North Korea is one of the least wired nations on Earth. It has two internet connections to the outside world, one crossing the Yalu River into China and the other plugging into Russia’s Far East.
Even with that, its internet traffic is scant.
“It’s infinitesimally small for a country,” said Doug Madory, director of analysis for the Oracle Internet Intelligence team, comparing the traffic to “a small corporate office.”
So an enigma of modern times is how North Korea has become a global hacking power, one that is destructive, intrusive, larcenous and surprisingly muscular. Its rise might be akin to a singer with little musical talent grabbing a Grammy. Or a blind basketball player routinely swishing three-pointers.
Even after North Korean hackers penetrated Sony Pictures Entertainment in 2014, they still got only grudging respect. In that attack on the Culver City, California, movie studio, North Korea sought to prevent the release of The Interview, a Seth Rogen satire that depicts a plot to kill North Korea’s supreme leader, Kim Jong Un.
Since then, North Korean hackers have chalked up one brazen attack after another, underscoring their rise as a cyber force. In early 2016, they plundered $81 million from the central bank of Bangladesh. They’ve besieged neighboring South Korea with attacks. They’ve hit targets in Vietnam, Poland and Mexico. They’ve looted bitcoin exchanges.
In May 2017, hackers unleashed the WannaCry attack that took down computers in 150 countries, using a cybertool that a top U.S. intelligence agency lost. More recently, hackers sought to intrude into the systems of U.S. electric utilities last September, and just last week Ontario accused North Korea of trying to hack a rail system around Toronto.
“They are more effective than we give them credit for,” said Priscilla Moriuchi, a former National Security Agency expert on cyber threats in East Asia who now is director of strategic threat development at Recorded Future, a Somerville, Massachusetts, cyber intelligence firm.
Other experts also warn against underestimating North Korean hackers.
“I do think there’s a general inclination to dismiss them. I think that’s to our detriment,” said Ross Rustici, senior director for intelligence research at Cybereason, a Boston cybersecurity company. “The people who follow them in the security industry have a lot of respect for what they’ve been able to pull off.”
Part of the problem is that it is nearly reflexive to shrug off a nation so isolated that it is known as the Hermit Kingdom, and so ill-lit that satellite images show a black patch at night.
“It’s like if the (Cleveland) Browns win the game, it’s because the other team screwed up rather than the Browns were actually good,” Rustici said. He added that North Koreans “have proven time and again that they are very, very capable.”
The story of how North Korea gained cyber mastery may begin at a high-rise hotel in Shenyang, China, and then meander to surprising locations in Africa, South Asia and other areas where North Korean hackers are thought to be operating, researchers say.
Unlike the freewheeling culture of Silicon Valley, where individuality is celebrated, North Korean hackers are forged by an all-seeing Leninist state, one piece of code at a time, experts say.
“They were able to develop what I would call a cyber training pipeline. It’s a very, kind of, Soviet system. They would identify kids with promise in math, or science and technology in middle school, send them to one or two particular middle schools, that filter into one or two universities,” Moriuchi said.
Moriuchi and other analysts believe Pyongyang’s Kim Il Sung University and Kim Chaek University of Technology cranked out hackers. Most students went on to a cyber operations unit, known as Bureau 121, in the Reconnaissance General Bureau, analysts said.
Initially, the most promising hackers were sent overseas, specifically to Shenyang, the largest city in northeast China and a one-hour bullet train ride from the North Korean border.
It was there, ensconced at the Chilbosan Hotel, a facility that is North Korea’s largest overseas investment, where early hackers practiced their skills. Shenyang has always been a hub of North Korean illicit activity, including trafficking in counterfeit products.
Over the years, the best hackers would fan out to other countries where North Koreans were permitted to live, Moriuchi said, sometimes associated with legitimate businesses like restaurants but also engaged in other activities. Seven countries known to have a physical presence of North Koreans, in addition to China, are India, Indonesia, Kenya, Malaysia, Mozambique, Nepal, and New Zealand. It is in those countries, perhaps behind legitimate businesses, that hackers may be operating.
Today, North Korea is believed to have “between 3,000 and 6,000 hackers trained in cyber operations,” says a report by the Congressional Research Service, titled North Korean Cyber Capabilities, dated Aug. 3.
Many of them are believed to be overseas. Successive U.S. administrations have sought to pressure allies to end trade and diplomatic relations with Pyongyang.
“Another element of that pitch should be: Don’t let them (resident North Koreans) work in IT. Don’t let them learn computer science,” said Anthony Ruggiero, a senior fellow at the Foundation For Defense of Democracies, a Washington think tank focused on national security.
One characteristic of North Korean hackers is an ability to design their own hacking tools, often modular in nature, and to comb the internet for any discovery of exploits that they can plug into their own malware.
“We’ve seen them using some unique malware, homegrown stuff that we haven’t seen used in any other attack,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro, a cybersecurity firm with headquarters in Tokyo.
