2024
North Korea's "hacker army" structure revealed
In mid-September 2024, researchers at Palo Alto Networks published an analysis of the structure of the Lazarus Group, a notorious hacking group widely attributed to North Korean intelligence.
UN: $147 million stolen from HTX crypto exchange
North Korea laundered $147.5 million through Tornado Cash in March 2024 after stealing it from the cryptocurrency exchange HTX in 2023, UN experts say.
Observers reported to the UN Security Council sanctions committee that they had investigated 97 suspected North Korean cyberattacks on cryptocurrency companies between 2017 and 2024, worth about $3.6 billion in total.
2023
Thousands of North Korean programmers secretly work for US companies
On October 18, 2023, the US Department of Justice announced that it had uncovered a fraudulent scheme run by the authorities of the Democratic People's Republic of Korea (DPRK) to evade sanctions and fund its weapons programs. Under this scheme, thousands of North Korean programmers secretly work for American companies.
According to the Department of Justice, the DPRK government has sent a large number of skilled IT specialists to live abroad, primarily in China and Russia. Their goal is to fraudulently obtain employment with companies in the United States and other organizations around the world. To do so, the North Korean programmers pose as specialists from other countries.
The scheme relies on pseudonymous email and social-media accounts, digital payment platforms, accounts on recruiting sites, fake websites, and proxy servers located in the United States and other countries. Such fake employees reportedly bring in millions of dollars a year, and the money goes to the DPRK government to develop its military industry.
The DPRK has flooded the global market with IT workers who serve as fronts, financing its ballistic missile program in this way. The FBI recommends that employers take additional precautions when hiring remote IT workers, to make it harder for attackers to conceal their identities, the FBI said in a statement.
US law enforcement seized 17 website domains used by IT workers from the DPRK. In addition, about $1.5 million in funds earned by the fake North Korean programmers was seized.[1]
Reuters: IT systems of Russian missile developer NPO Mashinostroyeniya breached by North Korean hackers
On August 7, 2023, it became known that hackers from North Korea had breached the IT systems of the Russian company NPO Mashinostroyeniya. The enterprise develops, produces and modernizes strategic and tactical air-launched precision weapons of the air-to-surface and air-to-air classes, unified naval weapon systems, rocket and space technology, and electronic equipment.
2022
UN: Hackers from North Korea stole record volume of cryptocurrencies - more than $1 billion
In 2022, North Korean attackers stole a record amount of cryptocurrency assets. This is stated in the report of the United Nations, which was released on February 6, 2023.
It is estimated that cybercriminals linked to North Korea stole cryptocurrency worth approximately $630 million in 2022, more than in any previous year. According to some reports, the volume of virtual assets stolen by North Korean hackers may be significantly higher, exceeding $1 billion.
North Korea has used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber financing and to steal potentially valuable information, including for its weapons programs, according to a report seen by Reuters.
Among the most active cybercriminal groups linked to North Korea are Kimsuky, Lazarus Group and Andariel. In 2022, the attackers targeted the networks of foreign aerospace and defense companies. Ransomware demanding payment in cryptocurrency was also used extensively. For example, the document says that a group associated with North Korea, known as H0lyGh0st, "extorted money from small and medium-sized companies in several countries by distributing ransomware in a large-scale, financially motivated attack." In 2019, UN observers reported that North Korea had raised about $2 billion over several years for its weapons-of-mass-destruction programs through increasingly sophisticated cyberattacks.
"Recent turmoil in the digital currency market shows that holding cryptocurrency carries risks for individuals, but if central banks take measures aimed at protecting financial stability, the problem will become a public one," the UN website says.[2]
All of North Korea left without internet after cyber attack
In early February 2022, Wired reported on an American hacker using the handle P4X who, according to the magazine, single-handedly managed to knock North Korea off the Internet for hours at a time. The publication says the hacker provided journalists with convincing evidence that his actions were effective.
According to the hacker, at the end of 2021 he himself became a target of North Korean hackers. P4X turned to the Federal Bureau of Investigation (FBI) for help, but the bureau's response did not satisfy him. After that, P4X decided to punish the attackers on his own and took matters into his own hands, organizing a series of attacks on North Korean state servers.
The hacker set up a website for the FUNK Project (Fuck U North Korea Project), which is available only on the dark web. Through this project he hopes to find like-minded people in order to continue attacking North Korea's Internet.
P4X notes that he largely automated his attacks on North Korean systems, periodically running scripts that enumerate which systems remain online and then launch exploits to take them down. P4X claims to have found many known but unpatched vulnerabilities in North Korean systems that allowed him to single-handedly carry out attacks such as DDoS against servers and against the routers on which the country's few networks depend for their connection to the Internet.
P4X generally declines to publicly disclose these vulnerabilities, since doing so would help the North Korean government defend against his attacks. As one example, however, he named a known bug in the Nginx web server that mishandles certain HTTP headers, allowing an attacker to overload and disable servers running that software. P4X also hinted that he had found outdated versions of the Apache web server.[3]
2021
North Korean hackers are much more reckless than their "colleagues" from other countries
The DPRK, crushed by sanctions and cut off from the rest of the world, relies heavily on cyberattacks to sustain its economy, experts say. Over the past few years, North Korea has turned from an annoying neighbor of South Korea specializing in DDoS attacks and ransomware into a real scourge of banks and cryptocurrency exchanges. According to experts interviewed by The Daily Swig in spring 2021, North Korean hackers have honed their tactics and skills so much that the DPRK has become one of the most serious adversaries in cyberspace.[4]
One of the most dangerous APT groups in the world is the North Korean Lazarus, which, among other things, attacked Sony Pictures in 2014 and stole $81 million from the Central Bank of Bangladesh in 2016. The group is considered one of the most highly qualified in the world due to the exploitation of zero-day vulnerabilities, the development of its own proprietary malware and the use of destructive malware and ransomware to remove or hide evidence of malicious activity in compromised networks.
North Korean hackers are constantly improving their methods, especially mechanisms to bypass detection and maintain persistence.
"The widespread use of packers, the use of steganography to embed malware in images, wiping traces from the device at runtime, constantly changing encryption keys and algorithms (even within an hour of detection), and fileless attacks are examples of such detection-evasion methods," said Hossein Jazi, an analyst at the information security company Malwarebytes.
According to experts, North Korean cybercriminals differ from other highly qualified groups in their recklessness.
"One factor making North Korean cybercriminals more dangerous than hackers from other countries is that Pyongyang's regime is isolated and disconnected from global economic trade and diplomatic engagement. As a result, North Korea has less incentive to 'play by the rules,' and the country continues to overstep the boundaries that define acceptable behavior for other states. This is a key reason why only North Korean groups carry out state-funded cybercrimes such as bank robberies, and why they are more prone to deploying destructive wiper malware," explained Fred Plan, an information security specialist at Mandiant.
The strength of North Korea's hacking army is growing rapidly
The remarkable growth of North Korea's hacking army has allowed its cybercriminals to earn billions of dollars for the state through a variety of criminal schemes, from ATM cash-outs to cryptocurrency theft. This was reported in April 2021 by The New Yorker.[5][6]
North Korea is the only country in the world whose government carries out outright criminal hacks for monetary gain. Units of the Reconnaissance General Bureau, the military intelligence service of the KPA General Staff, were created and trained specifically for this purpose. Unlike terrorist groups, North Korea's cybercriminals do not claim responsibility for their hacks, and the government denies involvement in such crimes. As a result, even experienced information security specialists sometimes disagree when attributing individual attacks.
In 2019, a UN panel of experts published a report finding that North Korea had earned two billion dollars through cybercrime. According to the UN, much of the money stolen by North Korean hackers goes to the weapons programs of the Korean People's Army, including the development of nuclear-capable missiles. Cybercrime is also a cheap and effective way to circumvent the tough sanctions that have long been imposed on the country. North Korea is "using keyboards rather than guns" and has "become a criminal syndicate with a flag," according to John C. Demers, Assistant Attorney General of the US Department of Justice's National Security Division.
As Priscilla Moriuchi, a researcher at Harvard University's Belfer Center for Science and International Affairs, noted, although North Korean hackers are technically proficient, their more important attribute is criminal skill. In the case of the theft of more than $100 million from the Central Bank of Bangladesh, the robbers waited seventeen months after their initial reconnaissance before carrying out the heist. They identified the ideal time window for the attack and selected institutions with weak security procedures so that the money could be stolen and cashed out as quickly as possible.
The scope and creativity of North Korea's digital crime has taken many by surprise. Pyongyang's cybercriminals have proven able to break into computer networks around the world and have shown real innovation in the use of new technologies. In most countries, hackers develop their skills by experimenting on home computers as teenagers, but North Korea's hackers grow up under unusual conditions: few families own computers, and the state controls internet access. The most promising students are directed to use computers at school, and those who excel in mathematics are transferred to specialized high schools.
Most of the cybercriminal activity is carried out by the Reconnaissance General Bureau of the KPA General Staff, within which the so-called Unit 180 is responsible for "conducting cyber operations to steal foreign money from outside North Korea." Lazarus Group is the best-known of North Korea's financially motivated hacking units.
The most common target of North Korea's cyber army is South Korea, which has been hit by hundreds of major attacks.
Over the past two years, the tactics of North Korean cybercriminals have become more cautious. Alongside attacks on large financial institutions, the hackers have adopted a faster and less conspicuous "operational tempo," systematizing financial fraud and attacks on small financial institutions and ordinary citizens. They now look more like an ordinary criminal gang.
The most reliable source of income for North Korea has been cryptocurrency theft. Jesse Spiro of Chainalysis said North Korean hackers have stolen more than $1.75 billion in cryptocurrency from trading exchanges. That revenue stream alone could cover about 10% of North Korea's total defense budget.
North Korean hackers pose a greater threat than nuclear missiles
North Korea's nuclear missiles, fortunately, have so far remained unused, which cannot be said of its hackers. Hackers working for the DPRK have progressed from cyber espionage against its main adversary, South Korea, to stealing huge sums of money and raiding advanced technology companies. According to many experts, North Korean hackers pose an even greater threat than the nuclear missiles Kim Jong-un is so proud of.[7]
"If you compare hackers to nuclear weapons, I am sure these guys are a big threat. They are ready to use their missiles, but they are not doing so yet. And hacking, as we can see, happens everywhere, every day," Simon Choi, founder of IssueMakersLab, a non-profit organization that tracks North Korean hacker groups, said in an interview with Foreign Policy magazine.
IssueMakersLab recorded the activities of several different hacker groups associated with various branches of the DPRK government, including the army and intelligence services. According to Choi, there is a clear trend: North Korean hackers are becoming more active and experienced.
"They have made great strides lately. In the past, they used the same methods as China and the United States, relying on open-source information. But recently they have shown progress in finding vulnerabilities in their targets themselves," Choi said.
According to Choi, when it comes to finding new vulnerabilities, North Korea is among the top three in the world. A year earlier, US Secretary of State Michael Pompeo had noted that, in terms of cyberattacks, the DPRK is even more dangerous than Russia.
"At first, experts underestimated North Korea's cyber potential and were more focused on its nuclear and missile programs. However, Pyongyang has developed advanced cyber-warfare capabilities that only a few countries can surpass. The government has refined its cyber programs to create a reliable, global set of destructive military, financial and espionage capabilities," said Bruce Klingner, former deputy chief of the CIA's Korea division.
Of course, hackers cannot do more damage than nuclear weapons. The difference is that Pyongyang can turn to hackers even in peacetime, while keeping its nuclear arsenal in reserve. Meanwhile, the DPRK uses cybercriminals to prop up its currency, which suffers under the strict sanctions imposed on North Korea. According to CNN, most of the stolen money goes to the weapons program. Such tactics are not war, but they help finance the DPRK's weapons program.
2019: North Korean hackers attack Russia for first time in history
North Korean hackers attacked organizations based in Russia for the first time in the history of information security research. This was reported in February 2019 by Check Point specialists. Prior to this, North Korean hackers did not attack Russia, as countries maintain friendly relations[8].
As Check Point explains, this malicious activity has been recorded over the past few weeks. "This is the first time we have seen what looks like a coordinated North Korean attack against Russian entities," the researchers note.
The attack was carried out by the Lazarus group, or more precisely by its "commercial" branch Bluenoroff, which conducts hacking operations for profit. Lazarus also has another branch, Andariel, which focuses on cyberattacks against South Korea. Bluenoroff is believed to be behind the 2014 hack of Sony Pictures Entertainment's servers. It is also credited with stealing $81 million from the Central Bank of Bangladesh in 2016 and robbing at least five cryptocurrency exchanges of millions of dollars.
The new attack unfolded as follows. The target received an email containing a malicious PDF and a Word document packed into a ZIP archive. The researchers explain that the Office documents were crafted specifically for Russian-speaking users, which led them to conclude that the targets were Russian organizations.
The PDF served as a decoy, while the Word file containing macros was the actual malicious component. The decoy PDF was a non-disclosure agreement purportedly issued on behalf of the Russian company StarForce Technologies (Protection Technology LLC), which makes copy-protection solutions. The decoy made the whole email look more legitimate.
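As an added illustration of how such an attachment can be triaged (this is example code, not from the Check Point report or the attackers), the following Python script inspects a ZIP archive by content rather than file extension: it flags every Office document that carries a VBA project and recognizes the decoy-PDF-plus-macro-document pairing described above. The archive it examines is constructed inline as a stand-in for the real lure; the file names are assumed.

```python
"""Triage a ZIP attachment for the decoy-PDF-plus-macro-document lure pattern."""
import io
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
PDF_MAGIC = b"%PDF-"
OOXML_EXT = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def classify_member(name: str, data: bytes) -> Dict[str, object]:
    """Describe one archive member, judged by its magic bytes rather than its extension."""
    info: Dict[str, object] = {"name": name, "kind": "other",
                               "has_macros": False, "ext_mismatch": False}
    lower = name.lower()
    if data.startswith(PDF_MAGIC):
        info["kind"] = "pdf"
        info["ext_mismatch"] = not lower.endswith(".pdf")
    elif data.startswith(OLE_MAGIC):
        # Binary Office format: macros live in a VBA storage this script does not parse,
        # so every OLE document is treated as a potential macro carrier.
        info["kind"] = "ole_office"
        info["has_macros"] = True
        info["ext_mismatch"] = not lower.endswith((".doc", ".xls", ".ppt"))
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                members = {m.lower() for m in inner.namelist()}
        except zipfile.BadZipFile:
            return info
        if "[content_types].xml" in members:
            info["kind"] = "ooxml_office"
            # A vbaProject.bin part means the document carries VBA macros,
            # whether the extension says .docm or the more innocuous .docx.
            info["has_macros"] = any(m.endswith("vbaproject.bin") for m in members)
            info["ext_mismatch"] = not lower.endswith(OOXML_EXT)
        else:
            info["kind"] = "zip"   # nested archive: worth unpacking recursively
    return info


def triage_zip(zip_bytes: bytes) -> Dict[str, object]:
    """Inspect every member and decide whether the archive matches the lure pattern."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            if entry.is_dir():
                continue
            findings.append(classify_member(entry.filename, zf.read(entry)))
    has_pdf = any(f["kind"] == "pdf" for f in findings)
    macro_docs = [f["name"] for f in findings if f["has_macros"]]
    mismatches = [f["name"] for f in findings if f["ext_mismatch"]]
    verdict = "suspicious" if macro_docs else "clean"
    if macro_docs and has_pdf:
        verdict = "decoy_plus_macro"   # the pairing used in the Bluenoroff lure
    return {"verdict": verdict, "macro_documents": macro_docs,
            "extension_mismatches": mismatches, "members": findings}


def build_sample_lure() -> bytes:
    """Constructed stand-in for the attachment: a PDF decoy plus a macro-bearing .docx."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder for a VBA project
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("NDA_StarForce.pdf", b"%PDF-1.4\n%decoy\n")   # assumed decoy name
        z.writestr("NDA_StarForce.docx", docx.getvalue())        # macros despite .docx
    return outer.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_lure())
    print(report["verdict"], report["macro_documents"], report["extension_mismatches"])
```

The check deliberately keys on `vbaProject.bin` inside the OOXML container rather than on the `.docm` extension, because a macro-bearing document renamed to `.docx` still opens in Word and still prompts to enable content; mail-gateway rules that only match extensions miss exactly this case.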
2018: We were just a bunch of poor, low-paid workers
North Korean hackers have been repeatedly accused of high-profile attacks, including the theft and publication of correspondence between Sony Pictures Entertainment executives and the global spread of the WannaCry ransomware. According to unconfirmed reports, the DPRK's elite hacker units earn millions of dollars for Pyongyang. In early 2018, Bloomberg journalists managed to talk with former North Korean hackers and find out how the DPRK's cyber forces are organized.
One of the agency's interlocutors, Jong Hyok (not his real name), said he had not taken part in high-profile hacks but had been engaged in simpler operations whose only purpose was to make money. For several years he worked as part of a hacking team crammed into a crowded three-story building in northeastern China. Each member had to earn at least $100,000 a year, the hackers' own share of the earnings was only 10%, and failing to meet the quota was punished.
At first Jong did not even have his own computer and had to rent one from a colleague. He began by selling pirated software, then moved on to cracking programs on commission. When there were no orders, he and his colleagues hacked gambling sites, leveled up characters in online games for sale, and took on similar work.
"We were just a bunch of poor, low-paid workers," Chen recounted, adding that North Korea was willing to do anything for money, even force its citizens to steal.
The activities of each hacker team were carried out under the supervision of the "main representative," who was involved in organizing transactions and collecting payments. Another person was in charge of security-related matters.
Two other interlocutors of the agency belonged to a group of programmers sent to China, where they developed iOS and Android applications. They had to earn about $5,000 a month for the government, and the working day could stretch to 15 hours.
The DPRK often bases its cyber units outside the country, in particular in China, India and Cambodia. North Korea has substantially expanded its cyber forces and refined its hacking strategy in recent years, according to Lim Jong-in, a former South Korean presidential adviser on security. In Shenyang and Dandong alone there were reportedly more than a hundred firms serving as cover for hacking activity. To comply with UN sanctions, China has taken measures to curb such operations, but the DPRK simply moved its hacker teams to other countries, such as Russia and Malaysia, the expert notes.
2017
Department called Unit 180
The DPRK's main intelligence service reportedly has a department called Unit 180, which may be behind some cyberattacks. This was reported by Reuters in May 2017.
According to Kim Heung-kwang, a former computer science professor in the DPRK who left the country in 2004, "this unit probably organized cyberattacks aimed at obtaining funds." Kim Heung-kwang says he still has sources in North Korea.
According to him, some of his former students joined the "cyber army" of the DPRK.
"Hackers go abroad to find an internet service somewhere better than in North Korea, so as not to leave traces," he said, adding that hackers can leave the DPRK under the guise of employees of various North Korean firms.
Attacks on South Korea's cryptocurrency exchanges
In September 2017, the South Korean National Police Agency reported attempts by hackers from the DPRK to attack the country's cryptocurrency exchanges. The incident was investigated by the police cybersecurity bureau, the report said.[9][10] The hackers sent 25 phishing emails to staff of four bitcoin exchanges, with the senders posing as police officers and government officials. The police clarified that ten of the emails were sent in July and August. The hackers failed to inflict "real damage," authorities said.
Money Theft Software
The DPRK government employs 6,000 highly skilled hackers who are constantly improving their skills, and North Korea has developed effective software for stealing money. This was reported in October 2017 by the New York Times, citing American and British specialists investigating attacks by North Korean hackers.[11]
Unlike nuclear weapons tests, which invariably entail international sanctions, cyber attacks remain unpunished. Just as experts previously underestimated the DPRK's nuclear program, information security experts doubted its cyber potential. Now, however, they are forced to admit that cyberattacks are the perfect weapon for an isolated North Korea that has nothing to lose.
The country's primitive infrastructure is far less vulnerable to retaliation, and the hackers themselves operate outside North Korea. According to officials, no one will dare respond to cyberattacks with real military action, for fear of escalating the conflict between the DPRK and South Korea. "Cyberspace is an ideal, powerful weapon for them [the North Koreans]. It offers low cost, great asymmetry, a degree of anonymity and the ability to go unnoticed," said Chris Inglis, former deputy director of the US National Security Agency.
As Inglis noted, North Korean hackers can threaten both national and private infrastructure, and cyberattacks are also a source of income for the DPRK. Pyongyang's cyber program is one of the most successful in the world, the former NSA deputy director said, and the secret of its success lies not in high technology but in low cost.
See also: The head of Microsoft accuses the DPRK of WannaCry attacks
2016: Electronic mailboxes of South Korean government employees attacked by DPRK hackers
In the summer of 2016, South Korea accused Pyongyang of hacking the email of government employees: the mailboxes of South Korean officials had been attacked by hackers from the DPRK, the South Korean Prosecutor General's Office said in a statement.
According to the document, from January to June 2016 a "suspected group of hackers from North Korea" tried to break into the computers of 90 people, including ministers and officials posted abroad. In particular, the hackers targeted the email of staff at South Korea's Ministry of Foreign Affairs and its ministries of defense and unification. "Passwords for 56 accounts were stolen," the statement said. According to prosecutors, the hackers used phishing to gain access to users' data, employing the same methods as in previous cyberattacks.
2015
North Korea threatens US with disruptive cyber attacks
In June 2015, North Korea threatened the United States with massive cyberattacks if it did not stop its own attacks against the DPRK, IDG News Service reported, citing an article published in Rodong Sinmun, the official newspaper of the ruling Workers' Party of Korea.[12]
"The DPRK will respond to any form of aggression, actions and conflicts emanating from the American imperialists," the publication said. "We are determined to wage our own cyber war in order to achieve the speedy ruin of the United States, and to destroy those who are behind cyber attacks on our state."
The Rodong Sinmun article appeared after Reuters reported in May 2015 that the United States had tried, about five years earlier, to disable uranium enrichment facilities in North Korea with a Stuxnet-like virus. According to the intelligence officials cited by the agency, the operation against the North Korean facilities failed because the virus was unable to penetrate the target computer network.
The Stuxnet worm, described as the "first cyber weapon," struck nuclear facilities in Iran in 2010, exploiting vulnerabilities in the Windows operating system and attacking Siemens industrial control systems. Having penetrated the plant's internal network, the worm rewrote the control logic in programmable logic controllers and took control of the systems, attempting to disable the equipment.
Cyber-warfare personnel increased to 6,800
In the spring of 2015, North Korea increased its cyber-warfare personnel to 6,800 (about 1,700 specialists and 5,100 support staff), the Yonhap news agency reported. According to the South Korean Ministry of Defense, the build-up of cyber forces reflects the DPRK's desire to develop its capabilities for asymmetric warfare.
It is noted that the expansion of cyber warfare is associated with a series of data leaks at nuclear power plants in South Korea in December 2014.
North Korea is focused on destroying critical infrastructure, as evidenced by its attack on the operator of two nuclear power plants in South Korea.
In the 2000s, North Korea was accused of several cyber attacks against the South Korean government, South Korean banks and Incheon International Airport.
Notes
- ↑ Democratic People’s Republic of Korea Information Technology Workers
- ↑ Exclusive: Record-breaking 2022 for North Korea crypto theft, UN report says
- ↑ North Korea Hacked Him. So He Took Down Its Internet
- ↑ North Korean hackers are much more reckless than their "colleagues" from other countries.
- ↑ The strength of the North Korean hacker army is growing rapidly, https://www.securitylab.ru/news/519098.php
- ↑ Ibid.
- ↑ North Korean hackers pose a greater threat than nuclear missiles
- ↑ North Korean hackers attacked Russia for the first time in history
- ↑ Seoul announced cyber attacks from the DPRK on cryptocurrency exchanges
- ↑ police.go.kr
- ↑ The DPRK Cyber Army has 6,000 hackers
- ↑ North Korea threatened the United States with destructive cyber attacks