North Korean crypto hacking: Separating fact from fiction
“The small IP space/access to the internet in the DPRK, as well as its less connected nature to global/online systems, arguably offers it an asymmetric advantage in relation to cyber operations.”
The Democratic People’s Republic of Korea is widely considered to be a state sponsor of cryptocurrency hacking and theft. While multiple United States presidents have attempted to stifle the growth of North Korean nuclear energy development through a series of economic sanctions, cyber warfare is a new phenomenon that cant be dealt with in a traditional way.
Unfortunately for the crypto industry, DPRK has taken a liking to digital currencies and seems to be successfully escalating their operations around stealing and laundering cryptocurrencies to bypass crippling economic sanctions that have led to extreme poverty in the pariah state.
Some evidence suggests that Pyongyang has racked up well over two billion U.S. dollars from ransomware attacks, hacks, and even stealing crypto directly from the public through a spectrum of highly sophisticated phishing tricks. Sources explain that the regime employs various tactics to convert the stolen funds into crypto, anonymize it and then cash out through overseas operatives. All this activity has been given a name by the United States authorities hidden cobra.
To achieve all this, not only does the operation need to be backed by the state, but many highly trained and skilled people have to be involved in the process to pull off the heists. So, does the DPRK indeed have the means and capability to engage in cyber warfare on a global scale, even as the countrys leadership openly admits that the country is in a state of economic disrepair?
How much exactly have the hackers stolen?
2020 continues the pattern of multiple updates on how much money the DPRK-backed hackers have allegedly stolen. A United Nations report from 2019 stated that North Korea has snatched around $2 billion from crypto exchanges and banks.
Most recent estimates seem to indicate that the figure is around the $1.5 to $2.5 billion mark. These figures suggest that, although the exact data is hard to come by, the hacking efforts are on the rise and are bringing in more funds each year. Furthermore, multiple reports of new ransomware, elaborate hacks and novel ransomware methods, only supports this data.
Madeleine Kennedy, senior director of communications at crypto forensics firm Chainalysis told Cointelegraph that the lower estimate is likely understated:
We are confident they have stolen upwards of $1.5B in cryptocurrency. It seems likely that DPRK invests in this activity because these have been highly successful campaigns.
However, Rosa Smothers, senior vice president at KnowBe4 cyber security firms and a former CIA technical intelligence officer, told Cointelegraph that despite the recent accusations from the United States Department of Justice that North Korean hackers stole nearly $250 million from two crypto exchanges, the total figure may not be as high, adding: Given Kim Jong Un’s recent public admission of the country’s dismal economic situation, $1.5B strikes me as an overestimate.
How do the hacking groups operate?
Its not very clear how exactly those North Korean hacking groups organized and where they are based, as none of the reports paint a definitive picture. Most recently, the U.S. Department of Homeland Security stated that a new DPRK-sponsored hacking group, BeagleBoyz, is now active on the international scene. The agency suspects the gang to be a separate, but affiliated entity to the infamous Lazarus group, which is rumored to be behind several high profile cyber attacks. DHS believes that BeagleBoyz have attempted to steal almost $2 billion since 2015, mostly targeting banking infrastructure such as ATMs and the SWIFT system.
According to Ed Parsons, managing director UK of F-Secure, The BeagleBoyz appears to be the U.S. government name for a recent cluster of activity targeting financials in 2019/2020, adding that its unknown if the unit is new or a new name attached to an initially unattributed campaign that was then later linked to DPRK activity. He further told Cointelegraph that the malware samples were associated with those under the hidden cobra codename, which is a term used by the U.S. government to identify DPRK online activity.
According to the U.S. Security & Infrastructure Security Agency, the hidden cobra-related activity was flagged in 2009 and initially aimed to exfiltrate information or disrupt the processes. The main vectors of attack are DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware, targeting the older versions of Microsofts Windows and Adobe software. Most notably, the hidden cobra actors make use of the DDoS botnet infrastructure, known as the DeltaCharlie, which is associated with over 600 IP addresses.
