TOKYO -- The North Korean state-sponsored hacker group Lazarus appears to have resumed its efforts to steal desperately needed foreign currency for the rogue regime, according to recent evidence uncovered by the U.S. computer security software company McAfee.
McAfee said in mid-January it had detected a link to a suspicious file disguised as an employee recruitment document sent to financial institutions and cryptocurrency users in various countries. The document was embedded with a malicious file designed to activate when users open it.
Judging by the file's characteristics, McAfee said it believed Lazarus was back in business.
The file, discovered in mid-January, shares many features with those used repeatedly by Lazarus in attacks on financial institutions and defense companies through October 2017. When an unsuspecting user opens the file, the computer is infected and data stolen.
The U.S. government concluded that Lazarus was responsible for simultaneous worldwide cyberattacks in May 2017 that used a type of malicious software known as ransomware to render computer files inaccessible.
With international sanctions on North Korea over its nuclear and missile programs now tighter than ever, the country is desperate for foreign funds. Even as Pyongyang attempted to project a friendly diplomatic image at the Pyeongchang Winter Olympics in South Korea, its cyberattacks continued behind the scenes.
Lazarus belongs to Unit 180 of North Korea's Reconnaissance General Bureau, a military intelligence body, according to Kim Heung-kwang, a defector from North Korea who heads the nonprofit group North Korea Intellectuals Solidarity in the South. A former computer science teacher at a North Korean university, he still has contacts in the country.
Unit 180 is believed to have been established by Kim Jong Un in 2013. According to Kim Heung-kwang, its role is to obtain foreign currencies to pay for nuclear weapons and long-range missiles. It is believed to have about 500 members.
South Korea's intelligence agency suspects the unit is responsible for a recent theft of the cryptocurrency NEM from Tokyo-based exchange operator Coincheck.
Pyongyang's largest cyberwarfare body, Unit 121, was established in 1998 by Kim Jong Il, the country's previous leader and father of Kim Jong Un. It has a staff of several thousand, and its main missions include cyberattacks on communications, power and traffic infrastructure in targeted countries.
The threat posed by Unit 180, on the other hand, comes in two forms -- hacking for money, and the installation of malware through the software development business in Japan and China.
In Japan, it uses individuals and companies with no apparent connection to North Korea to solicit orders for programming work through a website. By ignoring labor costs, they are able to take on jobs at low prices and then quickly complete them using Unit 180 programmers in North Korea and China. Many of these programs are used in home appliances and industrial equipment.
According to Kim Heung-kwang, programs written by Unit 180 for Japanese customers are "highly likely" to be embedded with "backdoors" -- malicious code that makes it possible to remotely control the devices they are installed in. This opens up the possibility that North Korea could wreak havoc in Japan by, for instance, manipulating such devices during a military conflict.