The Potential for Increased Financially-Motivated North Korean Cyber Operations in the Face of Increasing International Pressure

With North Korea becoming increasingly isolated from the world economy the likelihood that it will use its cyber capabilities for financial gain grows. The United Nations has already imposed significant sanctions on North Korea; however, a recent announcement by China that it will shut down North Korean companies operating within its borders could indicate significant financial trouble for North Korea.

Lawfare recently released a podcast of an excellent talk by UC San Diego professor Stephan Haggard that provides a description of the economic pressures that the international community is placing on North Korea. He describes how the US uses access to its financial system as one lever; however, China currently accounts for 90% of North Korea's trade making it the key factor in how severe financial pressure on North Korea can get. With the Chinese recently indicating that they will increasingly restrict North Korean business activity the chances are increasing that North Korea will turn to its cyber capabilities in an attempt to mitigate the effects of financial sanctions.

North Korea has previously shown a desire and ability to conduct financially-motivated cyber operations as evidenced by previous attacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) platform. More recently, it has been reported by FireEye that cyber activity linked to North Korea has targeted entities involved with Bitcoin indicating that it may have interest in cryptocurrencies as a way to circumvent sanctions and provide financial assets in the face of these measures.

In this post, the Cyber Intelligence and Policy Project (CIPP) briefly reviews the financially-motivated attacks on the SWIFT system by North Korean actors, and also looks at a couple of malicious files possibly linked to North Korean actors that may have been used in more recent operations targeting cryptocurrencies organizations and more traditional financial systems.

SWIFT Attacks

In February 2016 an attacker gained access to the Bangladesh central bank's SWIFT payment system and set into motion the transfer of a large sum of money from the bank's account to account   in The Philippines. The attackers attempted to steal nearly one billion dollars. The Bangladesh central bank was able put a stop to most of the transfer orders; however, $81 million was never recovered. 

The attackers used a number of tools to gain and maintain access to the bank's systems. Among the toolset used were multiple tools designed specifically to affect SWIFT systems. These tools were capable of collecting information about SWIFT transactions, disabling protection mechanisms present with the SWIFT software, and allow for the alteration of files passed within the system.

In addition to the Bangladesh incident there were a number of other incidents at banks around the world in which SWIFT systems were similarly targeted. Both Kaspersky and BAE noted code level similarities between the malware used in the SWIFT attacks and North Korean actors known as Lazarus.

Recent Financial-themed Attacks Potentially Linked to North Korea

The SWIFT attacks were the first high-profile incidents to highlight financially-motivated attacks linked to North Korean operators. Since that time additional North Korean cyber operations have been observed with possible financial motivations. In researching this post CIPP identified two financially-themed malicious document in open source that may be linked to North Korea.

Bitcoin-themed Incident (08e128a70d1c96ae403fde40e2471389)

This file appears to have been created in late July 2017 and bears the file name 비트코인_지갑주소_및_거래번호.doc (Machine Translation: Bit coin _ wallet address _ and _ transaction number .doc). The Hybrid Analysis platform shows that malicious macro code writes an executable named svchost.exe to the victim machine and then contacts the domain www.unsunozo[.]org for command and control (C2). A Korean language decoy document is also displayed which appears to contain details of a Bitcoin transaction.

Screen Shot 2017-10-01 at 9.29.33 PM.png

The C2 domain in this case is a legitimate site of a South Korean trade union for freight transport workers. It was likely compromised for use in this malicious activity; however, nothing else is known at this time about the nature of the network traffic to this site. CIPP was unable to identify the malware written by the document. 

Financial Institution-themed Incident (9b7efc5b1fce6bbe6e4538b9e38e4aa5)

A search based on code from the previous document revealed a second, similar document likely deployed a couple weeks after. This one also writes an executable to the victim machine and contacts 2 IP address for C2: 176.35.250[.]93 and 64.86.34[.]24. The decoy file in this case is an English language job description for a software developer at a US-based financial institution.

Screen Shot 2017-10-01 at 9.31.06 PM.png

Again, CIPP is not able to identify the malware written by the document.

CIPP cannot confirm these documents are linked to North Korean cyber espionage activity. However, as the previously cited FireEye report indicates, North Korean actors have targeted cryptocurrency entities in South Korea. The Korean language, Bitcoin-themed document described above fits within this reported tactic. The second, English language document shares code with the Bitcoin document. Open source does not indicate this code is widely used so it is possible that the two documents can be linked to the same actor or possibly different actors using similar tooling.

It should also be noted that while decoy content may indicate that these files were used to target the financial sector, CIPP cannot definitively identify targets in these instances.

Conclusion

As North Korea becomes increasingly isolated the probability that it will conduct financially-motivated cyber operations increases. The attacks on the SWIFT platform show that North Korean actors are capable of carrying out successful attacks against traditional financial systems. Cryptocurrencies such as Bitcoin could offer another avenue for North Korea as it attempts to bolster its financial stability in the face of intense international pressure. Current favorable exchange rates as well as uncertain legal and regulatory frameworks could make cryptocurrencies an attractive target for North Korea's cyber operations