“They continue to show a high level of acumen,” Nunnikhoven said.
Another researcher, Paul Rascagneres, of Cisco Talos, spoke highly of North Korean tradecraft: “They have the capability to perform espionage and destruction campaigns. They are able to create a really convincing decoy document.”
A wake-up call came in February 2016, when news emerged of attacks on banks in Bangladesh and Southeast Asia that reaped a windfall and may have helped Pyongyang withstand economic sanctions imposed to curb its nuclear and ballistic missile program.
The hackers surveilled the global banking system and mastered the arcane global messaging service known as SWIFT (Society for Worldwide Interbank Financial Telecommunication), which is used by 11,000 banks and companies and is the backbone of global money transfers, the congressional report says.
North Korean hackers spoofed requests from the Bangladesh central bank to the Federal Reserve Bank of New York to transfer money to accounts in the Philippines, ordering some $1 billion to be transferred. The New York bank rejected most of the requests, but $81 million got through — and vanished.
At the same time, the hackers peppered banks in other countries, including Poland, Vietnam and Mexico, with SWIFT demands for transfers.
As North Korea suffered under sanctions, its cyber units branched out toward what Hultquist called “smash-and-grab theft” to raise cash, including schemes to hack automatic teller machines, mostly in South Korea, and defraud cryptocurrency exchanges in London and Seoul.
Bitcoin exchanges have been hit repeatedly, beginning with the theft of $7 million in cryptocurrency from Bithumb in Seoul in February. Since then, hackers have stolen 7,000 bitcoin from Youbit, another South Korean exchange, then hit it again in December. In September, hackers stole an undisclosed amount from Coinis, and attempted thefts from another 10 exchanges in October.
Moriuchi, the forensic researcher, said she observed a bitcoin later getting spent.
“I was able to see one instance of someone, some North Korean leader, purchasing something with Bitcoin, an actual good or service. I couldn’t see what that was,” Moriuchi said.
It was in May last year that North Korea demonstrated its use of cyber for destruction — a brazen display of cyber strength that caused a measure of global disorder.
Barely six weeks earlier, the top-secret National Security Agency suffered a major embarrassment when a hacking group calling itself The Shadow Brokers released what appeared to be a toolkit of NSA offensive cyber weapons, including one called EternalBlue.
North Korean hackers are suspected of taking that sophisticated, self-propagating tool and embedding it in a ransomware strain called WannaCry, unleashing it on the world on May 12, 2017. Some 300,000 computers around the world saw their hard drives lock up.
In a statement of blame, White House homeland security adviser Thomas Bossert wrote in a Dec. 18 Wall Street Journal column that, “The attack was widespread and cost billions, and North Korea is directly responsible.”
The attacks in 2017 left researchers reassessing North Korea’s level of cyber threat.
In the cyber intelligence world, nations are ranked in tiers. Tier One includes countries that have a full scope of capabilities, from developing malware and training people to breaking into networks, interrupting supply chains and carrying out sophisticated attacks.
“There are a few countries, you know, up in the Tier One level — Russia, Israel (and) the United States,” Moriuchi said. “China bounces back and forth between Tier One and Tier Two but I would call it Tier One at this point.”
“North Korea is in that second tier, Tier Two. They have their own indigenous capability. They have the training pipeline. They develop all of their own malware. They acquire their infrastructure. They have a range of both destructive and successful espionage tools,” she said.
The Trump administration threatens a more vigorous response against foreign hackers. White House cyber coordinator Rob Joyce said Monday that the U.S. posture against hackers from other countries may increasingly be “shooting the archer rather than duck the arrows and block the arrows as they arrive at you.”
But North Korea is a difficult target. A cyberattack in retaliation would do little damage since the nation is largely unplugged. Other forms of retaliation will have to be devised.
Hultquist said the campaign to contain North Korean hackers might be compared to the difficulty of U.S. forces in Iraq in contending with roadside bombs, known as improvised explosive devices, or IEDs, triggered to explode near passing convoys.
The IEDs of the Middle East, he said, “allowed adversaries to do a lot of damage with very little investment.”
Timeline of major hacks blamed on North Korea
2013: Attacks labeled DarkSeoul hit television stations and a bank in the South Korean capital.
2014: Hackers hit Sony Pictures, sabotage network, later release internal emails. Hackers call themselves ‘Guardians of Peace’ and demand Sony block release of movie ridiculing North Korean leader.
Late 2015-early 2016: Hackers steal $81 million from Bangladesh central bank, hit banks in Poland, Vietnam and Philippines.
2017: A dozen or so attacks on cryptocurrency platforms take place in Seoul and London.
May 12, 2017: Massive WannaCry worm slams around 300,000 computers worldwide, causing over $1 billion in damage globally.
September 2017: North Korean hackers probe networks of U.S. electric utilities, FireEye says.
January 2018: Ontario blames North Korea for hacking its Metrolinx rail system but provides no conclusive evidence.