Sanctions may be driving rather than discouraging North Korea’s financially-motivated cyber operations, analysts say.
North Korea-backed hackers have an elaborate network to launder money and are actively targeting banks across the world, according to a leading cyber security firm.
Sanctions against the isolated nation may also be driving an escalation in attempted cyber heists, senior intelligence analysts at FireEye said.
The firm was retained by the FBI to do malware analysis during the investigation into the North Korean government hacker Park Jin Hyok, and has been following the activities of the so-called Lazarus Group, a cyber crime group, for a number of years.
The pace of financially-motivated hacking activity from Pyongyang “probably reflects increasingly desperate efforts to steal funds to pursue state interests”, the company said.
Describing the “Lazarus Group” as an umbrella term, FireEye has now identified two distinct missions within North Korea’s cyber operations unit, with APT38 its codename for the financially-motivated attacks.
APT38’s operations began in February 2014, according to FireEye, “and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea’s access to international banking systems”.
North Korea has historically manufactured drugs, counterfeit currency and engaged in smuggling to keep its economy afloat, and FireEye describes the hacking as a similar form of activity.
As the regime’s intelligence apparatus is familiar with money laundering networks in Southeast Asia, financial institutions there were among the first targeted; however, APT38 is now operating on a global scale.
FireEye’s analysts described a complex network of mules who established fraudulent bank accounts in separate countries used to transfer funds, including through cryptocurrency exchanges – which are themselves an additional target for APT38.
The cyber bank heists occur when the hackers have access to banks’ internal networks, and have often targeted the SWIFT messaging networks which banks use to exchange instructions.
By initiating a fraudulent transaction through the SWIFT network, APT38 has previously sent millions from Bangladesh Bank to four accounts in the Philippines, and another in Sri Lanka.
Court documents in China have explained how the money was laundered through casinos in lavish gambling junkets, in which the gamblers played Baccarat and attempted to minimise both their wins and losses so that they could conceal the source of the cash they took home – or sent to Pyongyang.
FireEye’s term “APT” stands for advanced persistent threat and typically refers only to state-sponsored espionage and, at times, sabotage threats.
While many other countries invest heavily in cyber espionage apparatus, often to steal data from target networks, the end goal is rarely financially-motivated.
North Korea’s government is currently the only regime prepared to put considerable resources into cyber operations that will supplement its national budget.
Article by Alexander J Martin