North Korea’s Hacking Army

Lizzie O’Leary: I wonder if I can get you to play translator for me with the Treasury Department?

Speaker 2: Sure. I’ll try my best.

Lizzie O’Leary: That’s Jason Bartlett. He’s an expert in international sanctions policy. Among other things, he studies North Korea. So he was the perfect person to help understand this statement from the Treasury Department from early May. It says they sanctioned virtual currency mixer Blender (not a bio blender), which is used by the Democratic People’s Republic of Korea, a.k.a. North Korea, to support its malicious cyber activities and money laundering of stolen virtual currency. I wonder, as an expert on all of this, if you could put that into plain English for me. What does that mean?

Speaker 2: It was a very significant measure by Treasury because it was the first ever designation of a cryptocurrency mixer. And why that matters is that for the past year and a half, the Biden administration has really tried to wrap its head around cryptocurrency and how it is potentially used to finance bad activity.

Lizzie O’Leary: And if you use crypto to finance shady things like terrorism or nuclear weapons, you don’t want a digital trail. And that’s where a mixer comes in. Think of it as a technology where you put in one kind of crypto and another kind comes out.

Speaker 2: So some mixers have different functions. Some allow you to put in Bitcoin. It can come out of Syria or other times they allow you to switch around the addresses. So it’s really hard to tell who is putting the crypto, when, where and why and how it’s coming out.

Lizzie O’Leary: If that sounds to you like a great way to launder money, you’re not alone. North Korea thinks so too.

Speaker 2: Unfortunately, usually by the time that law enforcement is able to attribute a hack to North Korea, the hack already happened either a couple of days or a couple of weeks ago or even a couple of months ago. So it’s very hard to try to get that money back, really find out where it went.

Lizzie O’Leary: Sanctioning a mixer, Jason says, is a signal that the U.S. may finally be upping its game against North Korea’s hacking army. Today on the show, how North Korea got so good at crypto hacking and whether the international community can stop them. I’m Lizzie O’Leary and you’re listening to What Next: TBD, a show about technology, power, and how the future will be determined. Stick with us.

Lizzie O’Leary: It’s hard to know exactly how much money North Korean hackers have stolen in cryptocurrency. But one recent report estimated that they got about $400 million in 2021 alone. By some estimates, money from cybercrime makes up about 8% of the country’s economy. Jason Bartlett says that this kind of cybercrime prowess long predates even the famous Sony hack in 2014. He traces its origins back to the 1980s.

Speaker 2: Specifically 1986. That is when, under Kim Jong Il, so the current North Korean leader Kim Jong Un’s father, created, or allegedly he created, it could have just been the government in general, they like to kind of associate everything to the leader, an institution called Medium College. Some people call it Medium University, and it’s Medium to high school, which was essentially a training school for hackers. And it started from the resources that we’re able to see in the late eighties, early nineties. And the point was to kind of weaponize North Korea’s growing computer science education programs into a way to steal money for the North Korean regime. And this is way before cryptocurrency, way before cyber really became even close to what it is now. But we start to see some form of emphasis on cybercrime in the late eighties, and that evolved throughout the nineties.

Lizzie O’Leary: To steal money because they were under sanction by the international community. And this was a way to get around that.

Speaker 2: So during the late eighties, financial crime was not nearly at the rate that it currently is in terms of it coming from North Korea. For the first several years of North Korea’s cyber development after the late eighties, it focused mainly on political targets. A lot of South Korean government agencies, government websites, the military. Lots of defacement of the Blue House website, which is basically South Korea’s White House. And it was mainly politically motivated towards South Korea.

Speaker 2: But what we saw in around 2014, 2016, was a major shift in North Korea’s M.O. and they started to target financial institutions. And in two caveats for that, that was around the time that U.S. and U.N. sanctions on North Korea really started to get more teeth. There were new sanctions programs that were enhanced sanctions programs. And that was also the time that cryptocurrency came around and really started to be adopted, especially in 2016. And that’s when North Korea decided to supposedly focus most of its cyber bandwidth on stealing funds, as opposed to really only targeting government agencies.

