OPTIV THREAT ACTOR INTEL SERIES #2: NORTH KOREA’S CRIMINAL HACKERS
Courtney Falk, Aamil Karimi

OPTIV THREAT ACTOR INTEL SERIES #2 | NORTH KOREA’S CRIMINAL HACKERS

INTENT

The Optiv Threat Actor Intel report is a who’s who primer of threat actors across the globe, intended to educate readers. The report provides a synopsis of each threat actor, their history and their motivators for easier understanding. Information in the report is a combination of intelligence gathered from public, third-party sources and Optiv’s Global Threat Intelligence Center (gTIC).

INTRODUCTION

The Democratic People’s Republic of Korea (DPRK) is unique among nation-states in the way that it combines sanctioned cyber capabilities with cyber-crime. This report looks at the ways that North Korea uses its nation-state assets to commit common crimes. The key question: will the criminal activities of a nation such as North Korea have follow-on repercussions in the event of either a political collapse or reformation?

Many modern nation-states have built a cyber-focused military force. Every such cyber force has a defensive component; it implements network and endpoint security measures in order to protect the nation’s resources. Some cyber forces are built to include an offensive component that is able to reach out across the wire and interfere with the functioning of another nation.

As with cyber forces, most nations now have their own cyber-criminals: technologically skilled yet unemployed or underemployed citizens who want to make more money by using their computers to take from others. How a nation-state addresses its cyber-criminal element is a useful way to categorize it. On one extreme are liberal Western nations such as the United States, where cyber-crime is just crime by another name. These cyber-criminals are not welcome to participate in most aspects of the nation’s functioning. Moving towards the other end of the spectrum are nations like Russia, China and Iran. These nations have indigenous cyber-criminal undergrounds, but the government harnesses the skills and resources of the cyber-criminals to prosecute the nation’s policy. By hook or by crook, these criminals follow instructions and tasks given to them by government minders. Sometimes the instructions include the requirement to target only victims outside their own nation.

At the farthest end of the government-crime spectrum is North Korea. North Korea has both offensive and defensive cyber capabilities. What makes North Korea unique is not that it harnesses cyber-criminals, but that it trains its own forces to be criminals.

A SOCIO-POLITICAL ANALYSIS OF NORTH KOREA

POLITICAL

North Korea is a single-party hereditary dictatorship. The nation was founded upon communist ideals by Kim Il-Sung. His son, Kim Jong-Il, took control after his father’s death. The 2011 death of Kim Jong-Il resulted in the transfer of power to his third son, Kim Jong-Un. He is both the Supreme Leader and the Chairman of the Workers’ Party of Korea (WPK).

North Korean line of succession (l-r): Kim Il-Sung, Kim Jong-Il, Kim Jong-Un

MILITARY

The Korean People’s Army (KPA) is one of the largest and most powerful organizations in the North Korean government. The KPA claims to be able to mobilize over 5 million personnel, which would account for one quarter of the North Korean population.

Stated spending on the military was 15% of GDP, but analysts speculate that it may be twice that. As a reference point, the United States spends 3.5% of GDP on its military. The spending does not necessarily produce results. The North Korean air force has more aircraft than the combined air forces of South Korea and the United States on the Korean Peninsula. However, these 1980s-vintage aircraft are outdated and flown by pilots with fewer flight hours than their southern counterparts (Hackett & Fitzpatrick, 2018).

North Korea has existed in a perpetual state of war since its 1950 attempt to invade its southern neighbor. While an armistice was signed in 1953, there still is no signed peace treaty. The border at the 38th parallel, known as the demilitarized zone (DMZ), is one of the most highly militarized in the world.

ECONOMIC

North Korea practices a philosophy known as “Juche,” or radical self-reliance. One of the products of this philosophy is Vinylon, a fabric made from limestone (Park & Pearson, 2018). This was a pragmatic response to a lack of raw fibrous material such as cotton. Not to be satisfied with a technological achievement alone, North Korea produced an animated Vinylon Man propaganda series to trumpet their ideological victory.

But in reality, sizeable portions of the North Korean population are starving at any given time, a situation dating back to the famine that began in 1994, known as The March of Suffering. The military is given priority when it comes to the distribution of food. Estimates of famine-related fatalities vary from one quarter million to more than three million citizens.

