SEOUL — North Korea is behind an increasingly orchestrated effort at hacking into computers of financial institutions in South Korea and around the world to steal cash for the impoverished country, a South Korean state-backed agency said in a report.
In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified military or government data, but the focus seems to have shifted in recent years to raising foreign currency, the South’s Financial Security Institute (FSI) said.
The isolated regime is suspected to be behind a hacking group called Lazarus, which global cybersecurity firms have linked to last year’s $81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony’s Hollywood studio.
The U.S. government has blamed North Korea for the Sony hack and some U.S. officials have said prosecutors are building a case against Pyongyang in the Bangladesh Bank theft.
In April, Russian cybersecurity firm Kaspersky Lab also identified a hacking group called Bluenoroff, a spinoff of Lazarus, as focused on attacking mostly foreign financial institutions.
The new report, which analyzed suspected cyberattacks between 2015 and 2017 on South Korean government and commercial institutions, identified another Lazarus spinoff named Andariel.
“Bluenoroff and Andariel share their common root, but they have different targets and motives,” the report said. “Andariel focuses on attacking South Korean businesses and government agencies using methods tailored for the country.”
Pyongyang has been stepping up its online hacking capabilities as one way of earning hard currency under the chokehold of international sanctions imposed to stop the development of its nuclear weapons program.
Cyber security researchers have also said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyberattack that infected more than 300,000 computers in 150 countries in May.
“We’ve seen an increasing trend of North Korea using its cyber espionage capabilities for financial gain. With the pressure from sanctions and the price growth in cryptocurrencies like Bitcoin and Ethereum — these exchanges likely present an attractive target,” said Luke McNamara, senior analyst at FireEye, a cybersecurity company.
North Korea has routinely denied involvement in cyberattacks against other countries. The North Korean mission to the United Nations was not immediately available for comment.
ATMs, online poker
The report said the North Korean hacking group Andariel has been spotted attempting to steal bank card information by hacking into automated teller machines, and then using it to withdraw cash or sell the bank information on the black market. It also created malware to hack into online poker and other gambling sites and steal cash.
“South Korea prefers to use local ATM vendors and these attackers managed to analyze and compromise SK ATMs from at least two vendors earlier this year,” said Vitaly Kamluk, director of the APAC research center at Kaspersky.
“We believe this subgroup (Andariel) has been active since at least May 2016.”
The latest report lined up eight different hacking instances spotted within the South in the last few years, which North Korea was suspected to be behind, by tracking down the same code patterns within the malware used for the attacks.
One case spotted last September was an attack on the personal computer of South Korea’s defense minister as well as the ministry’s intranet to extract military operations intelligence.
North Korean hackers used IP addresses in Shenyang, China to access the defense ministry’s server, the report said.
Established in 2015, the FSI was launched by the South Korean government in order to boost information management and protection in the country’s financial sector following attacks on major South Korean banks in previous years.
The report said some of the content has not been proven fully and is not an official view of the government.