The North Koreans are using everything from ransomware, which lets hackers seize control of a business's important systems and then demand payment in exchange for getting out, to outright electronic bank heists.
FBI cyber investigators have identified the North Korean hackers behind a 2016 cyberattack on Bangladesh’s central bank. The North Koreans infiltrated Bangladesh Bank’s systems with hopes of stealing as much as $1 billion from accounts held at the New York Federal Reserve, FBI investigators found. The hackers got away with $81 million before the bank transfers were stopped.
John Demers, assistant attorney general for national security at the Justice Department, says the North Koreans have quickly become a major cyber threat in recent years alongside Iran, China and Russia. But unlike the other countries, which focus more on intelligence operations, the North Koreans focus their energy on cash, he said.
“Straight up cyber bank theft — that’s a significant piece of what they do in cyberspace,” Demers said in an exclusive interview with CNN.
US prosecutors first noticed the sophistication of the North Koreans in the 2014 hack of Sony Pictures Entertainment, in which hackers broke into the company’s systems and began releasing embarrassing internal emails and documents in retaliation for a Sony movie satirizing North Korean leaders.
Since then, the increasing effectiveness of sanctions has prompted the North Koreans to turn to cybercrime to steal money.
Anthony Ferrante, a former FBI and White House cybersecurity official, says that in just a few years the North Korean intelligence services have grown capable of stealing large sums through sophisticated methods.
“The North Koreans have quickly become the world’s most advanced and persistent digital bank robbers,” says Ferrante, now head of cybersecurity at FTI Consulting and a CNN analyst. “It’s clear that global economic penalties are working and have forced the North Koreans to turn to alternative approaches to create revenue.”
The Bangladesh Bank case shows that the North Korean hackers know to target institutions they believe might have less advanced cyber protections even for small sums of money, US officials say.
“They just need money,” Demers said. “They need hard currency. That’s a good way to get it, and then if you’re going to choose among the banks you’re not going to start with the largest, most sophisticated bank with the most sophisticated cyber defenses, you’re going to look around and see maybe who you think might be more vulnerable.”
The North Koreans have denied their connection to the 2014 Sony hack. In 2018, after an indictment against computer programmer Park Jin Hyok was unsealed, an official from the North Korean Ministry of Foreign Affairs wrote in the country’s state news agency that Park was “a non-existent entity.” He further called the indictment “none other than a vicious slander and another smear campaign full of falsehood and fabrication designed to undermine” North Korea.
The Justice Department is using criminal charges to try to thwart the North Koreans — even if there’s little likelihood of arresting the hackers responsible.
In the indictment brought against the computer programmer in June, the Justice Department attributed the Bangladesh Bank heist to hackers backed by Pyongyang and detailed the scheme, which officials called the largest successful cyber-theft from a financial institution to date.
According to the federal court filings, North Korean hackers posed as job-seekers and sent simple spear-phishing emails to bank employees with links containing malware that allowed them to gain entry to bank systems.
Once inside the bank’s computer network, the hackers allegedly gained access to an inter-bank communication system and requested the Federal Reserve Bank of New York to transfer the bank’s funds to accounts in separate institutions controlled by the North Koreans.
North Korean hackers have used the same techniques in cyberattacks on banks across South America, Asia and Africa, according to the Justice Department and private-sector cybersecurity firms tracking malicious activity.
In another scheme in 2017, North Korean hackers orchestrated a series of WannaCry 2.0 ransomware attacks that infected computer systems around the world, including those of the British National Health Service, the US, Australia and the United Kingdom announced in December 2017.
Despite the US law enforcement actions, the North Korean government has continued its use of cyberattacks to raise cash, officials say.
In an October report, FireEye, a US cybersecurity firm, described the high skill level of the North Korean hacking group, saying they “operate more similarly to an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems.”