North Korea now hacking to steal money


Report shows Pyongyang has shifted focus from stealing secrets

SEOUL: North Korea is behind an increasingly orchestrated effort at hacking into computers of financial institutions in South Korea and around the world to steal cash for the impoverished country, a South Korean state-backed agency said in a report.

In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified data, but the focus seems to have shifted to raising foreign currency, the South's Financial Security Institute (FSI) said.

The isolated regime is suspected to be behind hacking group Lazarus, which global cyber security firms have linked to last year's US$81 million (S$110 million) heist at the Bangladesh central bank and the 2014 attack on Sony's Hollywood studio.

North Korea has routinely denied involvement in cyber attacks against other countries.

In April, Russian cyber security firm Kaspersky Lab identified a hacking group called Bluenoroff, a spin-off of Lazarus, as focused on attacking foreign financial institutions.

The report, which analysed suspected cyber attacks between 2015 and this year on Seoul and commercial institutions, identified another spin-off, Andariel.

"Bluenoroff and Andariel share their root, but they have different targets and motives," the report said. "Andariel focuses on attacking South Korean businesses and government agencies using methods tailored for the country."


Cyber security researchers said they have found technical evidence that could link North Korea with the global WannaCry cyber attack that infected more than 300,000 computers in 150 countries in May.

The North Korean mission to the United Nations was not immediately available for comment.

The report said Andariel has been spotted attempting to steal bank card information by hacking into automated teller machines (ATM), and using it to withdraw cash or sell the bank information on the black market. It also created malware to hack into online poker and other gambling sites and steal cash.

"South Korea prefers to use local ATM vendors, and these attackers managed to analyse and compromise South Korean ATMs from at least two vendors this year," said Mr Vitaly Kamluk, director of the Asia-Pacific research centre at Kaspersky.

"We believe (Andariel) has been active since at least May last year."

The report tied together eight hacking incidents detected in the South in the last few years by tracing the same code patterns in the malware used in the attacks.

One case spotted last September was an attack on the personal computer of Seoul's Defence Minister Song Young Moo and the ministry's intranet to extract military operations intelligence.

The North's hackers used IP addresses in Shenyang, China, to access the ministry's server, the report said.

It added that some of the content has not been proven and that it is not an official view of the government. - REUTERS
