Cash-strapped North Korea uses hackers for income not espionage - report

28 Jul, 2017 17:14

Sanctions against the North Korean regime appear to have sparked a major shift in its cyber warfare operations away from disruption and espionage in favor of money-making attacks aimed at replenishing foreign currency reserves.

The South Korean government-commissioned report produced by the Financial Security Institute (FSI) analyzed multiple high-profile cyber attacks between 2015 and 2017. The FSI was established in 2015 after multiple cyber attacks on South Korean banks.

"We've seen an increasing trend of North Korea using its cyber espionage capabilities for financial gain. With the pressure from sanctions and the price growth in cryptocurrencies like bitcoin and Ethereum – these exchanges likely present an attractive target," said Luke McNamara, senior analyst at FireEye, a cybersecurity company, as cited by Reuters.

Nuclear sanctions have hit the isolated, rogue nation hard, particularly its foreign currency reserves, which it needs to pay for imports.

Speculation is rife that North Korea may have played a significant role in the recent "WannaCry" ransomware attack which affected 150 countries in May, crippling sections of Britain's National Health Service in the process.

The FSI report also confirms suspicions that North Korea was responsible for the attack on Sony's entertainment business in 2014, which erased vast amounts of data while disseminating emails and personal data of employees, in addition to leaking pirated copies of upcoming film releases.

Meanwhile, US officials are also reportedly linking an $81 million digital heist on Bangladesh's central bank to North Korea, Reuters reported.

Russian cyber security firm Kaspersky Lab has also linked North Korea to similar attacks against Polish banks that had previously been pinned on other hacking groups. Kaspersky identified a hacking group operating under the codename Bluenoroff.

The FSI report also identified another suspected North Korean hacking group codenamed Andariel.

"Bluenoroff and Andariel share their common root, but they have different targets and motives," according to the FSI report.

"Andariel focuses on attacking South Korean businesses and government agencies using methods tailored for the country."

Andariel conducts skimming operations at ATMs and then accesses accounts directly or sells the information on the black market.

"South Korea prefers to use local ATM vendors and these attackers managed to analyze and compromise SK ATMs from at least two vendors earlier this year," said Vitaly Kamluk, director of the APAC research center at Kaspersky, as cited by Reuters.

"We believe this subgroup (Andariel) has been active since at least May 2016."

In total, the FSI identified eight specific hacking attacks against the South Korean government and financial and commercial institutions operating in the country.

FSI also believes that North Korea's cyber warfare unit has created malware which targets online poker and gambling sites to make quick cash grabs.

The report's findings have not been officially endorsed by the South Korean government.