When North Korean hackers tried to steal $1 billion from the New York Federal Reserve last year, only a spelling error stopped them. They were digitally looting an account of the Bangladesh Central Bank, when bankers grew suspicious about a withdrawal request that had misspelled “foundation” as “fandation.”
Even so, Kim Jong-un’s minions still got away with $81 million in that heist.
Then only sheer luck enabled a 22-year-old British hacker to defuse the biggest North Korean cyberattack to date, a ransomware attack last Maythat failed to generate much cash but brought down hundreds of thousands of computers across dozens of countries — and briefly crippled Britain’s National Health Service.
Their track record is mixed, but North Korea’s army of more than 6,000 hackers is undeniably persistent, and undeniably improving, according to American and British security officials who have traced these attacks and others back to the North.
Amid all the attention on Pyongyang’s progress in developing a nuclear weapon capable of striking the continental United States, the North Koreans have also quietly developed a cyberprogram that is stealing hundreds of millions of dollars and proving capable of unleashing global havoc.
Unlike its weapons tests, which have led to international sanctions, the North’s cyberstrikes have faced almost no pushback or punishment, even as the regime is already using its hacking capabilities for actual attacks against its adversaries in the West.
And just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose.
The country’s primitive infrastructure is far less vulnerable to cyberretaliation, and North Korean hackers operate outside the country, anyway. Sanctions offer no useful response, since a raft of sanctions are already imposed. And Mr. Kim’s advisers are betting that no one will respond to a cyberattack with a military attack, for fear of a catastrophic escalation between North and South Korea.
“Cyber is a tailor-made instrument of power for them,” said Chris Inglis, a former deputy director of the National Security Agency, who now directs cyberstudies at the United States Naval Academy. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.”
Mr. Inglis, speaking at the Cambridge Cyber Summit this month, added: “You could argue that they have one of the most successful cyberprograms on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost.”
It is hardly a one-way conflict: By some measures the United States and North Korea have been engaged in an active cyberconflict for years.
Both the United States and South Korea have also placed digital “implants” in the Reconnaissance General Bureau, the North Korean equivalent of the Central Intelligence Agency, according to documents that Edward J. Snowden released several years ago. American-created cyber- and electronic warfare weapons were deployed to disable North Korean missiles, an attack that was, at best, only partially successful.
Indeed, both sides see cyber as the way to gain tactical advantage in their nuclear and missile standoff.
A South Korean lawmaker last week revealed that the North had successfully broken into the South’s military networks to steal war plans, including for the “decapitation” of the North Korean leadership in the opening hours of a new Korean war.
There is evidence Pyongyang has planted so-called digital sleeper cells in the South’s critical infrastructure, and its Defense Ministry, that could be activated to paralyze power supplies and military command and control networks.
But the North is not motivated solely by politics: Its most famous cyberattack came in 2014, against Sony Pictures Entertainment, in a largely successful effort to block the release of a movie that satirized Mr. Kim.
What has not been disclosed, until now, is that North Korea had also hacked into a British television network a few weeks earlier to stop it from broadcasting a drama about a nuclear scientist kidnapped in Pyongyang.
Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions a dollars a year from ransomware, digital bank heists, online video game cracking, and more recently, hacks of South Korean Bitcoin exchanges.
One former British intelligence chief estimates the take from its cyberheists may bring the North as much as $1 billion a year, or a third of the value of the nation’s exports.
The North Korean cyberthreat “crept up on us,” said Robert Hannigan, the former director of Britain’s Government Communications Headquarters, which handles electronic surveillance and cybersecurity.
“Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously,” he said. “How can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?”
From Minor Leaguers to Serious Hackers
Kim Jong-il, the father of the current dictator and the initiator of North Korea’s cyberoperations, was a movie lover who became an internet enthusiast, a luxury reserved for the country’s elite. When Mr. Kim died in 2011, the country was estimated to have 1,024 IP addresses, fewer than on most New York City blocks.
