North Korea resumes cyber attacks in desperate search for foreign currency
As sanctions bite, the rogue regime seeks funds for nuclear and missile programs
JIRO YOSHINO, Nikkei staff writer
TOKYO -- The North Korean state-sponsored hacker group Lazarus appears to have resumed its efforts to steal desperately needed foreign currency for the rogue regime, according to recent evidence uncovered by the U.S. computer security software company McAfee.
McAfee said in mid-January it had detected the link to a suspicious file disguised as an employee recruitment document sent to financial institutions and cryptocurrency users in various countries. The document was embedded with a malicious file designed to activate when users open it.
Judging by the file's characteristics, McAfee said it believed Lazarus was back in business.
The file, discovered in mid-January, shares many features with those used repeatedly by Lazarus in attacks on financial institutions and defense companies through October 2017. When an unsuspecting user opens the file, the computer is infected and data are stolen.
The U.S. government concluded Lazarus was responsible for simultaneous worldwide cyberattacks in May 2017 that made computer files inaccessible by means of malicious software, or "ransomware."
With international sanctions on North Korea over its nuclear and missile programs now tighter than ever, it is desperate for foreign funds. Despite the friendly diplomatic image it has been projecting at the Pyeongchang Winter Olympics in South Korea, behind the scenes its cyberattacks continue.
Lazarus belongs to Unit 180 of North Korea's Reconnaissance General Bureau, the military intelligence body, according to Kim Heung-kwang, a North Korea defector who heads the nonprofit group North Korea Intellectuals Solidarity in the South. He is also a former computer science teacher at a North Korean university who still has contacts in the country.
Unit 180 is believed to have been established by Kim Jong Un in 2013. According to Kim Heung-kwang, its role is to obtain foreign currencies to pay for nuclear weapons and long-range missiles. It is believed have about 500 members.
South Korea's intelligence agency suspects the unit is responsible for a recent theft of the cryptocurrency NEM from the Tokyo exchange operator Coincheck.
Pyongyang's largest cyberwarfare body, Unit 121, was established in 1998 by Kim Jong Il, father of current leader and the country's previous leader. It has a staff of several thousand, and its main missions include cyberattacks on communications, power and traffic infrastructure in targeted countries.
On the other hand, the threat posed by Unit 180 comes in two forms -- hacking to accumulate money, and the installation of potentially malicious software through the software development business in Japan and China.
In Japan, it uses individuals and companies that appear to have no connection to North Korea, and who accept programming orders through a website. They solicit orders with low prices that do not reflect labor costs, and fulfill them quickly by mobilizing Unit 180 programmers in North Korea and China. Many of the programs they write are used in home appliances and industrial equipment.
According to Kim Heung-kwang, the programs written by Unit 180 for Japanese customers are "highly likely" to be embedded with "backdoors" -- malicious codes that allow for the devices in which they are used to be controlled remotely. That creates the threat of North Korea playing havoc in Japan by manipulating such devices in the event of military conflict, for instance.