North Korean Hackers Paid Using A Bitcoin Wallet

The alleged North Korean hacking of Sony, Bangladesh Bank and other targets stands as some of the most infamous cyberattacks yet experienced. And the recently unsealed criminal complaint against the accused perpetrator offers some clues about the payments flow related to those felonies.

In a complaint from the U.S. Justice Department, federal authorities say that North Korea’s Park Jin Hyok sponsored “Lazarus Group” and worked for a North Korean government front company, Chosun Expo Joint Venture.

Park and those organizations allegedly were behind the malware used in the 2017 WannaCry 2.0 global ransomware attack; the theft of $81 million from Bangladesh Bank in 2016; the 2014 attack on Sony Pictures Entertainment; and numerous other attacks on the entertainment, financial services, defense, technology, and virtual currency industries, as well as academia and electric utilities.

Park faces one count of conspiracy to commit computer fraud and abuse — which carries a maximum sentence of five years in prison — and one count of conspiracy to commit wire fraud, which has a maximum sentence of 20 years in prison.

Bitcoin Role

The 180-page criminal complaint is much heavier on the technical details of how Park and those organizations allegedly conducted the cyberattacks than on how they collected and distributed payments — that is, it’s better at explaining how the bank was robbed than what happened to the stolen money. But the document does contain some explanations related to payments, providing some idea of how hackers get paid for their activities.

Bitcoin played a role in the alleged North Korea-directed cyberattacks.

For instance, “the bitcoin ransom payments by victims of WannaCry Versions 1 and 2 were both transferred from a bitcoin wallet to a cryptocurrency exchange using a browser with the same user-agent string, and bitcoin from victims of Version 1 and Version 2 were both transferred through some of the same cryptocurrency exchanges and ultimately converted to another cryptocurrency, Monero,” according to the complaint. “At least some of the transactions occurred from five IP addresses that have been identified as exit nodes for the TOR network.”

According to the complaint against Park, “a user-agent string is used to detect specific information about the client system, software and browser making the request, which allows the web server to choose how to optimally provide data back to the client. For example, the website may present a slightly different version for a computer visiting that site when it is using a Mac operating system versus when the computer visiting the site is using a Windows operating system.”
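The two passages above describe the linking technique investigators relied on: transactions from different sources that share the same user-agent string, some of them arriving from known Tor exit nodes. The script below is an added illustration of that correlation step from an analyst's side; it is not code from the complaint or from any investigative agency. The log lines, the Tor exit-node list and the log format are all constructed for the example, and a real analysis would substitute exchange or web-server logs and a current exit-node feed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the complaint). Each line is:
# client_ip "METHOD path" "User-Agent"
SAMPLE_LOG = """\
198.51.100.7 "POST /withdraw" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
203.0.113.9 "POST /withdraw" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
192.0.2.44 "GET /balance" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/603.1"
198.51.100.7 "POST /withdraw" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0"
203.0.113.25 "POST /withdraw" "curl/7.58.0"
"""

# Constructed placeholder standing in for a Tor exit-node feed.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.9"}

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def parse_log(text):
    """Parse the constructed log format into (ip, request, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def cluster_by_user_agent(events):
    """Group the source IPs seen under each exact user-agent string."""
    clusters = defaultdict(set)
    for ip, _req, ua in events:
        clusters[ua].add(ip)
    return dict(clusters)


def flag_tor_activity(events, exit_nodes=TOR_EXIT_NODES):
    """Return the user-agent strings that were presented from Tor exit-node IPs."""
    return {ua for ip, _req, ua in events if ip in exit_nodes}


def linked_sessions(events, exit_nodes=TOR_EXIT_NODES):
    """User-agents observed from more than one IP, noting which IPs were Tor exits.

    One user-agent string reused across several Tor exit addresses is the
    pattern the complaint uses to tie the Version 1 and Version 2 transfers together.
    """
    report = {}
    for ua, ips in cluster_by_user_agent(events).items():
        if len(ips) > 1:
            report[ua] = {"ips": sorted(ips), "tor_exits": sorted(ips & exit_nodes)}
    return report


if __name__ == "__main__":
    for ua, info in linked_sessions(parse_log(SAMPLE_LOG)).items():
        print(ua, info)
```

The user-agent string is a weak identifier on its own, since many clients share a default one; what makes it useful here is the combination of an exact string match, the same destination services, and source addresses that resolve to the same anonymity network, which is why the script reports all three together.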

In the case of the Bangladesh Bank cyberattack and theft, the $81 million “was sent to bank accounts that had been created in the Philippines in May 2015 in the names of fictitious persons. The fraudulent SWIFT messages sent from Bangladesh Bank’s computer systems included the (fake) names and (real) account numbers of the specific accounts that had been created in May 2015,” said the U.S. Justice Department complaint.

African Bank

The hackers also attempted to steal $100 million from a financial institution in Africa and tried to send those stolen funds to “multiple accounts in Asia.” That theft failed, however, and the money was returned by the recipient banks. That thwarted attempt provides insight into how the hackers allegedly used SWIFT in pursuit of those funds.

According to information in the complaint supplied by an FBI computer scientist, “on the day of the unauthorized transfers, the subjects modified several files that formed components of the SWIFT Alliance Access software on the African Bank’s SWIFT server. Later forensic analysis recovered an executable program named fpat.exe from the African Bank’s SWIFT server. The program fpat.exe was capable of making targeted modifications to otherwise legitimate Alliance Access files.”

More specifically, in the case of the African bank, “one SWIFT Alliance Access file that had been modified was ‘patched,’ meaning that a very small portion of its binary instructions were overwritten,” the complaint said. “That particular file would ordinarily prevent changes to the database that recorded all SWIFT messages exchanged by the bank, but once it was modified or ‘patched,’ the subjects were able to access and modify the database.”
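The defensive counterpart to the patching described above is file integrity monitoring of the messaging software itself: a known-good hash of each Alliance Access component, checked on a schedule, turns a "very small portion" of overwritten instructions into an alert that also says where in the file the change sits. The code below is an added example of that check and is not from the complaint, from SWIFT, or from any forensic tool; the "binary" and the patched copy are constructed byte strings, and a real deployment would read the baseline hashes from a store kept off the monitored host.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash used for the baseline comparison."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(baseline: bytes, current: bytes):
    """Return [(offset, length)] for each contiguous run of differing bytes.

    If the lengths differ, the trailing size difference is reported as a
    final region starting at the shorter length.
    """
    regions = []
    n = min(len(baseline), len(current))
    start = None
    for i in range(n):
        if baseline[i] != current[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    if len(baseline) != len(current):
        regions.append((n, abs(len(baseline) - len(current))))
    return regions


def check_integrity(name: str, baseline: bytes, current: bytes) -> dict:
    """Compare a file's current bytes with its known-good copy.

    A hash mismatch alone is the alert; the region list is what lets an
    analyst say the change was a targeted patch rather than a rebuild.
    """
    if sha256_hex(baseline) == sha256_hex(current):
        return {"file": name, "status": "unchanged", "regions": []}
    regions = diff_regions(baseline, current)
    return {
        "file": name,
        "status": "modified",
        "regions": regions,
        "bytes_changed": sum(length for _, length in regions),
        "size": len(baseline),
    }


# Constructed stand-in for a legitimate component: 4 KiB of deterministic filler.
BASELINE = bytes((i * 7 + 3) & 0xFF for i in range(4096))

# Constructed "patched" copy: six bytes overwritten at offset 0x400, nothing else.
_patched = bytearray(BASELINE)
_patched[0x400:0x406] = b"\x00" * 6
PATCHED = bytes(_patched)


if __name__ == "__main__":
    print(check_integrity("alliance_component.bin", BASELINE, PATCHED))
```

A change of six bytes in a four-kilobyte file is exactly the kind of edit that a size check or a timestamp check misses, which is why the comparison is against content hashes and why the baseline must live somewhere the host's own administrator account cannot rewrite.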

Cyberattacks will continue, no doubt with even more sophistication. And as this particular North Korean case unfolds, more details will emerge about methods and payment flows.