North Koreans Indicted for Stealing $1 Billion in Cyberattacks
The indictment contends that Park Jin Hyok, 36, Kim Il, 27, and Jon Chang Hyok, 31, stole $1 billion US dollars worth of money and cryptocurrency in multiple cyberattacks targeting financial and fintech institutions, carried out as part of their work for North Korea’s military intelligence service. The name of this government body, translated into English, is “The Reconnaissance General Bureau”.
Images of the accused suspects: Park Jin Hyok, Kim Il and Jon Chang Hyok (Photo credit: US Justice Dept via the LA Times)
Background
Before the indictment, a series of cyberattacks against Sony Entertainment, the Bangladesh Bank, entertainment firms, various defense and energy companies, among others—in Mexico, Indonesia, Vietnam, Pakistan, the Philippines, South Korea, and the US and UK—was attributed to Lazarus, also known as Hidden Cobra or APT38.
Cyberint’s Take
North Korean threat actors are renowned for their aggressive financial motivation, given the limitation on their economic structure and disadvantageous stand on foreign trade. North Korea is largely dependent on trade and foreign aid from China, and multiple international sanctions have been placed against the state for their harsh stand on nuclear weapons and longstanding cases of human rights violations.
Their operations have shifted noticeably over time: from targeting individual users, to large-scale attacks on organizational infrastructure, to targeting cryptocurrency users.
While large-scale attacks targeting organizational infrastructure require a greater investment in time and effort, the outcome of a successful, sophisticated attack can result in substantially greater gains. Cryptocurrency users have also been a viable target for the group, as stolen funds are much easier to move through territorial borders while evading detection.
Cyberint’s Research Team highlights the following findings on their SWIFT attacks, which were the main focus of the indictment:
Nowadays, there are over 11,000 financial institutes using SWIFT (Society for Worldwide Interbank Financial Telecommunication) for executing electronic funds transfers. SWIFT, also known as the “backbone” of international banking, transports financial messages in a highly secure way but does not hold accounts for its members.
North Korean threat actors leverage the SWIFT system to steal money, while demonstrating extensive knowledge about the system behavior and operation.
The attacks targeting SWIFT share a similar pattern:
- The attacks exploited vulnerabilities in the systems of member banks, allowing the attackers to gain control of the banks’ legitimate SWIFT credentials.
- The attackers then used those credentials to send fraudulent SWIFT funds-transfer requests to other banks, which, trusting the messages to be legitimate, sent the funds to accounts controlled by the attackers.
Based on past campaigns, this is the general flow of SWIFT systems attack:
- Initial Access – the attack vectors used by Lazarus Group vary: spear-phishing campaigns using emails with lure content and a malicious attachment; exploitation of a vulnerability that enables the download of a malicious payload; compromised websites [2] loading malicious JavaScript code that downloads the payload; and social engineering techniques that trick an employee into downloading the malware, as demonstrated in the recent Redbanc case [3]. Known malicious payloads associated with Lazarus Group’s attacks on the financial industry include Banswift, Bankshot, Ratabanka [4] and WannaCry [5].
- Reconnaissance, lateral movement, and data exfiltration – the malware collects network and environment information, aiming to gain access to the SWIFT credentials used for payment transfers. A recent example of this step is the HOPLIGHT malware, discovered a few months ago by US authorities [6].
- Fraudulent use of SWIFT systems – When trusted credentials are gained, the attackers send fraudulent instructions for funds transferring to accounts belonging to the threat actors.
- There is also clear evidence of attempts to tamper with SWIFT messages, as discovered and reported by BAE Systems on their blog [7]. Part of the adversaries’ toolkit was a malware that registers itself with the SWIFT service and inspects SWIFT messages for strings defined in its configuration file; it can then delete specific transactions or update a transaction amount, and performs other monitoring functions. It is believed to be a tool for covering tracks.
- Disruption as a diversion – Lazarus Group is known to use destructive malware and DDoS attacks as a diversion technique, as demonstrated by the Banco de Chile incident, where the KillDisk wiper tool rendered over 9,000 computers unusable [8], covering for an attempt to steal 10 million dollars [9].
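The two message-level manipulations described above (a transaction amount silently changed, a transaction removed from the message flow), together with the fraudulent transfer requests sent with stolen credentials, all leave a gap between what the bank authorised and what actually went out over SWIFT. The following is an added example, not Cyberint’s code nor any bank’s or SWIFT’s software, of the reconciliation check a defender would run: it parses a simplified MT103-style message (only the :20:, :32A: and :59: tags; the sample messages and ledger are constructed for illustration) and compares the outbound messages against an internal ledger of authorised payments.

```python
"""
Added example: reconcile outbound SWIFT MT103-style messages against an
internal ledger of authorised payments.  Alerts on the manipulations a
SWIFT-aware implant could perform: an amount changed in transit, an
authorised message that never went out, and an outbound message the
ledger never authorised.  Message format, references and account numbers
below are constructed for illustration and are not real transactions.
"""
import re
from dataclasses import dataclass
from decimal import Decimal

# Matches a field tag such as ":20:", ":32A:" or ":59:" followed by its content.
TAG_RE = re.compile(r":(\d{2}[A-Z]?):(.*)")


@dataclass(frozen=True)
class Payment:
    reference: str      # :20: sender's reference
    currency: str       # from :32A:
    amount: Decimal     # from :32A:
    beneficiary: str    # :59: beneficiary account (first line only)


def parse_mt103(text: str) -> Payment:
    """Parse the handful of MT103 tags the reconciliation needs.

    Untagged continuation lines (e.g. the beneficiary's name under :59:)
    are ignored in this simplified parser.
    """
    fields = {}
    for line in text.strip().splitlines():
        m = TAG_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    # :32A: = value date (YYMMDD) + ISO currency (3 letters) + amount with a comma decimal.
    value = fields["32A"]
    currency = value[6:9]
    amount = Decimal(value[9:].replace(",", "."))
    return Payment(fields["20"], currency, amount, fields["59"].lstrip("/"))


def reconcile(ledger, messages):
    """Return (reference, alert_kind, detail) tuples where messages and ledger disagree."""
    alerts = []
    seen = {p.reference: p for p in (parse_mt103(m) for m in messages)}
    for ref, expected in ledger.items():
        actual = seen.get(ref)
        if actual is None:
            # Authorised in the ledger but no message left the bank: possible deletion.
            alerts.append((ref, "missing", "authorised payment has no outbound message"))
            continue
        if actual.amount != expected.amount or actual.currency != expected.currency:
            alerts.append((ref, "amount_mismatch",
                           f"ledger {expected.currency} {expected.amount} "
                           f"vs message {actual.currency} {actual.amount}"))
        if actual.beneficiary != expected.beneficiary:
            alerts.append((ref, "beneficiary_mismatch",
                           f"ledger {expected.beneficiary} vs message {actual.beneficiary}"))
    for ref in seen.keys() - ledger.keys():
        # Went out over SWIFT without any authorised ledger entry: fraudulent request.
        alerts.append((ref, "unauthorised", "outbound message with no ledger entry"))
    return sorted(alerts)


# Constructed ledger of payments the bank actually authorised.
LEDGER = {
    "REF001": Payment("REF001", "USD", Decimal("1000000.00"), "DE89370400440532013000"),
    "REF002": Payment("REF002", "USD", Decimal("250000.00"), "GB29NWBK60161331926819"),
    "REF003": Payment("REF003", "EUR", Decimal("75000.00"), "FR1420041010050500013M02606"),
}

# Constructed outbound message log: REF002 amount altered, REF003 gone, REF999 never authorised.
MESSAGES = [
    ":20:REF001\n:32A:210218USD1000000,00\n:59:/DE89370400440532013000\nEXAMPLE SUPPLIER GMBH",
    ":20:REF002\n:32A:210218USD2500000,00\n:59:/GB29NWBK60161331926819\nEXAMPLE LTD",
    ":20:REF999\n:32A:210218USD5000000,00\n:59:/XX00EXAMPLEMULE0000000\nEXAMPLE TRADING CO",
]

if __name__ == "__main__":
    for alert in reconcile(LEDGER, MESSAGES):
        print(alert)
```

The check is deliberately independent of the SWIFT interface host: the ledger should come from the core banking system, and the message log from a source the SWIFT-connected machine cannot edit (a mirrored copy or the correspondent’s confirmations), since an implant running on the interface host can rewrite its local message database.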
[1] Finnegan, Michael, and Del Quentin Wilber. “North Korean Military Hackers Indicted in Cyberplot to Rob Banks, Attack Companies.” 17 Feb. 2021.
[2] Kaspersky. “Lazarus Under the Hood.” 2018.
[3] Flashpoint Analyst Team. “Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties.” 15 Jan. 2019. Accessed 18 Feb. 2021.
[4] Johnson, AL. “Attackers Target Dozens of Global Banks with New Malware.” Endpoint Protection – Symantec Enterprise, 2 Dec. 2017.
[5] Symantec Security Response Team, et al. “What You Need to Know about the WannaCry Ransomware.” Symantec Blogs.
[6] “Malware Analysis Report (AR19-100A).” Cybersecurity and Infrastructure Security Agency (CISA).
[7] Shevchenko, Sergei. “Two Bytes to $951m.” BAE Systems, 25 Apr. 2016.
[8] Cimpanu, Catalin. “Hackers Crashed a Bank’s Computers While Attempting a SWIFT Hack.” BleepingComputer, 11 June 2018.
[9] BluVector Threat Team. “Lazarus Group Uses KillDisk as a Distraction for SWIFT Attacks.” 28 Jan. 2020, www.bluvector.io/threat-report-lazarus-group-killdisk-swift/.