North Korea’s Army of Hackers Has a New Target: Bank Accounts — “Operates Like Organized Crime”

Emphasis on finances represents a significant shift from Pyongyang’s prior patterns of attack

North Korean leader Kim Jong Un watches a military parade in Pyongyang. PHOTO: WONG MAYE-E/ASSOCIATED PRESS

July 27, 2017 12:05 a.m. ET

SEOUL—North Korea’s cyberarmy has splintered into multiple groups and is unleashing orchestrated attacks increasingly focused on funneling stolen funds to the secretive nation, according to a government-backed South Korean report released Thursday.

The emphasis on finances represents a significant shift from Pyongyang’s prior patterns of attack seeking to obtain military information, destabilize networks or intimidate. It also shows how North Korea’s fast-evolving—but costly—nuclear-missile program has accelerated its need for cash as it is subjected to financial sanctions.

Pyongyang has been blamed for major cyberattacks including 2014’s Sony Pictures Entertainment hack, last year’s daring cyberheist at Bangladesh’s central bank and this year’s WannaCry global ransomware attack.

Cybersecurity researchers have long suspected the hacking group Lazarus carried out those attacks with the backing of North Korea. Earlier this year, Russian cybersecurity firm Kaspersky Lab AO identified an offshoot of Lazarus, called BlueNoroff, which specializes in heists of foreign financial institutions.

In the new report, the government-funded Korea Financial Security Institute said it had identified a second group linked with Lazarus that has carried out a range of cyberattacks on South Korea. FSI researchers found eight attacks from 2013 to May conducted by this new hacking operative, which they call “Andariel,” and whose coding and internet-protocol address bear similarities to Lazarus attacks.

The efforts include even low-level scams such as planting malware in South Korean ATMs to steal bank-card information, according to the FSI report, the country’s first-ever public report on North Korean cyberattacks, with law enforcement and intelligence officials getting briefed on the findings. That is behavior more typical of an organized-crime ring.


 Kim Jong-un North Korea’s top leader, and his wife Ri Sol-ju in

North Korean operatives then sold the swiped data to people in Taiwan, China and Thailand who would try to withdraw money from ATMs in their own regions. But only several thousand dollars were withdrawn before South Korean law enforcement identified the ruse after six days.

“North Korea now cares more about making money than causing disruptions or cyberterrorism,” said Joon Kim, owner of Naru Security Inc., who has advised South Korean law enforcement on cyber issues.

South Koreans have a unique lens into North Korea’s cyberoffenses, as Pyongyang’s longest-running and most frequent target. South Korean government groups and agencies withstand 1.4 million hacking attempts a day, according to law-enforcement and intelligence officials.

The eight Andariel attacks shared similarities in hacking tools and encrypted codes. To access “web shells,” or servers used by hackers that allow them to control computers remotely, the Andariel group used one of two passwords: “iamboss” or “youaredied,” according to a person familiar with Andariel’s techniques.

Andariel has also recently teamed up with BlueNoroff to target a large South Korean financial institution, according to the FSI report. The institution wasn’t identified.

Korea Internet and Security Agency employees monitor possible ransomware cyberattacks. PHOTO: YUN DONG-JIN/ASSOCIATED PRESS

The report helps paint a fuller picture of how North Korea’s digital army has grown into a web of specialist teams.

“The problem is that it’s not just simple attacks anymore with North Korea. It’s more orchestrated now, as if it were a military operation,” said Kim Seung-joo, a Korea University professor who sits on a South Korean government cybersecurity advisory team.

The broader Lazarus group, discreet and meticulous in covering its tracks, has specialized in breaching computers or networks, foreign and South Korean cybersecurity experts said. BlueNoroff then follows up with the actual heists or data swipes with less regard for cloaking its moves.

Outside of South Korea, the Lazarus group has recently set its sights on casinos, financial-trade software firms—and even organized-crime rings, said Vitaly Kamluk, a global research and analysis director at Kaspersky Lab, who is focused on the Asia-Pacific region.

“It sounds like a perfect crime,” Mr. Kamluk said. “When you steal from a thief, nobody will go after you. Law-enforcement will focus on the criminal that stole the money in the first place.”

Lazarus and BlueNoroff in recent years have made attempts to breach financial companies or institutions in at least 18 countries, including Mexico, Norway and India, according to Kaspersky.

Write to Timothy W. Martin at







2 Responses to “North Korea’s Army of Hackers Has a New Target: Bank Accounts — “Operates Like Organized Crime””

  1. Brittius Says:

    Reblogged this on Brittius and commented:
    Criminal enterprise. State sanctioned by the NK government.

  2. daveyone1 Says:

    Reblogged this on World Peace Forum.