John Jefferies, chief financial analyst at CipherTrace, a blockchain forensics company, told Cointelegraph that there are several prominent hacking groups and its extremely difficult to differentiate between them. Anastasiya Tikhonova, head of APT Research at Group-IB, a cybersecurity company, echoed the sentiment saying that regardless of the group name attached, the attack vectors are very similar:
Initial access to targeted financial organizations is gained using spear phishing either via emails with a malicious document masquerading as a job offer or via personal message on social media from a person pretending to be a recruiter. Once activated the malicious file downloads the NetLoader.
Additionally, several experts have outlined JS-sniffers as the latest thread to emerge, most commonly linked to the Lazarus group. JS-sniffers is a malicious code which was designed to steal payment data from small online stores, an attack in which all the parties who engaged in the transaction would have their personal information exposed.
Overall, the hacking groups seem to be perfecting the use of a very specific set of malicious tools that center around phishing, whereby unknowing company employees install the infested software which then spreads across the enterprise system targeting the core functions. Most notable examples of suspected activity are the 2014 hack of Sony Pictures and the spread of the WannaCry malware in 2017.
According to various sources most attacks are executed to a high standard with evidence of lengthy preparations. The latest examples from 2020 include a fake trading bot website built to lure in DragonEX crypto exchange employees which raked in $7 million in crypto.
In late June, a report warned that the Lazarus Group will seek to launch a COVID-19 specific attack in which the hackers would impersonate government offices in countries that are issuing pandemic-related financial relief to direct unwary email recipients to a malicious website that would siphon financial data and ask for crypto payments. Additionally, crypto industry job seekers also appear to be under threat as according to a recent report, the hackers are using LinkedIn-like emails to send fake job offers containing a malicious MS Word file.
Most notable are the attacks on the crypto exchanges. Although the exact amount stolen from trading platforms is unknown, several reports by cybersecurity firms and various government agencies put the estimated amount at well over a billion dollars. However, DPRK is only suspected of being behind some of those hacks with only a handful of cases having been tracked back to the regime. The best known example is the hack of the Japanese-based Coincheck exchange during which $534 million in NEM tokens was stolen.
In late August 2020 a statement from the U.S. Department of Justice outlined the details of an operation to launder stolen funds through crypto, which was traced back to 2019. It is believed that the North Korean-backed hackers initiated the heist with the support of a Chinese money laundering ring. The two Chinese nationals in question used the peel chain method to launder $250 million through 280 different digital wallets, in an attempt to cover the origin of the funds.
According to Kennedy, DPRK-linked hacking groups are indeed becoming more sophisticated at hacking and laundering: Specifically, these cases highlighted their use of “chain hopping, or trading them into other cryptocurrencies such as stablecoins. They then convert the laundered funds into Bitcoin. Chain hopping refers to a method where traceable cryptocurrencies are converted into privacy coins such as Monero or Zcash.
Addressing the apparent success of the hackers, Parsons believes that:
The small IP space/access to the internet in the DPRK, as well as its less connected nature to global/online systems, arguably offers it an asymmetric advantage in relation to cyber operations.
Speaking to Cointelegraph, Alejandro Cao de Benos, a special delegate of the Committee for Cultural Relations with Foreign Countries of DPRK refuted claims that the country is behind the crypto cyber attacks, stating that its a big propaganda campaign against the government:
Usually the DPRK is always portrayed in the media as a backward country without internet access or even electricity. But at the same time they always accuse it of having higher capacity, faster connectivity, better computers and experts than even the best banks or US government agencies. It does not make sense just from a basic logical and technological point of view.
Whats the size of the alleged cyber force and where are they based?
Another number that various reports and studies fail to agree upon is the size of the cyber force that the North Korean government allegedly backs. Most recently, The U.S. Army report North Korean Tactics stated that the figure stands at 6,000 operatives, mainly spread across Belarus, China, India, Malaysia, Russia and several other countries, all united under the leadership of a cyber warfare unit called Bureau 121.
