Published daily by the Lowy Institute

Daylight robbery: cyber escapades of North Korea

Everyone knows Pyongyang’s criminal hackers are hard at work – but what nobody knows is how to stop them.

Photo: Surian Soosay/Flickr

When a gang robs a bank, it’s a crime. When a nation launches an attack on another state’s territory, it’s an act of war. But what is it when a nation state robs another state’s banks, without ever setting foot on their soil?

This is the conundrum facing the international community as it struggles to address North Korea’s increasingly audacious and sophisticated cybercrimes. From relatively simple online gaming scams to multi-million-dollar thefts from financial institutions, cybercrime is an increasingly significant source of revenue for North Korea, undermining sanctions and shoring up Kim Jong-un’s regime. In recent years North Korea’s cyber operations have become more complex, more ambitious, and more creative. And while political leaders and policymakers are increasingly aware of the regime’s cyber capabilities, the problem is that there is no roadmap for how to respond.

Sanctions are not the answer. Far from deterring North Korea, it appears that sanctions may in fact be spurring the regime on to new and more innovative forms of cybercrime.

The more economically isolated North Korea becomes, the more dependent it is on criminal sources of revenue. The bulk of North Korea’s cybercrime takes place at a low level, such as online gaming scams. However, growing financial pressure as a result of sanctions has also been met with increasingly determined, sophisticated and audacious attacks on banks and financial institutions around the world.

In September, new research by cybersecurity company FireEye highlighted the existence of a specific unit within North Korea’s infamous Lazarus Group that appears to be almost entirely dedicated to carrying off modern-day bank heists, as opposed to conducting political or espionage operations.

This sub-group, which the researchers call APT38, first appeared after sanctions were imposed in 2013 to block North Korea’s access to international banking systems and bulk cash transfers. Each successive round of sanctions has been met by a matching escalation in the group’s operations. This includes the audacious theft of US$81 million from the Bangladesh Bank in 2016, $60 million from a Taiwanese bank in 2017, and $10 million from the Bank of Chile in 2018. A number of other robberies were foiled during the same period, and researchers suspect there may be many more that have yet to come to light. As Jacqueline O’Leary, a senior analyst with FireEye, told me:

We believe we may only be seeing the tip of the iceberg in regards to APT38 targeting. Due to the sensitive nature of these heists it is likely that some targeting has not been publicly reported.

One of the particularly disturbing things about APT38 is its willingness to intentionally wreck systems and infrastructure to cover its tracks. O’Leary explained:

Over time, we have observed APT38 incorporate additional destructive attacks alongside attempted heists in order to hinder later forensic investigation and provide cover for money laundering.

The destructive nature of APT38’s operations raises the risks of a geopolitical flashpoint. If, in the course of committing a robbery, APT38 deliberately or inadvertently crippled a significant part of another nation’s financial system, what began as criminals covering their tracks might instead be interpreted as an act of war. A conflict which begins in the virtual world could quickly become all too real.

Photo: Getty

Along with traditional financial institutions, cryptocurrency exchanges have also become a major target. The lack of regulation has created a situation which could hardly be more ideal for North Korean hackers: huge stores of value, held solely online in exchanges that are not subject to the security requirements of traditional financial institutions, which can be moved in ways that make it extremely difficult to determine where exactly the funds end up. The volatile exchange rates for cryptocurrencies make valuations difficult, but security firm Recorded Future believes North Korea could have stolen anywhere from tens to hundreds of millions of dollars this way.

Best of all, even when North Korea hits a cryptocurrency hub and makes off with millions, in many jurisdictions it is not necessarily clear who, if anyone, is responsible for trying to stop them.

Diplomatic efforts have had no apparent effect in slowing North Korea’s cyber operations. During the Pyeongchang Olympics, even as North Korean athletes competed alongside their South Korean counterparts, researchers observed attacks on South Korean cryptocurrency exchanges. The attackers even used the Olympics as a lure to target organisations with malware.

Likewise, the mercurial relationship between Donald Trump and Kim Jong-un appears to have had little impact on North Korean cyberattacks. Since the June summit between the two leaders, APT38’s operations have continued unabated. According to Jacqueline O’Leary:

We are aware of suspected APT38 activity currently and believe APT38 operations will continue in the future undeterred by diplomatic efforts.

The recent criminal indictment in the US against alleged North Korean government hacker Park Jin Hyok represents a new tactic in the efforts to curb the regime’s cybercrime. It remains to be seen how successful this will be. Early indications are not positive: North Korea has responded by denying not just its role in the hacks Park is accused of, but Park’s very existence.

The problem of policing North Korea online combines the complexities of combating cybercrime with all of the political, military, and economic challenges of managing a rogue state. How do you respond to an attack which is not quite an act of war, not solely espionage, and not just a crime, and could be routed through a dozen jurisdictions at once?

Whatever the solution might be, the international community needs to find it fast. North Korea may be the most brazen, but it is far from the only state showing a willingness to dabble in cybercrime. How the world responds – or fails to respond – to North Korea’s criminal escapades online could set the tone for international diplomacy and security in cyberspace for many years to come.
