The World Once Laughed at North Korean Cyberpower. No More.

When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”

Even so, Kim Jong-un’s minions still got away with $81 million in that heist.

Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last May that failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.

Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.

Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.

Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West.

And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose.

The country’s primitive infrastructure is far less vulnerable to cyberretaliation, and North Korean hackers operate outside the country, anyway. Sanctions offer no useful response, since a raft of sanctions are already imposed. And Mr. Kim’s advisers are betting that no one will respond to a cyberattack with a military attack, for fear of a catastrophic escalation between North and South Korea.

“Cyber is a tailor-made instrument of power for them,” said Chris Inglis, a former deputy director of the National Security Agency, who now directs cyberstudies at the United States Naval Academy. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.”

Mr. Inglis, speaking at the Cambridge Cyber Summit this month, added: “You could argue that they have one of the most successful cyberprograms on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost.”

It is hardly a one-way conflict: By some measures the United States and North Korea have been engaged in an active cyberconflict for years.

Both the United States and South Korea have also placed digital “implants” in the Reconnaissance General Bureau, the North Korean equivalent of the Central Intelligence Agency, according to documents that Edward J. Snowden released several years ago. American-created cyber- and electronic warfare weapons were deployed to disable North Korean missiles, an attack that was, at best, only partially successful.

Indeed, both sides see cyber as the way to gain tactical advantage in their nuclear and missile standoff.

A South Korean lawmaker last week revealed that the North had successfully broken into the South’s military networks to steal war plans, including for the “decapitation” of the North Korean leadership in the opening hours of a new Korean war.

There is evidence Pyongyang has planted so-called digital sleeper cells in the South’s critical infrastructure, and its Defense Ministry, that could be activated to paralyze power supplies and military command and control networks.

But the North is not motivated solely by politics: Its most famous cyberattack came in 2014, against Sony Pictures Entertainment, in a largely successful effort to block the release of a movie that satirized Mr. Kim.

What has not been disclosed, until now, is that North Korea had also hacked into a British television network a few weeks earlier to stop it from broadcasting a drama about a nuclear scientist kidnapped in Pyongyang.

Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking, and more recently, hacks of South Korean Bitcoin exchanges.

One former British intelligence chief estimates the take from its cyberheists may bring the North as much as $1 billion a year, or a third of the value of the nation’s exports.

The North Korean cyberthreat “crept up on us,” said Robert Hannigan, the former director of Britain’s Government Communications Headquarters, which handles electronic surveillance and cybersecurity.

“Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously,” he said. “How can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?”

From Minor Leaguers to Serious Hackers

Kim Jong-il, the father of the current dictator and the initiator of North Korea’s cyberoperations, was a movie lover who became an internet enthusiast, a luxury reserved for the country’s elite. When Mr. Kim died in 2011, the country was estimated to have 1,024 IP addresses, fewer than on most New York City blocks.

Mr. Kim, like the Chinese, initially saw the internet as a threat to his regime’s ironclad control over information. But his attitude began to change in the early 1990s, after a group of North Korean computer scientists returned from travel abroad proposing to use the web to spy on and attack enemies like the United States and South Korea, according to defectors.

North Korea began identifying promising students at an early age for special training, sending many to China’s top computer science programs. In the late 1990s, the Federal Bureau of Investigation’s counterintelligence division noticed that North Koreans assigned to work at the United Nations were also quietly enrolling in university computer programming courses in New York.

“The F.B.I. called me and said, ‘What should we do?’ ” recalled James A. Lewis, at the time in charge of cybersecurity at the Commerce Department. “I told them, ‘Don’t do anything. Follow them and see what they are up to.’”

The North’s cyberwarfare unit gained priority after the 2003 invasion of Iraq by the United States. After watching the American “shock and awe” campaign on CNN, Kim Jong-il issued a warning to his military: “If warfare was about bullets and oil until now,” he told top commanders, according to a prominent defector, Kim Heung-kwang, “warfare in the 21st century is about information.”

The unit was marked initially by mishaps and bluster.

“There was an enormous growth in capability from 2009 or so, when they were a joke,” said Ben Buchanan, the author of “The Cybersecurity Dilemma” and a fellow at the Cyber Security Project at Harvard. “They would execute a very basic attack against a minor web page put up by the White House or an American intelligence agency, and then their sympathizers would claim they’d hacked the U.S. government. But since then, their hackers have gotten a lot better.”

A National Intelligence Estimate in 2009 wrote off the North’s hacking prowess, much as it underestimated its long-range missile program. It would be years before it could mount a meaningful threat, it claimed.

But the regime was building that threat.

When Kim Jong-un succeeded his father, in 2011, he expanded the cybermission beyond serving as just a weapon of war, focusing also on theft, harassment and political-score settling.

“Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly,” Kim Jong-un reportedly declared, according to the testimony of a South Korean intelligence chief.

And the array of United Nations sanctions against Pyongyang only incentivized Mr. Kim’s embrace.

“We’re already sanctioning anything and everything we can,” said Robert P. Silvers, the former assistant secretary for cyberpolicy at the Department of Homeland Security during the Obama administration. “They’re already the most isolated nation in the world.”

By 2012, government officials and private researchers say North Korea had dispersed its hacking teams abroad, relying principally on China’s internet infrastructure. This allowed the North to exploit largely nonsecure internet connections and maintain a degree of plausible deniability.

A recent analysis by the cybersecurity firm Recorded Future found heavy North Korean internet activity in India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. In some cases, like that of New Zealand, North Korean hackers were simply routing their attacks through the country’s computers from abroad. In others, researchers believe they are now physically stationed in countries like India, where nearly one-fifth of Pyongyang’s cyberattacks now originate.

Intelligence agencies are now trying to track the North Korean hackers in these countries the way they have previously tracked terrorist sleeper cells or nuclear proliferators: looking for their favorite hotels, lurking in online forums they may inhabit, attempting to feed them bad computer code and counterattacking their own servers.

Learning From Iran, Growing Bolder

For decades Iran and North Korea have shared missile technology, and American intelligence agencies have long sought evidence of secret cooperation in the nuclear arena. In cyber, the Iranians taught the North Koreans something important: When confronting an enemy that has internet-connected banks, trading systems, oil and water pipelines, dams, hospitals, and entire cities, the opportunities to wreak havoc are endless.

By midsummer 2012, Iran’s hackers, still recovering from an American and Israeli-led cyberattack on Iran’s nuclear enrichment operations, found an easy target in Saudi Aramco, Saudi Arabia’s state-owned oil company and the world’s most valuable company.

That August, Iranian hackers flipped a kill switch at precisely 11:08 a.m., unleashing a simple wiper virus onto 30,000 Aramco computers and 10,000 servers that would destroy data, and replace it with a partial image of a burning American flag. The damage was tremendous.

Seven months later, during joint military exercises between American and South Korean forces, North Korean hackers, operating from computers inside China, deployed a very similar cyberweapon against computer networks at three major South Korean banks and South Korea’s two largest broadcasters. Like Iran’s Aramco attacks, the North Korean attacks on South Korean targets used wiping malware to eradicate data and paralyze their business operations.

It may have been a copycat operation, but Mr. Hannigan, the former British official, said recently: “We have to assume they are getting help from the Iranians.”

And inside the National Security Agency, just a few years after analysts had written off Pyongyang as a low grade threat, there was suddenly a new appreciation that the country was figuring out cyber just as it had figured out nuclear weapons: test by test.

“North Korea showed that to achieve its political objectives, it will take down any company — period,” Mr. Silvers said.

Source: nytimes
