More on “North Korean Hackers”


North Korean hackers are an unavoidable subject of discussions considering the recent hype about them yet again. Hence, it is worth looking into the wrongdoings they have been accused of and to what extent they are guilty once more.
On 30 May 2019, radio station Voice of America reported that in the opinion of US intelligence agencies, the DPRK, facing economic difficulties due to imposed sanctions, was engaging in cyberattacks against banks and other financial institutions in order to obtain money. Erin Cho, the head of the National Cybersecurity and Communications Integration Center (an agency of the Department of Homeland Security), pointed out that North Korean cyber attacks were targeting virtual currency, a relatively new means of stealing money.
Former US State Department senior adviser Balbina Hwang also generated publicity with her statements in August 2019.  The visiting professor at Georgetown University talked about a story by the Associated Press that “cited a report from the United Nations Security Council” about North Korea’s use of cyberspace to launch “increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income. The hardest-hit was South Korea, the victim of 10 North Korean cyberattacks, followed by India with three attacks and Bangladesh and Chile with two each”.
As it turns out, “South Korea’s Bithumb, one of the largest cryptocurrency exchanges in the world, was reportedly attacked at least four times”. Two attacks occurred in February and July 2017, each resulting in losses of approximately $7 million, “while a June 2018 attack led to a $31 million loss and a March 2019 attack to a $20 million loss”.
13 September 2019, the US Department of the Treasury imposed sanctions against hacking groups from the DPRK: the Lazarus Group and two of its subsidiaries, Bluenoroff and Andariel. According to the Treasury Department, in 2014, the Lazarus Group was responsible for the cyber attack against Sony Pictures and also for infecting 300,000 computers with viruses in 150 nations world-wide. Bluenoroff managed to steal $1.1 billion from various financial institutions, including $80 million from the central bank of Bangladesh. Andariel is suspected of crimes targeting the South Korean government and infrastructure, and also of attempting to steal classified military information.
At the end of September 2019, experts from the Kaspersky cybersecurity company detected previously unheard of spyware Dtrack, designed by the Lazarus Group, in networks of Indian finance organizations and research centers. This malware can provide access to a device it has infected allowing data to be either uploaded to it or downloaded from it. The spyware is somewhat similar to DarkSeoul, linked to a cyber attack against South Korea in 2013.
In October 2019, Patrick Wardle, the Principal Security Researcher at Jamf (a software provider for the Apple platform), said that hackers, believed to be sponsored by North Korea, had “found a novel way to attack Apple Macs”. They did so by using a fake cryptocurrency trading app. To add legitimacy to the software, the group even created JMT Trading, a front company “complete with an official-looking website”.
In January 2020, Russian cybersecurity company Kaspersky reported that the Lazarus Group had accrued large amounts of cryptocurrency by using Telegram, a popular messaging app that uses its own proprietary security protocol. In fact, links to groups hosted by malicious Telegram users can be found on many fake websites. In addition, the Lazarus Group continues to design and launch numerous fraudulent websites (as for instance, Union Crypto Trader) that appear to be trading platforms for cryptocurrency or ICO hosts (Initial Coin Offering) but, in reality, they are used to steal users’ confidential information. The malware developed by the Lazarus group is also “capable of loading in devices’ memory (RAM) exclusively, bypassing hard drives”, which makes it even more dangerous.
The latest incident possibly related to hackers from the DPRK occurred in January 2020 when 16 North Korean computer programmers were “found to have been working in Cambodia illegally” and were subsequently ordered to leave the country. However, soon it came to light that they were not hackers but temporary IT staff working for a “Chinese online gambling operation”.
On 17 February 2020, ESTsecurity (a cyber security company based in Seoul) reported that a North Korea-linked group was probably responsible for hacking the smartphone belonging to Thae Yong-ho, a former DPRK diplomat who defected to South Korea in 2016. The hackers used “spear phishing” to access his new name, text messages, photographs and other information.  According to security experts, their attack patterns “were similar to those formerly used by North Korean hacking groups”, such as Geumseong121, that targeted “the websites of government departments, North Korea-related organizations and media officials”. The name of the group is fairly patriotic. There is also a possibility that some other team of hackers “used such attack patterns to give the impression of being a North Korean group”. According to Mun Chong-hyun from ESTsecurity, Geumseong 121, believed, in the opinion of South Korean experts, to be backed by DPRK intelligence agencies, was capable of hacking mobile phones of a number of ROK citizens, such as Thae Yong-ho, whose work is related to North Korea and foreign policy. Mun Chong-hyun also pointed out that phishing emails and messages contained, for example, “an attachment that, when clicked, directed the reader to a website masquerading as the website of a North Korean human rights organization based in the US”. Once users were lured to such a website, their devices were infected with malicious files or software that then accessed “systems and sensitive data”.
2 March 2020 The US Department of Justice charged two Chinese citizens, Tian Yinyin, and Li Jiadong, with money laundering. They were indicted for stealing more than $100 million as a result of two cyber attacks. But, according to a joint investigation conducted by U.S. intelligence and South Korean law enforcement agencies, starting at the end of 2017, North Korean hackers have stolen cryptocurrency from exchanges, and have then laundered approximately $250 million with the aid of the Chinese nationals. The funds are believed to have been used to finance North Korea’s nuclear weapons program. It was not the first time such accusations were made. In 2017, the United States alleged that Chinese company Mingzheng International Trading Ltd “facilitated prohibited” monetary transactions on behalf of a North Korean bank. Prosecutors “said they would seek $1.9 million in civil penalties”.
On 23 March 2020, the Cyprus Police issued a public warning saying they had received a number of complaints regarding telephone calls that appeared to come from North Korea, as the numbers started with 00850 (the DPRK country code). There were grounds to believe that it was a “scam leading to recipients” being overcharged.
Unfortunately, all of these disconcerting reports do not provide any evidence to support their claims. And some time ago, the author conducted his own investigation into such incidents. And we would simply like to remind our readers about its outcomes.