Lizzie O’Leary: Even though it’s difficult to link thefts to specific transactions, like this missile program or that chemical, Jason says most experts who follow North Korean crypto hacking think the money is likely going toward the country’s nuclear program. I think a lot of Americans who maybe only pay a glancing attention to this might have registered this for the first time in 2014, during the Sony Pictures hack. They leaked embarrassing things. They threatened to, you know, commit acts of terrorism unless Sony pulled this movie, The Interview, a comedy about James Franco and Seth Rogen assassinating Kim Jong Un.

Speaker 2: Hello, North Korea. Wow. What side?

Lizzie O’Leary: How critical a moment was this in the history and evolution of North Korean hacking?

Speaker 2: I think it was equally critical in North Korea’s evolution of hacking as it was in the US’s understanding of North Korea’s capabilities to do that. During that time, we also saw a massive focus of more attention on cybercrime in general, not just North Korea. And that was the creation of the first cyber sanctions program, which was after the Sony Pictures attack in 2014. We didn’t have a cyber sanctions program before then. So I think that was a wakeup call for the US government. I think that was also a call for North Korea to realize that it can conduct these attacks and can hack the United States. Being able to target and successfully hack the United States and try to embarrass the United States definitely plays to domestic propaganda in the sense of empowerment for the regime.

Lizzie O’Leary: I’m curious if you could describe, like, who is behind all of this? You mentioned the early hacker training. But who’s doing this work?

Speaker 2: So what we call them is the Lazarus Group. So that’s the umbrella term for all of North Korean hackers. Allegedly, there are many separate subunits within the larger group that focus on different sectors, some financial, some more military base, some government base. And it’s hard to really figure out exactly how the larger group is organized, but that’s the general umbrella and that is directly under the RGV.

Speaker 2: So North Korea’s primary intelligence agency and it’s directly linked to their intelligence apparatus. So they’re very highly funded by the North Korean regime. They’re trained by the North Korean government, North Korea’s many domestic education training programs. So the one I previously mentioned, medium back or medium college, is one of them. But we know very little about that training program for intentional reasons. They don’t want us to know much about it, but they also have many computer science programs, master’s programs, bachelor’s programs that are offered at leading North Korean universities. And clearly, they must have very high quality if they’re still able to conduct these type of attacks.

Lizzie O’Leary: I feel like there’s this really interesting tension here where North Korea is obviously an isolated country. And as you wrote in one of your papers, the U.S. seems to have sort of underestimated their cyber capabilities, maybe because of that. How did they get so good at hacking?

Speaker 2: I still think that China and Russia tend to dominate the cybersecurity field because their attacks tend to focus on espionage, stealing information, stealing government secrets, military secrets in terms of the U.S. whereas if we’re looking internationally, North Korea presents a major threat in the cyber world to South Korea because they target their banks just as much as they’re targeting the government.

Lizzie O’Leary: Jason says one way North Korea got so good at hacking is by drilling its people over and over again for years and then by training them to look for human weakness.

Speaker 2: Essentially tricking people through socials. So that can be emails, Twitter, LinkedIn, Facebook, where they pretend to be someone that they’re not. They have some type of infected link or file that they trick you into downloading. And even if a company has 100 very cyber hygienic employees, and if 99% of them don’t click on a bad link but one does, then that’s it. It can be compromised. It only takes one person. So North Korea is successful at this because they rely on human error, and the majority of North Korean cyber attacks or cyber intrusions that we’re able to track show that they use social engineering as their main way of getting into the targeted network.

Lizzie O’Leary: That’s something Jason saw when he analyzed three big hacks on cryptocurrency exchanges over the past few years. Exchanges are the central platforms where people buy and sell cryptocurrency. That makes them an appealing target for hackers.

