#parent | #kids | The Incredible Rise of North Korea’s Hacking Army


Shimomura was a member of the Yamaguchi-gumi, the largest yakuza crime family in Japan. When one of his superiors asked him if he wanted to make a pile of fast money, he naturally said yes. It was May 14, 2016, and Shimomura was living in the city of Nagoya. Thirty-two years old and skinny, with expressive eyes, he took pride in his appearance, often wearing a suit and mirror-shined loafers. But he was a minor figure in the organization: a collector of debts, a performer of odd jobs.

The superior assured him that the scheme was low risk, and instructed him to attend a meeting that evening at a bar in Nagoya. (Shimomura, who has since left the Yamaguchi-gumi, asked to be referred to only by his surname.) When Shimomura showed up, he found three other gangsters, none of whom he knew. Like many yakuza, he is of Korean descent, and two of the others were also Korean-Japanese; for a while, they spoke in Korean. The superior finally arrived, and the five men moved into a private room. Each volunteer was given a plain white credit card. There was no chip on the card, no numbers, no name—just a magnetic strip.

The superior read instructions from a thin manual: early the next morning, a Sunday, they should go to any 7-Eleven and use their white card at the store’s A.T.M. They could not use a regular bank A.T.M., or one in another convenience store. The gangsters should each withdraw a hundred thousand yen at a time (about nine hundred dollars) but make no more than nineteen transactions per machine. If anybody made twenty withdrawals from a single A.T.M., his card would be blocked. Withdrawals could start at 5 a.m. and continue until 8 a.m. The volunteers were told to choose the Japanese language when prompted—an indication, Shimomura realized, that the cards were foreign. After making nineteen withdrawals, they should wait an hour before visiting another 7-Eleven. They could keep ten per cent of the cash. The rest would go to the bosses. Finally, each volunteer was told to memorize a PIN.

On Sunday morning, Shimomura rose early, and dressed in jeans, sunglasses, a baseball cap, and an old T-shirt. He walked to a 7-Eleven, where he bought a rice ball and a Coke, to settle himself. He inserted the card into the A.T.M. When the screen asked him which language he preferred, he felt a tremor of nerves while selecting “Japanese.” He withdrew a hundred thousand yen, then another, and then another. There was nobody else in the store apart from the guy at the register, who didn’t seem interested in him.

After making the first withdrawal, Shimomura printed a receipt. He saw a foreign name on the paper—he couldn’t tell what nationality the name was, but he knew it wasn’t Japanese—then stuffed the receipt in his pocket. Around 8 a.m., having completed a total of thirty-eight withdrawals at several A.T.M.s in the area, he headed home, waddling because of his bulging pockets: 3.8 million yen is a lot of cash. Shimomura took his ten per cent—about thirty-five hundred dollars—and stashed it in a drawer in his apartment. At 3 p.m., he met his superior to deliver the remaining money. (Later, he discovered that one of the other gangsters had absconded with the money and the card.)

The superior told Shimomura that he would retain five per cent of what his volunteers brought in and send the rest of the cash to his bosses. When Shimomura handed over his money, he sensed that the superior had enlisted many others. He was right. As the newspapers soon reported, more than sixteen million dollars was withdrawn from roughly seventeen hundred 7-Eleven A.T.M.s across Japan that morning, using data stolen from South Africa’s Standard Bank. The newspapers surmised that 7-Elevens had been targeted because they were the only convenience stores in Japan whose cash terminals all accepted foreign cards. Soon after the raids, the withdrawal limit for many A.T.M.s in the country was reduced to fifty thousand yen.

Shimomura deduced that he had been at the bottom of the food chain in the scam. The real money-makers were much higher up. What he did not know, until an interview with this magazine last year, was the identity of the villains at the top of the chain. Shortly after the A.T.M. thefts, according to Japanese police, the ringleader of the 7-Eleven operation crossed from China into North Korea. Shimomura had unwittingly been collecting money for the Korean People’s Army, as part of a racket that became known as FASTCash.