Parsons believes that the number was most likely derived from previous estimates obtained from a defector who fled DPRK in 2004, although conceding that: The figure may also have been generated from internal U.S. intelligence that is not publicly attributable. Tikhonova agreed that its hard to assess the size of the force: Different reports can give a clue to the regimes hiring strategy, she said, continuing that:
The North Koreans have been allegedly attracting students from universities. In addition, some of the North Korean hackers were recruited while working for IT companies in other countries. For example, Park Jin Hyok, an alleged member of the Lazarus APT wanted by the FBI, worked for the Chosun Expo IT company based in Dalian, China.
Smothers was more skeptical of the report’s conclusion, however stating that: This is consistent with reporting from South Korea’s Defense Ministry who had, just a few years ago, estimated their number at 3,000, adding that if anyone has such information, it would be South Korea. Addressing the question of how the set cyber force is organized and where its based, she also agreed that most hackers would be stationed around the world given the limited bandwidth in North Korea.
Jefferies also believes that North Korean hackers are based all around the world a privilege afforded to very few in the country, also adding that in most cases, hacks attributed to North Korea are not conducted by hackers-for-hire. Tikhonova provided a possible reason behind both assertions, saying:
It is unlikely that they would give someone access to their list of potential targets or their data given the sensitivity of the operations, so those are carried out by North Koreans themselves.
What can be done to stop the hackers?
It seems that, so far, identifying the movement of money and uncovering some of the third parties is the only thing that has been done successfully at least in public. One report by BAE systems and SWIFT has even outlined how the funds stolen by the Lazarus Group are processed through East Asian facilitators, eluding the Anti-Money Laundering procedures of some crypto exchanges.
Jeffreries believes that more needs to be done in that regard: Authorities need to enact and enforce crypto anti-money laundering laws and Travel Rule regulation to ensure that suspicious transactions are reported. He also stressed the importance of authorities ensuring that virtual asset service providers deploy adequate Know Your Customer measures:
One known tactic used by North Korean-backed professional money launderers was the use of fake IDs to create accounts at multiple exchanges. The exchanges with stronger KYC controls were better able to detect these fraudulent accounts and prevent the abuse of their payment networks.
According to the information revealed by the U.S. DOJ, those laundering the money target exchanges with weaker KYC requirements. Although no platforms have been named, these are likely smaller exchanges operating solely in the Asian market. Theres also the issue of some authorities being unable to do take action when it comes to companies that are not under their jurisdiction, as Smothers points out:
The global nature of these exchanges, as well as the Chinese OTC (over-the-counter cryptocurrency trading) actors, limits our Justice Department’s ability to take swift action. For instance, the DOJ filed a civil action in March, but the Chinese OTCers pulled all funds out of the target accounts within hours of the DOJ’s filing.
But what complicates things even further is that according to a Chainalysis report from 2019, those laundering the funds may take months if not years to complete the process. According to the authors supported the notion that attacks were for financial benefit as the stolen crypto could sit idle in wallets for up to 18 months prior to being moved due to fear of detection.
However, researchers believe that since 2019, the tactics employed by the criminals have changed to accommodate faster withdrawals through the extensive use of cryptocurrency mixers to obscure the source of the funds. Kennedy explained further:
We can’t speak to the reasons behind their techniques, but we have noticed that these actors often move money around from one hack, then stop to concentrate on moving money around from another hack, and so on. […] Cryptocurrency exchanges were critical in the investigations, and the public and private sectors are working together to address the threats posed by these hackers.
How serious is the issue?
When discussing DPRK, its hard to avoid the topics of human rights violations and the nuclear program that the country reportedly continues to run, despite tightening economic sanctions.
In that sense, the dynastic government guided by supreme leader Kim Jong Un is seen to be of considerable threat to the world: But now, its not just because of the regimes nuclear aspirations. Even though cybersecurity attacks in most cases are not directly harmful to a human life, these efforts provide a steady stream of income for the state to continue strengthening its ideals and goals.
But, perhaps more worryingly, is that, according to several commentators cited in this article, the hacking groups that seem to be backed by the North Korean regime continue to expand and branch out their operations since their methods are proving to be exceedingly successful. Jefferies for one believes that: Its not a surprise that they would continue to build upon and invest in their cyber capabilities.