WannaCry: Lazarus, the Cybercriminals Who Steal and Extort for North Korea’s Beloved Leader
Last month saw the biggest cyber heist on record. Someone stole cryptocurrency (Ethereum, the second most used after Bitcoin) worth 625 million dollars (around 600 million euros) from a website linked to the video game Axie Infinity. The United States was quick to attribute the attack to the Lazarus group, North Korean cybercriminals well known to cybersecurity experts. The blockchain analytics firm Chainalysis estimates that these North Korean hackers may have seized another 400 million dollars in digital assets last year through various attacks on cryptocurrency platforms.
Many countries, such as China, Iran or the United States, unofficially sponsor teams of hackers to carry out sabotage or obtain valuable information. The case of Pyongyang is different: it uses its group of computer experts to make money. The Beloved and Respected Leader (one of the official ways of referring to Kim Jong Un) sees it as a way to survive the harsh international sanctions imposed on the regime.
Calling Lazarus simple digital thieves would be underselling them. Their track record is matched by very few. The US and UK, as well as Microsoft, credit them with the 2017 release of WannaCry 2.0, the largest ransomware attack in history, which has just turned five years old. This type of malware encrypts the files on infected computers and releases them only after a ransom is paid; WannaCry was also a worm, spreading on its own between Windows machines through an unpatched SMB vulnerability, which is why it moved so fast. It is estimated that WannaCry affected some 300,000 computers in 150 countries, including those of the UK health service, parts of which were paralyzed.
A year earlier, in 2016, Lazarus tried to steal 1 billion dollars from the Bangladesh Central Bank with a sophisticated plan that included posing as bank employees and obtaining the credentials needed to authorize transfers. The attack was cut short by a spelling mistake in one of the transfer orders, but not before the group had made off with 81 million dollars. The FBI then considered it the biggest cyber heist in history. The group is also suspected of stealing some 530 million dollars in tokens (digital tokens) from the Japanese cryptocurrency exchange Coincheck in 2018.
Making money for the Leader
All the money Lazarus earns has the same recipient: the Kim Jong Un regime. Lazarus is an oddity in the world of advanced persistent threats (APTs), the term for organized groups of hackers with advanced capabilities. These teams, run and unofficially sponsored by governments, sit at the top of the hacker pyramid. They are well structured and hierarchical (they have departments and professionals with well-defined roles) and they have financial resources, which allows them to carry out complex, coordinated and fast attacks. On paper, only the intelligence services of the great powers (the US, Russia or the UK) have more capability than the APTs.
Given the very nature of the internet, where it is easy to go unnoticed, cyberattacks are very difficult to attribute. “APTs are basically tracked using clues provided by the intelligence services and particularities of the code, but doing a good forensic analysis to determine authorship can take months,” explains the hacker and cybersecurity analyst Deepak Daswani. That is why governments use APTs to sabotage, spy or carry out intelligence operations without provoking diplomatic incidents.
“Lazarus is a unique case,” says Adam Meyers, chief intelligence officer at CrowdStrike and an APT expert. “Other groups launch ransomware, like Russia in Ukraine through Voodoo Bear, but as a cover for other purposes, with no interest in being paid. And if they make money, it is for their own benefit, like the mafias. Lazarus’ goal is to obtain funds to sustain a regime suffocated by international sanctions,” adds the Texan analyst.
Lazarus is in fact the umbrella name given to the hackers operating from North Korea. Meyers’ team distinguishes five different factions under that umbrella, each with well-defined objectives and specializations, but which share a code repository they use to prepare their attacks. Two of them, Stardust Chollima and Labyrinth Chollima, are dedicated exclusively to making money. “We believe that Stardust Chollima belongs to Bureau 121, one of the departments of the Reconnaissance General Bureau,” the name by which one of North Korea’s espionage agencies is known. “They are very focused on financial systems, cryptocurrencies and new technologies.”
The Lazarus network also carries out sabotage operations, along the lines of APTs from other countries. North Korean hacker groups were especially active during the months of 2020 when Big Pharma was racing to develop a Covid vaccine. They tried to break into the computers of employees at AstraZeneca, which together with the University of Oxford was in the middle of developing one of the vaccines. Later they tried to steal information from Pfizer, another of the laboratories involved. Interestingly, North Korea is one of the few countries in the world where the pandemic was kept at bay (until a few weeks ago), so its intention could simply have been to torpedo the process or to sell industrial secrets.
Another of the group’s most notorious operations had no economic purpose; it was revenge. It took place in 2014 and was the first sign that the North Koreans were not amateurs in the digital field. The target was Sony Pictures Entertainment, the producer of The Interview, a film that fantasizes about the assassination of Kim Jong Un. A month before the scheduled release date, a group of hackers infected the computers of Sony employees. They managed to delete sensitive company data, published salary details and leaked compromising emails from some of its executives. They also threatened to attack the movie theaters where the film was shown, which led the big distributors to pull it from their screens.
Kim Jong Un’s big step forward
No one believed that North Korea could become a cyber power. Nor that it could develop the atomic bomb. It achieved both. The second was the obsession of three generations of dictators; the first, an express wish of the current one.
Kim Jong Un rules one of the most isolated countries in the world with an iron hand. Since taking over from his father in 2011, he has seen the potential of the digital sphere both to spy on and sabotage his enemies (the US and South Korea) and to earn money he cannot obtain through trade. “The North Korean regime actively cultivates elite hackers to bring them into Bureau 121,” writes the Australian journalist Anna Fifield in her book The Great Successor (Captain Swing, 2021), in which she dissects the hermetic life and career of Kim Il Sung’s grandson. “Students who show potential aptitude in this area, some as young as 11, are sent to special schools and then to the Pyongyang University of Automation,” where “over the course of five years they are taught to hack systems and to create computer viruses.”
It is striking, says Fifield, that as early as 2018 North Korean students regularly came out on top in competitions, or hackathons, organized by the Indian software company CodeChef. From what the journalist has been able to find out (she knows the country well from her years in Tokyo and Beijing as bureau chief for the Washington Post and in South Korea as a correspondent for the Financial Times), North Korean hackers enjoy a position of respect and a comfortable life in a country where, until the 1990s, people literally starved to death.
Fifield told EL PAÍS that she has no evidence that their status has changed in recent years. Quite the contrary: Kim Jong Un is clear that cybercrime is just another business, a response to international sanctions. “The regime participates in all kinds of sectors that can bring in foreign currency, such as pharmaceutical tests, opium cultivation or human trafficking,” says Meyers. “Cyber espionage and cybercrime are just another vector.” If he cannot make money by trading, he will steal it.
You can follow EL PAÍS TECNOLOGÍA on Facebook and Twitter or sign up here to receive the weekly newsletter.