Source                      Metric                                  North Korea    South Korea    Top Rated Country
                            Population                              25,248,140     51,181,299     n/a
                            GDP (PPP)                               $1,400         $39,400        n/a
Transparency International  Corruption Perceptions Index 2017       174th of 183   54th of 183    New Zealand
ITU                         ICT Development Index 2017              Not included   2nd of 176     Iceland
World Economic Forum        Global Competitive Index (2017–2018)    Not included   26th of 137    Switzerland
Portland                    Soft Power 30                           Not included   20th of 30     United Kingdom
Reporters Without Borders   2018 World Press Freedom Index          180th of 180   43rd of 180    Norway

SOCIAL

The family is the core social unit in North Korea. Families are rewarded or punished as a unit. Politically-linked families are allowed to live in the capital and receive goods and services not available to the bulk of the country.

If a person is arrested and imprisoned for political crimes, their entire family may be imprisoned along with them. Up to three generations of a family might be sent to a camp for political prisoners. There, they are essentially slave labor for the government.

INFRASTRUCTURE

Infrastructure in North Korea is poor to non-existent, especially outside Pyongyang. Nighttime satellite imagery of the Korean Peninsula shows bright swathes of artificial light in South Korea and China, with darkness beginning abruptly at the DMZ in the south and the Yalu River in the north.

Another example of the poor North Korean infrastructure is the Ryugyong Hotel in downtown Pyongyang. The construction project began in 1987 but was suspended for two decades due to lack of funding, leaving a concrete skeleton on display. Since 2012, the façade of the building has been complete, enclosing the space in glass and steel, but the interior remains unfinished.


INFORMATION

Analyzing the accessibility of the Internet in North Korea is a difficult task. North Korea doesn’t appear in the NGO Freedom House’s Freedom on the Net report (2016) or in the ICT Development Index (International Telecommunications Union, 2017).

The DPRK exerts tight control over Internet access. Some North Koreans have access to Kwangmyong, which is the name given to the walled-garden intranet available in the DPRK (Fisher, 2015).

Internet backbone support is delivered by internet service providers based in Russia and China. Since 2009, North Korean Internet access has relied on Star Joint Venture Co., a joint business venture between the North Korean government-owned Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Until recently, nearly all of North Korea’s internet traffic, including Star Joint Venture’s, was dependent on and routed through a China-based carrier. In October 2017, researchers from Dyn Research and 38 North observed route announcements for several known North Korean IP ranges coming from the Russian Internet carrier and service provider Transtelecom (Chirgwin, 2017).

Russian Internet support and redundancy came at a time when Chinese and North Korean diplomacy began to falter as a more aggressive North Korean regime isolated itself further from the rest of the world, prompting China to pull diplomatic and economic initiatives out of North Korea. This shift is assessed to have allowed Russia to continue to further its own interests by aligning itself closer with North Korea as China was reducing its footprint.

CONTROLS ON DISSENT

The kinds of hacker groups that arose organically in liberal Western democracies such as Cult of the Dead Cow, l0pht Heavy Industries, or the Chaos Computer Club would be quashed by DPRK authorities.

State control of media is absolute in North Korea. As a protest measure, South Korean groups have taken to loading digitized TV shows, music and movies onto USB thumb drives, attaching them to balloons, and letting them drift north across the border (Halvorssen & Lloyd, 2014).

Even elite regime members are not immune from purges. Jang Sung-Taek, uncle of Kim Jong-Un and high-ranking member of the WPK, was arrested in December 2013 and subsequently executed. Jang’s images were edited out in a Stalinist-style purge. His arrest was reported to be for a number of counter-revolutionary failings, but was also a political tool for Kim to consolidate control.

The punishment for politically-motivated crime in North Korea is imprisonment of the accused and three generations of his or her family (Bureau of Democracy, Human Rights and Labor, 2017). The draconian punishments meted out by the North Korean government stem the flow of defections only to a limited degree. In November 2017, one dramatic defection was caught on video (Westcott & Kwon, 2017): a soldier sped into the DMZ and ran across the border while being repeatedly shot.

SOURCES OF INCOME

North Korea is the target of several international sanctions (Haggard, 2018). These limit the nation’s ability to bank internationally and to obtain important resources. The government has gone to great lengths to create alternative income streams.

WEAPONS

North Korea is keen to develop missile technology. It possesses a variety of indigenous designs and test-fires them with varying degrees of success in order to signal other nations. The missile intellectual property is a prime export candidate. According to a confidential United Nations monitoring report, North Korean missile technology has made its way into the hands of Syria and Myanmar (formerly known as Burma) in violation of sanctions (Nichols, 2018). These missile sales netted $200 million for the North Korean regime.