Speaker 2: So the majority of these attacks started with a phishing email. We did see an increase in sophistication. We saw one email where they didn’t just create a very legitimate looking signature, but they also created a fake website and fake social media accounts for the people that were allegedly working at that company. Even if you were to do your due diligence and try to Google them or Facebook stalk them, they would come up as seemingly legitimate people.

Speaker 2: Something else that we saw within the actual laundering after the hack is that North Korea seemed to focus more on speed than obfuscation. So by obfuscation, I mean hiding their tracks. So typically when a hacker wants to steal money, they never want to be found. So they use many different techniques to hide their addresses or the origin of where the funds are going. There’s many different techniques and tactics they could use to make it hard to figure out who is who.

Speaker 2: When did this happen? How did this happen? Where is it going? North Korea seems to put just enough energy and resources into having that hidden trail long enough for the money to then go into their hands or go into a jurisdiction that maybe doesn’t comply with general or standard legal laws in terms of laundering. And then they don’t really care about attribution afterwards, because even if we find out it’s North Korea weeks later, it’s weeks later. So the money is gone. Whether it’s all of the 600 million, we don’t know, but it’s gone. And for a country like North Korea, even a small amount of that is beneficial. And something else about that is the attribution factor, that even if we’re able to prove it’s North Korea at an early time, chances are we’re not going to be able to ever charge them. There’s been very limited cases of the U.S. or other countries being able to extradite North Korean hackers or criminals to charge them for their crimes.

Lizzie O’Leary: I want to break this down in as accessible language as possible, because I think it’s confusing to people. It’s confusing to me, and I have some familiarity with crypto. When you hack a cryptocurrency exchange, what exactly are you doing and how are they getting the money? Because people tend to hold their crypto in a so-called crypto wallet, right, that tells them how much they’ve got. So what’s a hacker going after?

Speaker 2: So that’s a very important distinction. They’re not hacking cryptocurrency itself. I think there’s a lot of language. Some people talk about crypto hacks and they’re hacking crypto. They’re not necessarily hacking cryptocurrency itself. It’s the exchange, especially in the case of North Korea. And this tends to be through email phishing campaigns. And what this malware that North Korea puts out tends to be are Trojans, or these kind of backdoor viruses that then allow them to take control of a device or a network system. And when they do that, then they can go in and they can find the private keys that can give them access to these crypto wallets. And then that’s how they could steal the funds from there.

Speaker 2: So they’re mainly targeting the cryptocurrency exchange, not the individuals. Because if you target the individual, then you only have access to that person’s. If you have the keys, then you only have access to that person’s wallet, not someone else’s. But if you target the exchange as a whole and you’re able to compromise and control the entire network, and if you’re able to get the keys, then you know that the world is yours, essentially.

Lizzie O’Leary: Have these exchanges admitted they’ve been hacked?

Speaker 2: Not all of them. And I think that’s one of the major issues here, is we only know, and not just for North Korea, but we only know hacks that are disclosed or discovered.

Lizzie O’Leary: Perhaps the most well-known case is the so-called Ronin Hack. That’s the name of the network on which the game Axie Infinity is played. Hackers breached the network and stole roughly $625 million in cryptocurrency. It’s the first time North Korea has hacked a play to earn crypto game, at least that we know of.

Speaker 2: A lot of cryptocurrency exchanges don’t publicly announce when they’re hacked. And I think there’s several reasons. One might be reputation, even though being dishonest to your customers is arguably another form of damaging your reputation. But that’s one: they don’t want to bring the negative attention. They want to deal with it themselves. They don’t want to have the interference from law enforcement sometimes. They generally don’t know that they were hacked, although I kind of take that with a grain of salt. It’s obviously never easy for any institution, traditional or not, so whether it’s a bank or cryptocurrency exchange, to tell, you know, possibly hundreds, thousands or millions of users that they were hacked. But it should be a requirement. So that’s one reason that makes it pretty difficult to really not just attribute these hacks to North Korea, but try to stop them, if there’s not this close level of communication.

Lizzie O’Leary: Do you see any irony here that crypto enthusiasts who talk about blockchain technology talk up its security, that it is decentralized and supposedly, you know, the ledger makes it more secure? And yet that’s clearly not what is happening in this case.

