Malicious Life, episode 12: The Soldiers of North Korea

Guerrilla warfare has been around for as long as conventional warfare has. The idea that a small force, through cunning and brazen action, could overcome a larger one is an old one: from pirates who took merchant ships by surprise, to lengthy military campaigns against an enemy hiding in plain sight. The cyber-army of North Korea is a guerrilla force: it steals, cripples, and destroys the assets of powerful nations and remains in the shadows throughout.

With special guests: Graham Cluley, Ido Naor, and Sam Curry.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Sam Curry

Sam Curry, Chief Security Officer, is an IT security visionary with over 20 years of IT security industry experience. Sam served as Chief Technology and Security Officer at Arbor Networks, where he was responsible for the development and implementation of Arbor’s technology, security and innovation roadmap. Previously, he spent more than seven years at RSA (the Security Division of EMC) in a variety of senior management positions, including Chief Strategy Officer and Chief Technologist and Senior Vice President of Product Management and Product Marketing. Sam has also held senior roles at Microstrategy, Computer Associates, and McAfee.

Ido Naor

Ido is a senior security researcher at Kaspersky Lab, GReAT team. Prior to joining Kaspersky, Ido was a researcher at McAfee Labs and Cisco, where he mainly focused on vulnerability research. Ido is credited for his responsible disclosure by the largest enterprises globally, such as eBay, Google, Facebook, Linkedin and more.
Ido is a devoted father and a martial arts expert, with extensive knowledge of special intelligence operations acquired during his military service.

Episode transcript:

Hello and welcome to Malicious Life. I’m Ran Levi.

November 24, 2014, was a very bad day for the IT staff of Sony Pictures, the movie production and distribution giant. Sony Pictures’ computer network was hacked, and the hackers who infiltrated it – a group that called itself The Guardians Of Peace – stole terabytes of important and sensitive information: movies that had not yet been released, personal details and salaries of thousands of employees, and embarrassing internal emails between senior officials that contained juicy gossip on Hollywood stars, sexist comments, and other sorts of things people say when they think nobody is watching. The hackers not only stole this information, but also wiped the data stored on many of Sony’s servers.

The Sony Pictures hack caused tremendous economic damage to the company, greatly embarrassed it and even brought about a complete shutdown of the company’s network for several days. Still, it was just a hack: Sony was neither the first nor the last organization to suffer such a break-in. It did, however, make some security researchers raise an eyebrow. There was something familiar about the malware tools used by the hackers. This familiarity prompted a number of information security companies to launch a deeper and more thorough investigation into the Sony breach, and the fish the researchers caught were much bigger than anyone had imagined. The investigation into the Sony Pictures hack led to the discovery of a much larger and more serious affair, and the exposure of one of the most dangerous hacker groups in the history of information security.

Ten Days of Rain

In 2009, a number of South Korean and American websites were hit by DDoS attacks. DDoS attacks were already old news back then, and the malware used by the attackers to carry out these attacks was also quite outdated: it was the MyDoom worm, already five years old at the time.

Two years later, in July 2011, several government websites in South Korea fell victim to another DDoS attack, but this one was more sophisticated than the last. The source of the DDoS traffic was again computers in South Korea that the hackers had taken over, but this time the command and control system used by the hackers was more sophisticated and robust than before. This attack had two unusual characteristics. The first was its length: exactly 10 days, from which it got its name, “Ten Days of Rain”. The second was that at the end of those ten days, the attackers erased the operating systems of the computers in their botnet, completely disabling them. It is rare to find DDoS attacks with a predetermined duration that last for an extended period of time, and even rarer to see attackers actually destroy computers under their control. Such vandalism has no economic logic to it: a compromised computer is worth a lot of money to its operators, but a no-longer-functioning computer is worth nothing. Such an act is equivalent to throwing money into the trash.

Two years later, a third attack, named “DarkSeoul”, showed the same irrational vandalism: the attackers broke into the computers of several South Korean financial institutions and media companies, and erased important information from the servers. This third attack reinforced what many South Koreans had already suspected: that North Korea, South Korea’s bitter enemy, must be behind these attacks.

A Tradition of Sabotage

Why did the South Koreans suspect their neighbor from the north? Because the DPRK has a long tradition of sabotage operations. In fact, such terrorist activity has been one of the main building blocks of North Korean military strategy since the end of the Korean War. Despite aggressive and threatening rhetoric from the Kim family, even they are probably aware that militarily, North Korea is far weaker than South Korea and the United States and has no real chance of winning a classical head-to-head war. As such, the North Koreans have adopted a strategy that combines lightning-fast warfare meant to overwhelm the enemy before it can organize itself, with commando strikes that take advantage of the element of surprise to sow destruction and confusion on the other side. This strategy also explains the North Korean pursuit of nuclear weapons, which gives them a significant advantage at a relatively low cost, compared to the budget needed to maintain a powerful conventional army.

Destructive cyber-attacks such as Ten Days of Rain and DarkSeoul do not seem to be the work of economically motivated hackers, but they are very much in line with the traditional North Korean strategy: fast, surprising, and destructive. But suspicion is only suspicion, and researchers were unable to find a smoking gun that would point to the bad boy from the north.

But then the Sony Pictures hack occurred. At first, a group that called itself The Guardians Of Peace took responsibility for the attack. It seemed to be economically motivated: the attackers left an extortion message on Sony’s computers. The attackers also broke into the personal Twitter account of Michael Lynton, CEO of Sony Entertainment, and posted an offensive image there, the sort of thing one might expect of teenagers.

But the malware used by the attackers to break into Sony’s network, a Trojan named Destover, aroused investigators’ suspicion: the same malware had previously been seen in the attacks against South Korea. It was the first hint of a possible connection between the Guardians of Peace and North Korea. The DarkSeoul attackers had also hidden behind two fictitious hacker groups: The New Romantic Cyber Army and The WhoIs Team.

Operation BlockBuster

These clues prompted four information security companies – Novetta, Kaspersky, Symantec and AlienVault – to cooperate in investigating the incident. They set up a joint workgroup called “Operation BlockBuster” to analyze the Sony hack and the tools used in it. The purpose of this analysis was to find clues in the malware code that could then be compared with findings from previous incidents. Ido Naor, Senior Researcher at Kaspersky Lab, tells us about the goals and the mindset of researchers when investigating such cases.

[Ido] Well, my name is Ido. I’m a part of the GReAT team, the Global Research and Analysis Team in Kaspersky. And we’re responsible for helping our clients and non-clients preserve the security of their internal networks, I guess.

So, actually to get into that type of answer – we can go even to a higher level. When you have a crime scene, what type of clues are you looking for when you have a body, or in the body’s surroundings? It might be a bullet lying around, or a knife or some other weapon. What we are looking for initially would be fingerprints. So when you collect those fingerprints, you put them in some sort of a database, because criminals tend to follow the same pattern, especially if they are individuals. So they tend to repeat the same act that they did in the past, and once you find a match with those fingerprints in a different place – you might have a shot at understanding who is behind the specific crime.

And the same thing happens in cyber security. We keep different types of databases where we have samples, or we have types of messages and types of functions which are responsible for different calls. But you know, zooming out from all the technical details, our work is the same as police work. We are looking for clues, we are looking for fingerprints, and we’re trying to match one incident to another.

Graham Cluley, the British security researcher whom we have met in previous episodes of Malicious Life, also spoke with us on this matter, giving examples of the kinds of clues that attackers may leave behind.

[Cluley] The most obvious fingerprint would really be the malware itself, which may have ended up on your computers. So you might look at that malware and look for similar pieces of code within the malware, which contain similarities to previous attacks.

So when you compile a piece of code, for instance, sometimes what will happen is the compiler will also store information related to the computer on which the malicious code was compiled. So it may contain language preferences. So if you receive a piece of malicious code which has a language preference of Brazilian Portuguese, you can be pretty sure that the person who coded it either lives in Brazil or has some connection to Brazil, and similarly Russian, similarly Cantonese and so forth. Those sorts of clues begin to come together, and if you also see that it has been written in the same program and language, and dozens of other clues, that may begin to point to a particular country.

Using automated tools, Operation BlockBuster’s investigators scanned about two million pieces of malicious code detected over the years, and isolated from them about two thousand samples with characteristics similar to what was found in the Sony hack. What were these similar characteristics? Well, for one, Destover had a hard-coded string that defined a set of six user-agents (the string a browser sends to identify itself to any website it accesses). This hard-coded string was identical to ones found in several other malware families used in attacks on South Korea, including a telltale misspelling: one of the user-agents was written as “Mozillar” instead of “Mozilla”. The probability that the same string and the same misspelling would appear in two unrelated pieces of code by pure chance is very low. Another shared characteristic was a very recognizable script used by the Sony attackers to delete certain files from the targeted computers.
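The string-sharing technique described above, as an added example that is not code from the episode or from Operation BlockBuster: it extracts printable strings from a handful of constructed sample blobs (not real Destover or DarkSeoul bytes), discards strings that are common to ordinary Windows binaries, and groups together samples that share a rare string. The user-agent text, the “Mozillar” token and the sample names are illustrative assumptions; only the idea that a shared misspelling is a strong pivot comes from the text.

```python
import re
from collections import defaultdict

# Constructed user-agent block standing in for the hard-coded string the
# episode describes. The exact UA strings are assumptions, not Destover's.
SHARED_UA_BLOCK = (
    b"Mozillar/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\x00"
    b"Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0\x00"
)

# Constructed "binaries": an MZ header, junk bytes, and a few embedded
# NUL-terminated strings, the way configuration shows up in an unpacked PE.
SAMPLES = {
    "sony_destover": b"MZ\x90\x00" + b"\x17" * 12 + SHARED_UA_BLOCK
                     + b"cmd.exe /c del /F /Q %s\x00" + b"\xaa" * 7,
    "darkseoul_2013": b"MZ\x90\x00" + b"\x01" * 9 + SHARED_UA_BLOCK
                      + b"net stop MpsSvc\x00" + b"\x02" * 5,
    "unrelated_adware": b"MZ\x90\x00"
                        + b"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\x00"
                        + b"ad_click_handler\x00",
    "unrelated_banker": b"MZ\x90\x00"
                        + b"Mozilla/4.0 (compatible; MSIE 7.0)\x00"
                        + b"inject_webform\x00",
}

# Strings seen in huge numbers of benign and malicious binaries alike; a match
# on these is not evidence of shared authorship. Constructed for the example.
BENIGN_BASELINE = {
    "Mozilla/4.0 (compatible; MSIE 7.0)",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
    "cmd.exe",
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob):
    """Rough equivalent of `strings -n 6`: runs of at least 6 printable ASCII bytes."""
    return {m.group().decode("ascii") for m in PRINTABLE.finditer(blob)}


def misspelled_user_agents(strings):
    """User-agent product tokens that are almost, but not exactly, 'Mozilla/'.

    A shared typo is a stronger pivot than a shared correct string: two
    unrelated authors are unlikely to make the same mistake independently."""
    return sorted(s for s in strings
                  if re.match(r"Mozill\w+/", s) and not s.startswith("Mozilla/"))


def shared_rare_strings(samples, baseline):
    """Map each string found in >= 2 samples, and absent from the baseline,
    to the set of samples that contain it. These are the fingerprints."""
    index = defaultdict(set)
    for name, blob in samples.items():
        for s in extract_strings(blob) - baseline:
            index[s].add(name)
    return {s: names for s, names in index.items() if len(names) >= 2}


def cluster_by_fingerprint(samples, baseline):
    """Union samples that share at least one rare string (connected components).
    Returns clusters as sorted lists of sample names, sorted for stable output."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for names in shared_rare_strings(samples, baseline).values():
        first, *rest = sorted(names)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for name in samples:
        clusters[find(name)].add(name)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for s, names in shared_rare_strings(SAMPLES, BENIGN_BASELINE).items():
        print(f"{s!r} shared by {sorted(names)}")
    print("clusters:", cluster_by_fingerprint(SAMPLES, BENIGN_BASELINE))
```

The baseline step is what keeps this from collapsing every Windows sample into one cluster: a correctly spelled Internet Explorer user-agent appears in countless programs, whereas the full six-entry list with its typo does not. At the scale of the real investigation (millions of samples) the same index is built once and queried, rather than recomputed per pair.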

The security researchers identified a connection from one of the hacked command and control servers to an IP address in North Korea, and showed that the hackers’ operating hours correspond to daylight hours in East Asia. The clues and evidence uncovered in the investigation convinced almost everyone that North Korea was indeed behind the attack on Sony. Moreover, the evidence indicates that a single group of hackers has been responsible for a huge number of hacks and attacks over the years. The name given to this group is Lazarus.

Not Just Another APT Actor

Operation BlockBuster revealed that the Lazarus Group began operating in 2009, possibly even in 2007. Its first DDoS attacks against American and South Korean targets were simple and unsophisticated, but since 2011 the group’s activity has become increasingly complex, as demonstrated by DarkSeoul and Sony Pictures. It is difficult to say for certain whether it is a regular North Korean military unit or semi-civilian hackers: for one thing, most of the attacks seem to originate outside North Korea itself, although this fact proves little. It’s possible that North Korea sends its hackers to other countries disguised as employees of civilian companies. The Sony investigation has shown that Lazarus members are among the most diligent and hard-working hackers: they are active almost every day, all day long, and get only about six or seven hours of sleep a night, which is more or less the sleep time I got when I was a soldier …

The report published by the Operation BlockBuster coalition paints a picture of a well trained and well-equipped unit. The scope of its global activity is impressive by any measure. Kaspersky Lab summarizes its report on the Lazarus Group in the following:

“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another APT actor.”

But that’s not all. It turns out that, at the time Operation Blockbuster was underway, Lazarus was out plotting another fantastically ambitious hack – so ambitious, in fact, that in comparison the Sony Pictures affair would seem no more than child’s play. This scheme was revealed in 2016, only because a bank manager noticed his printer wasn’t working. Nate Nelson, our producer, brings the story.

The Bangladesh Bank Heist

Friday, February 5th, 2016. It’s around 10 A.M. in Dhaka, the capital city of Bangladesh. Zubair Bin Huda, Joint Director of Bangladesh Bank, comes into work and notices an empty printer tray. Normally, transaction records are printed automatically overnight by the bank’s SWIFT software, so Zubair goes to a terminal to print the files manually, but can’t. At 11:15 A.M. Zubair leaves the office, asking coworkers to help.

The employees of Bangladesh Bank went on to spend over 24 hours trying to fix the problem.  Eventually, though, everything got up and running again, they restarted the printer and all those backlogged transactions came through.

The end.


Actually, the employees got their printer running, and what it gave them back were pages of unrecognized transaction requests sent from their bank to recipients in the Philippines and Sri Lanka, to the order of 951 million dollars. This, it turned out, was no ordinary little computer error. It was evidence of an attempt at, bar none, the largest bank robbery in world history.

To give you a sense of the scale of this operation: the most successful bank robbery ever, according to the Guinness Book of World Records, was a 2005 heist of Banco Central in Fortaleza, Brazil, for the equivalent of about 70 million U.S. dollars.  The unauthorized withdrawal out of Bangladesh Bank was for 950 million USD.

As one would expect in a situation where you happen to lose track of a billion or so dollars, the workers at Bangladesh Bank started freaking the *BLEEP* out. They checked to see if any of the orders went through, but their account history didn’t show any signs. They frantically called up the New York Federal Reserve Bank to halt everything. Unfortunately, no one answered on the other end of the line: it was Saturday, and the Fed was closed. The hackers had timed their assault perfectly.

It turns out the Fed had sent queries regarding these many unusual transaction requests, but heard nothing back on the matter until the following Monday, since Fridays are weekends in Bangladesh. At that point, they were able to block 30 of the 35 orders placed, amounting to 850 million dollars’ worth of the stolen money, but 101 million had already been processed.

Only later would the world discover this to be the work of the infamous hacker collective Lazarus, acting in collaboration with other international groups.

To understand how anyone could even approach stealing a billion dollars, you first have to understand SWIFT, the Society for Worldwide Interbank Financial Telecommunication. It is the messaging network (together with the client software banks run to connect to it) whose malfunction caused the printing error at Bangladesh Bank, and the most widespread means for banks to communicate transactions to one another, connecting over 11,000 banks in over 200 countries and territories and averaging some 25 million messages a day between them.

Basically, SWIFT is to banking what Facebook events are to birthday parties.  Just as Facebook allows you to create an event and invite all your friends in a process that takes only a couple of minutes, SWIFT connects banks by centralizing the communications process, so that each one doesn’t have to build unique paths of communication to every other one it has to interact with.  SWIFT is of great value for what it does, but just as networks generally provide both huge benefit and huge vulnerability, the banking industry learned the hard way during the last couple of years that it also introduces whole new problems.

Where hackers are often known to spread malware aimed specifically at individual people or companies, in the case of the Bangladesh Bank heist the hackers went through a sort of middleman. They used the credentials of Bangladesh Bank employees within the SWIFT system to send the money to a number of banks in Asia. This meant they didn’t have to compromise SWIFT itself at all: aside from the inordinately large transfer amounts they were requesting, the hackers’ messages came from a legitimate member bank’s terminal under legitimate operator credentials, and so would have appeared entirely valid within the system.

The way the hackers gained the necessary credentials is as yet undetermined. The FBI, for one, suspected it to be an insider job. This would mean one or more bank employees aided Lazarus in their breach by, as one Dhaka police investigator claimed, purposely rendering Bangladesh Bank’s connection with SWIFT insecure. It’s also possible that such tampering wouldn’t have been necessary, since the bank didn’t even have firewalls in place on its networks and was running on a ten-dollar wireless router, which would have made obtaining the necessary credentials easy sport. Some blame may also be attributed to SWIFT itself, whose executives deny wrongdoing in such cases of cyber fraud with one hand, but with the other push their product to clients in emerging markets who often don’t have the resources to defend against sophisticated attacks.

Of the 101 million dollars that went through the New York Fed from Bangladesh, about 18 of the 81 million sent through the Rizal Commercial Banking Corporation in the Philippines have since been recovered. The remaining 63 million was laundered through the country’s notorious casino industry, through a process involving falsified bank accounts and identities, allegedly carried out by an RCBC manager and two casino magnates, and stands as a matter of ongoing federal investigation today.

As for the remaining 20 million? It happened to get routed through Deutsche Bank, where one official spotted something suspect in the transfer message. The money was to be sent to a Sri Lankan NGO called the “Shalika Foundation”, and besides the fact that this organization doesn’t really exist, the word “foundation” was spelled “fandation”, with an “a”. Deutsche Bank inquired with Bangladesh Bank, and ultimately that 20 million dollars was saved by a typo.
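The heist narrative above contains, in effect, a list of controls that the stolen instructions would have tripped had anyone been checking before release: amounts far above the account’s history, first-time beneficiaries, submission on a local weekend in the middle of the night, a burst of instructions from one operator, and a beneficiary name with a near-miss spelling of a common word. The following is an added example, not code from the episode and not any bank’s actual controls, of a pre-release screen over constructed outgoing payment instructions. The message fields, thresholds, account identifiers, the payment history and the beneficiary names other than “Shalika Fandation” are assumptions.

```python
from datetime import datetime, timedelta

# Constructed history of past outgoing payments (USD) for the originating
# account. Not real Bangladesh Bank data; it is the kind of per-account
# baseline a bank keeps.
HISTORY_USD = [2_100_000, 850_000, 3_400_000, 1_200_000,
               4_800_000, 2_700_000, 600_000, 3_900_000]
KNOWN_BENEFICIARIES = {"PH-RCBC-0001", "LK-PANASIA-0042", "US-CITI-7781"}  # constructed

WEEKEND = {4, 5}               # datetime.weekday(): Friday=4, Saturday=5 (Bangladesh)
BUSINESS_HOURS = range(9, 17)  # assumed local release window

# Small vocabulary of words common in institutional beneficiary names.
VOCAB = {"foundation", "bank", "corporation", "limited", "trust", "holdings", "company"}

# Constructed instructions; timestamps are the originating bank's local time.
MESSAGES = [
    {"ref": "TX001", "operator": "op-17", "sent": "2016-02-04 15:10", "amount_usd": 1_900_000,
     "beneficiary": "US-CITI-7781", "beneficiary_name": "Meridian Trading Company"},
    {"ref": "TX002", "operator": "op-17", "sent": "2016-02-05 01:30", "amount_usd": 20_000_000,
     "beneficiary": "LK-NEWACCT-9001", "beneficiary_name": "Shalika Fandation"},
    {"ref": "TX003", "operator": "op-17", "sent": "2016-02-05 01:31", "amount_usd": 25_000_000,
     "beneficiary": "PH-NEWACCT-4411", "beneficiary_name": "Jupiter Holdings"},
    {"ref": "TX004", "operator": "op-17", "sent": "2016-02-05 01:33", "amount_usd": 25_000_000,
     "beneficiary": "PH-NEWACCT-4412", "beneficiary_name": "Centurion Trust"},
]


def edit_distance(a, b):
    """Levenshtein distance via a rolling single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss_words(name):
    """(word, vocab_word) pairs where a word in the name is within 2 edits of a
    vocabulary word without being one, e.g. ('fandation', 'foundation')."""
    hits = []
    for w in name.lower().split():
        if w in VOCAB or len(w) < 6:
            continue
        hits.extend((w, v) for v in VOCAB if edit_distance(w, v) <= 2)
    return sorted(hits)


def screen(messages, history=HISTORY_USD, known=KNOWN_BENEFICIARIES,
           burst_n=3, burst_window=timedelta(minutes=10)):
    """Return {ref: [reason, ...]} for every instruction; an empty list means clean."""
    ceiling = 3 * max(history)
    parsed = [(m, datetime.strptime(m["sent"], "%Y-%m-%d %H:%M")) for m in messages]
    reasons = {m["ref"]: [] for m in messages}
    for m, t in parsed:
        r = reasons[m["ref"]]
        if m["amount_usd"] > ceiling:
            r.append("amount exceeds 3x historical maximum")
        if m["beneficiary"] not in known:
            r.append("first payment to this beneficiary")
        if t.weekday() in WEEKEND or t.hour not in BUSINESS_HOURS:
            r.append("submitted outside local business hours")
        if near_miss_words(m["beneficiary_name"]):
            r.append("beneficiary name looks misspelled")
        same_op = [u for n, u in parsed
                   if n["operator"] == m["operator"] and abs(u - t) <= burst_window]
        if len(same_op) >= burst_n:
            r.append("burst of instructions from one operator")
    return reasons


def hold_for_review(messages, min_reasons=2):
    """Refs that should not be released without a second pair of eyes."""
    return sorted(ref for ref, r in screen(messages).items() if len(r) >= min_reasons)


if __name__ == "__main__":
    for ref, r in screen(MESSAGES).items():
        print(ref, "OK" if not r else "; ".join(r))
    print("hold:", hold_for_review(MESSAGES))
```

None of these checks needs SWIFT to change anything; they run on the sending bank’s side before a message is released, which is the point the text makes about the attackers never having to compromise SWIFT itself. The two-reason threshold is deliberate: a single off-hours payment is routine, but a first-time beneficiary receiving many times the account’s largest-ever transfer at one in the morning is not.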

A Wide Ranging Plot

A year after the bank robbery in Bangladesh, another hack was discovered, this time in Poland. The Financial Supervision Authority (or KNF, in its Polish acronym) is a major financial regulatory body in the country. In January 2017 it was revealed that the KNF’s website had been hacked, and that for three months or so it had been serving malware to its visitors. But not all visitors: the attackers defined a whitelist of 150 IP addresses, and only visitors from these IP addresses would be served the malware. These one hundred and fifty IP addresses belonged to 104 banks and financial institutions in 31 different countries all over the world: 19 in Poland, 15 in the United States, nine in Mexico and the rest in Uruguay, Russia, Norway, India, Nigeria, Peru and other countries. This type of attack is known as a “watering hole attack”: an attacker identifies a site or service visited by a relatively large number of users from an organization he wishes to hack, and compromises that site to inject malicious code into its users’ machines. It is the same strategy used by crocodiles, for example, to hunt animals that come to drink at the river.

An analysis of the malicious code revealed that it belonged to Lazarus, and that the exact same attack occurred in at least two other cases: on the website of a bank in Uruguay, as well as the National Banking and Stock Commission of Mexico, a financial regulatory body equivalent to the Polish KNF. At least twenty different banks fell victim to this attack, and Symantec has found evidence of thefts of millions of dollars from at least two banks in Vietnam and the Philippines.

In other words, what we are seeing here is evidence of a major, wide-ranging plot: an international bank heist of unprecedented scale. The Lazarus Group is working to steal billions of dollars from banks all over the world, and now the Bangladesh Bank Heist – the event that made small game of that big-deal Sony attack – seems like a relative drop in the ocean. It’s the sort of grandiose plot one would expect to find sooner in a James Bond movie than real life.

A Policy of Robbery

The official North Korean body responsible for Lazarus is probably the Reconnaissance General Bureau (RGB). It is one of the three strongest entities in the KPA, Korean People’s Army, and was established in 2009: the same year that Lazarus began to operate in an orderly manner. The RGB is responsible for all of North Korea’s clandestine military activity, and its predecessors have a rich history of sabotage operations, assassinations and kidnappings since the 1950s. But that’s not all: since the 1990s, the RGB has been responsible for international criminal activity aimed at financing the North Korean regime.

Drug smuggling and currency counterfeiting have long been part of North Korea’s diplomatic activity, and its embassies have been a hotbed of profitable criminal activity since the 1970s. But this activity, which was initially the result of private initiatives by North Korean diplomats, became in the 1990s an official government policy dictated from above. The reason for this is North Korea’s desperate economic situation, exacerbated by its isolation and the international sanctions imposed on it, as well as the collapse of the Soviet Union, whose funding had been an important source of income for the regime. As a result, North Korea turned the counterfeiting of 100-dollar bills and the growing and smuggling of opium and heroin into a national enterprise. To this end, the North Korean intelligence services work closely with Philippine, Japanese and Taiwanese criminal organizations.

Lazarus’s international bank robbery scheme is probably a continuation of the North Korean government’s criminal activity. Lazarus preys on financial entities in underdeveloped countries, taking advantage of their inexperience in protecting against cyber crime. In fact, there is a sub-unit within Lazarus devoted to just this type of activity. Here, again, is Kaspersky Lab’s Ido Naor:

[Ido] Just like what happened in Lazarus, you run into some incident where you could see how these groups are being segmented into little groups. Inside those little groups, each one is responsible for a different type of action. So whether it’s completely different groups being run by different thought leaders, or it’s one big organic group in which each subunit is responsible for a different activity or cybercrime activities – I’d say that in every group we identify different types of activities. For example, in Lazarus, they have their unit which is responsible for their financial gain, which we dubbed Bluenoroff.

It is interesting to note that this North Korean strategy is not the first time a country has chosen a policy of theft and robbery in order to advance its goals. Between the 16th and 19th centuries the Atlantic and Pacific oceans were teeming with privateers, who were essentially state-licensed pirates: countries such as Britain, France and Spain officially encouraged seafarers to seize and loot the merchant ships of rival powers. This arrangement ended with a multilateral agreement signed in the middle of the 19th century, but by then the privateers had done tremendous damage to maritime trade. Are we seeing the return of privateering in the age of the internet? It may be.

Sam Curry, Chief Product Officer at Cybereason and former Chief Technology Officer at Arbor Networks and RSA, says that for a country the size of North Korea, the use of civilian hackers for such pseudo-military purposes makes sense.

[Sam Curry] Well, let’s keep in mind that I’m a – no Wikipedia in front of me here, I’m going to – I believe North Korea’s population is about 22 million or so. Economically, they have difficulty feeding the population. And right now they’re faced with – and have been faced for most of recent history with the potential of economic sanctions. This threatens the stability of the regime. And I can also begin to support my espionage efforts, my diplomacy efforts, my trade efforts. If you can generate hard currency and through black market connections and bypass things like embargos, if you can do that, it has a meaningful impact on North Korea’s ability to continue to be a functioning state. I absolutely think that makes sense. Now –

[Ran] This is a viable strategy?

[Sam Curry] That’s right. Now, does it make sense for something the size of the United States to do it? No. I mean, the amount of currency that is, shall we say, liberated from Bangladesh, is not going to make a meaningful impact on the U.S. GDP in any circumstances, but for North Korea, it could.

The new expanse of the Internet opens up new opportunities for various types of piracy to small and poor countries like North Korea. For example, WannaCry, the ransomware that made headlines in May 2017, was probably also the work of Lazarus: although it contains code leaked from the NSA, analysis has shown a clear similarity to previous tools used by the group. Given what we have learned so far about Lazarus’s goals, the use of ransomware is just a logical continuation of their global theft campaign to finance the North Korean regime. However, as Ido Naor explains, WannaCry was not so successful as a ransomware.

[Ido] So we’ve seen for example, if you look at the WannaCry incident. The WannaCry incident started off by being a ransomware from any type of angle that you look, it is a ransomware. But as you get– as you zoom in to the operation itself, you could see that whether you want or not, you cannot return your files. So they raise a lot of questions regarding what was the motivation behind attacking using the WannaCry.

Who knows, maybe WannaCry was just an experiment for Lazarus. They have already shown a remarkable ability to improve.

Will we see more such daring actions from Lazarus in the future? For Ido, whose work is to track the group’s activities, the answer is clear.

[Ido] Of course. Up to the point that we found Lazarus and we were able to fingerprint Lazarus, it wasn’t the first crime scene. So once we did understand how we can fingerprint them, then that was the moment that we understood that we have so many other attacks. So I guess we have seen only one level or only a number of levels of attacks that we were able to fingerprint. But we do not take for granted the fact that what we found is the end of it. We believe that either Lazarus or other groups are operating under the radar. We want to believe that it’s only a matter of time until we will reveal those hacker groups but we are sure that there are groups which are operating without us or without even the world knowing about it.

Can we successfully thwart such schemes, even if they seem to be taken straight from a James Bond plot? I have no idea. If you, dear listener, are one of those people in the financial sector whose job is to protect organizations from attacks like those of Lazarus – well, I hope you like your martini shaken, not stirred…


Bibliography and Resources