Mr. Kim, like the Chinese, initially saw the internet as a threat to his regime’s ironclad control over information. But his attitude began to change in the early 1990s, after a group of North Korean computer scientists returned from travel abroad proposing to use the web to spy on and attack enemies like the United States and South Korea, according to defectors.
North Korea began identifying promising students at an early age for special training, sending many to China’s top computer science programs. In the late 1990s, the Federal Bureau of Investigation’s counterintelligence division noticed that North Koreans assigned to work at the United Nations were also quietly enrolling in university computer programming courses in New York.
“The F.B.I. called me and said, ‘What should we do?’ ” recalled James A. Lewis, at the time in charge of cybersecurity at the Commerce Department. “I told them, ‘Don’t do anything. Follow them and see what they are up to.’”
The North’s cyberwarfare unit gained priority after the 2003 invasion of Iraq by the United States. After watching the American “shock and awe” campaign on CNN, Kim Jong-il issued a warning to his military: “If warfare was about bullets and oil until now,” he told top commanders, according to a prominent defector, Kim Heung-kwang, “warfare in the 21st century is about information.”
The unit was marked initially by mishaps and bluster.
“There was an enormous growth in capability from 2009 or so, when they were a joke,” said Ben Buchanan, the author of “The Cybersecurity Dilemma” and a fellow at the Cyber Security Project at Harvard. “They would execute a very basic attack against a minor web page put up by the White House or an American intelligence agency, and then their sympathizers would claim they’d hacked the U.S. government. But since then, their hackers have gotten a lot better.”
A National Intelligence Estimate in 2009 wrote off the North’s hacking prowess, much as it underestimated its long-range missile program. It would be years before it could mount a meaningful threat, it claimed.
But the regime was building that threat.
When Kim Jong-un succeeded his father, in 2011, he expanded the cybermission beyond serving as just a weapon of war, focusing also on theft, harassment and political-score settling.
“Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly,” Kim Jong-un reportedly declared, according to the testimony of a South Korean intelligence chief.
And the array of United Nations sanctions against Pyongyang only incentivized Mr. Kim’s embrace.
“We’re already sanctioning anything and everything we can,” said Robert P. Silvers, the former assistant secretary for cyberpolicy at the Department of Homeland Security during the Obama administration. “They’re already the most isolated nation in the world.”
By 2012, government officials and private researchers say North Korea had dispersed its hacking teams abroad, relying principally on China’s internet infrastructure. This allowed the North to exploit largely nonsecure internet connections and maintain a degree of plausible deniability.
A recent analysis by the cybersecurity firm Recorded Future found heavy North Korean internet activity in India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. In some cases, like that of New Zealand, North Korean hackers were simply routing their attacks through the country’s computers from abroad. In others, researchers believe they are now physically stationed in countries like India, where nearly one-fifth of Pyongyang’s cyberattacks now originate.
Intelligence agencies are now trying to track the North Korean hackers in these countries the way they have previously tracked terrorist sleeper cells or nuclear proliferators: looking for their favorite hotels, lurking in online forums they may inhabit, attempting to feed them bad computer code and counterattacking their own servers.
Learning From Iran, Growing Bolder
For decades Iran and North Korea have shared missile technology, and American intelligence agencies have long sought evidence of secret cooperation in the nuclear arena. In cyber, the Iranians taught the North Koreans something important: When confronting an enemy that has internet-connected banks, trading systems, oil and water pipelines, dams, hospitals, and entire cities, the opportunities to wreak havoc are endless.
By midsummer 2012, Iran’s hackers, still recovering from an American and Israeli-led cyberattack on Iran’s nuclear enrichment operations, found an easy target in Saudi Aramco, Saudi Arabia’s state-owned oil company and the world’s most valuable company.
That August, Iranian hackers flipped a kill switch at precisely 11:08 a.m., unleashing a simple wiper virus onto 30,000 Aramco computers and 10,000 servers that would destroy data, and replace it with a partial image of a burning American flag. The damage was tremendous.
