The activities of North Korean hacker groups like Lazarus, responsible for the 2017 WannaCry ransomware attack, have been widely reported on for some time. Recent news however has demonstrated the continuing adaptability and development of North Korea’s cybercrime groups. Ordinary individuals and private sector entities are also increasingly under threat from a rapidly expanding arsenal of digital tools that enable cybercrime.
On 14 February, South Korea’s National Intelligence Service (NIS) for the first time released definite evidence of North Korean involvement in illegal online gambling. According to the NIS release, North Korean IT workers were employed by Kyonghung Information Technology Exchange Company, a China-based firm, to develop and maintain illegal gambling websites which were sold to South Korean criminal groups. These operations were overseen by Room 39, the North Korean party organisation responsible for securing foreign currency for the Kim regime.
The Kyonghung operation was not just a source of revenue, but also an opportunity for cyberattacks. The North Korean-made gambling sites contained malicious software that harvested and attempted to sell the personal data of their South Korean users. Additionally, the North Korean workers were able to steal data from a South Korean company that had sold the servers used to host the gambling websites.
Kyonghung illustrates two important facets of North Korean cybercrime capabilities. First, despite UN sanctions, North Korean workers using false identities continue to be sent outside of the country to generate revenue that is subsequently transferred back to the DPRK. In the case of Kyonghung, South Korean authorities found evidence of elaborate false identities, counterfeit documents and qualifications, and impersonations of skilled foreign nationals. The sophistication of this operation is undeniable, and may hint at a wider, extensive network of North Korean IT workers employed abroad running similar activities.
Second, it is likely that ordinary citizens and businesses in South Korea will be increasingly threatened by North Korean cyberattacks. Though South Korean government entities and officials have been a target for some time, Kyonghung shows that improved cybersecurity and data protection are required not just for these high-profile public-sector targets, but also in South Korea’s private sector. South Korean companies will need to invest in greater data protection and cybersecurity to defend against operations of this nature, especially as North Korean cybercrime capabilities continue to improve. South Korea’s recently announced cybersecurity strategy acknowledges this need, and also focuses on developing pre-emptive and offensive cyber capabilities.
Though South Korea is the most obvious target of North Korean cyberattacks, other countries are certainly not safe. North Korean cyber groups have recently begun making use of AI to extend their reach and pull off sophisticated scams. Microsoft and OpenAI published a report on 14 February detailing their investigation of the use of AI by threat actors. One such case was that of the North Korean hacker group THALLIUM, which made extensive use of Large Language Models (LLMs) like ChatGPT to target and obtain intelligence from foreign experts on North Korea. To accomplish this, the North Korean group used LLMs to impersonate academic institutions and NGOs, communicating extensively with the aforementioned experts.
Microsoft also stated that they observed THALLIUM using LLMs more generally, such as to troubleshoot technical issues and identify potential targets for social engineering operations. It is worth noting that Microsoft’s report also included similar observations on groups from Russia, China and Iran.
In another example described by Chainalysis, a North Korean group targeted a senior employee at a Japanese cryptocurrency exchange, using generative AI to pose as Singaporean recruiters before infecting the employee’s device with spyware. Generative AI and LLMs allow North Korean cyber groups to circumvent difficulties they had previously faced, such as their poor grasp of colloquialisms and casual language, which often made their targets suspicious of scam attempts. By making use of these tools, these groups are able to appear more legitimate and build convincing relationships with their targets over long periods of time.
An analysis by Chainalysis of money laundering activity confirms the sophistication and adaptability of North Korean cyber groups. One notable example in 2023 was Lazarus Group, who were able to adjust their money laundering strategy to evade or bypass law enforcement action with minimal disruption to their activities. One common method of cryptocurrency money laundering is the use of bitcoin mixers: services that take cryptocurrency from a variety of users and ‘mix’ it together before sending the same amounts back out, obfuscating their origins. 2023 saw significant law enforcement and regulatory action targeting these services, including the shutdown of North Korea’s preferred mixer, SinBad, in November. However, Lazarus has been able to adapt to this with ease by jumping ship to YoMix, another mixer service which has seen a rapid increase in popularity. According to Chainalysis, one third of YoMix’s crypto inflows originates from wallets linked to crypto hacks.
Furthermore, groups like Lazarus make use of cross-chain bridge software to move cryptocurrency from one blockchain to another. Blockchains allow for a secure and decentralised crypto transaction system, but each is a relatively small, self-contained network. Cross-chain bridges allow North Korean cybercrime groups to access a much broader crypto ecosystem with no centralised authority or oversight. Cross-chain bridges experienced a dramatic increase in use in 2023, with Chainalysis estimating that the total illicit value moving through them more than doubled in a single year, jumping from $312m in 2022 to $748m in 2023.
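The two Chainalysis figures above, the share of a mixer’s inflows that come from hack-linked wallets and the illicit value crossing bridges, both rest on tracing tainted funds through a transaction graph. The following is an added illustration of that kind of analysis, written for this article and not taken from Chainalysis or from the original piece. It implements the simple ‘haircut’ taint rule (a transfer carries taint in proportion to the sender’s tainted balance) over a constructed set of transactions, and then reports what fraction of a service address’s inflow is tainted. The address labels, amounts and the choice of the haircut rule are all assumptions made for the example; Chainalysis’s actual methodology is not described on this page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One transfer between two addresses (chronological order matters)."""
    sender: str
    receiver: str
    amount: float


def trace_taint(txs, tainted_sources, initial_balances):
    """Propagate taint forward through transfers using the haircut rule.

    Each address keeps a total balance and a tainted balance. When it sends
    `amount`, the tainted portion is amount * (tainted / balance), so taint is
    diluted when mixed with clean funds and concentrated when it is not.
    Returns, per receiving address, the total inflow and the tainted inflow.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for addr, amt in initial_balances.items():
        balance[addr] = amt
        if addr in tainted_sources:  # funds at a tagged wallet start fully tainted
            tainted[addr] = amt

    inflow = defaultdict(lambda: {"total": 0.0, "tainted": 0.0})
    for tx in txs:
        if tx.amount <= 0 or tx.amount > balance[tx.sender] + 1e-9:
            raise ValueError(f"invalid transfer: {tx}")
        frac = tainted[tx.sender] / balance[tx.sender] if balance[tx.sender] > 0 else 0.0
        dirty = tx.amount * frac
        balance[tx.sender] -= tx.amount
        tainted[tx.sender] -= dirty
        balance[tx.receiver] += tx.amount
        tainted[tx.receiver] += dirty
        inflow[tx.receiver]["total"] += tx.amount
        inflow[tx.receiver]["tainted"] += dirty
    return inflow


def illicit_inflow_share(inflow, addr):
    """Fraction of an address's inflow that traces back to tagged wallets."""
    rec = inflow.get(addr)
    if not rec or rec["total"] == 0:
        return 0.0
    return rec["tainted"] / rec["total"]


def flag_services(inflow, threshold):
    """Addresses whose tainted-inflow share meets a screening threshold."""
    return sorted(a for a in inflow if illicit_inflow_share(inflow, a) >= threshold)


# Constructed sample data (hypothetical labels, not real addresses or amounts).
HACK_LINKED = {"hack_wallet"}
BALANCES = {"hack_wallet": 100.0, "clean_wallet": 100.0}
SAMPLE_TXS = [
    Tx("hack_wallet", "hop", 50.0),      # stolen funds parked at an intermediary
    Tx("clean_wallet", "hop", 50.0),     # mixed with clean funds at the same hop
    Tx("hop", "mixer_svc", 60.0),        # half-tainted: carries 30 tainted units
    Tx("clean_wallet", "mixer_svc", 40.0),
    Tx("hack_wallet", "mixer_svc", 20.0),  # direct deposit, fully tainted
]

if __name__ == "__main__":
    flows = trace_taint(SAMPLE_TXS, HACK_LINKED, BALANCES)
    print(f"mixer_svc illicit share: {illicit_inflow_share(flows, 'mixer_svc'):.3f}")
    print("flagged at 25%:", flag_services(flows, 0.25))
```

On the sample data the mixer receives 120 units, of which 50 trace back to the tagged wallet, so its illicit share is about 0.417; the intermediary `hop` sits at exactly 0.5. Real analyses work with orders of magnitude more edges and usually maintain several taint rules side by side (haircut, FIFO, poison), since the chosen rule changes which addresses cross a screening threshold.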
These developments demonstrate a continual evolution in the methods and tools used by sophisticated North Korean cyber groups, which appear especially willing to embrace new forms of emerging technology. One state media article emphasised the importance of AI in growing the new digital economy, and also noted its potential for application to many other areas of the economy. North Korean research is similarly eager to keep abreast of developments in AI, and efforts to do so began as early as 2013, when the Artificial Intelligence Research Institute (인공지능연구소) was established. It is clear that the North Korean approach to developing its cyber capabilities, especially through AI research, is surprisingly comprehensive.
North Korean cybercrime operations so far appear mostly unimpeded by recent law enforcement action, suggesting that stronger responses will be required. The use of AI in sophisticated scams exemplifies North Korea’s eagerness to incorporate new tools into its increasingly threatening suite of cyberwarfare capabilities, as well as the growing likelihood of ordinary individuals being targeted by these groups. This could pose a major threat to those targeted, and there is little doubt that governments and businesses will have to work quickly to improve their own capabilities and counteract North Korean cybercrime activity.
By Harold Purbrick.