Nation Flouts Sanctions via Cybercrime Efforts
North Korea’s cybercrime capabilities have given the country the ability to flout international sanctions by allowing the regime to steal millions in currency not only from banks but also from cryptocurrency exchanges, according to a report from the United Nations Security Council.
Between January 2017 and September 2018, the Democratic People’s Republic of Korea carried out at least five successful attacks against cryptocurrency exchanges in Asia, resulting in the theft of $571 million in currency, the report concludes.
The UN report also notes North Korea’s ability to attack banks across the world, including the Bangladesh Bank heist that targeted the bank’s SWIFT system account at the Federal Reserve Bank in New York and then transferred about $81 million to accounts in the Philippines, where the money was then laundered.
Other international banks targeted by North Korean cyberattacks include the Banco de Chile and Cosmos Bank in India, according to the report, which the UN released March 14. Between 2015 and 2018, the country targeted banks in Europe, Asia, the United States and South America, resulting in the theft of over $1 billion, the report adds.
“Cyberattacks by the Democratic People’s Republic of Korea to illegally force the transfer of funds have become an important tool in the evasion of sanctions and have grown in sophistication and scale since 2016,” according to the UN report.
The report, written by a panel of UN security experts, looks at how North Korea is evading international sanctions through a variety of means while keeping its nuclear and ballistic missile capabilities intact. One reason is that the country and its agents keep finding ways to fill the country’s coffers through numerous illegal activities, including cyberattacks.
As the report states: “The panel notes a trend in the Democratic People’s Republic of Korea’s evasion of financial sanctions of using cyberattacks to illegally force the transfer of funds from financial institutions and cryptocurrency exchanges. According to a member state, ‘cyberspace is used by the DPRK as an asymmetric means to carry out illicit and undercover operations in the field of cybercrime and sanctions evasion. These operations aim to acquire funds through a variety of measures in order to circumvent the sanctions.’”
North Korea’s APT Groups
At the heart of these schemes is a network of advanced persistent threat groups that work with or are directly sponsored by the North Korean regime and carry out various cyberattacks, according to the report. Some of these groups share ties, while others work independently, the report found.
For instance, the most well-known of these groups, Lazarus – which also goes by the name Hidden Cobra, among other aliases – is mostly focused on disruptive campaigns, which include the well-known Sony Pictures hack of 2014 as well as the WannaCry ransomware attacks of 2017.
In September 2018, U.S. prosecutors charged Park Jin Hyok of North Korea with being part of Lazarus and alleged that he was one of the main architects of WannaCry and other attacks, including those against Sony and Bangladesh Bank. While North Korea and the U.S. do not have a formal extradition treaty, which means that it’s unlikely that Hyok will ever face trial, the nearly 200-page indictment offers a window into how the APT group works, what tools it uses as part of attacks and some of the motivation behind these various schemes.
Other APT groups, such as APT 38 and Temp.Hermit, overlap with one another, with each using some of the same toolsets as part of their various cyberattack campaigns.
APT 38 and Temp.Hermit are involved with various financial schemes, but Temp.Hermit also launches espionage campaigns, according to the UN report. APT 38, which security analysts began studying in late 2018, has been involved in several high-profile banking attacks targeting the SWIFT systems of banks in Africa and Asia, according to a recent analysis by FireEye.
Connecting the Dots
There appears to be a direct line between North Korea’s attacks against banks and the country’s newfound interest in attacking cryptocurrency, which helps to further hide its activities, says Mukul Kumar, the CISO and vice president of cyber practice at Cavirin, a Santa Clara, California-based security company.
“North Korea’s attacks on cryptocurrency exchanges are a logical escalation from their earlier attacks on other financial institutions, since, as the report points out, the digital trail is more difficult to trace,” Kumar tells Information Security Media Group. “What is important to note is that the U.S. is not just sitting back and hoping sanctions have an impact. Under the administration’s new guidelines, the U.S. can take additional offensive actions to counter future attacks. I see this change in strategy as critical to ensuring our national cyber posture.”
As part of the UN report released last week, the panel noted that it’s recommending several guidelines to help stop North Korea from evading sanctions. To help stop cyberattacks, it recommends, among other steps:
- UN member states need to be aware of North Korea’s ability to use cyberattacks to circumvent sanctions by illegally generating revenue.
- Member states need to share information about North Korea’s capabilities not only among themselves, but with banks and other financial institutions.
- The UN Security Council, when drafting financial sanctions measures, needs to take into account North Korea’s ability to wage cyberattacks to circumvent sanctions.