25 January 2022

North Korean hackers: The history of cyber heists

For several decades North Korea, often described as a “hermit kingdom,” has been subject to economic and financial sanctions implemented by the EU, the UN, and the United States in response to North Korea’s nuclear weapons program and human rights violations. The Democratic People's Republic of Korea (DPRK), for its part, has developed a number of techniques to evade international sanctions and support its struggling economy, including constantly evolving cyber capabilities.

Over the years, the DPRK has demonstrated remarkable growth in the sophistication of its cyberattacks, ranging from ATM heists and cryptocurrency platform hacks to ransomware deployment and the crippling of global financial networks.

In fact, a recent report from the blockchain analysis company Chainalysis estimated that in the last year alone hackers linked to North Korea stole almost $400m in at least seven attacks against cryptocurrency exchanges. The hackers used various techniques, including phishing attacks, exploits and malware to steal funds from the organizations' “hot” wallets and then moved them into North Korea-controlled addresses. Many of the thefts were likely carried out by a state-sponsored advanced persistent threat (APT) group known as Lazarus Group, a collective believed to be a unit of North Korea's primary intelligence bureau, the Reconnaissance General Bureau.

Previously Lazarus had been linked to high-profile attacks against Sony Pictures Entertainment in 2014, the 2016 theft of $81 million from Bangladesh Bank via SWIFT, and the spread of WannaCry ransomware in 2017, which compromised more than 300,000 computer systems across 150 countries by exploiting vulnerabilities in the Windows operating system.

The attack on Sony Pictures Entertainment was conducted in retaliation for the movie “The Interview,” a comedy film that depicted the assassination of North Korea’s leader Kim Jong Un. The hackers breached Sony Pictures Entertainment’s network to steal confidential data, threatened SPE executives and employees, and damaged thousands of computers.

North Korean hackers are also thought to be behind the theft of at least $1bn from financial institutions across the world, including the attempt to siphon $81 million from the Bangladesh Bank through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network.

The threat actor compromised the bank’s computer network via spear-phishing emails targeting the bank’s employees, and gained access to the computer terminals that interfaced with the SWIFT network. The attackers then sent fake messages directing the Federal Reserve Bank of New York (where Bangladesh keeps a US-dollar account) to transfer funds out of the Bangladesh Bank’s Federal Reserve account to accounts at Manila-based Rizal Commercial Banking Corporation. The money was then withdrawn, converted into Philippine pesos, and exchanged for casino chips at Manila's casinos. The idea was to make it impossible for investigators to trace the stolen money by converting it to chips, gambling at the tables, and then changing the chips back into cash.

In September 2018, the US authorities indicted an alleged member of Lazarus for his involvement in destructive cyberattacks that led to extensive loss of data, money, and other resources. Separately, in February last year, the US charged three North Korean computer programmers with a massive hacking spree aimed at stealing more than $1.3bn in money and cryptocurrency.

It is difficult to assess how successful North Korea’s hackers have been, because they do not claim responsibility for the attacks and Pyongyang has repeatedly denied any wrongdoing. Nevertheless, in 2019 a UN sanctions report estimated that $2bn had been raised for Kim Jong Un’s weapons program through illicit cyber activities.

In August 2020, the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and US Cyber Command (USCYBERCOM) released a joint advisory detailing a global bank robbery scheme orchestrated by a threat actor known as the BeagleBoyz, a group of hackers linked to the North Korean government’s Reconnaissance General Bureau.

Active since at least 2014, the group conducts well-planned, disciplined, and methodical cyber operations using complex malware. BeagleBoyz is believed to be behind the sophisticated ATM cash-out campaigns known as “FASTCash.” According to CISA, the BeagleBoyz have attempted to steal nearly $2 billion since at least 2015.

According to analysts, North Korea’s cyber army is headquartered in the Reconnaissance General Bureau, specifically under Bureau 121. The size of North Korea’s cyber army is estimated to be between 3,000 and 6,000 people trained in cyber operations. The authorities identify talented students and train them at domestic universities such as Kim Il Sung University, Kim Chaek University of Technology, and the Command Automation University. Some security research indicates that some students are trained in Russia and China, and North Korean hackers often live abroad to take advantage of other countries’ more advanced internet infrastructure.

In the next installment of this article series we’ll take a closer look at Tactics, Techniques, and Procedures (TTPs) of the hacker groups associated with North Korea.
