SEOUL, South Korea — North Korea’s state-sponsored hackers are increasingly going after money rather than secrets, according to a report published on Thursday by a South Korean government-backed institute.
Cybersecurity experts have noticed a shift in the hacking attacks they suspected were mounted by North Korea. Formerly, most such attacks appeared intended to cause social disruption or purloin secret data, and the targets were generally the computer networks of government agencies or media companies in countries it considered hostile. The best-known example was a 2014 attack on computers at Sony Pictures Entertainment.
That kind of attack is still occurring, but in the last few years, North Korean hackers seem to have become more interested in stealing cash, the Financial Security Institute said in its report on Thursday.
The report said North Korean-linked hackers were behind the recent digital theft of $81 million from Bangladesh’s central bank. The North Koreans also tried to breach Polish banks, leaving traces that led anti-hacking experts to believe the hacking group also planned to steal money from more than 100 other organizations around the world.
North Korea is isolated, impoverished and desperately short of foreign currency to pay for imports. Even so, it has trained a large army of hackers, originally as an inexpensive means of espionage, sabotage and propaganda, but now also as a moneymaker.
The Russian cybersecurity firm Kaspersky Lab has identified a hacking group called Bluenoroff that it says is to blame for attacks on foreign financial institutions, like those in Poland and Bangladesh. Bluenoroff is said to be an offshoot of Lazarus, the North Korea-linked hacking group implicated in earlier attacks.
The new report identified another Lazarus spinoff, which it named Andariel, and said that group was responsible for at least seven hacking attacks on banks, defense contractors and other businesses in South Korea over the last two years. (The names Lazarus and Andariel apparently refer to characters in a video game called Diablo.)
“Bluenoroff and Andariel share their common root,” the report said. “If Bluenoroff has attacked financial firms around the world, Andariel focuses on businesses and government agencies in South Korea using methods tailored for the country.”
The report said the Andariel group had increasingly shifted from destructive attacks on computer networks to crimes like stealing bank-card data and using it to draw cash from bank customers’ accounts or selling the data on the black market. The group also used malware to cheat at online poker and on other gambling websites.
“Andariel is believed to focus on earning hard currency,” the report said.
The Financial Security Institute, which is financed by the South Korean government, cautioned that the report was partly conjectural and did not represent an official view.
North Korea, a country that is cut off from much of the global economy and allows only a tiny portion of its population to have access to the internet, has been building up its cyberattack capabilities since the early 1990s, selecting teenagers and teaching them to be hackers, according to South Korean officials and defectors from the North. South Korean cybersecurity officials began detecting attacks attributed to North Korean hackers around 2009.
North Korea is now believed to have 1,700 state-sponsored hackers, aided by more than 5,000 supervisors, trainers and other support staff, South Korean officials estimate. The hackers typically do their work abroad, taking legitimate software programming or other jobs in China, Southeast Asia or Europe and waiting for instructions from Pyongyang to mount an assault, they said.
Going abroad is a rare privilege for North Koreans, and those who are allowed to work outside the country are required to send the government a quota of foreign currency every year, according to North Korean defectors.
North Korea has been accused of illicit moneymaking schemes, including gunrunning, drug trafficking and counterfeiting, to pay for its huge military, its nuclear weapons program and its leaders’ luxurious lifestyle. As the United Nations has tightened sanctions and made those avenues more difficult, cyberattacks have loomed larger as a source of cash. Some hacking experts suspect North Korean involvement in the recent wave of global ransomware attacks.
North Korea has denied any involvement in hacking attacks, accusing South Korea and the United States of slander.