The Onslow Water and Sewerage Authority in Jacksonville, North Carolina, was still recovering from the devastation of Hurricane Florence when hackers started attacking its computer systems with malware.
At 3 a.m. on Saturday, Oct. 13, the malware launched a sophisticated piece of ransomware known as Ryuk. A member of the utility company’s IT staff reacted quickly, disconnecting the computer system from the internet — but it was already too late.
The malicious code had spread through the network, encrypting files and databases. Soon after, an email with a ransom demand arrived. The FBI is still investigating the attack, but all the evidence points to one suspect: North Korea. It wouldn't be the first time hackers from Pyongyang were caught targeting U.S. infrastructure.
The Ryuk ransomware was coded by a Pyongyang-controlled hacking group known as Lazarus, according to the cybersecurity firm Check Point, which based that attribution on code Ryuk shares with the Hermes ransomware previously linked to the group. The same group has been blamed for the attack on Sony Pictures, the crippling WannaCry ransomware and the theft of $81 million from the Bangladesh Bank.
Kim Jong Un may not be launching rockets as part of his bid to ease relations with the U.S., but such niceties haven’t applied to Pyongyang’s cyber operations, experts say. Instead, in the shadow of nuclear negotiations, Kim’s hackers have grown their cyberwarfare capabilities considerably and shown a greater willingness to target Western entities, including the U.S.
"Despite the quickening pace of diplomatic re-engagement with North Korea, what the country has been doing in cyberspace has been completely overlooked,” Fred Plan, a senior analyst with security firm FireEye, told VICE News.
Current campaigns have been primarily focused on boosting revenue through a combination of daring bank heists and targeted ransomware attacks on victims like municipalities and private companies, researchers said. But these same techniques could soon be directed toward destabilizing U.S. national security, they warned.
Going after the money
North Korea’s hacking operation is disproportionately large for a country of its size. According to a South Korean report in 2014, Pyongyang had 6,000 operatives conducting cyberwarfare, roughly the same number as U.S. Cyber Command’s mission force. One area where its operations are growing fast is financial crime, and one specific group has been tasked with earning money for the regime, according to a report published this month by Plan and his colleagues at FireEye.
“There is definitely an escalation in financially motivated crime,” said Plan.
The financially focused group of North Korean hackers has been labeled APT38 and it has been around since at least 2014, FireEye researchers said. While the group was initially cautious, conducting attacks months apart, its most recent operations have been happening at a faster pace, and they've been more destructive.
Attacks thus far have largely focused on Southeast Asia and Latin America, but there are indications that the group is set to venture even further, targeting higher-profile institutions in Western countries.
“We have identified strings in the malware being used by APT38 that demonstrate a clear interest in targeting some of the bigger-name banks,” Plan said.
These hackers aren’t just targeting banks anymore.
Though the officials in Onslow refused to pay the ransom demand, many of Ryuk’s victims have. North Korean hackers have earned at least $640,000 through Ryuk ransomware deployed in the U.S. and elsewhere, according to a recent report from Check Point.
Last year, FireEye disrupted a North Korean campaign that sent spear-phishing emails to U.S. electric companies. The WannaCry ransomware that spread in May 2017, estimated to have infected about 200,000 computers across 150 countries, has also been publicly attributed to North Korea by the U.S. and U.K. governments.
For decades North Korea sought to bolster its economy through narcotics production and distribution, trafficking of endangered species, counterfeiting currency, and manufacturing counterfeit cigarettes. But today many of those operations have been replaced by cyberattacks.
“I think cyber is a way to bypass sanctions, to gain hard currency, in the short term and the long term. I think it is just too lucrative for them to give it up,” said David Maxwell, a senior fellow at the hawkish think tank Foundation for Defense of Democracies, who recently published a new report on North Korea’s hacking operations.
Maxwell suggests that the success of North Korea’s financially motivated cyberattacks could lead Kim to consider using his hackers for more destructive purposes.
Eyes on U.S. infrastructure
Maxwell and the report’s co-author Matthew Ha believe that the success of the financially motivated cyber operations will spur Kim to consider more destructive cyberattacks against South Korea, Japan and the U.S., such as targeting critical national infrastructure, industrial supply chains and major private companies in key industries.
And North Korea’s investment in cyberwarfare will only keep growing, said Ha, who pointed out that investments today in campaigns to infiltrate U.S. networks without being detected could pay off in the future.
“They are learning about our infrastructure systems [which] they can definitely leverage later on if things were to go really sour,” Ha told VICE News.
Cyber operations are, by their nature, harder to detect and attribute than conventional military activity, and for North Korea they also offer the cover of plausible deniability.
Denying you launched a missile over Japan is difficult, but denying you planted a piece of malware is much easier, given how easy it is for hackers to plant false flags within the code, such as misleading language artifacts or tooling borrowed from other groups, to send investigators in the wrong direction.
North Korea may not be in the same league as the U.S., U.K., China or Russia when it comes to hacking capability, but it does have one ace up its sleeve: recklessness.
“There are other countries that are quite capable in cyberspace, but you don't see them robbing banks, and North Korea has both motivation and capability to do so,” Plan says.
Both U.S. and U.K. intelligence communities have voiced their concerns over the growing cyber threat from Pyongyang. A report from the U.K.’s Intelligence and Security Committee in 2017 warned that North Korea “is prepared to use its capabilities without any concern for attribution, and for ideological motives which are alien to other countries.”
In July, Director of National Intelligence Dan Coats warned that North Korea was among the main adversaries — together with Russia, China, and Iran — who were launching daily cyberattacks against U.S. targets. Coats warned that the threat of a “crippling cyberattack on our critical infrastructure” by a foreign actor is growing.
But, for all the threat that a sophisticated cyberoperation poses on its own, it’s still no replacement for a nuclear-tipped intercontinental ballistic missile, experts said.
“For Kim Jong Un, what matters is the survival of his regime, and for that, there is no substitute for nuclear weapons. There is no way that, for a state like North Korea, cyberattacks could be any kind of substitute,” Nigel Inkster, the former director of operations and intelligence for MI6, told VICE News.
Cover image: North Korean leader Kim Jong Un, center left, and U.S. Secretary of State Mike Pompeo walk together before their meeting in Pyongyang, North Korea on Oct. 7, 2018. (Korean Central News Agency/Korea News Service via AP)