U.S. Targets North Korean Hacking as Rising National-Security Threat
By Ian Talley and Dustin Volz (WSJ)
Updated Sept. 16, 2019 3:56 am ET
For Pyongyang, cyber prowess is crucial source of revenue, political leverage
WASHINGTON—New U.S. sanctions against North Korean hackers
and revelations about North Korean malware show how Pyongyang’s cyber operations
have become a crucial revenue stream and a security threat that soon could
rival its weapons program, U.S. and industry officials say.
North Korea’s hacks of financial systems and critical
infrastructure world-wide reveal sophisticated cyber capabilities developed to
counter global sanctions and expand Pyongyang’s geopolitical power, according
to these officials.
The U.S. Treasury Department, in blacklisting the three
hacking groups allegedly run by North Korea’s primary intelligence service,
said Friday they collectively were responsible for operations across 10
countries, stealing hundreds of millions of dollars from banks and
cryptocurrency exchanges, pilfering military secrets, destabilizing
infrastructure and intimidating adversaries.
Attacks that cyber experts suspect were orchestrated by North Korea are becoming more frequent.
December 2014: Emails are stolen in attack on Sony Pictures Entertainment.
February 2016: $81 million is stolen from Bangladesh central bank.
September 2016: South Korean defense minister's personal computer is hacked for military intelligence.
May 2017: WannaCry ransomware attack infects more than 300,000 computers in 150 countries.
November 2017: Adobe Flash “zero-day” malware is embedded in Microsoft Office files in South Korea.
December 2017: Attacks on South Korean groups affiliated with the Winter Olympics.
December 2017: South Korea cryptocurrency exchange Youbit is hacked, causing company to declare bankruptcy.
January 2018: Tokyo-based Coincheck cryptocurrency exchange says about $530 million was stolen.
March 2018: Adobe Flash “zero-day” attack on Turkish financial institutions and government groups.
March 2019: $49 million stolen from an institution in Kuwait.
August 2019: United Nations investigators estimate North Korean cyber-heists total $2 billion.
Treasury says one collective, called Lazarus Group, and two
subsidiaries, known as Bluenoroff and Andariel, have stolen around $700 million in the last three
years and have attempted to steal nearly $2 billion.
U.S. security officials and cyber experts say those sums of
money likely underrepresent the amount of cash Pyongyang’s hackers have
secured. United Nations investigators last month tallied proceeds from all
reported operations, including those carried out by other North Korean hacking
groups, at $2 billion in recent years. Some thefts likely aren’t reported to
authorities for fear of embarrassment and exposure, a senior U.S. official said.
North Korean officials didn’t respond to a request for
comment but historically have denied accusations of engaging in malicious cyber
activity.
Treasury said it also has been working with the Department
of Homeland Security’s Cybersecurity and Infrastructure Security Agency, as
well as with the U.S. military’s Cyber Command in recent months to disclose
malware samples to private industry. Last week, under its North Korean
malicious cyberactivity rubric “Hidden Cobra,” the administration issued a public
alert about a new version of malware dubbed “ELECTRICFISH” that burrows into
victims’ computers to steal data.
Senior administration and industry officials say that many
reported, but not publicly disclosed, attacks on banks and other companies bear
hallmarks of North Korean involvement.
“Though these operations may fund the hackers themselves,
their sheer scale suggests that they are a financial lifeline for a regime that
has long depended on illicit activities to fund itself,” said John Hultquist,
director of intelligence analysis at the U.S. cybersecurity company FireEye
Inc.
Cyber Command ranks North Korea’s capabilities along with
China, Russia and Iran as top strategic threats to U.S. national security.
Underscoring the geopolitical leverage its hacking abilities
give Pyongyang, industry experts say North Korean leader Kim Jong Un’s
willingness to at least talk about denuclearization over the past year may be
from a belief that the country’s cyber arsenal can partially supplant its
weapons as a threat to other nations.
“North Korea’s cyber operations broaden the Kim family
regime’s toolkit for threatening the military, economic, and even the political
strength of its adversaries and enemies,” said Mathew Ha and David Maxwell,
North Korean experts at the Foundation for Defense of Democracies, a Washington
nonpartisan think tank, in a report.
With the U.N. and U.S. squeezing traditional high-value
revenue streams such as North Korean coal exports, the hacking operations
appear to be so lucrative for the cash-hungry regime that cybersecurity experts
say it is unlikely Pyongyang will be pressured through sanctions into
curtailing its malicious behavior.
U.S. officials say their investigations show that some of
the money from cyber-theft is channeled into Mr. Kim’s nuclear weapons and
ballistic-missile programs. Cyber-enabled heists also have become an essential
source of revenue keeping the regime in power and insulating the economy from
the global sanctions meant to force Pyongyang into giving up its weapons of
mass destruction, U.S. and U.N. officials say.
In addition, North Korea’s cyberattacks generate income in
ways that are harder to trace than many of its other illicit activities, U.N.
officials said in a report last month. The U.N. is investigating at least 35
reported North Korean cyberattacks across five continents targeting banks,
cryptocurrency exchanges and mining companies.
The Trump administration previously has blamed the Lazarus
Group for the WannaCry worm, which was unleashed in 2017, infecting more than
300,000 computers in more than 150 countries, crippling banks, hospitals and
other companies. The Justice Department last year charged a North Korean
operative, Park Jin Hyok,
and unnamed co-conspirators, tying them to the WannaCry worm, the 2014 hack on
Sony Pictures and the $81 million stolen from Bangladesh’s account at the
Federal Reserve Bank of New York in 2016.
It was only a typo in the Bangladesh heist that prevented
the hackers from stealing $851 million they planned to transfer, officials say.
Since the beginning of 2019 alone, North Korean agents have
attempted five major cyber-thefts world-wide, including a successful $49
million heist from an institution in Kuwait, according to the U.N.
U.N. investigators and members of a North Korean defectors
group in South Korea say the North’s hackers are carefully selected and groomed
at an early age by the military and secret services and given specialized
training.
North Korean cyber collectives often use a variety of
different schemes to generate revenue, as well as to lay the groundwork for
future hacks, according to experts on North Korea and cybersecurity.
U.S. intelligence, security companies and North Korea
watchers say that while they believe many of the freelance operations are
largely for revenue-generation purposes, they also represent a major threat
because of their infiltration of Western security systems.
They do so by working as software programmers who contract
their services through freelance platforms, concealing that they are North
Korean agents.
Many companies rely on the freelance software platforms
where “there’s no vetting process or validation to ensure you’re not working
with sanctioned entities,” said a top official at a private technology company
that sells its products to the U.S. government and other Western allies.
Write to Ian Talley at ian.talley@wsj.com and Dustin Volz
at dustin.volz@wsj.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.