Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/17/2017
05:50 PM
Andy Patrizio
Andy Patrizio
Andy Patrizio
50%
50%

Cybercrime Is North Korea's Biggest Threat

While the world is watching a battle of words, North Korea has been attacking the West and funding its global operations through cybercrime.

With the media doing its best to scare the daylights out of Americans over the North Korean nuclear threat, it's missing out on the real menace that is causing real damage: Kim Jong-un's brigade of hackers and cyber thieves.

North Korea has two cyberwarfare units -- Bureau 121 and No. 91 Office. Both are part of the Reconnaissance General Bureau of North Korea's military and have over 6,000 hackers, many of whom are based outside of North Korea. One of the suspected locations of a Bureau 121 cell is the Chilbosan Hotel in Shenyang, China. This location is known thanks to a defector.

So even though North Korea's Internet feed is something of a joke and the country is fairly bereft of technology, it has access to high-speed Internet and modern PCs in other countries.

Bureau 121 reportedly engages in more traditional cyber-warfare efforts aimed at military assets. South Korea has repeatedly blamed Bureau 121 for conducting GPS jamming aimed at South Korea. Bureau 121 is also reportedly behind attempted hacks of the THAAD anti-ballistic missile system being deployed to stop the North Korean missiles.

There is another group, DPRK Office 91, also known as the Lazarus Group. The WannaCry ransomware was linked back to the Lazarus Group, and it has engaged in other cybertheft as well.

In January 2016, a division of Lazarus called Bluenoroff hacked into the SWIFT banking network attached to the central bank of Bangladesh. The bank was utilizing used routers, and the terminals to do money transfers internationally were linked wirelessly to very old systems. The North Koreans managed to drop in a back door, got credentials and ordered the bank to issue money transfers for $951 million.

The Bangladesh bank caught wind of it and asked the New York Fed to block 30 transactions totaling $850 million. But five transactions issued by hackers, worth $101 million, went through. About $20 million was traced to Sri Lanka and recovered and $81 million was sent to the Philippines, with about $18 million recovered.

That wasn't their only attempted bank heist. In May 2016, a Vietnamese bank said it managed to stop a $1 million transfer. Later that month, Ecuador's Banco del Austro was bilked out of $12 million, with the money transferred to Hong Kong.

All of the heists exploited the SWIFT system used by banks and used the Dridex malware tool. Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system of payloads delivered by macros in Microsoft Word. All that's needed is for an unwitting sucker to open a Word or Excel attachment and the macros download Dridex, infecting the computer and opening the victim to banking theft.

The FBI is reportedly working to build a case that North Korea directed the thefts, and it's getting help from Kaspersky Labs, Fire Eye, Symantec and BAE Systems Plc.


You're invited to attend Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo on October 18 featuring Comcast's Rob Howald and Charter's John Dickinson.

The Lazarus Group is also believed to be behind recent ransomware attacks on shipping giant Maersk, drug company Merck, DHL, FedEx, a British ad agency and a Russian oil and gas company.

The real question is how closely is China working with North Korea? While it pays lip service to wanting to reign in the North, it's allowing Bureau 121 to operate out of a hotel in China and is even rumored to be helping them. A group dubbed "Tonto Team" by FireEye is working from the same hotel in China as the North Korean Bureau 121 and targeting the THAAD system.

It's clear why they are doing this. North Korea has no economy to speak of and is under sanction by the UN. It needs money and is quite prepared to steal it. Education of bank employees is a must now with the Dridex malware, as well as securing the SWIFT system. Now that their methods are known, they can be defended against.

Related posts:

Andy Patrizio has been a technology journalist for more than 20 years and remembers back when Internet access was only available through his college mainframe. He has written for InformationWeek, Byte, Dr. Dobb's Journal, eWeek, Computerworld and Network World.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28452
PUBLISHED: 2021-01-20
This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request ...
CVE-2020-28483
PUBLISHED: 2021-01-20
This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
CVE-2021-21269
PUBLISHED: 2021-01-20
Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more f...
CVE-2020-25686
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same...
CVE-2020-25687
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This...