North Korea has generated an estimated $2 billion for its weapons programme through the state-sponsored looting of financial institutions and cryptocurrency exchanges, according to a confidential UN report seen by Reuters.
A previous UN report, released in March this year, cited the case of Park Jin Hyok, who was charged by the US over a string of high-profile cyberattacks, including the $81 million Bangladesh Bank hack. He is accused of working as part of the North Korean government-sponsored hacking team known as the ‘Lazarus Group’.
The group is linked to the 2017 WannaCry 2.0 global ransomware attack, the 2016 Bangladesh Bank theft and the 2014 attack on Sony Pictures Entertainment, among others.
The report also cites two 2018 bank attacks that, like the Bangladesh Bank incident, abused the Swift messaging system: a $10 million theft from Banco de Chile and a $13.5 million ATM cashout hit on Cosmos Bank in India.
Traditional financial institutions are not the only targets of the North Korean hackers, says the UN panel, which documents at least five successful attacks against cryptocurrency exchanges in Asia between January 2017 and September 2018, with losses totalling $571 million.
The latest news comes as UK cybersecurity specialist Barac unveils details of how, in May 2019, it identified a sophisticated cyberattack targeting a major African-headquartered financial institution.
African bank targeted by North Korean hackers
By the time the attack was identified, the hackers had already infiltrated the bank’s infrastructure and begun making a small number of low-value transactions to banks located in Bulgaria.
Parts of the attack’s traffic were encrypted in an attempt to evade detection, and the certificates underpinning that encrypted traffic were signed in North Korea. On its own, the signing origin of a certificate is an attribution indicator rather than proof, since certificate fields can be forged or copied, so it is weighed alongside the other evidence.
Upon investigation, the bank found that malware had infected a number of endpoints at its headquarters, and that a small number of identical, low-value transactions had been sent, via the Swift payment infrastructure, to other banks in Bulgaria. These small payments are believed to have been test runs of the attack’s exfiltration mechanism, with the hackers expected to attempt the extraction of larger amounts at a later date.
“This was an extremely sophisticated, multi-faceted, and diligently-planned attack on a high-value target, which contained some very clear indications of North Korean involvement,” says Omar Yaacoubi, founder and CEO of Barac.
“The hackers were using encryption in a particularly clever way. Knowing that the bank would, quite rightly, decrypt all of the data leaving its organisation, they buried their ‘command and control’ calls home in these traffic flows, in the hope that they would evade detection.
“Unfortunately for them, it didn’t work, and by identifying this suspicious traffic, the whole plot was blown wide open before any major harm could be done to the bank or its customers.”
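The detection technique described above, as an added example that is not Barac’s code nor the bank’s: a Python script that flags encrypted egress flows using only metadata visible without decrypting the traffic, namely the country in the server certificate presented during the TLS handshake (the page reports certificates signed in North Korea) and the timing regularity of connections from each host to each destination, which is what makes a command-and-control beacon hidden among ordinary TLS traffic stand out. The flow records, host names, TEST-NET addresses, field names and alert thresholds are constructed assumptions for this example.

```python
"""Added example (not code from Barac or the bank): flag encrypted egress flows that
look like command-and-control beacons, using only metadata visible without decrypting
the traffic. Two signals are combined:

  1. the country (C=) in the server certificate presented in the TLS handshake, matched
     against a watch-list; the article reports certificates signed in North Korea (KP);
  2. the regularity of connection timing per (source host, destination) pair: malware
     beacons at a fixed interval, while user-driven traffic is bursty.

All flow records below are constructed; hosts, TEST-NET addresses (RFC 5737) and field
names are assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev


def flow(ts, src, dst, dport, cert_country):
    """One TLS connection as a metadata-only record (no payload needed)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "cert_country": cert_country}


T0 = 1558000000  # constructed base time (May 2019)
FLOWS = [
    # hq-ws-17: connects every 300 s to a server whose certificate says C=KP -> beacon
    *[flow(T0 + i * 300, "hq-ws-17", "203.0.113.10", 443, "KP") for i in range(6)],
    # hq-ws-22: jittered 60 s beacon to a server with an unremarkable certificate country
    *[flow(T0 + t, "hq-ws-22", "192.0.2.44", 443, "GB") for t in (100, 160, 221, 279, 340)],
    # hq-ws-09: human-driven browsing, irregular gaps, ordinary certificate
    *[flow(T0 + t, "hq-ws-09", "198.51.100.5", 443, "US") for t in (10, 57, 957, 2257, 2300)],
    # hq-ws-03: a single connection to the KP-certificate server; too few samples for
    # timing analysis, but the certificate alone is worth an alert
    flow(T0 + 42, "hq-ws-03", "203.0.113.10", 443, "KP"),
]


def inter_arrival_cv(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between consecutive
    connections. Near 0 means a fixed-interval beacon. Returns None with fewer than
    three connections, because a single gap says nothing about regularity."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_suspicious(flows, watch_countries=frozenset({"KP"}), min_connections=4, max_cv=0.2):
    """Group flows per (src, dst, port) and return the pairs that fired, with reasons."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = []
    for (src, dst, dport), fs in sorted(groups.items()):
        reasons = []
        hits = {f["cert_country"] for f in fs} & watch_countries
        if hits:
            reasons.append("certificate country on watch-list: " + ",".join(sorted(hits)))
        cv = inter_arrival_cv([f["ts"] for f in fs])
        if len(fs) >= min_connections and cv is not None and cv <= max_cv:
            reasons.append(f"periodic beacon: {len(fs)} connections, interval jitter {cv:.2f}")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(fs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['connections']} conns): "
              + "; ".join(hit["reasons"]))
```

Run as-is, the script reports hq-ws-17 on both signals, hq-ws-22 on timing alone and hq-ws-03 on the certificate alone, while the browsing host hq-ws-09 stays quiet. One caveat on the certificate signal: in TLS 1.2 the server certificate crosses the wire in the clear, so the C= field can be read passively, but TLS 1.3 encrypts it, so that field has to come from a TLS-terminating proxy (or be replaced by indicators such as the SNI name); the timing signal works in either case.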