North Korean cybercrime and cybersecrecy
Technology has become one of North Korea’s most important tools for survival. The so-called Lazarus group has used elaborate phishing schemes and cutting-edge money-laundering tools to steal money for Kim Jong-un’s regime, as a way to circumvent sanctions. The United Nations estimates that North Korean operators have stolen over $2 billion over the last four years, an enormous sum relative to the country’s estimated $28 billion gross domestic product.
This activity also includes a tenfold increase observed in North Korea’s mining of Monero, the privacy-driven cryptocurrency designed to make tracking somewhere between difficult and impossible. Analysts can see internet traffic so detailed that it reveals Pyongyang’s investment in new higher-end, higher-capacity machines to mine the cryptocurrency, according to a recent report from the American cybersecurity firm Recorded Future*.
North Korea’s unparalleled restrictiveness and secrecy around internet usage actually make it easier for intelligence analysts to track and understand how the country uses the internet. “What we see is internet use by the very privileged, the 0.1%, the North Korean military leadership and their families, who are actually given access to the internet,” says Priscilla Moriuchi, an analyst with Recorded Future who focused on China and North Korea during 13 years at the National Security Agency. “We wouldn’t be able to do this type of analysis if they didn’t have such restrictive parameters around the internet.”
There are only three primary ways North Korea connects to the global internet: first, through the allocated .kp IP range; second, through a connection to neighboring China’s telecommunications giant Unicom; and finally, through an increasingly important connection via a Russian satellite company that ultimately resolves to SatGate in Lebanon. But a number of North Koreans live and hack abroad in countries like China. This gives them better access to the internet as they take the opportunity to blend in, while affording plausible deniability for the regime.
“They’re outside usual boundaries technologically and geographically,” Moriuchi says. “… North Korea sends a lot of their cyber operators overseas … these are super highly trained people that the regime has invested lots of money, time, and trust in. … The revenue generation is state directed and state mandated,” Moriuchi adds, “These people have to earn a specific amount of money per year in order to support themselves and stay overseas, and so their families aren’t endangered at home. It’s a criminal state up-and-down exploiting the openness of the internet to earn money.”
*Recorded Future, an intelligence firm launched in 2009 with the backing of Google and In-Q-Tel, the CIA’s venture capital arm, has grown to 650 customers and 475 employees and has just signed a $50 million threat intelligence deal with the US Cyber Command.
[MIT Technology Review]