Not only are North Korean missiles for sale, but so too is North Korean nuclear knowledge. In 2007, Israeli fighter-bombers crossed into Syrian airspace, destroyed a complex of buildings, and returned to their bases. This raid is sometimes known as “Operation Orchard.” The fact that the Israeli Air Force penetrated Syrian air defenses without any casualties is a source of speculation in and of itself (Weinberger, 2007). More interesting than the how is the why. The consensus is that Syria was working with the help of North Korean experts to build its own nuclear reactor (Follath & Stark, 2009). North Korea certainly has the experience to build such a facility. Israel has also shown itself willing and able to strike nearby Arab regimes in order to prevent the development of nuclear technology (Correll, 2012), which it sees as an existential threat.

COUNTERFEITING

Multiple reports, both public and governmental, describe North Korea producing fake American currency in an effort at literal money-making (Nando, 2009). $100 denomination bills seem to be the most popular target, but some reporting looks at $50 bills as well. Recent security updates to the $100 bill format may have thrown a temporary wrench into the counterfeiting machine.

ONLINE GAMBLING

Online gambling is an area of dubious legality depending on geographic location. But when done properly, gambling always profits the house. North Korea is filling a niche of the gray-black economy by operating online gambling web sites (Szoldra, 2016). This risk-based revenue stream nets hundreds of millions of dollars per year for the Kim regime.

DRUGS

One of the more dubious areas of reporting on illicit North Korean activities is narcotics. North Korean citizens do not appear immune from the scourge of addiction. But in a country as tightly controlled as North Korea, this raises the question, “Where are the drugs coming from?” Some suggest from the state itself (Hong, 2016).

THE HACKERS

North Korea lacks the access and freedom to enable an underground hacking movement to arise organically. And yet criminal hacking activity is attributed to threat actors in North Korea. This leads to the conclusion that the illegal hacking conducted by North Koreans is sanctioned by the government.

The most recognized North Korean threat actor is the Lazarus group. Lazarus has appeared in several high-profile breaches. The breadth of their hacking would be impressive if not for the damage they leave behind.

In 2014, Sony Pictures planned the release of The Interview, an off-color action comedy about a superficial talk show host who somehow lands an exclusive interview with Kim Jong-un (Rogen & Goldberg, 2014). The movie did not portray Kim in a positive light. But before the release date, a group of hackers calling themselves the “Guardians of Peace” breached Sony’s networks and stole a treasure trove of data (Peterson, 2014). The subsequently released data painted senior management at Sony in a negative light, adding brand reputation damage on top of network security damage.

2016 was the scene of a very different breach attributed to North Korea. Bangladesh Bank, the central bank of that country, was breached. Hackers set up a series of transactions utilizing the SWIFT international monetary transfer network (Zetter, 2016). The attackers made off with $81 million, which is a substantial amount of money, but not nearly the $1 billion worth of transfers that were initiated before the breach was found (Hammer, 2018). The unprecedented scope of the breach prompted SWIFT to update its security requirements for network members.

North Korean hackers have also shown an interest in pickpocketing the wallets of cryptocurrency users. Multiple cryptocurrency exchange breaches in South Korea are attributed to North Korean attackers. Individuals are also phished with Korean-language emails and text messages in order to circumvent multi-factor authentication.

SPREADING CHAOS

What then happens to these professionally trained criminals when they decide to walk away from their handlers? Russia has taken a different approach to its hackers, coercing and threatening independent cyber-criminals into being an ersatz arm of Russian computer network operations. But this strategy is starting to lose its effectiveness for the Russians (Leyden, 2017). Can North Korea prevent a similar outcome?

The game changer here is cryptocurrencies. Corruption is nothing new to the North Korean regime. Now, professional hacker criminals are stealing completely virtual money. The opportunities to skim and divert bitcoin and other cryptocurrencies abound. Once a North Korean hacker has built up a sufficient nest egg of cryptocurrency, he or she can escape their minders and operate an independent criminal enterprise. This stands in stark contrast to more common defectors, who often live off the welfare of the South Korean government.

RECENT DEVELOPMENTS

Political developments on the Korean peninsula have seen a sudden uptick in activity. Kim Jong-un traveled to the south to meet with his Republic of Korea (RoK) counterpart, Moon Jae-in. The immediate outcome of those talks was North Korea adopting the same time zone as South Korea (previously they were offset by a half-hour). The significance of this change is undercut by the fact that North Korea only adopted its previous time zone in 2015.

