In news good for no one anywhere, it seems the North Korean army of cybercriminals has decided to reorganize itself to prioritize greater specialization. According to WSJ reports out this morning — the cyber dark army has splintered into smaller groups and is increasingly focused on stealing from the rest of the world to give back to its home country.
The search for lucre — as opposed to data, destablization, or intimidation — is a change of tactics for Pyongyang. Some speculate that evolving a nuclear program is not easy work when a nation is under extreme sanctions — and the money has to come from somewhere.
Prior cyberattacks that can be connected to North Korea’s military force include the 2014 hack of Sony Pictures Entertainment and a cyberheist at Bangladesh’s central bank. North Korean cyberattackers are also thought to be behind this year’s WannaCry global ransomware attack. Kaspersky Lab AO made that connection by identifying an offshoot of Lazarus, used by a hacking group called BlueNoroff, which specializes in heists of foreign financial institutions.
The Korea Financial Security Institute is now reporting a second group using Lazarus that has been attacking South Korea since 2013. Those hacking efforts include attempts to spike ATMS with malware to scrape card data — FSI notes that the behaviors are more typical of organized crime than state-sponsored cyberterror.
According to South Korean officials, the attempts — which netted several thousand dollars — were withdrawn before South Korean law enforcement identified the ruse after six days. The data was largely sold to consumers in China and Taiwan.
“North Korea now cares more about making money than causing disruptions or cyberterrorism,” said Joon Kim, owner of Naru Security Inc., who has advised South Korean law enforcement on cyber issues.
Andariel — the hacking group — has been connected to eight similar attacks in the South. Reports indicate the group has joined up with BlueNoroff to target a large South Korean financial institution.
“The problem is that it’s not just simple attacks anymore with North Korea. It’s more orchestrated now, as if it were a military operation,” said Kim Seung-joo, a Korea University professor who sits on a South Korean government cybersecurity advisory team.