In satellite images of East Asia at night, lights blare almost everywhere, except in one inky patch between the Yellow Sea and the Sea of Japan, and between the thirty-eighth and the forty-third parallels: North Korea. Only Pyongyang, the capital, emits a recognizably modern glow. The dark country is one of the last nominally Communist nations in the world—a Stalinist personality cult centered on Kim Jong Un, the peevish, ruthless scion of the dynasty that has ruled North Korea since 1948, after the peninsula was divided. The D.P.R.K. purports to be a socialist autarky founded on the principle of juche, or self-reliance. Its borders are closed and its people sequestered. Foreigners find it profoundly difficult to understand what is happening inside North Korea, but it is even harder for ordinary North Korean citizens to learn about the outside world. A tiny fraction of one per cent of North Koreans has access to the Internet.

Yet, paradoxically, the North Korean government has produced some of the world’s most proficient hackers. At first glance, the situation is perverse, even comical—like Jamaica winning an Olympic gold in bobsledding—but the cyber threat from North Korea is real and growing. Like many countries, including the United States, North Korea has equipped its military with offensive and intelligence-gathering cyber weapons. In 2016, for instance, military coders from Pyongyang stole more than two hundred gigabytes of South Korean Army data, which included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”

“We’ve got ways of making you stop talking.”
Cartoon by Benjamin Schwartz

North Korea, moreover, is the only nation in the world whose government is known to conduct nakedly criminal hacking for monetary gain. Units of its military-intelligence division, the Reconnaissance General Bureau, are trained specifically for this purpose. In 2013, Kim Jong Un described the men who worked in the “brave R.G.B.” as his “warriors . . . for the construction of a strong and prosperous nation.”

North Korea’s cybercrime program is hydra-headed, with tactics ranging from bank heists to the deployment of ransomware and the theft of cryptocurrency from online exchanges. It is difficult to quantify how successful Pyongyang’s hackers have been. Unlike terrorist groups, North Korea’s cybercriminals do not claim responsibility when they strike, and the government issues reflexive denials. As a result, even seasoned observers sometimes disagree when attributing individual attacks to North Korea. Nevertheless, in 2019, a United Nations panel of experts on sanctions against North Korea issued a report estimating that the country had raised two billion dollars through cybercrime. Since the report was written, there has been bountiful evidence to indicate that the pace and the ingenuity of North Korea’s online threat have accelerated.

According to the U.N., many of the funds stolen by North Korean hackers are spent on the Korean People’s Army’s weapons program, including its development of nuclear missiles. The cybercrime spree has also been a cheap and effective way of circumventing the harsh sanctions that have long been imposed on the country. In February, John C. Demers, the Assistant Attorney General for the National Security Division of the Justice Department, declared that North Korea, “using keyboards rather than guns,” had become a “criminal syndicate with a flag.”

North Korea’s leaders have been attuned to the nefarious opportunities of a connected world since at least the early nineteen-nineties. A 2019 paper on the regime, written by scholars at Korea University, in Seoul, notes that Kim Jong Il, having watched the United States’ military engagement in the two Gulf conflicts, concluded that “modern war is decided by one’s conduct of electronic warfare.” (Among other tactics, American planes jammed Iraqi radar systems.) In 2005, a Korean People’s Army book quoted Kim as saying, “If the Internet is like a gun, cyberattacks are like atomic bombs.” His son Kim Jong Un came to power in 2012 and saw the commercial potential of the technology, noting that his army could “penetrate any sanctions.” Cyber prowess, he soon declared, was an “all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.” Yet the West didn’t really wake up to the danger posed by North Korea’s cyber forces until after the country executed three spectacular crimes, between 2014 and 2017.

