WannaCry shows how North's hackers can punch above their weight
Pyongyang's cyber troops thought to number 7,000
JIRO YOSHINO and SOTARO SUZUKI, Nikkei staff writers
TOKYO/SEOUL -- A growing mound of evidence links North Korea to a cyberattack that disabled computers around the world in recent weeks, a sign that even the isolated state's middling corps of hackers can do serious damage with access to more sophisticated tools.
On May 12, workers in Europe and elsewhere found their computers flashing a simple message: pay up, or lose your data. Malicious software known as WannaCry had encrypted files both on individual machines and network servers, demanding payment to unlock them. This so-called ransomware attack spread within days to at least 150 countries, bringing a number of businesses to a halt, suspending surgeries at British hospitals and taking down train ticket machines in Germany.
Cybersecurity experts worldwide began hunting for the perpetrator. Researchers have discovered "traces of attempts to obscure commonalities" with the malware used in the 2014 attack on Sony Pictures Entertainment, said Rintaro Kawai, head of the Japanese unit of Russian information security firm Kaspersky Lab.
The U.S. government holds North Korea responsible for the 2014 attack on the Sony subsidiary. Other firms such as Symantec of the U.S. also have unearthed a slew of similarities between the code for this month's malware and past programs apparently authored by North Korean hackers.
One name stands out: Lazarus, a hacker group with apparent links to North Korea's Reconnaissance General Bureau, the state's top intelligence agency involved in foreign operations. Lazarus was allegedly involved in last year's theft of $81 million from Bangladesh's central bank in a cyberattack. The reconnaissance bureau, or RGB, is thought to be behind the killing of Kim Jong Nam, half-brother of North Korean leader Kim Jong Un, earlier this year.
Only the best
Pyongyang's cyberwarfare program took off in 1998, when then-leader Kim Jong Il ordered the creation of "Unit 121" at the RGB. The North has plucked the best of the best from around the country to join this elite force, said Kim Heung Kwang, head of North Korea Intellectuals Solidarity, an organization of defectors from the North.
High-performing students are brought to Pyongyang for thorough training in information technology at dedicated schools, then move on to universities such as Hamheung Computer College, where Kim Heung Kwang formerly taught. Around 500 graduates are brought on as cyber soldiers annually, enlarging a corps now thought to number 7,000.
Joining the cyber force opens doors normally closed to ordinary North Koreans. Members enjoy posh apartments, order any books or computers they want and may even travel abroad to hone their skills. Those at the top of their class can bring their families to Pyongyang and gain membership in the ruling Workers' Party.
When the time comes for an attack, programmers split into groups -- systems analysis, cryptographic processing and the like -- and fan out, heading to internet cafes in northeastern Chinese cities such as Dandong, Shenyang, Changchun and Qingdao. Some travel to countries such as Malaysia, in the guise of migrant workers.
Poor man's weapon
Experts often view North Korea's cyberattack capability as being in the middle of the pack, behind the U.S. and China and on par with Iran. The ransomware in the recent attack was likely developed by someone of below-average skill, said Symantec's Vikram Thakur.
But tools that circulate among cybercrime groups can make up for an organization's lack of development prowess. Software developed by the U.S. National Security Agency and leaked on the internet enabled WannaCry to spread rapidly this time.
Many North Korean-linked attacks appear motivated by a desire to earn foreign currency, as international economic sanctions imposed over Pyongyang's nuclear weapons and missile development have cut off other sources of income. The cyberwarfare unit also produces software for IT devices and appliances on a contract basis, masquerading as companies in China and elsewhere.
North Korea is ruled by a dictator with little apparent regard for the international community's norms. Computer experts liken the country's cyberattacks, which occur at the whim of Kim Jong Un, to other facets of its diplomatic brinksmanship. The latest operation shows such attacks can have heavy social impacts. Pyongyang may reach for this poor man's weapon again, if the regime considers it sufficiently disruptive.