Following an $81 million heist of the central bank of Bangladesh 14 months ago, suspicions slowly fell on North Korea.
That suspicion has since escalated into a confident assessment by some of the world’s leading cybersecurity firms that North Korean hackers not only hit Bangladesh but also are targeting dozens of banks worldwide in a sustained attempt at global digital robbery.
An informal alliance of cyber forensics groups in the United States and Europe has dubbed the North Korean hacking group “Lazarus.” In addition to banks, the cybersecurity firms say the group has its sights set on casinos and trading firms dealing in digital currency.
“The scale of the Lazarus operations is shocking,” concluded a 58-page report this week by Kaspersky Lab, a Moscow-based firm that is a global giant in cybersecurity and virus protection.
The report does not single out North Korea’s government as being responsible for the attacks, but very little goes on in that country without regime leaders knowing about it, and it’s unlikely an operation the size of Lazarus would not have official endorsement.
Kaspersky Lab’s report, “Lazarus Under the Hood,” says its forensic specialists had detected malicious code, known to be deployed only by North Korea, on the networks of banks and other businesses in 18 countries “in the last couple of years.”
In at least one case, the report says, a server that had been hijacked by Lazarus hackers pinged back to a server in North Korea.
Kaspersky is far from alone in its assessment. Symantec, a Mountain View, California, powerhouse in security software, issued a statement March 15 saying that multiple pieces of Lazarus malware had turned up in sustained attacks on banks in Poland that began last October.
Symantec said it had come across a target list by Lazarus hackers that indicated they were seeking to break into 104 entities in 31 countries, including more than 15 targets in the United States.
“It’s one thing to go after a bank in Bangladesh. It’s another thing to go after a big U.S. bank,” said Eric Chien, director of Symantec Security Response and a renowned cyber sleuth who helped uncover the Stuxnet offensive cyberattack on Iran’s nuclear program late in the last decade. That attack, which is believed to have been designed by Israel and the United States, caused thousands of Iranian centrifuges to spin out of control and shatter.
Experts like Chien have been studying North Korean computer code since the 2014 hack of Sony Pictures, when a group calling itself Guardians of Peace demanded that Sony pull a comedy about a plot to assassinate North Korean leader Kim Jong Un from theaters. In anger, the group disclosed embarrassing internal Sony emails. The FBI blamed North Korea.
“When they made the attack on Sony, it reminded us of how kids operated in the 1990s,” Chien said of the hacking technique. “Their code, and the way they wrote it, it was very clear that they weren’t drawing on prior art. It seemed like their code was written in a vacuum.”
North Korea, a nation so isolated it is known as the Hermit Kingdom, tightly controls access to the internet and blocks most foreign websites.
The Kaspersky report says it believes North Korea created Lazarus in 2009 and that the country is climbing fast into the ranks of nations with significant cyber capabilities.
“We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations, while a substantially smaller unit within the group, which we have dubbed Bluenoroff, is responsible for financial profit,” the report says.
Kaspersky said its forensic experts had collected at least 150 samples of malicious code deployed by the hackers. The Kaspersky experts sat as observers on networks for an unnamed Southeast Asian bank and a European institution that were under attack by Lazarus.
The digital heist of the Bangladesh central bank was supposed to be much larger than the $81 million the thieves managed to steal and move to casinos in the Philippines, then on to unknown locations. Hackers ordered money transfers from Bangladesh totaling $951 million, but the U.S. banking system rejected most of the orders, thwarting the heist.
Lazarus Group hackers started looking elsewhere around the globe once defenders foiled their thefts in South and Southeast Asia, the report says.
By October 2016, the hackers had a foothold in the server of the Polish Financial Supervision Authority, the nation’s regulatory body. There, they installed what experts call a “watering hole,” a compromised website that allowed them to infect any visitor, just as an African lion can wait by a watering hole for a gazelle or other prey to visit.
From Poland, the hackers “rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey,” the report says.
Among the countries where the hackers set up watering holes, it says, are Mexico, Uruguay, Peru, India, Nigeria, Australia, Russia and Norway. Other types of malicious code associated with Lazarus were found in Costa Rica, Brazil, Chile, Gabon, Kenya, Ethiopia, Malaysia, Vietnam, Thailand and Iraq.
Banks in those countries haven’t publicly reported illegal transfers.
Chien, the Symantec expert, said Lazarus Group hackers had extended their operations.
“We can tell you that their command and control servers were all over the world,” Chien said, adding that Lazarus malware remained embedded in financial networks and hackers awaited the chance to transfer funds.
“This is the first time we’ve seen a nation-state stealing a lot of money,” Chien said.
Cybersecurity firms in addition to Symantec and Kaspersky that have analyzed Lazarus malware include Novetta, a McLean, Virginia, analytics company; Anomali Labs of Redwood City, California; and BAE Systems of Farnborough, England.