These days, when Cold War superpowers are squaring up over Ukraine, and revelations of shoot-to-kill policies in detention camps serve as a visceral reminder that China’s authoritarianism grows grimmer, it can be hard to get too worked up about little old North Korea. Even brandishing nuclear weapons, its rotund, baby-faced, spiky-haired leader, Kim Jong-un, can seem something of a joke – “Little Rocket Man”, as Donald Trump dubbed him in 2017.
But the North Korean regime does not take mockery well. And while its principal victims will always be its own 26 million-strong population who have, for decades, endured famine and poverty, it has in recent years developed a way of lashing out at the West that is not delivered by an ICBM: hacking.
“It’s a top-tier threat to the UK,” says Geoff White, author of a new book, The Lazarus Heist, which details the rise and rise of North Korea’s cyber warfare units from petty criminals to sowers of international mayhem. When it comes to cyber warfare, he says: “North Korea is a terrifying combination of very skilled people and a [regime] agenda to put and keep itself on the world map. There’s always a possibility it decides it’s going to get its revenge on the West by doing something very indiscriminate and very disruptive.” Or, as Rafe Pilling, who has studied North Korea for many years as principal researcher for the cyber security firm Secureworks, puts it: “This is a country that has no red lines.” Which raises the question: how well are we protected?
Britain discovered the devastating capacity of the cyber threat in 2017 when, out of the blue, computers across the NHS were locked, and doctors and nurses trying to log on to register patients, or access blood results, X-ray and CT images, were greeted with the message: “Oops your files have been encrypted. Maybe you’re busy looking for a way to recover your files. But do not waste your time. Nobody can recover your files without our decryption service.”
It was a ransomware attack: the hackers encrypt the data on the computers they compromise and demand a fee for the key that “unlocks” it. Widely attributed to North Korea, the hack, which came to be known as Wannacry, left a third of NHS trusts either infected with the malicious code or forced to disconnect computers to protect themselves. Almost 7,000 appointments had to be cancelled, including more than 100 urgent cancer cases. Only the freak intervention of a 22-year-old computer whiz in Ilfracombe, who spotted a “kill switch” in Wannacry and registered the web domain the malware checked before spreading further, halted the outbreak.
But if, as most experts presume, Wannacry was the work of North Korea, it was by no means the country’s opening cyber salvo. In fact, it came about halfway through a decade of increasingly outrageous operations presumed to have been launched by North Korea’s state military – and which continue to this day. The sophisticated team thought to be behind them is now known as the Lazarus Group.
Perhaps inevitably, it was North Korea’s neighbour and rival, South Korea, that first felt the chill digital wind blowing from Pyongyang, back in 2013. Then it was major broadcasters and banks that were hit. As White notes, there had been “many physical incidents which had inflamed tensions between the two states. But now a new front was opening up in the conflict. North Korea’s military had discovered the Internet, and things would never be quite the same again”.
The next year, it was America – or more precisely, Hollywood – which was the victim, when Sony was humiliated by the release of a vast trove of hacked emails. In some, the producer Scott Rudin described Angelina Jolie to Sony’s co-chairman Amy Pascal as a “minimally talented spoiled brat”, and Pascal suggested that then-president Barack Obama might like the movie 12 Years a Slave. The hack was so devastating that, six weeks later, a café on the studio lot could still not accept card payments. In all, 8,000 computers had to be disconnected to prevent the carnage spreading further. And why Sony? Because it planned to release The Interview – a spoof film in which journalists who land a scoop invitation to meet Kim Jong-un are then recruited by the CIA to kill him. Sony might have considered it a joke. North Korea most certainly did not.
The more the “hermit kingdom” flexed its cyber muscles, the more it found it could get away with. Soon its hackers were planning what White calls “a legendary heist, as though its hackers had watched Ocean’s Eleven”. The target: Bangladesh’s central bank. The loot: almost a billion dollars. The sheer audacity of the plot is dazzling. Planned for a year and launched over a holiday weekend in February 2016, the hackers used Bangladesh Bank’s own access to the SWIFT messaging system to send transfer orders that would drain its account at the Federal Reserve Bank of New York. As always in such heists, it is the details that entrance. The hackers had established that any Fed queries about such large payments would be spat out of a single printer at Bangladesh Bank’s HQ in Dhaka, so they disabled it. When the printer was fixed, it did indeed churn out page after page of queries from the Fed. But by then it was too late: the money was on its way. Indeed, only the chance use of a bank branch on Jupiter Street in Manila, in the Philippines, prevented Bangladesh losing the full billion: Jupiter was also the name of a sanctioned Iranian ship, and that word alone raised red flags in the screening run on international transfers. Even so, $81 million got through.
Nor has Wannacry been the last of North Korea’s alleged hacks. For in the last five years, the dictatorship has surfed the swelling popularity of cryptocurrencies, attracted not just to the riches stored in digital “wallets” around the world, but to the ease with which they can be moved across borders under a pseudonym, with no bank in the loop to freeze the transfer. Crypto, in other words, is easier to launder than a wire transfer, even though every transaction is recorded on a public ledger.
Indeed, for all its threat to the NHS, Wannacry was not actually a successful heist. Only ransoms totalling a few hundred thousand pounds were paid. But the scheme allowed the hackers to perfect their new technique for laundering crypto.
In the years since then, myriad crypto owners, dealers and traders have fallen victim to scams presumed to have emanated from North Korea. The aim is devastatingly simple: to make money. “On the whole, it’s not done for ideological reasons, but to raise currency,” says Alan Woodward, who has worked in the field for the UK Government, advises Europol, and is now a professor at the University of Surrey’s Centre for Cyber Security. “They haven’t got two beans to rub together and this is a good way of getting hard currency.”