Speaker 2: I think like most technologies, it can be improperly used or misused for dual purposes. And it does have a certain level of security and privacy and transparency in it. And anyone, like you mentioned, can go on Google and look up a blockchain, and it’s completely transparent. However, it’s not transparent who owns it. It’s not transparent exactly where it’s going. And these new technologies that are built on top of cryptocurrency technology get rid of that sense of security, such as mixers, potentially, when they’re misused and abused. And with these new technologies, every time there’s a new technology, there’s going to be something newer that tries to exploit it. So cryptocurrency is by no nature negative, nor is it inherently positive.

Lizzie O’Leary: When we talk about rules and regulations, the Biden administration released an executive order on crypto with the intention, and again I’m quoting and going to ask you to play translator, to “mitigate illicit finance and national security risks.” It sounds like they’re saying, yeah, we’re watching these kinds of crimes, but an executive order is not a regulation. It’s just sort of a list of priorities.

Speaker 2: Yes, an executive order can sometimes strengthen existing laws and regulations, but I think this was one of hopefully many governmental approaches that the Biden administration will take to crypto. I think this was also supposed to be a very strong signaling message to cryptocurrency exchanges, to people who participate in crypto in a positive way and also a negative way to know that regulations are coming down the pipeline. They’re just trying to figure them out.

Speaker 2: Also, the use of national security, that’s a very broad term. You can almost pile anything into national security. And I think it intentionally stays general so that it can be applied to many different forms of activity. Even within the cyber world, cyber enabled financial crime is a very niche area that a lot of cyber security experts, you know, have competing opinions on, whether it’s really cyber or whether it’s just financial crime that’s used or that’s carried out with the computer. And what does that mean to cyber? I think we’ll continue to see many more down the pipeline from Congress, from the executive branch.

Speaker 2: We saw Treasury issuing sanctions on cryptocurrency exchanges that were facilitating ransomware payments that were going to Russia. So this is, I think, just one leg in the larger wheel that the Biden administration is starting to turn to try to ramp up their efforts to target illicit crime that’s funded or related to some degree to cryptocurrency.

Lizzie O’Leary: To go back to the beginning of this interview and thinking about the Treasury Department’s announcement, is that a signal to you that the U.S. government is focusing on North Korea and crypto a little more seriously? Or is this a one off?

Speaker 2: I think it’s a mixture of both. I think by targeting the Blender mixer and specifically mentioning its relation to North Korean cyber operatives misusing this mixer, and the mixer kind of being complacent in its abuse to help support North Korean illicit activity, I think that one sends a message to the cryptocurrency community in general, especially illicit actors within it, that the U.S. government is aware of these technologies. They know how they’re being misused and they will target them.

Speaker 2: In the case of North Korea, I think that was a great way of issuing impactful sanctions that are targeting new areas that North Korea has already been occupying for many, many years. But targeting these new financial technologies, one, sends a signal, hey, we know what you’re doing; two, we’re aware of these issues; and three, we’re not just going to stop it, we’re going to continue to build on these approaches. And I think this is folding into the Biden administration’s just declared initiative to really understand more about crypto and try to consider what type of regulations that we currently have in the financial sector we can apply to crypto and which ones we can’t.

Lizzie O’Leary: Jason Bartlett, thank you so much.

Speaker 2: Thank you so much for the opportunity to talk, Lizzie. This is great.

Lizzie O’Leary: Jason Bartlett is a research associate in the Energy, Economics and Security Program at the Center for a New American Security. That is it for the show today. TBD is produced by Evan Campbell. Our show is edited by Tori Bosch. Joanne Levine is the executive producer for What Next. Alicia Montgomery is the vice president of Audio at Slate. TBD is part of the larger What Next family, and we’re also part of Future Tense, a partnership of Slate, Arizona State University and New America. We’ll be back next week with more episodes. I’m Lizzie O’Leary. Thanks for listening.