The author constantly writes about the “crimes of hackers from the DPRK,” and after talking about the problems that the cybersecurity of the Republic of Korea is facing, it’s time to talk about what hackers from the North have recently been accused of.
The claim that the Pyongyang regime is making money for its nuclear missile program by hacking has become so common when directing accusations at the DPRK that almost every material in the media of the Republic of Korea or the West cannot do without writing a piece about it.
On April 20, 2022, Eric Penton-Voak, the coordinator for the UN body monitoring enforcement of sanctions on North Korea, spoke about this. And on November 17, 2022, White House spokesperson Anne Neuberger reported that a third of North Korea’s military spending was supposedly financed from cyber-attack proceeds.
On April 14, 2022, the FBI announced that North Korean hackers from the Lazarus Group had successfully attacked the website of the online game Axie Infinity. A feature of the game is the use of cryptocurrency and the opportunity for successful players to earn significant amounts while playing. During the attack on the website, hackers managed to steal $620 million. The media of the Republic of Korea stated that this amounted to the cost of more than 30 ballistic missiles.
On April 15, 2022, the US Department of the Treasury imposed sanctions on Lazarus Group.
On May 6, 2022, the United States for the first time imposed sanctions against the cryptocurrency mixer Blender.io, “which is used by the Democratic People’s Republic of Korea to support its malicious cyber activities and launder money from stolen virtual currency” in the amount of more than $20.5 million. Allegedly, Blender was used in the processing of illegal proceeds by the same “state-sponsored hacker group” – Lazarus Group.
In August 2022, similar sanctions were imposed on the cryptocurrency tumbler Tornado Cash, which allegedly helped launder more than $455 million stolen by Lazarus Group.
How much did the hackers pocket in total? In 2021, North Korea (more precisely, Lazarus Group) allegedly stole up to $400 million worth of digital assets in at least seven attacks on cryptocurrency platforms, according to blockchain analysis firm Chainalysis. And in 2022, North Korean hackers allegedly stole $1 billion of cryptocurrency, which is about half of the total amount of digital currency obtained illegally.
In other sources (as you can see, the numbers vary, which is apparently related to the question of which hackers are considered North Korean) they write that since the hacking of websites for trading cryptocurrencies and other virtual assets in 2017, North Korea has allegedly earned more than $1.17 billion, including more than $78 million from South Korea, with about 800 billion won in 2022 alone.
According to a former National Intelligence Service official named Mr. Choi, North Korea transfers funds using cryptocurrency as follows:
- Banks are hacked and money is stolen;
- The stolen money is used to buy cryptocurrencies such as bitcoin or ethereum;
- Bitcoin is transferred to Iran, Syria or the UAE via email or PayPal links;
- There, the cryptocurrency is additionally traded and increases in value;
- After several small transactions, the cryptocurrency is transferred to China;
- In China, the cryptocurrency is converted into cash, which is then transferred to North Korea.
Phishing and stealing data
The second block of accusations is extortion and attempts to steal not money, but information. Many people do this, and the author receives emails at least once a month with attached “documents” poisoned by malware.
FBI Director Christopher Wray called the DPRK, along with China, Russia and Iran, one of the threats to the US in cyberspace. According to him, North Korean hackers over the past two years have carried out repeated attacks on hospitals, medical centers, as well as educational and research institutions, involved in the development of vaccines against COVID-19. The attackers use ransomware as a toolkit that blocks computer networks and requires money to unlock them.
North Korea-linked hackers are said to have attacked readers of the DailyNK website with malware capable of stealing files and passwords. According to researchers at cybersecurity firm Volexity, the attack exploited two known vulnerabilities in Microsoft’s Internet Explorer and Edge web browsers to install malware dubbed “Bluelight”.
On September 12, 2021, cybersecurity firm ESTsecurity reported that “the hacker group Thallium with alleged ties to North Korea” attempted to steal data from South Korean experts working as members of a defense ministry advisory group.
In November 2021, NKNews reported that North Korean hackers, more specifically Lazarus Group, were using South Korean servers and Google Drive to cover up malicious attacks and install malicious code into corrupted PDF files disguised as job vacancies for Samsung.
On July 6, 2022, the FBI and the US Treasury issued cybersecurity advisories against ransomware, which they said was being used by “North Korea-sponsored cybercriminals.” North Korean hackers were said to be using Maui ransomware to attack healthcare and public health organizations. This is a code that allows a remote entity to interact with malware and identify files for encryption. Potential victims were reminded not to pay the ransom, as providing money or other goods to North Korea could result in penalties under US and UN Security Council sanctions.
In July 2022, Deputy Attorney General Lisa Monaco stated that the FBI and the Department of Justice stopped a North Korean government-sponsored hacker group targeting US hospitals through the above-mentioned “Maui” program. The FBI was able to recover half a million dollars, including the entire ransom paid by the hospital.
In October 2022, the 1718 Committee of the UN Security Council released an expert report on the DPRK. It states that North Korea has earned about $635 million selling confidential and personal data and voice phishing applications to cybercriminals, including from citizens of the Republic of Korea.