A senior intelligence officer of the DPRK defected to the West in early 2018 (Fitsanakis, 2018). This was much more significant, if much less visible, than a simple soldier sprinting across the DMZ. Reports suggest that the officer had in his possession a machine for counterfeiting American currency, which would support the hypothesis that North Korea counterfeits high-value US currency as a revenue stream.

In September 2018, the United States Department of Justice released a criminal complaint that publicly named one of the North Korean hackers (Office of Public Affairs, 2018). The complaint focuses on the Sony hack discussed earlier. But the complaint also explicitly ties together other attacks that were previously attributed to the DPRK, such as WannaCry and the Bangladesh Bank heist. For the United States government to make such a public statement speaks to the strength of the evidence and the firmness of conviction on the part of government lawyers.

Applying Optiv’s threat actor scoring methodology, North Korea scores a 78 out of a possible 100. This proprietary metric for scoring and comparing threat actors is based on the gTIC’s extensive intelligence gathering. Each threat actor is evaluated according to six dimensions that measure three areas of capabilities: technical, operations and preparation. These dimensions represent observable patterns and behaviors on the part of the threat actor.

This final, cumulative score provides public and private entities with a useful way to quickly evaluate and compare threat actors. These scores are meant to serve as a quick reference to help decision makers determine where to focus and how to best spend their resources.

[Figure: threat actor scoring chart, overall score 78. Dimensions: Acquisition, Duration, Adaptability, Breadth, Publicity, Organization.]

CONCLUSIONS

The North Korean government has shown a willingness to use whatever means it has on hand to generate income. One of those resources is its offensive cyber capabilities. In addition to gathering intelligence, North Korean nation-state hackers are stealing money intended for government coffers. The DPRK may unwittingly be creating a monster: a body of hackers who are skilled in theft are likely to realize the viability of going to work for themselves. As such, the criminal nation-state hackers of North Korea may soon become a diaspora of self-funded entrepreneurs.

REFERENCES

Bureau of Democracy, Human Rights and Labor. (2017, August 25). Prisons of North Korea. Retrieved from U.S. Department of State: https://www.state.gov/documents/organization/273891.pdf

Chirgwin, R. (2017, October 4). Russian telco backs up North Korea’s sole Internet link. Retrieved from The Register: https://www.theregister.co.uk/2017/10/04/north_korea_adds_second_internet_link/

Correll, J. T. (2012, April). Air Strike at Osirak. Retrieved from Air Force Magazine: http://www.airforcemag.com/MagazineArchive/Pages/2012/April%202012/0412osirak.aspx

Feinburg, A. (2014, December 23). So Who Shut Down North Korea’s Internet? Retrieved from Gizmodo: https://gizmodo.com/so-who-shut-down-north-koreas-internet-1674589139

FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved from FireEye: https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html

Fisher, M. (2015, March 19). Yes, North Korea has the internet. Here’s what it looks like. Retrieved from Vox: https://www.vox.com/2014/12/22/7435625/north-korea-internet

Fitsanakis, J. (2018, May 3). Senior North Korean counterintelligence official believed to have defected. Retrieved from IntelNews: https://intelnews.org/2018/05/03/01-2316/

Follath, E., & Stark, H. (2009, November 2). How Israel Destroyed Syria’s Al Kibar Nuclear Reactor. Retrieved from Der Spiegel: http://www.spiegel.de/international/world/the-story-of-operation-orchard-how-israel-destroyed-syria-s-al-kibar-nuclear-reactor-a-658663.html

Freedom House. (2016, November). Silencing the Messenger: Communication Apps under Pressure. Retrieved from Freedom on the Net 2016: https://freedomhouse.org/sites/default/files/FOTN_2016_BOOKLET_FINAL.pdf

Hackett, J., & Fitzpatrick, M. (2018, June). The conventional military balance on the Korean Peninsula. Retrieved from The International Institute for Strategic Studies: https://www.iiss.org/-/media/images/comment/military-balance-/2018/june/the-conventional-military-balance-on-the-korean-peninsula.ashx

Haggard, S. M. (2018, April 6). Those North Korea sanctions might be working. Here’s why. Retrieved from The Washington Post: https://www.washingtonpost.com/news/monkey-cage/wp/2018/04/06/those-north-korea-sanctions-might-be-working-heres-why

