In 2016, the tech world started to notice that certain players, believed to be North Koreans, were using advanced intrusion methods to carry out cybercrime targeted at the global financial system and major banks. This was a clear departure from North Korea’s previous tactics, which used cyber espionage to carry out traditional hacking activity against other nations’ governments. However, since North Korea is considered to be a pariah state that is isolated from much of the world’s financial institutions – in addition to being a country that has a government bureau dedicated to illegal economic activities – this new development was not very surprising. With the tight control that the country has on its intelligence and military organs, it is likely that these activities are conducted to fund the personal coffers of the elite in Pyongyang, due to the sanctions that have placed severe financial restrictions on the Hermit Kingdom.
It is now possible that we could see a second wave of the campaign – a state-sponsored effort that seeks to steal virtual currencies, such as Bitcoin, in order to evade sanctions and obtain money to fund the North Korean regime. Since May 2017, actors believed to be from North Korea have actively targeted at least three cryptocurrency exchanges in South Korea, looking to steal funds. In these cases of ‘spearphishing,’ the personal email accounts of digital currency exchange employees were targeted, often with tax-themed lures as well as malware. The attacks have been linked to North Korean hackers who are suspected to have been responsible for the intrusions into global banks back in 2016.
The Origin of North Korea’s Interest In Bitcoin
As the price of the digital currency Bitcoin climbed through a period of meteoric growth, a plum job post began to circulate online: the position of Chief Financial Officer at a leading cryptocurrency services company based in London. While the company itself is real, the job posting was dreamed up by hackers in North Korea, according to a report published by a cybersecurity firm known as Secureworks Inc. The company discovered a document containing details of the fake job post in November. The document was intended to be circulated via email to people involved in the Bitcoin industry. Whenever someone clicked on the document, they would receive a prompt that it had been created using a later version of Microsoft Word, adding that the user should ‘enable content’ and ‘enable editing.’ If the user did this, the file would install malicious code on their computer. Although most tech-savvy people would know better than to carry out these instructions, such an attack can pay off if it manages to fool a few distracted users.
There are many things that the hackers could have been after, but the most likely target is believed to be corporate or personal stashes of cryptocurrencies, including Bitcoin. For a rogue regime like North Korea, the emergence of cryptocurrencies offers new possibilities to raise revenue while getting around the stringent sanctions it has been placed under. The price of Bitcoin has risen from under $1,000 by the close of 2016 to over $17,000 today, with the additional benefit that large amounts of the currency can be moved anonymously across geographical borders. According to Joshua Chung of Secureworks’ counter-threat division, which is responsible for identifying new computer vulnerabilities and cyber attacks, Bitcoin provides the ‘perfect mechanism’ for North Korea to make money.
Secureworks tracked the document hack back to about June 2016, when its researchers started to see it being used against people involved in the energy industry. Some of the code used to create the Bitcoin job hack has been linked to the Lazarus Group, a North Korean outfit which was responsible for hacking into the computer systems of Sony Pictures in 2014, stealing $81 million from Bangladesh’s central bank in 2016 and letting the WannaCry worm loose on the internet in May. WannaCry worked by locking up computers and demanding payment in Bitcoin before the infected computers were freed.
The Perfect Way to Hide North Korea’s Money
The North Korean interest in Bitcoin dates back to around 2013, when the team at Secureworks noticed a lot of activity from the country’s internet addresses carrying out research on the cryptocurrency and on Bitcoin startups in underground internet forums. Chung guesses that the North Koreans wanted to find out just how Bitcoin worked and how it could be converted into fiat currency. Although the country’s hackers usually cover their tracks through the use of proxy servers, which are intermediate systems that hide the origin of internet traffic, the proxies failed on this occasion, revealing an address that had been used in previous attacks.
The theft of funds from Bangladesh’s central bank proves that the North Koreans are capable of stealing Bitcoin if they gain access to a company’s computer systems. A senior researcher at Secureworks says that Pyongyang has repeatedly demonstrated its effectiveness at turning initial access from an intrusion into an in-depth understanding of a network. North Korean hackers are also adept at figuring out business processes that can be used to achieve their aims.
South Korea, which often bears the brunt of the North’s cybercrime activities, also boasts one of the most vibrant Bitcoin markets in the world. North Korea’s hackers have already managed to compromise a number of Bitcoin exchanges there and successfully made away with funds in at least one case. FireEye Inc.’s Luke McNamara says that North Korea has some of the most entrepreneurial hackers in the world, and that they are not limited to just stealing Bitcoin. He believes that they may also be actively mining the currency, which means that they are involved in the computational processes that verify blockchain transactions, with the system rewarding them with new bitcoins.
Most of this is theory developed from tiny clues, the standard method of cyberthreat research. Among the few people who have direct knowledge of Bitcoin operations in North Korea is Federico Tenga, who is co-founder of a firm that develops Bitcoin management systems for various organizations. Federico spent a week in Pyongyang in November, delivering lectures on Bitcoin technology to university students. They seemed especially impressed by photographs that he showed them of Bitcoin mining. He believes that the regime still has a long way to go if it plans to use Bitcoin technology to get around sanctions or put cryptocurrency to any practical use.
The Bottom Line
With Bitcoin and other cryptocurrencies continuing to increase in value, many nation states are starting to take notice. In fact, an advisor to Russian President Putin recently announced that the country has plans to raise funds which will be used to increase its share of Bitcoin mining. In addition, Australia’s parliament has proposed that the country develop its own cryptocurrency. For this reason, it comes as no surprise that this emerging asset class has become an area of interest for a regime that is, in many ways, run like a criminal enterprise.