The first was a hack of Sony Pictures. In June, 2014, Sony released a trailer for “The Interview,” a Seth Rogen and James Franco comedy about hapless journalists recruited by the C.I.A. to assassinate Kim Jong Un. A spokesperson for the regime called the film a “wanton act of terror” and promised a “merciless response” if the studio proceeded with releasing the film. Sony pressed ahead. (Rogen joked on Twitter, “People don’t usually wanna kill me for one of my movies until after they’ve paid 12 bucks for it.”)

That November, Sony employees reported that their computers had been hacked, by a group calling itself Guardians of Peace. After many of the company’s computers froze, Sony shut down the rest, stanching the bleed of data that was under way. For a few days, Sony Pictures operated without an electronic network, and in subsequent weeks the hackers leaked embarrassing—and, in some cases, damaging—e-mails, salaries, medical records, movies, and screenplays belonging to the company and its employees. Five upcoming Sony films were put online, as was the script of the next James Bond movie, “Spectre.” One of the studio heads, Amy Pascal, resigned after the hackers posted e-mails in which she joked with the producer Scott Rudin that at a meeting with President Barack Obama she’d be smart to bring up movies about slavery.

The F.B.I. soon attributed the attack to North Korean state actors. Pyongyang denied involvement but declared the hack a “righteous deed.” Obama promised to “respond proportionally” to what he called an act of “cyber vandalism.” Michael McCaul, who chaired the House Homeland Security Committee, later told reporters that the U.S. had launched a number of “cyber responses” to the Sony hack, not least a ten-hour Internet outage in North Korea in December, 2014.

If the attack on Sony had a cartoonish quality, the second major North Korean attack was like a caper. Around the time that the hackers were breaking into Sony’s network, members of the same gang—which became known as the Lazarus Group—began scoping out banks in Dhaka, Bangladesh. Accounts linked to the Lazarus Group sent e-mails to an array of targets at Bangladesh Bank and other financial institutions in Dhaka. The messages contained a link to malware that, if clicked, granted the North Koreans access to internal computer systems. In the first two months of 2015, at least three Bangladesh Bank employees were lured by these “spear-phishing” e-mails into downloading the infected attachment. By that March, the hackers had established a “backdoor” within the bank’s electronic communication system, allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols, and did not alert security to their presence. The hidden hackers then spent ten months learning about Bangladesh Bank’s operations from the inside.

Like many national banks in developing countries, Bangladesh Bank holds a foreign-currency account with the Federal Reserve bank in New York. On February 4, 2016, the Federal Reserve received instructions from Bangladesh Bank to make dozens of payments, totalling nearly a billion dollars, to various accounts, including one in Sri Lanka and four in the Philippines. The requests were made via the swift network—a global conduit for money transfers, based near Brussels. In fact, the Lazarus hackers had sent the requests, using stolen usernames and passwords that they had collected while roaming around Bangladesh Bank’s network. In their fraudulent messages to the Federal Reserve, the Lazarus members had incorporated many details from genuine, previously executed SWIFT transfers, so that it would not be obvious their own requests were bogus. To further cover their tracks, the hackers had installed a network update that blocked SWIFT messages from being read at Bangladesh Bank—a piece of legerdemain that later impressed security experts. It was the equivalent of breaking into a bank’s vault after disabling its surveillance cameras.

Priscilla Moriuchi, a fellow at Harvard’s Belfer Center for Science and International Affairs who focusses on the North Korean cyber threat, worked at the National Security Agency for twelve years. She told me that the Bangladesh operation was “flashy.” But the robbers not only showed technical finesse, she said; their patient work in the Dhaka heist “signalled a larger tactical and operational maturity.”

The Federal Reserve granted the first five payment requests, a total of a hundred and one million dollars. The next thirty payments, which amounted to eight hundred and fifty million dollars, stalled only because of a stroke of luck. An automated alert system was activated after detecting, in the text of a transfer request, the word “Jupiter,” which happened to be in the address of a Philippines bank branch. This alert was tripped because an unrelated business, Jupiter Seaways Shipping, in Athens, was on a sanctions-evasion watch list for its activities relating to Iran.



Source link
.