It is known that North Korea uses ransomware and malware to conduct cyber attacks on countries. What is the history and status of such North Korean cyber attacks?
In 2016, roughly 2 billion yen was withdrawn without authorization from ATMs installed in 7-Eleven stores across Japan. The crime is said to have been carried out with "white cards," blank cards with no number or brand printed on them. Participants withdrew money from ATMs at various 7-Eleven locations on the condition that they keep 10% of the amount they took out with the white cards.
The remaining 90% of the withdrawn amount is said to have been handed over to the client, who kept 5% and remitted the rest to the next level up. The total amount withdrawn nationwide was later reported to be 2 billion yen, which is said to have been transferred to North Korea through China.
Only 1% of North Korea's citizens have access to the Internet. Despite that small number, cybercrime groups with world-class capabilities keep emerging from the country. For this reason, the appearance of excellent hackers in North Korea is sometimes likened to the Jamaican bobsled team winning an Olympic gold medal.
The activities of North Korean cybercrime groups include bank robbery, distribution of ransomware, and theft of crypto assets from online exchanges. Unlike cybercrime groups from other countries, the North Korean groups do not issue claims of responsibility, so it is said to be difficult to judge how many cyber attacks North Korea is actually carrying out.
According to a 2019 report, North Korea is estimated to have raised more than $2 billion through its cybercrime groups. The United Nations also holds that most of the money stolen by North Korean cybercrime groups is spent on weapons development, including nuclear weapons. In February 2021, Deputy Secretary of Home Affairs John Muls said that North Korea is forming a criminal group that uses keyboards instead of guns, and speculated that financing through cyber attacks is an attractive method for North Korea because it faces harsh economic sanctions from many countries.
In 2014, North Korea demanded that Sony Pictures Entertainment halt the release of The Interview, a comedy film about the assassination of Chairman Kim Jong-un. Then, in November 2014, Sony was hit by a cyber attack by a hacker group calling itself Guardians of Peace. The attack leaked employee e-mails, pay stubs, and medical records, as well as unreleased movie data including Spectre, a new film in the 007 series.
The FBI investigation raised the possibility that North Korea was behind this hacker group. North Korea denied involvement, but at the same time declared that the cyber attack was a legitimate act.
In 2015, US$80 million was fraudulently remitted from the Central Bank of Bangladesh's account at the Federal Reserve Bank by the Lazarus Group, a hacker group suspected of ties to North Korea. Large illegal remittances using the same method have also occurred in countries other than Bangladesh.
In 2017, the WannaCry ransomware spread around the world, causing serious damage to major global corporations and government agencies, including aircraft manufacturer Boeing, the UK National Insurance Service, and German Railways. It later emerged that a group of North Korean hackers was involved in developing this ransomware.
In North Korea, promising children are encouraged to use computers at school, and those who are good at math receive math-focused education at specialized high schools. Advanced programming education is also provided to talented young people at Kim Chaek Industrial University and Kim Il Sung University in Pyongyang. North Korean student teams have also achieved high placings in the ICPC, an international collegiate programming contest, and in the International Mathematical Olympiad. It can be said that North Korea's programming education and hacker training methods resemble those once used for Soviet competitors.
The Korean People's Army is said to have a cyber unit with 7,000 members. The cyber unit is divided into the Department of General Affairs, which supports military operations, and the Reconnaissance General Bureau, an organization similar to the US CIA, and it is said that operations to steal foreign currency are carried out from outside North Korea.
The Lazarus Group involved in the cyber attack on the Central Bank of Bangladesh mentioned above is considered to be part of the Korean People's Army cyber unit, but details of the cyber unit have not been disclosed. One expert tracked the metadata of North Korean Internet users from 2017 to 2020 and found that most North Korean programmers work outside North Korea, in places such as China and Southeast Asia.
According to Lee Hyun-seung, who fled from North Korea to the United States in 2014, there were three teams of 4-6 North Korean IT workers each in Dalian, China. He also said that these IT worker teams earned money by developing mobile game software for the Japanese, Chinese and Korean markets.
Another North Korean defector testified that North Korea assigns low-level work to its good hackers while they are stationed overseas and calls them back to Pyongyang when important work is to be done. The analysis is that North Korea appears to give them low-level work to prevent top hackers engaged in high-priority operations from being caught abroad.
Simon Choi, a domestic security expert, learned that North Korea was attempting cyber attacks on South Korean troops while he was performing his military service in 2008. After completing his service, he founded a 10-member volunteer team (IssueMakersLab) to investigate North Korean cyber attacks. During his investigation, he discovered malicious scripts written by 1,100 North Korean hackers. He said the scripts he found were less sophisticated than those made by US and Russian hackers, but were very simple and practical, and that North Korean hackers attacked persistently until they achieved their objectives.
Jesse Spiro, who is in charge of policy at the blockchain analytics firm Chainalysis, claims that North Korean hackers have stolen crypto assets worth at least $1.75 billion from crypto asset exchanges. Tom Robinson, a researcher at another analytics firm, Elliptic, said that crypto assets have no administrator and can be traded completely anonymously, which makes crypto asset trading an attractive target for North Korean hackers. In addition, many criminal organizations, North Korean hackers among them, use crypto assets as a method of receiving ransom payments because they leave little evidence, so it is necessary to establish methods of tracing crypto assets.