North Korea has generated an estimated $2 billion in revenues for its weapons programme through the state-sponsored looting of financial institutions and cryptocurrency exchanges, according to a confidential UN report seen by Reuters.
The UN experts say North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.” They also used cyberspace to launder the stolen money, the report said.
A previous UN report released in March this year cited the case of Park Jin Hyok, who has been charged by the US with a host of high-profile cyberattacks, including the $81 million Bangladesh Bank hack. He is accused of involvement in the North Korean government-sponsored hacking team known as 'Lazarus Group', which is linked to the 2017 WannaCry 2.0 global ransomware attack, the 2016 Bangladesh Bank theft, and the 2014 hit on Sony Pictures Entertainment, among others.
The report also cites two 2018 bank attacks that, like the Bangladesh Bank incident, tapped into the Swift messaging system: a $10 million theft from Banco de Chile and a $13.5 million ATM cashout hit on Cosmos Bank in India.
It is not just traditional financial institutions under threat from the North Korean hackers, says the UN panel, which documents at least five successful attacks against cryptocurrency exchanges in Asia between January 2017 and September 2018, resulting in losses of $571 million.
The latest news comes as UK cybersecurity specialist Barac unveils details of how, in May 2019, it identified a sophisticated cyberattack targeting a major African-headquartered financial institution. At the time the attack was identified, hackers had infiltrated the bank’s infrastructure and had begun to make a small number of low-value transactions to other banks located in Bulgaria. Elements of the attack were encrypted in an attempt to evade detection; the encrypted certificates used were signed in North Korea.
Upon investigation, the bank discovered that malware had infected a number of endpoints at its headquarters, and that a small number of identical, low-value transactions had been made to other banks - again, located in Bulgaria - via the Swift Payments infrastructure. It is believed that these small payments were made to test the exfiltration mechanism of the attack, with the hackers fully expected to attempt the extraction of larger amounts at some future date.
“This was an extremely sophisticated, multi-faceted, and diligently-planned attack on a high-value target, which contained some very clear indications of North Korean involvement,” says Omar Yaacoubi, founder and CEO of Barac. “The hackers were using encryption in a particularly clever way. Knowing that the bank would, quite rightly, decrypt all of the data leaving its organisation, they buried their ‘command and control’ calls home in these traffic flows, in the hope that they would evade detection. Unfortunately for them, it didn’t work, and by identifying this suspicious traffic, the whole plot was blown wide open before any major harm could be done to the bank or its customers.”