70.8 F
Washington D.C.
Saturday, September 18, 2021

Advisory Issued to Raise Awareness of Cyber Threat Posed by North Korea

The U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are issuing this advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The advisory highlights the cyber threat posed by North Korea – formally known as the Democratic People’s Republic of Korea (DPRK) – and provides recommended steps to mitigate the threat. In particular, Annex 1 lists U.S. government resources related to DPRK cyber threats and Annex 2 includes a link to the UN 1718 Sanctions Committee (DPRK) Panel of Experts reports.

The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system. Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs. In particular, the United States is deeply concerned about North Korea’s malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure. The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible State behavior in cyberspace.

The United States works closely with like-minded countries to focus attention on and condemn the DPRK’s disruptive, destructive, or otherwise destabilizing behavior in cyberspace. For example, in December 2017, Australia, Canada, New Zealand, the United States, and the United Kingdom publicly attributed the WannaCry 2.0 ransomware attack to the DPRK and denounced the DPRK’s harmful and irresponsible cyber activity. Denmark and Japan issued supporting statements for the joint denunciation of the destructive WannaCry 2.0 ransomware attack, which affected hundreds of thousands of computers around the world in May 2017.

It is vital for the international community, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea.

Click here for a PDF version of this report.

Technical Details

DPRK’s Malicious Cyber Activities Targeting the Financial Sector

Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated. Common tactics to raise revenue illicitly by DPRK state-sponsored cyber actors include, but are not limited to:

Cyber-Enabled Financial Theft and Money Laundering. The UN Security Council 1718 Committee Panel of Experts’ 2019 mid-term report (2019 POE mid-term report) states that the DPRK is increasingly able to generate revenue notwithstanding UN Security Council sanctions by using malicious cyber activities to steal from financial institutions through increasingly sophisticated tools and tactics. The 2019 POE mid-term report notes that, in some cases, these malicious cyber activities have also extended to laundering funds through multiple jurisdictions. The 2019 POE mid-term report mentions that it was investigating dozens of suspected DPRK cyber-enabled heists and that, as of late 2019, the DPRK has attempted to steal as much as $2 billion through these illicit cyber activities. Allegations in a March 2020 Department of Justice forfeiture complaint are consistent with portions of the POE’s findings. Specifically, the forfeiture complaint alleged how North Korean cyber actors used North Korean infrastructure in furtherance of their conspiracy to hack digital currency exchanges, steal hundreds of millions of dollars in digital currency, and launder the funds.

Extortion Campaigns. DPRK cyber actors have also conducted extortion campaigns against third-country entities by compromising an entity’s network and threatening to shut it down unless the entity pays a ransom. In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients.

Cryptojacking. The 2019 POE mid-term report states that the POE is also investigating the DPRK’s use of “cryptojacking,” a scheme to compromise a victim machine and steal its computing resources to mine digital currency. The POE has identified several incidents in which computers infected with cryptojacking malware sent the mined assets – much of it anonymity-enhanced digital currency (sometimes also referred to as “privacy coins”) – to servers located in the DPRK, including at Kim Il Sung University in Pyongyang.

These activities highlight the DPRK’s use of cyber-enabled means to generate revenue while mitigating the impact of sanctions and show that any country can be exposed to and exploited by the DPRK. According to the 2019 POE mid-term report, the POE is also investigating such activities as attempted violations of UN Security Council sanctions on the DPRK.

Cyber Operations Publicly Attributed to DPRK by U.S. Government

The DPRK has repeatedly targeted U.S. and other government and military networks, as well as networks related to private entities and critical infrastructure, to steal data and conduct disruptive and destructive cyber activities. To date, the U.S. government has publicly attributed the following cyber incidents to DPRK state-sponsored cyber actors and co-conspirators:

  • Sony Pictures. In November 2014, DPRK state-sponsored cyber actors allegedly launched a cyber attack on Sony Pictures Entertainment (SPE) in retaliation for the 2014 film “The Interview.” DPRK cyber actors hacked into SPE’s network to steal confidential data, threatened SPE executives and employees, and damaged thousands of computers.
  • Bangladesh Bank Heist. In February 2016, DPRK state-sponsored cyber actors allegedly attempted to steal at least $1 billion from financial institutions across the world and allegedly stole $81 million from the Bangladesh Bank through unauthorized transactions on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. According to the complaint, DPRK cyber actors accessed the Bangladesh Bank’s computer terminals that interfaced with the SWIFT network after compromising the bank’s computer network via spear phishing emails targeting bank employees. DPRK cyber actors then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds out of the Bangladesh Bank’s Federal Reserve account to accounts controlled by the conspirators.
  • WannaCry 2.0. DPRK state-sponsored cyber actors developed the ransomware known as WannaCry 2.0, as well as two prior versions of the ransomware. In May 2017, WannaCry 2.0 ransomware infected hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries.  WannaCry 2.0 ransomware encrypts an infected computer’s data and allows the cyber actors to demand ransom payments in the Bitcoin digital currency. The Department of the Treasury designated one North Korean computer programmer for his part in the WannaCry 2.0 conspiracy, as well as his role in the Sony Pictures cyber attack and Bangladesh Bank heist, and additionally designated the organization he worked for.
  • FASTCash Campaign. Since late 2016, DPRK state-sponsored cyber actors have employed a fraudulent ATM cash withdrawal scheme known as “FASTCash” to steal tens of millions of dollars from ATMs in Asia and Africa.  FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. In one incident in 2017, DPRK cyber actors enabled the withdrawal of cash simultaneously from ATMs located in more than 30 different countries. In another incident in 2018, DPRK cyber actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.
  • Digital Currency Exchange Hack. As detailed in allegations set forth in a Department of Justice complaint for forfeiture in rem, in April 2018, DPRK state-sponsored cyber actors hacked into a digital currency exchange and stole nearly $250 million worth of digital currency. The complaint further described how the stolen assets were laundered through hundreds of automated digital currency transactions, to obfuscate the origins of the funds, in an attempt to prevent law enforcement from tracing the assets. Two Chinese nationals are alleged in the complaint to have subsequently laundered the assets on behalf of the North Korean group, receiving approximately $91 million from DPRK-controlled accounts, as well as an additional $9.5 million from a hack of another exchange. In March 2020, the Department of the Treasury designated the two individuals under cyber and DPRK sanctions authorities, concurrent with a Department of Justice announcement that the individuals had been previously indicted on money laundering and unlicensed money transmitting charges and that 113 digital currency accounts were subject to forfeiture.


Measures to Counter the DPRK Cyber Threat

North Korea targets cyber-enabled infrastructure globally to generate revenue for its regime priorities, including its weapons of mass destruction programs. We strongly urge governments, industry, civil society, and individuals to take all relevant actions below to protect themselves from and counter the DPRK cyber threat:

  • Raise Awareness of the DPRK Cyber Threat. Highlighting the gravity, scope, and variety of malicious cyber activities carried out by the DPRK will raise general awareness across the public and private sectors of the threat and promote adoption and implementation of appropriate preventive and risk mitigation measures.
  • Share Technical Information of the DPRK Cyber Threat. Information sharing at both the national and international levels to detect and defend against the DPRK cyber threat will enable enhanced cybersecurity of networks and systems.  Best practices should be shared with governments and the private sector.  Under the provisions of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. §§ 1501–1510), non-federal entities may share cyber threat indicators and defensive measures related to HIDDEN COBRA with federal and non-federal entities.
  • Implement and Promote Cybersecurity Best Practices. Adopting measures – both technical and behavioral – to enhance cybersecurity will make U.S. and global cyber infrastructure more secure and resilient. Financial institutions, including money services businesses, should take independent steps to protect against malicious DPRK cyber activities. Such steps may include, but are not limited to, sharing threat information through government and/or industry channels, segmenting networks to minimize risks, maintaining regular backup copies of data, undertaking awareness training on common social engineering tactics, implementing policies governing information sharing and network access, and developing cyber incident response plans. The Department of Energy’s Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology’s Cybersecurity Framework provide guidance on developing and implementing robust cybersecurity practices. As shown in Annex I, the Cybersecurity and Infrastructure Security Agency (CISA) provides extensive resources, including technical alerts and malware analysis reports, to enable network defenders to identify and reduce exposure to malicious cyber activities.
  • Notify Law Enforcement. If an organization suspects that it has been the victim of malicious cyber activity, emanating from the DPRK or otherwise, it is critical to notify law enforcement in a timely fashion.  This not only can expedite the investigation, but also, in the event of a financial crime, can increase the chances of recovering any stolen assets.
    U.S. law enforcement has seized millions of dollars’ worth of digital currency stolen by North Korean cyber actors.  All types of financial institutions, including money services businesses, are encouraged to cooperate on the front end by complying with U.S. law enforcement requests for information regarding these cyber threats, and on the back end by identifying forfeitable assets upon receipt of a request from U.S. law enforcement or U.S. court orders, and by cooperating with U.S. law enforcement to support the seizure of such assets.
  • Strengthen Anti-Money Laundering (AML) / Countering the Financing of Terrorism (CFT) / Counter-Proliferation Financing (CPF) Compliance.  Countries should swiftly and effectively implement the Financial Action Task Force (FATF) standards on AML/CFT/CPF.  This includes ensuring financial institutions and other covered entities employ risk mitigation measures in line with the FATF standards and FATF public statements and guidance.  Specifically, the FATF has called for all countries to apply countermeasures to protect the international financial system from the ongoing money laundering, terrorist financing, and proliferation financing risks emanating from the DPRK.[1]  This includes advising all financial institutions and other covered entities to give special attention to business relationships and transactions with the DPRK, including DPRK companies, financial institutions, and those acting on their behalf.  In line with UN Security Council Resolution 2270 Operative Paragraph 33, Member States should close existing branches, subsidiaries, and representative offices of DPRK banks within their territories and terminate correspondent relationships with DPRK banks.
    Further, in June 2019, FATF amended its standards to require all countries regulate and supervise digital asset service providers, including digital currency exchanges, and mitigate against risks when engaging in digital currency transactions. Digital asset service providers should remain alert to changes in customers’ activities, as their business may be used to facilitate money laundering, terrorist financing, and proliferation financing. The United States is particularly concerned about platforms that provide anonymous payment and account service functionality without transaction monitoring, suspicious activity reporting, and customer due diligence, among other obligations.
    U.S. financial institutions, including foreign-located digital asset service providers doing business in whole or substantial part in the United States, and other covered businesses and persons should ensure that they comply with their regulatory obligations under the Bank Secrecy Act (as implemented through the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) regulations in 31 CFR Chapter X).  For financial institutions, these obligations include  developing and maintaining effective anti-money laundering programs that are reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities, as well as identifying and reporting suspicious transactions, including those conducted, affected, or facilitated by cyber events or illicit finance involving digital assets, in suspicious activity reporting to FinCEN.

International Cooperation

To counter the DPRK’s malicious cyber activities, the United States regularly engages with countries around the world to raise awareness of the DPRK cyber threat by sharing information and evidence via diplomatic, military, law enforcement and judicial, network defense, and other channels.  To hamper the DPRK’s efforts to steal funds through cyber means and to defend against the DPRK’s malicious cyber activities, the United States strongly urges countries to strengthen network defense, shutter DPRK joint ventures in third countries, and expel foreign-located North Korean information technology (IT) workers in a manner consistent with applicable international law.  A 2017 UN Security Council resolution required all Member States to repatriate DPRK nationals earning income abroad, including IT workers, by December 22, 2019.  The United States also seeks to enhance the capacity of foreign governments and the private sector to understand, identify, defend against, investigate, prosecute, and respond to DPRK cyber threats and participate in international efforts to help ensure the stability of cyberspace.

Read more at CISA

Homeland Security Todayhttp://www.hstoday.us
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles


- Advertisement -

Latest Articles