in a six-year program at Pyongyang’s elite Keumseong High-Middle Schools and later attend top-level universities.
Part of the cyber training takes place in China and Russia, Kshetri says, where hackers are sent to solidify and polish their knowledge of hacking and other skills.
When these “students” come back, they are placed in various cyber warfare units, where they receive special housing and food subsidies and other benefits, including the opportunity to live in Pyongyang, which is considered a special privilege.
“A main reason why the hackers get such special treatment is that they are allowed access to the internet and thus have knowledge of the outside world’s relative prosperity,” Kshetri explains.
Lazarus Group: the biggest hacks
Structured training and access to resources may be key factors contributing to the emergence of hacking groups, including Lazarus Group.
Lazarus, which has been active since at least 2009, is associated with the North Korean government's Reconnaissance General Bureau, and its operations contribute to the country’s development of nuclear weapons.
According to a report by cybersecurity company NCC Group, Lazarus consists of different teams of varying quality, with top teams exhibiting highly skilled operational capabilities.
The hackers' first major assault was “Operation Troy,” which ran from 2009 to 2012 and targeted the South Korean government with distributed denial-of-service (DDoS) attacks.
In 2014, Lazarus used spearphishing, a common tool in hackers’ operations, against Sony Pictures. After obtaining credentials, the hackers leaked unreleased films, scripts, and a trove of sensitive personal and corporate data.
One reason the attack succeeded was Sony’s outdated information security practices and employees’ poor digital hygiene.
In the subsequent years, the Lazarus attacks became more sophisticated.
In 2016, the group managed to hack Bangladesh's central bank, attempting to steal $1 billion after planting malware, in the form of a keystroke logger, in the bank's systems. The bank was able to retrieve the majority of the funds, though Lazarus still managed to steal $81 million.
The group is also responsible for the WannaCry ransomware, affecting hundreds of thousands of computers in over 150 countries.
Turning to crypto
In recent years, Lazarus has shifted its focus to cryptocurrency, which offers an ideal method for stealing funds and transferring them anonymously via decentralized networks.
Since 2017, North Korean hackers are estimated to have stolen over $6 billion in crypto assets, with around half of that amount attributed to Lazarus.
Prior to the Bybit hack, the group was also responsible for what was, at the time, the biggest crypto heist in history. Lazarus stole $600 million after hacking Ronin Network, which powers the popular crypto-based game Axie Infinity.
The hackers started the attack with a phishing campaign targeting Sky Mavis, an Axie Infinity developer, with a fake LinkedIn job offer.
After a few rounds of fake interviews, one employee reportedly clicked on a job offer via a PDF file, allowing hackers access to the majority of validator nodes required to move funds.
The recent Bybit hack also started with social engineering. The attackers targeted Safe{Wallet}, a widely used multi-signature wallet solution that, in Bybit’s case, required at least three signers, including the exchange’s CEO, Ben Zhou.
“When Bybit’s authorized signers reviewed what appeared to be a routine internal transfer, they were actually approving a request that handed over control of the cold wallet smart contract to the attackers. The attack was carried out by injecting malicious JavaScript code into Safe{Wallet} UI through a compromised developer machine,” a report by NCC Group claims.
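The report's description of the Bybit approval points at the defender-side control: a signer should verify the raw transaction fields on an independent device (a hardware wallet screen, a separate signing host) rather than trust what a possibly compromised web UI renders as a "routine transfer". The JavaScript below is an added example, not code from the article, from NCC Group or from Safe. It assumes the field names of Safe's public execTransaction parameters (to, value, data, operation, where operation 0 is a plain call and 1 is a delegatecall); the recipient allowlist, the addresses and the two sample transactions are constructed for illustration.

```javascript
// Added example (not from the article or from Safe): an out-of-band policy check
// that a multisig signer runs over the raw transaction fields before approving,
// independently of whatever the web UI displays.
// Field names follow Safe's public execTransaction parameters (assumption);
// the allowlist and sample transactions below are constructed.

const OPERATION_CALL = 0;         // ordinary call: code at `to` runs in its own context
const OPERATION_DELEGATECALL = 1; // target code runs inside the Safe's own storage context

// Constructed allowlist of destinations this cold wallet may send funds to.
// Entries are kept lowercase so comparisons are case-insensitive.
const ALLOWED_RECIPIENTS = new Set([
  "0x1111111111111111111111111111111111111111", // hypothetical hot wallet
]);

// Returns { ok, findings } describing why the transaction is or is not a plain
// transfer to an approved destination. Every finding is a reason to refuse to sign.
function checkSafeTransaction(tx, allowedRecipients = ALLOWED_RECIPIENTS) {
  const findings = [];
  const to = String(tx.to || "").toLowerCase();
  const data = String(tx.data || "0x").toLowerCase();

  if (tx.operation === OPERATION_DELEGATECALL) {
    findings.push(
      "operation is delegatecall: the target's code would run with the Safe's own storage; a transfer never needs this"
    );
  } else if (tx.operation !== OPERATION_CALL) {
    findings.push(`unknown operation ${tx.operation}`);
  }
  if (!allowedRecipients.has(to)) {
    findings.push(`recipient ${to} is not on the allowlist`);
  }
  if (data !== "0x" && data !== "") {
    findings.push(
      "calldata is non-empty: a native transfer carries no data, so this approves a contract call, not a transfer"
    );
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: what a routine transfer looks like at the field level.
const routineTransfer = {
  to: "0x1111111111111111111111111111111111111111",
  value: "1000000000000000000", // 1 ETH in wei
  data: "0x",
  operation: OPERATION_CALL,
};

// Constructed sample: a transaction a tampered UI might label a transfer while its
// fields actually hand execution to unknown code via delegatecall.
const suspiciousTransaction = {
  to: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", // constructed, not an allowlisted address
  value: "0",
  data: "0x1234abcd", // constructed calldata, no real function selector intended
  operation: OPERATION_DELEGATECALL,
};

// Stand-alone run: print the verdict for both samples.
for (const [label, tx] of [["routine", routineTransfer], ["suspicious", suspiciousTransaction]]) {
  const result = checkSafeTransaction(tx);
  console.log(label, result.ok ? "OK to sign" : "REFUSE: " + result.findings.join("; "));
}
```

The check is deliberately dumb: it does not try to decode calldata or reason about what the target contract does, because the signer's goal is to refuse anything that is not exactly the transfer they were told about. Anything beyond that (a contract call, a delegatecall, an unfamiliar recipient) goes back to a second channel for confirmation before any signature is produced.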

LinkedIn is popular among cybercriminals
While Lazarus is by far the most well-known North Korean hacking collective, there are dozens of cybercriminal groups from the country, operating with the knowledge and backing of the government.
A recently active group is Kimsuky, which is believed to be tasked with cyber-espionage and information-gathering missions.
Other notable threat actors include Andariel, Lab 110, TEMP.Hermit, and Bureau 121, which consists of thousands of hackers and is the main unit of the Reconnaissance General Bureau.
Various North Korean hacking groups also infiltrate US companies, posing as fake workers. If employed, they conduct spying, extort funds, and send their salaries back to North Korea, where the money is used to feed the regime and develop nuclear weapons.
A report by Google Threat Intelligence Group (GTIG) highlights that North Korean hackers have expanded the scope and scale of their operations and are now targeting Europe.
The country’s cybercriminals also increasingly target IT professionals via LinkedIn and similar job-hunting platforms, asking them to perform a task using necessary files hosted on platforms like GitHub.
The linked GitHub repository typically contains malware that infects devices with BeaverTail and InvisibleFerret, with the primary objective of stealing cryptocurrency for financial gain and conducting cyber espionage, ESET researchers reported.
Why are the hackers so successful?
Several factors determine the success of North Korean hackers. Ensar Seker, CISO at cybersecurity company SOCRadar, says that the country's heavy investments in cyber warfare gave it an “asymmetric advantage.”
“North Korea doesn’t need the latest technology or resources to be effective. Its attacks are based on social engineering, supply chain compromise, and exploiting human and procedural weaknesses – methods that require skill and persistence rather than expensive tools,” he highlights.
In addition, its cyber operations generate significant revenue, which allows it to create a self-sustaining cycle.
Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ, adds that the country is able to carry out sophisticated cyberattacks due to a lack of accountability and minimal legal repercussions.
A report by NCC Group highlights that North Korean hackers operate more recklessly than other state-sponsored threat actors, such as China and Russia.
Russia, for example, shut down its infamous REvil hacking group at the request of the US after the group performed devastating attacks on Western companies, including the Colonial Pipeline attack. In contrast, North Koreans have no pressure from Western governments.
“The country is not or hardly sensitive to external political pressure to comply with internationally accepted rules, which gives it more freedom,” the report reads.