Seven months later, during joint military exercises between American and South Korean forces, North Korean hackers, operating from computers inside China, deployed a very similar cyberweapon against computer networks at three major South Korean banks and South Korea’s two largest broadcasters. Like Iran’s Aramco attacks, the North Korean attacks on South Korean targets used wiping malware to eradicate data and paralyze their business operations.
It may have been a copycat operation, but Mr. Hannigan, the former British official, said recently: “We have to assume they are getting help from the Iranians.”
And inside the National Security Agency, just a few years after analysts had written off Pyongyang as a low grade threat, there was suddenly a new appreciation that the country was figuring out cyber just as it had figured out nuclear weapons: test by test.
“North Korea showed that to achieve its political objectives, it will take down any company — period,” Mr. Silvers said.
Protecting Kim’s Image
A chief political objective of the cyberprogram is to preserve the image of the North’s 33-year-old leader, Kim Jong-un. In August 2014, North Korean hackers went after a British broadcaster, Channel Four, which had announced plans for a television series about a British nuclear scientist kidnapped in Pyongyang.
First, the North Koreans protested to the British government. “A scandalous farce,” North Korea called the series. When that was ignored, British authorities found that the North had hacked into the television network’s computer system. The attack was stopped before inflicting any damage, and David Abraham, the chief executive of Channel Four, initially vowed to continue the production.
That attack, however, was just a prelude. When Sony Pictures Entertainment released a trailer for “The Interview,” a comedy about two journalists dispatched to Pyongyang to assassinate North Korea’s young new dictator, Pyongyang wrote a letter of complaint to the secretary general of the United Nations to stop the production. Then came threats to Sony.
Michael Lynton, then Sony’s chief executive, said when Sony officials called the State Department, they were told it was just more “bluster,” he said.
“At that point in time, Kim Jong-un was relatively new in the job, and I don’t think it was clear yet how he was different from his father,” Mr. Lynton said in an interview. “Nobody ever mentioned anything about their cyber capabilities.”
In September 2014, while still attempting to crack Channel 4, North Korean hackers buried deep into Sony’s networks, lurking patiently for the next three months, as both Sony and American intelligence completely missed their presence.
The director of national intelligence, James Clapper, was even in Pyongyang at the time, trying to win the release of a detained American, and had dinner with the then-chief of the Reconnaissance General Bureau.
On Nov. 24, the attack on Sony began: Employees arriving at work that day found their computer screens take over by picture of a red skeleton with a message signed “GOP,” for “Guardians of Peace.”
“We’ve obtained all your internal data including your secrets and top secrets,” the message said. “If you don’t obey us, we’ll release data shown below to the world.”
That was actually a diversion: The code destroyed 70 percent of Sony Pictures’ laptops and computers. Sony employees were reduced to communicating via pen, paper and phone.
Mr. Lynton said the F.B.I. told him that nothing could have been done to prevent the attack, since it was waged by a sovereign state. “We learned that you really have no way of protecting yourself in any meaningful way,” he said of such nation-state attacks.
Sony struggled to distribute the film as theaters were intimidated. (Ultimately it was distributed for download, and may have done better than it would have.) In London, outside investors in Channel Four’s North Korea project suddenly dried up, and the project effectively died.
The Obama White House responded to the Sony hack with sanctions that the North barely noticed, but with no other retaliation. “A cyberbattle would be a lot more risky for the United States and its allies than for North Korea,” said Mr. Silvers.
Robbing Banks, Pyongyang Style
Beyond respect, and retribution, the North wanted hard currency from its cyberprogram.
So soon the digital bank heists began — an attack in the Philippines in October 2015; then the Tien Phong Bank in Vietnam at the end of the same year; and then the Bangladesh Central Bank. Researchers at Symantec said it was the first time a state had used a cyberattack not for espionage or war, but to finance the country’s operations.
Now, the attacks are increasingly cunning. Security experts noticed in February that the website of Poland’s financial regulator was unintentionally infecting visitors with malware.