Like traders at an investment bank, says Pilling, North Korean hackers are even thought to have profit targets to hit. “The big focus is on making money for the regime.”
In this way, hacking is just a new version of an old trick. North Korea’s spooks have long sought ways of circumventing its financial isolation. Under Kim Jong-un’s predecessor, Kim Jong-il, it simply printed its own counterfeit dollars. In The Lazarus Heist, White quotes one US state department official as saying: “We found billions of dollars in illicit funds being produced. It was like a separate economy. It was extremely well run. And what made it particularly interesting to me was that it came right under Kim Jong-il. He was the mob boss. He was the Tony Soprano. He was the Pablo Escobar. But he also was the head of state.”
Back then, the scams were intended to stave off bankruptcy. Today, there is a grimmer destination for the funds – North Korea’s nuclear programme. The cryptocurrency thefts attributed to North Korea alone add up to $1.3 billion (£1 billion). As White puts it, “Those nukes don’t come cheap.” Flush with such lucrative success, and more isolated than ever, no one thinks that North Korea is stopping now. So, in an already highly destabilised world, how safe is the West?
Experts say there are two particular issues of concern. The first is that, for all Hollywood’s mockery, and much as we like to imagine North Korea as backward, its hackers are in fact extremely skilled. The country may be, as Woodward says, “only connected to the rest of the internet by a bit of wet string”, but its hackers are, in true authoritarian style, identified early for their mathematical talent, then trained up and wholly integrated into the military. Doing so is one of the only ways, in North Korea’s near-feudal system, for the low-born to rise up the social ladder. “They have really smart people,” says Pilling. “There’s strict filtering from a young age, a whole process.”
The second problem is that North Korea and its leader represent a prickly, unpredictable foe, at once highly capable and yet so removed from the normal web of global relationships that they are not particularly worried about the repercussions of their actions.
“North Korea is not connected like other countries,” says Pilling. “This is already a heavily sanctioned country. The normal diplomatic and economic threats have already been exhausted.” Military retribution over hacking is hard to imagine, especially because attribution with 100 per cent certainty is so hard. Had Wannacry led to thousands of deaths in the NHS, says White, Britain would have been pushed to retaliate. “North Korea has sealed itself off and it’s hard to touch it. It’s slightly terrifying.”
But that doesn’t mean there’s nothing we can do. While painstaking investigations of hacks may not lead to prosecutions of hackers safely ensconced in North Korea, publishing the malware, infrastructure and tradecraft deployed by the Lazarus Group sheds light on dark secrets. Like blowing a spy’s cover, says Don Smith, at Secureworks Counter Threat Unit, “you impose costs on the bad guy, force them to retool; you burn their code, and they have to republish.”
For while the hackers’ malicious code itself may be concocted by whizzkids, the way it is delivered is often more akin to old-fashioned espionage, updated for a digital age. A human target must be convinced to open an email attachment containing the code. To do so, North Korean agents create detailed social media accounts and email addresses – convincing personas built up over months to dupe their victims. Once these personas are blown, revealed in investigations whose findings are shared around the world, they can never be used again.
The same goes for well-equipped front companies, based abroad. Last year, Google published a blog detailing how North Korea’s hackers had been attempting to infiltrate the West’s own cyber security community, having created multiple Twitter profiles and a research blog “to build credibility and connect with security researchers”. Sharing the information sinks such efforts, which must be restarted from scratch. So while more moles are certain to pop up, at least a few are whacked.
The big danger is that North Korea decides to deploy its cyber warriors to wage war rather than just steal stuff. The nature of the regime means it’s not easy to predict what might tip it over the edge.
“What will North Korea use its highly effective cyber capability for in future? That’s the worry,” says Smith. “When someone upsets them, they pursue things, shall we say, very vigorously. An example of something that could have caused a problem but to my knowledge didn’t is when the BBC announced it was going to broadcast shortwave radio into Korea, which could threaten the regime given they’ve got such controlled messaging. You just don’t know which of these things is going to get a reaction.”
When it comes to resisting such lashing out, “Britain,” says White, “is better prepared than many countries.” GCHQ and its National Cyber Security Centre offer a degree of protection at a national level, “blocking websites and servers [built as traps by hackers] to try to protect us.” Meanwhile, the established financial sector, says Pilling, is “very well regulated, very well protected, spots things early. It’s a hard target”.
The problem is that however well systems and software are ring-fenced, this is, for all its computer elements, essentially a human problem. It only takes one employee in one department to open one dodgy email. “We’re always vulnerable because people are always vulnerable,” says White. “Though the grooming through social media profiles has got more sophisticated, the techniques ultimately are depressingly familiar – it’s still the phishing email.” And no one wants the government monitoring every computer – that way North Korean-style authoritarianism lurks. Digital defence is a delicate balance.
What is certain is that the Lazarus Group is sure to keep sniffing out new targets, innovating. “They never stop surprising me though I’ve spent a decade studying them,” says Pilling. “You might have guessed that they would hit South Korea, but would you guess that they would target Hollywood a year later, or try to steal a billion dollars from a central bank a year after that, or take down the NHS. What’s next? There’s just no constraint on their thinking.”
“The best the Government can do is share information,” says Woodward. Hence organisations like the Cyber Security Information Sharing Partnership, which allows industry to share their experience of cyber attacks securely and confidentially. “It’s a case of being stronger together,” says Woodward. That, and all of the rest of us not opening dodgy emails.
An exclusive extract from Geoff White’s The Lazarus Heist: The day the NHS was held to ransom by North Korean cyber hackers