  • The claim that the attack patterns were similar to those used by other North Korean groups is unjustified. After all, since there are few unique hacking tools, most hackers have a limited arsenal at their disposal.  It is common practice for them to use each other’s attack patterns to not only save time but also misdirect and shift the blame elsewhere. Considering the fact that North Korea’s involvement in the previous attacks was not proven, the so-called evidence could actually turn out to be an extrapolation. A vicious cycle is thus created, as one “highly likely” claim multiplies, and for some reason, this uncertainty is not reflected in conclusions drawn, and DPRK involvement is then viewed as an “incontrovertible” fact.
  • The hackers’ use of typically North Korean linguistic expressions also does not prove DPRK involvement. After all, any criminal group may choose to utilize such language (e.g. Chollima) in order to cover up their tracks and deceive law enforcement agencies.
  • Hiding IP addresses or caller ID spoofing are common tools used by scammers. In fact, a VPN (a Virtual Private Network) allows you to change your apparent location.
  • Discussions about hacking seemingly secure networks not connected to the internet (as for instance, banking systems) usually prompt the question “But how is that possible?”. A virus needs to be introduced somehow, and this is possible when a device is connected to the internet. If a network cannot be infected in this manner, then a saboteur (not malware) is probably involved.  Another possibility is that the system in question was not completely secure or isolated from the outside world due to a high level of incompetence.
  • Public accusations along the lines of ‘X could have been involved in Y’ are mere speculation if they are not supported by evidence. Statements, such as ‘groups with ties to Pyongyang’, also fall into the same category, as it is important to prove such a relationship. After all, simply saying ‘hackers target enemies of the DPRK’ is not evidence. In addition, the Lazarus Group, Bluenoroff and Andariel are highly unusual names for hacker groups, in comparison to Geumseong121, taking into account how isolated North Korea is as a nation.
  • In fact, there are ongoing debates about where the Lazarus Group is from among experts. It is especially enjoyable to hear the word “Chollima” in reference to its subgroups. Chollima is a mythical winged horse capable of travelling 1,000 li (400 km) per day. For a long time, the animal symbolized the speed of North Korea’s economic development, which, over a period of at least two years, has increased 10-fold. Hence, nowadays, it is customary to refer to such progress with the expression “Mallima”.

Interestingly, it is not only cyber crime that is on the rise in North Korea itself, where there are over 600,000 mobile phone users, telephone scams are spreading there too. According to defectors from the DPRK, criminals often “pretend to be law enforcers or financial supervisors” who threaten to arrest people they target if they do not pay up. “Such classic scams still work because victims do not dare question the identity of the purported government officials”.
In all likelihood, the DPRK and pro-North Korea hackers are responsible for the so called “phishing campaigns designed to obtain passwords and other personal information” once a victim opens a link or an attachment sent in a message. In September 2019, such correspondence with malware was sent to “people working in the North Korea field”. These types of attacks, using email addresses that appear to belong to “people working on North Korea issues”, started as far back as 2010.
According to a report by Palo Alto Networks, Inc. (a cybersecurity company) issued in January 2020, “a group of hackers suspected to be linked to North Korea” had attacked “a U.S. government agency and researchers working on DPRK issues with a new type of malware”. They “sent emails with six different Microsoft Word documents in Russian that contained malicious macros aiming to give attackers control over the recipients’ computers”.
The latest “malicious email campaigns” occurred at the end of February 2020.
In summary, an interesting situation is seemingly taking shape. Sanctions imposed against the DPRK are forcing the nation to look for new ways of generating income. And since the use of digital technologies is not prohibited by them and is also difficult to monitor, North Korea has seemingly started to bank on this sector. Any work performed by DPRK IT specialists and software developed by them are not covered by sanctions. And Pyongyang has begun to take advantage of this by, for example, using money transfer apps (designed similarly to Chinese analogues) that allow users to bypass standard bank procedures to send and receive money.
Clearly, there is a push to shut down such tools and tighten the digital blockade, hence, the reports about hackers. But for every action, there is an equal and opposite reaction, and it is possible that, just as in self-fulfilling prophecies, myths about North Korean hackers may just become a reality.
Konstantin Asmolov, PhD in History, Leading Research Fellow at the Center for Korean Studies of the Institute of Far Eastern Studies of the Russian Academy of Sciences, exclusively for the online magazine “New Eastern Outlook“.