Written by Patrick Howell O'Neill

In the shadow of nuclear weapons, bank robberies tend to be forgotten. In North Korea’s case, the two are closely connected.

Conventional wisdom says North Korea is an arsenal-craving backwater under the rule of despots. The regime, however, is driving toward a modern version of authoritarianism, with cyberwar capabilities complementing hydrogen bombs. While the nukes purposefully grab the world’s attention, the regime is taking unprecedented steps in the cyber domain. And it’s targeting more than just its critics.

It’s been just over one year since the collective known as Lazarus Group stole $81 million from the central bank of Bangladesh in a heist that ran through the Federal Reserve Bank of New York. The theft, one of the biggest bank robberies in modern history, initially targeted $1 billion but came up well short because of a simple typo during the online bank transfer process. It’s now the subject of a U.S. federal inquiry looking into North Korea’s possible role in what amounts to modern bank robbery.

This is just one in a series of hacks that prompted accusations against North Korea of targeting, hacking and stealing money from financial institutions from at least 18 different countries.

Never before has a nation-state attempted billion-dollar bank heists like North Korea is now accused of masterminding. The goal, experts say, is funding the nuclear weapons that act as a morbid guarantee of the regime’s survival. While the amount of money stolen is unprecedented, the country’s actions match its longstanding tactic of borrowing from the criminal playbook to skirt crushing economic sanctions.

“What the North Koreans are very good at is continuing to find ways to earn income around the sanctions regime,” Stephan Haggard, visiting fellow at the Peterson Institute of International Economics, said. “Because they’re sanctioned and because they have absolutely no compunction about violating international law and norms, they’re perfectly happy to devote resources to sanctions circumvention. The cyber piece of this is an income earning piece of a larger picture.”

If the bank hacks continue to be successful, there’s no reason to believe they will stop anytime soon.

“If I were a consumer bank right now, I would be pretty concerned about attempts from North Korea to exfiltrate money,” Jon Condra, director of East Asian research and analysis at the threat intelligence firm Flashpoint, told CyberScoop.

The Lazarus-Pyongyang Connection

Lazarus’s involvement in the heists was first pointed out by Symantec as it investigated both the group and North Korea’s increasingly aggressive and idiosyncratic cyberattacks.

“We find them to be quite unpredictable,” Eric Chien, technical director at the security firm Symantec, said. “People try to put [North Korean hackers] in a box and say, ‘This is how they operate.’ They did the Sony wipe, they did the South Korean wipe. If you asked me at that time, ‘Are they going to try to steal $1 billion out of the Bangladesh Bank?’ I would have said, ‘No, that doesn’t fit their profile at all.'”

Earlier this month, Symantec announced a new set of links between Lazarus and hacking attempts on Polish regulators and banks, a cybersecurity incident deemed the most serious the Polish banking system has ever faced.

Chien’s team at Symantec has been actively tracking the Lazarus Group since the Sony hack in 2014, an attack the U.S. government has attributed to North Korea. Researchers have watched the group grow in both ambition and impact but, despite it all, Chien says Lazarus remains “quite low” on a technical perspective.

“Only now they’re starting to take on some of the most modern techniques, the regular techniques you’d see any cybercriminals use in these latest Polish attacks,” he said. “Just because you have low sophistication doesn’t mean you can’t have high impact. We see that with the attack on the Bangladesh Bank. It was really only a typo and some procedural errors that prevented them from getting away with $1 billion and only getting away with $81 million.”

A Connected Dictatorship

For the Kim dynasty, criminal activity is a matter of national security. North Korea’s cyber activity is just the latest step in a decades-long provocation performance.

“They have switched across different domains,” Jon R. Lindsay, a professor at the Global Affairs at the University of Toronto, told CyberScoop. “In the last 10 years, it’s switched to cyber. North Korea keeps trying to find ways to come in under threshold deterrence, response, retaliation. The means it uses to do that have continually varied as the U.S. and South Koreans have come up with more effective deterrent regimes to lock that out.”

Even while revenue has been choked out of the country with sanctions, the dictatorship has poured considerable resources into developing cyber capabilities over the last 38 years. According to South Korean intelligence, it came into stark focus in 1986 when North Korea hired 25 Russian instructors to train “cyber-warriors.” The training took place at Mirim Command Automation College (now known as Kim Il Military College), an institution that became legendary for its shadowy activity. The Korea Computer Center, a top research center from the Pyongyang regime, was established in 1990 and has since branched out to offices and commercial dealings around the world.

The hackers who make up Lazarus may have been part of the North Korean programs that educate students from middle school to the university level at institutions like Kim Il Sung Military Academy, the top school in the nation. By 2000, as the country emerged from a four-year long famine that killed as many as 3.5 million people, North Korea increased investments in technology, connectivity and personnel that slowly began to open the country up, albeit through the internet, to the outside world.

“North Korea is not famous for its considerable levels of access to the international community nor its internet infrastructure,” Condra said. “That said, they’ve invested significantly in developing asymmetric cyber capabilities as a means of countering a symmetric military advantage on behalf of the United States and its allies in the region.”

Beyond attacking financial institutions, information warfare provides North Korea with a force multiplier in the looming specter of military conflict with its southern counterpart. South Korean intelligence assessments show a low enough stockpile of conventional weapons to emphasize North Korea’s need for asymmetric weapons that would enable it, in theory, to strike quickly and with a high impact. Along with cyberweapons, nuclear arms, biological weapons and electronic warfare characterize this approach.