Halvorssen, T., & Lloyd, A. (2014, January 15). We Hacked North Korea With Balloons and USB Drives. Retrieved from The Atlantic: https://www.theatlantic.com/international/archive/2014/01/we-hacked-north-korea-with-balloons-and-usb-drives/283106/

Hammer, J. (2018, May 3). The billion-dollar bank job. Retrieved from New York Times: https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html

Hong, B. (2016, February 7). Kim Jong-un Breaking Bad: The Secret World of North Korean Meth. Retrieved from The Daily Beast: https://www.thedailybeast.com/kim-jong-un-breaking-bad-the-secret-world-of-north-korean-meth

International Telecommunications Union. (2017). Measuring the Information Society Report 2017, Volume 2. ICT Country Profiles. Retrieved from International Telecommunications Union: https://www.itu.int/en/ITU-D/Statistics/Documents/publications/misr2017/MISR2017_Volume2.pdf

Leyden, J. (2017, June 6). Russia is struggling to keep its cybercrime groups on a tight leash. Retrieved from The Register: https://www.theregister.co.uk/2017/06/06/russia_cyber_militia_analysis/

McClory, J. (2018). The Soft Power 30. Retrieved from https://softpower30.com/wp-content/uploads/2018/07/The-Soft-Power-30-Report-2018.pdf

Nando, D. K. (2009, June 12). North Korean Counterfeiting of U.S. Currency. Retrieved from Congressional Research Service: https://fas.org/sgp/crs/row/RL33324.pdf

Nichols, M. (2018, February 2). North Korea earned $200 million from banned exports, sends arms to Syria, Myanmar - U.N. report. Retrieved from Reuters: https://www.reuters.com/article/us-northkorea-missiles-un-exclusive/exclusive-north-korea-earned-200-million-from-banned-exports-sends-arms-to-syria-myanmar-u-n-report-idUSKBN1FM2NB

Office of Public Affairs. (2018, September 6). North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions. Retrieved from Department of Justice: https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

Park, J.-m., & Pearson, J. (2018, January 17). Special Report: The fabulous story of North Korea’s fabric made of stone. Retrieved from Reuters: https://www.reuters.com/article/us-northkorea-vinalon-special-report/special-report-the-fabulous-story-of-north-koreas-fabric-made-of-stone-idUSKBN1F621H

Peterson, A. (2014, December 18). The Sony Pictures hack, explained. Retrieved from The Washington Post: https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?utm_term=.cf6312961141

Rogen, S., & Goldberg, E. (Directors). (2014). The Interview [Motion Picture].

Szoldra, P. (2016, June 18). North Korea is raking in nearly $1 billion from online gambling sites. Retrieved from Business Insider: http://www.businessinsider.com/north-korea-online-gambling-sites-2016-7

Weinberger, S. (2007, October 4). How Israel Spoofed Syria’s Air Defense System. Retrieved from Wired: https://www.wired.com/2007/10/how-israel-spoo/

Westcott, B., & Kwon, J. (2017, December 22). North Korean soldier defects across demilitarized zone. Retrieved from CNN: https://www. .com/2017/12/20/asia/north-korea-soldier-defection-dmz/index.html

Zetter, K. (2016, May 17). That insane, $81M Bangladesh bank heist? Here’s what we know. Retrieved from Wired: https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/

Want to learn more? Insight on cyber threat intelligence is an ongoing series of thought leadership at Optiv.

Other corresponding materials on the subject are available for download:

Threat Intel Report, Enemy Perspectives #1: Russia
2018 Cyber Threat Intelligence Estimate Whitepaper

Optiv is a market-leading provider of end-to-end cyber security solutions. We help clients plan, build and run successful cyber security programs that achieve business objectives through our depth and breadth of cyber security offerings, extensive capabilities and proven expertise in cyber security strategy, managed security services, incident response, risk and compliance, security consulting, training and support, integration and architecture services, and security technology. Optiv maintains premium partnerships with more than 350 of the leading security technology manufacturers. For more information, visit www.optiv.com or follow us at www.twitter.com/optiv, www..com/optivinc and www.linkedin.com/company/optiv-inc.

Optiv Global Headquarters
1144 15th Street, Suite 2900
Denver, CO 80202
800.574.0896 | www.optiv.com

© 2018 Optiv Security Inc. All Rights Reserved.