It turned out that visitors to the Polish regulator’s website — employees from Polish banks, from the central banks of Brazil, Chile, Estonia, Mexico, Venezuela, and even from prominent Western banks like Bank of America — had been hit with a so-called watering hole attack, in which North Korean hackers waited for their victims to visit the site, then installed malware in their machines. Forensics showed that the hackers had put together a list of internet addresses from 103 organizations, most of them banks, and designed their malware to specifically infect visitors from those banks, in what researchers said appeared to be an effort to move around stolen currency.
More recently, North Koreans seemed to have changed tack once again. North Korean hackers’ fingerprints showed up in a series of attempted attacks on so-called cryptocurrency exchanges in South Korea, and were successful in at least one case, according to researchers at FireEye.
The attacks on Bitcoin exchanges, which see hundreds of millions of dollars worth of Bitcoin exchanged a day, offered Pyongyang a potentially very lucrative source of new funds. And, researchers say, there is evidence they have been exchanging Bitcoin gathered from their heists for Monero, a highly anonymous version of cryptocurrency that is far harder for global authorities to trace.
The most widespread hack was WannaCry, a global ransomware attack that used a program that cripples a computer and demands a ransom payment in exchange for unlocking the computer, or its data. In a twist the North Koreans surely enjoyed, their hackers based the attack on a secret tool, called “Eternal Blue,” stolen from the National Security Agency.
In the late afternoon of May 12, panicked phone calls flooded in from around Britain and the world. The computer systems of several major British hospital systems were shut down, forcing diversions of ambulances and the deferral of nonemergency surgeries. Banks and transportation systems across dozens of countries were affected.
Britain’s National Cyber Security Center had picked up no warning of the attack, said Paul Chichester, its director of operations. Investigators now think the WannaCry attack may have been an early misfire of a weapon that was still under development — or a test of tactics and vulnerabilities.
“This was part of an evolving effort to find ways to disable key industries,” said Brian Lord, a former deputy director for intelligence and cyber operations at the Government Communications Headquarters in Britain. “All I have to do is create a moderately disabling attack on a key part of the social infrastructure, and then watch the media sensationalize it and panic the public.”
It ended thanks to Marcus Hutchins, a college dropout and self-taught hacker living with his parents in the southwest of England. He spotted a web address somewhere in the software and, on a lark, paid $10.69 to register it as a domain name. The activation of the domain name turned out to act as a kill switch causing the malware to stop spreading.
British officials privately acknowledge that they know North Korea perpetrated the attack, but the government has taken no retaliatory action, uncertain what they can do.
A Cyber Arms Race
While American and South Korean officials often express outrage about North Korea’s cyberactivities, they rarely talk about their own — and whether that helps fuel the cyber arms race.
Yet both Seoul and Washington target the North’s Reconnaissance General Bureau, its nuclear program and its missile program. Hundreds, if not thousands, of American cyberwarriors spend each day mapping the North’s few networks, looking for vulnerabilities that could be activated in time of crisis.
At a recent meeting of American strategists to evaluate North Korea’s capabilities, some participants expressed concerns that the escalating cyberwar could actually tempt the North to use its weapons — both nuclear and cyber — very quickly in any conflict, for fear that the United States has secret ways to shut the country down.
The director of the Central Intelligence Agency, Mike Pompeo, said last week that the United States is trying to compile a better picture of the leadership around Kim Jong-un, for a report to President Trump. Figuring out who oversees cyber and special operations is a central mystery. The Japanese press recently speculated it could be an official named Jang Kil-su. Others are curious about Gen. No Kwang-chol, who was elevated to the Central Committee of the North’s ruling party in May 2016, and is one of the only members whose portfolio is undisclosed.
The big question is whether Mr. Kim, fearful that his nuclear program is becoming too large and obvious a target, is focusing instead on how to shut down the United States without ever lighting off a missile. “Everyone is focused on mushroom clouds,” Mr. Silvers said, “but there is far more potential for another kind of disastrous escalation.”