“Grooming prodigies, deploying them, setting up internet, buying programs, and providing conditions for them to operate in China or another third country is considerably cheaper than buying new weapons or fighter jets which cost hundreds of millions of dollars,” according to a North Korean defector interviewed in 2011.

According to former U.S. Director of National Intelligence James Clapper, the Reconnaissance General Bureau (RGB) — North Korea’s top spy agency — is responsible for Lazarus. Within RGB, different groups handle different aspects of cyberwar. It’s RGB’s 110 Institute, the Technical Reconnaissance Group, which South Korean officials say command the Lazarus Group. The 110 Institute is one among several known to send operatives abroad to work within international private and public industries as cover for conducting operations.

How Lazarus Works

The hacking group started operations in 2009, the same year as Operation Troy, a cyberattack in which South Korean military secrets were stolen. That same year saw a flurry of activity including denial of service attacks against South Korean and U.S. targets. Financial institutions and other targets have been hit with attacks every year since by North Korean-affiliated targets, though never with the same level of success that Lazarus saw inside the systems of the Bangladesh Bank. All of these attacks have been pinned on the Lazarus Group.

“Directly stealing money out of bank accounts is something that has not traditionally been the purview of nation-states,” Condra said. “This has been an interesting twist in the APT saga coming out of the East Asian region.”

Offering an estimate, Haggard said that over the last two decades North Korea has made from 10 to 15 percent of its foreign exchange earnings — several hundred million dollars per year — through various shifting forms of illicit activity.

Describing Lazarus’s tools, tactics and procedures, Symantec’s Chien said the whole package is very distinctive.

“When you look at the way they write their code, it’s all written in kind of a different way,” he explained. “If you didn’t have the internet as a reference manual, if you didn’t have the classic text books and computer science university knowledge, you would maybe do it in a different way, whatever way you thought. A bunch of their code is written in a nonstandard, nontraditional method.”

This almost exactly matches up with how North Korea universities operate. A former teacher at a North Korean university who spoke to CyberScoop on the condition of anonymity described students reading from books and other slow, tightly controlled sources of information because the country so thoroughly monitors and blocks internet usage. Whereas hackers in China, Russia or elsewhere might simply rely on Google to solve a problem, North Korea’s students have been thoroughly siloed. As a result of that relative separation and lack of contact, they’ve simply done things differently than the rest of the world.

“We go back to Sony as a start,” Chien said. “Just the most obvious things are when they got into Sony they displayed this blinking animation, skull and cross bones, a ‘was here’ animation with their names scrolling across the bottom. It was a bit laughable, but unfortunately, there was real impact there on Sony.”

That’s slowly changing now as North Korea’s cyber operatives increasingly adopt tactics like watering hole attacks.

“We had never seen them reuse off-the-shelf code before,” Chien said while discussing the recent attack on Polish banks. “It’s the kind of thing where if you took an average person in the U.S. and they became a hacker they might do this from the start: Go out on the internet, see how are people doing this and start there. [The Lazarus Group] is at that stage now.”

While the group does have sophisticated capabilities in regards to disk-wiping malware and destructive attacks, according to Condra, they’ve fallen so short of their goals when it comes to stealing money.

“They do seem to manage to get their way into financial institutions but as far as actually exfiltrating the money, they’ve proven less than capable at that,” he said. “It was $81 million they successfully got in the Bangladesh incident out of almost a billion they tried for. I think they are learning and evolving over time, I would certainly venture to say they are more sophisticated than they were in 2009 when they started, but they haven’t proven incredibly successful from the financial theft perspective yet.”

The Chinese Conundrum

When tracking the history of North Korea cyber capabilities, the trail runs right through Xi Jinping’s China.

“[North Korea has] obviously benefited tremendously from their relationship with China,” Condra told CyberScoop. “China is their primary benefactor and many people see China as the only reason North Korea continues to exist in its current form.”

While North Korea was top of discussion between Presidents Xi and Trump during their recent meeting, neither side expects the problem to be solved any time soon. Theft against banks by Pyongyang may end up continuing into the foreseeable future. The current U.S. investigation into the bank hacks could force North Korea to retool but few expect a stop to the hacking or, in a larger sense, provocation.

“I do think that North Korea is really going to be the issue that defines U.S.-China relations under the Trump administration,” Shannon Tiezzi, editor at the Diplomat magazine, said earlier this month. Secretary of State Rex Tillerson “put it quite directly that strategic patience, the Obama administration’s policy, is dead. The Trump administration is determined to craft a new policy. Realistically speaking, unless that policy is we’re going to enter into unconditional dialogue with North Korea, any of the other options are going to be upsetting to China.”

Although Flashpoint’s Condra warns banks to worry about North Korea’s activity, he says they face more common day-to-day threats from elsewhere. “[Lazarus is] a high-impact, low-probability event for most organizations. The more likely vector is cybercrime affecting consumer banks is still probably the cybercrime communities particularly coming out of Eastern Europe. Those guys don’t tend to go after the bank itself, they go after the customers,” he said.

“If we’re ever going to solve the North Korea issue, at least from the cyber domain, China’s going to have to play ball, Condra said. “China is going to have to make the determination that the status quo is no longer acceptable. Fundamentally, the decision is going to have to be made in Beijing.”

North Korean representatives have repeatedly denied the country has been involved in any hacking whatsoever.