On December 25, 2022 Tae Yong-ho, a defector-turned-lawmaker now living in the ROK, publicly warned Kim Jong-un against using fake accounts to send phishing emails on behalf of his office after police discovered that “North Korean hacker organizations” had been sending out mass phishing emails under the name of the lawmaker’s secretary. The story caused quite a stir: from April to October 2022, hackers allegedly from the Kimsuky group posed as reporters covering national security issues in the ROK, as well as Tae Yong-ho’s assistant. The targets of the attacks were 892 security, foreign policy and defense experts (professors and think-tank staff). 49 of them clicked the links received from the attackers and their emails were hacked.
South Korean media reported that hackers compromised 326 servers in 26 countries to mask their actions, however, the Internet protocol addresses, the type of virus and the usage of North Korean vocabulary were all similar to the North Korean attack on Korea Hydro and Nuclear Power (KHNP) in 2014.
But it should be mentioned that Kimsuky as the culprit for the hacking of KHNP in 2014 and the sending of e-mails on behalf of the National Security Administration in 2016 was reported by South Korean intelligence officials only in connection with this story.
North Korean IT workers under a different flag
In May 2022, the US Treasury Department reported that North Korea was sending thousands of skilled IT workers abroad in search of work, posing as citizens of the United States or other countries. The document, jointly released by the State Department and the FBI, states that the North Korean IT workers hired are usually engaged in work other than malicious cyberattacks, but they can still use the access they received as contractors to support cyberattacks, and the income they receive can be directed to WMD programs. Therefore, hiring North Korean IT workers could carry “reputational risks” as well as “potential legal consequences” for violating US and UN Security Council sanctions. With some modifications, this message was voiced throughout the year.
On June 15, 2022, Assistant Secretary of State for International Security and Nonproliferation Eliot Kang held a meeting with representatives of IT companies and warned them about the dangers of hiring North Korean computer scientists. On July 16, Eliot Kang again briefed industry and government officials on the risks involved in hiring North Koreans, warning of dangers including intellectual data theft, legal ramifications and reputational damage.
On December 8, 2022, South Korea issued an inter-agency recommendation against hiring North Korean IT workers in disguise. Local companies have called for stronger background checks when hiring IT workers at home and abroad, “as the reclusive North Korean state increasingly sends highly skilled people around the world to generate income to fund its weapons of mass destruction and ballistic missile programs.” “Forging identification documents is one of the easiest ways to obfuscate their identities. They illicitly collect foreigners’ driver’s licenses and identification cards, and replace the photos on identification document with their own using Photoshop. Moreover, they utilize a proxy phone call authentication service website when having to going through the process of phone call authentication,” the advisory says. A distinctive feature is the refusal to participate in video calls.
As a rule, North Korean infiltrators specialize in creating software, including for mobile devices. The Government of the Republic of Korea calls on national commercial structures to be vigilant and immediately inform the relevant authorities (police, MFA, NIS) in case of suspicious cases.
What does 2023 have in store?
In the 2022 National Cyber Power Index compiled by Harvard University’s Belfer Center in September 2022, North Korea ranked 14th overall (the US, China and Russia are in the top three, while South Korea is ranked 7th).
In terms of cyber defense, North Korea ranks last, but it ranks fifth behind the US, Russia, China, the UK, and Iran in terms of the destructive power of its cyber capabilities.
Fear (or rather hype) knows no boundaries, and on December 22, 2022, the National Intelligence Service of South Korea held a press conference on North Korea and cybersecurity, where the audience was diligently intimidated: after all, according to intelligence officers, every day the infrastructure of the Republic of Korea faces 1.18 million cyberattack attempts. North Korea is to blame for 55.6% (600,000), while only 4.7% falls on China.
First and foremost, in 2023, North Korean hacker groups are likely to focus on stealing South Korean technology related to nuclear plants, chips, and the defense industry, as well as gathering information about South Korea and the US policy towards the North. In addition, they will commit even more cybercrimes related to the theft of cryptocurrencies, being the best in the world in terms of the ability and potential to hack and steal digital assets.
Secondly, the DPRK can more actively use Deepfake technologies to produce and replicate videos designed to cause chaos and increase social instability in the ROK. However, the author has not yet heard of such videos and believes that the explanation “it was a Deepfake from Pyongyang” is intended to render obsolete a possible compromising video.
Thirdly, with a high degree of probability, the target of increased attention of North Korean hackers will be South Korean President Yoon Suk-yeol and the technology he uses (mobile phone, e-mail, instant messengers, etc.). Here the author is simply bemused in terms of the digital security of the Head of State – either Yoon Suk-yeol uses an unsecured email, which he has had since the time of being a prosecutor, or the digital border is locked in much the same way as the land border against North Korea’s UAVs.
Which of these will come true – only the new year will tell. Meanwhile, in the opinion of the author, Russian-speaking readers can consider “KimSuki” and “LazaRus” as North Korean hackers only with some stretch of imagination.
Konstantin Asmolov, PhD in History, leading research fellow at the Center for Korean Studies of the Institute of the Far East at the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook.”