Stealing Millions, yet a Twist of Fate

It is estimated that North Korea (KP) is continuing to steal hundreds of millions of dollars from financial institutions and cryptocurrency firms and exchanges.  This stolen currency is an important source of funding for its nuclear and missile programs, UN experts said in a report quoting cyber specialists.  The panel of experts said that according to an unnamed government, North Korean “cyber-actors stole more than $50 million between 2020 and mid-2021 from at least three cryptocurrency exchanges in North America, Europe and Asia, probably reflecting a shift to diversify its cybercrime operations.”

Investigators are saying that in 2021 the North Korean “cyber-actors stole a total of $400 million worth of cryptocurrency through seven intrusions into cryptocurrency exchanges and investment firms.”  These cyberattacks “made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected ‘hot’ wallets into DPRK-controlled addresses,” the panel said, using the initials of the country’s official name, the Democratic People’s Republic of Korea.  The cryptocurrency funds stolen by the DPRK cyber actors “go through a careful money laundering process in order to be cashed out,” the panel of experts monitoring sanctions on North Korea said in the report to the UN Security Council.[1]

In 2021, the panel quoted an unidentified country saying North Korea’s “total theft of virtual assets from 2019 to November 2020 is valued at approximately $316.4 million.”  In the executive summary of the new report, the experts said North Korea has continued to develop its nuclear and ballistic missile programs.  “Although no nuclear tests or launches of ICBMs were reported, KP continued to develop its capability for production of nuclear fissile materials,” the panel said.  Those fissile materials, uranium or plutonium, are what a nuclear weapon needs to sustain a chain reaction.

The experts noted “a marked acceleration” of North Korean missile launches through January that used a variety of technology and weapons.  The experts said North Korea “continued to seek material, technology and know-how for these programs overseas, including through cyber means and joint scientific research.”

A year ago, the same investigative panel said North Korea had modernized its nuclear weapons and ballistic missiles by ignoring UN sanctions, using cyber-attacks to help finance its programs and continuing to seek material and technology overseas for its arsenal including in Iran.  “Cyber-attacks, particularly on cryptocurrency assets, remain an important revenue source” for Kim Jong Un’s government.  In addition to its recent launches, North Korea has threatened to lift its four-year moratorium on more serious weapons tests such as nuclear explosions and launches of intercontinental ballistic missiles.  The UN Security Council initially imposed sanctions on North Korea after its first nuclear test explosion in 2006 and toughened them in response to further nuclear tests and the country’s increasingly sophisticated nuclear and ballistic missile programs.

North Korea’s blockade aimed at preventing COVID-19 resulted in “historically low levels” of people and goods entering and leaving the country.  Legal and illegal trade, including in luxury goods, “has largely ceased,” though cross-border rail traffic resumed in early January, the panel said.  The panel has previously made clear that North Korea remains able to evade sanctions and to illicitly import refined petroleum, access international banking channels and carry out “malicious cyber activities.”  UN sanctions ban North Korean coal exports, and the experts said in the new report that although coal exports by sea increased in the second half of 2021, “they were still at relatively low levels.  The quantity of illicit imports of refined petroleum increased sharply in the same period, but at a much lower level than in previous years,” the panel said, adding that direct deliveries by non-North Korean tankers have ceased and only tankers from the North delivered oil, “a marked change of methodology” probably in response to COVID-19 measures.  The experts said North Korea also continues to evade maritime sanctions “by deliberately obfuscated financial and ownership networks.”

While the humanitarian situation in the country continues to worsen, the panel said the almost complete lack of information from the country makes it difficult to determine the “unintended humanitarian consequences of UN sanctions affecting the civilian population.”

In a twist of fate, North Korea has lost its Internet connectivity again.  The country experienced an Internet outage that may have been caused by a cyber-attack, losing external connectivity for approximately six hours last week.  The incident was the second outage to hit North Korea in the past two weeks.  Perhaps North Korea’s APT groups are poking the wrong countries.

A cybersecurity researcher who monitors various North Korean web and email servers from a location in Britain said the latest outage could have resulted from a distributed denial-of-service (DDoS) attack.  Describing the recent incident, the source said: “When someone would try to connect to an IP address in North Korea, the internet would literally be unable to route their data into the country.”

Within a few hours of the suspected DDoS attack, the servers supporting email were back up and running.  Additional disruption and downtime continued to affect individual web servers of institutions, including North Korea’s Ministry of Foreign Affairs, the Air Koryo airline, and Naenara, the official portal of the North Korean government.

Seoul-based news site NK Pro, which monitors events in North Korea, reported that log files and network records indicated that websites ending in .kp and hosted on North Korean web domains were mostly unreachable.  The reason given was that North Korea’s Domain Name System (DNS) had ceased to communicate the routes that data packets are meant to take.[2]  Strictly speaking, those are two separate failures: DNS maps names to addresses, while the routes that carry packets into the country are announced by its border routers over BGP.  If the country’s prefixes are withdrawn from the global routing table, hosts inside become unreachable by address as well as by name, which matches the researcher’s description of traffic that could not be routed into the country at all.

A similar incident occurred in North Korea on 14 January 2022.  That server outage was “the result of some form of network stress rather than something like a power cut.”  The result was that no traffic was being sent to or from North Korea at the peak of the recent attack.  “It’s common for one server to go offline for some periods of time, but these incidents have seen all web properties go offline concurrently. It is not common to see their entire internet dropped offline,” said a trusted reporter.  “During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the Internet.”  North Korea has blamed the US for the continued service outages.
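As an added illustration (this is not code from the original article, from NK Pro, or from the researcher quoted above): the progression described, from timeouts, to individual servers dropping, to the routers themselves disappearing, can only be told apart in monitoring data if each probe records more than “up” or “down.”  The Python below assumes a constructed probe log that records, per target and time window, whether the target’s name resolved, whether a TCP connect to its known address succeeded, and whether a BGP route covering that address was still visible from outside.  The target names, thresholds and every measurement in it are made up for the example; it classifies each window as a single-host problem, a network-wide stress condition, a DNS failure, or a routing collapse.

```python
"""Classify the scope of an outage from a log of per-target probes.

Added example; not the article's, NK Pro's or any cited researcher's code.
Assumed (constructed) log format, one probe per line:
    <ts> <target> <dns> <tcp> <route>
dns   : result of resolving the target against its authoritative server
tcp   : result of a TCP connect to the target's known address
route : whether a BGP route covering that address was visible from outside
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: int
    target: str
    dns_ok: bool
    tcp_ok: bool
    route_ok: bool


def parse_log(text):
    """Parse the space-separated probe log; blank and '#' lines are skipped."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, target, dns, tcp, route = line.split()
        probes.append(Probe(int(ts), target, dns == "ok", tcp == "ok", route == "ok"))
    return probes


def classify_window(probes, wide_threshold=0.5):
    """Label one measurement window (wide_threshold is an assumed tuning value).

    routing      every target's prefix is gone from the routing table: nothing
                 can be delivered into the network, by name or by address
    network-wide routes still announced, but at least wide_threshold of the
                 targets time out: shared paths or routers are saturated,
                 not one server down
    dns          addresses answer but no name resolves
    single-host  a minority of targets fail while the rest answer
    healthy      everything answered
    """
    if not probes:
        raise ValueError("empty window")
    n = len(probes)
    route_lost = sum(not p.route_ok for p in probes)
    tcp_failed = sum(not p.tcp_ok for p in probes)
    dns_failed = sum(not p.dns_ok for p in probes)
    if route_lost == n:
        return "routing"
    if tcp_failed / n >= wide_threshold:
        return "network-wide"
    if dns_failed == n:
        return "dns"
    if tcp_failed or dns_failed:
        return "single-host"
    return "healthy"


def timeline(probes, wide_threshold=0.5):
    """Group probes by timestamp and label each window, oldest first."""
    windows = defaultdict(list)
    for p in probes:
        windows[p.ts].append(p)
    return [(ts, classify_window(windows[ts], wide_threshold)) for ts in sorted(windows)]


def stages(tl):
    """Distinct labels in order of first appearance: an escalation from
    timeouts to a routing collapse reads as one short sequence."""
    seen = []
    for _, label in tl:
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample, not real measurements. The target names are labels
# for the kinds of hosts the article mentions, not actual hostnames.
SAMPLE_LOG = """\
# ts  target   dns  tcp      route
100   mail     ok   ok       ok
100   mfa      ok   ok       ok
100   airline  ok   ok       ok
100   portal   ok   ok       ok
200   mail     ok   timeout  ok
200   mfa      ok   ok       ok
200   airline  ok   ok       ok
200   portal   ok   ok       ok
300   mail     ok   timeout  ok
300   mfa      ok   timeout  ok
300   airline  ok   timeout  ok
300   portal   ok   ok       ok
400   mail     fail fail     withdrawn
400   mfa      fail fail     withdrawn
400   airline  fail fail     withdrawn
400   portal   fail fail     withdrawn
500   mail     ok   ok       ok
500   mfa      ok   timeout  ok
500   airline  ok   timeout  ok
500   portal   ok   timeout  ok
"""

if __name__ == "__main__":
    for ts, label in timeline(parse_log(SAMPLE_LOG)):
        print(ts, label)
```

Run on the constructed log, the windows read healthy, single-host, network-wide, routing, network-wide: the last window is the state the article describes after the attack, with mail back but the web servers still timing out behind routes that are announced again.  The point of recording the route check separately is that a DDoS that saturates a link and a prefix withdrawal look identical from a plain HTTP monitor, yet only the latter means the country has literally dropped off the Internet.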

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://www.securityweek.com/un-experts-north-korea-stealing-millions-cyber-attacks

[2] https://www.oodaloop.com/briefs/2022/01/27/north-korea-loses-internet-in-suspected-cyber-attack/