Is North Korea a cybercriminal country?

Room 39

It was allegedly founded in the 1970s by Kim Jong-il and Kim Il-sung and would now have several thousand employees. When it was founded, the idea was to create front organisations and to tap into the wages of an emigrant workforce. However, the emergence of the Internet has changed the usual structures and has made it possible to raise large sums of money from small investments. With this success, the regime decided to focus on training and developing its cyber capabilities.

According to the UN, the North Korean leader uses this « slush fund » to finance his lifestyle, buy political support, and invest in his nuclear and ballistic missile research programmes. To capture this money, the regime is said to have put in place several tactics. It would send workers abroad and collect part of their salary, organise trafficking (ivory, drugs, counterfeit money), and open companies abroad. It would also rely on the North Korean army’s cyber units and would select future hackers from a very young age—following the Soviet model. Due to the limited access to computers, only the best in mathematics would be allowed to use them and would be sent abroad where they would have access to the best schools. In exchange, the regime would guarantee them a certain standard of living.

A former member of Room 39, now a refugee in South Korea, said « In the U.S., I have not seen any cases (of North Korean workers). Instead, we do everything to steal money from them. We have a technique for that: hacking with ransomware. North Korea will hack into industrial or computer infrastructure of the United States. We don’t have the means to analyse or use this data, we just hack. But in exchange for the promise not to share this data, we ask for money. North Korea is a computer data hacker. »

The cyber weapon

In North Korea, out of a population of more than 25 million, only 1% are reported to have access to the Internet. However, the government has succeeded in placing the country among the most competent nations in the cyber domain.

« If the Internet is like a gun, cyberattacks are like atomic bombs. » This quote—attributed to Kim Jong-il, father of the current leader—reveals the strategic importance that North Korea attributes to this field. Like other powers, Pyongyang will use cyber weapons for intelligence, influence, and action. However, instead of just copying existing models of cyber weapon use, it will innovate technically and tactically and conduct cyberattacks to finance itself.

North Korea’s cyber capabilities came to light in 2014. After the release of a film parodying Kim Jong-un, a group of hackers—the « Guardians of Peace »—hacked Sony Studios. In 2015, the same group—under the new name of Lazarus Group—targeted Bangladesh Bank and other financial institutions in that country. According to journalist Jean Marc Manach, the hackers were able to gain access to the networks by sending trapped emails to various employees. They prepared for several months before finally striking in February 2016. They sent fake money transfer requests to the New York Federal Reserve in the name of Bangladesh Bank, embezzling nearly a billion dollars. However, following a computer alert, most transactions were blocked, but the hackers were able to steal $80 million.

Another spectacular attack was carried out using the WannaCry ransomware. « The WannaCry attack—of an unprecedented level—infected over 300,000 computers in at least 150 countries in just a few days. This malicious ransomware locks users’ files and demands $300 (€275) to recover their use.« According to the U.S. Department of Justice, a North Korean citizen, Park Jin Hyok, was involved in the attack and is suspected of being a member of the Lazarus Group. The man worked for Korea Expo Joint Venture (KEJV), identified as a front company linked to North Korea’s intelligence services. Other attacks have been attributed to the Lazarus Group. According to the U.S. government, in 2017, ATMs were hacked in about 30 countries.

Cryptocurrencies

According to Chainalysis—a data platform dedicated to blockchain—North Korean hackers had a great year in 2021. They reportedly launched at least seven attacks against cryptocurrency platforms that netted nearly $400 million in digital assets. These attacks, which specifically targeted investment firms and marketplaces, « used phishing lures, exploit codes, malware, and advanced social engineering to steal funds from wallets.« Between 2017 and 2021, the Democratic People’s Republic of Korea (DPRK) is believed to have carried out 49 attacks that netted approximately $170 million. The DPRK has set up various computer and financial schemes to launder the money obtained from its hacks. According to a confidential UN report, accessed by Reuters, « The DPRK’s cyber actors—many of whom operate under the direction of the General Reconnaissance Office—are raising funds for its WMD (weapons of mass destruction) programmes, with proceeds estimated to be US$2 billion to date. »

It is estimated that between 2019 and 2020, the number of ransomware attacks increased by 300%. Although it is difficult to attribute all of them to North Korea, this country is only intensifying its attacks. Indeed, the Cybersecurity and Infrastructure Security Agency—a U.S. agency to fight cybercrime—has on its website a page dedicated to North Korea that lists the attacks that have been identified. And despite international protests and sanctions, Pyongyang perseveres in its strategy. The launch of a new missile on Thursday 27 January confirmed Kim Jong-un’s desire to continue the development of these weapons programmes that require significant funding. Definitely something to keep an eye on!