For anyone getting their geopolitical news from the Olympics alone, North Korea might seem practically charismatic. Its combined hockey team with South Korea has become a global symbol of dictator Kim Jong Un's call for improved relations with the South. Kim's sister has led a Pyeongchang charm offensive. And its Stepford cheerleaders—well, some people seem to not be entirely creeped out by them.
But beneath that veneer of hockey diplomacy between the two Koreas, North Korean hackers haven't stopped targeting their Southern neighbors. In fact, just as the Kim regime was making nice with South Korea ahead of the Olympic games last month, it also rekindled a brazen cybercrime campaign that has stolen millions of dollars from South Korean banks and bitcoin firms.
Earlier this week, security firm McAfee published evidence that last month, the North Korean state-sponsored hacker group known as Lazarus resumed its campaign of sending phishing emails to targets around the world, designed to serve as the first step in its serial heists of financial targets. McAfee confirms to WIRED that it has evidence that the hacking campaign extended through January 24—and very possibly longer—and targeted South Korean victims as well as Western ones. In other words, McAfee's findings would mean the country continued its attacks weeks after Kim Jong Un reignited inter-Korean diplomacy with a declaration in his New Year's address calling for a "peaceful resolution with our southern border."
"Cyberspace is a distinct security domain. It gives governments a way to hold an olive branch in one hand and a gun in the other," says Kenneth Geers, a senior fellow at the Atlantic Council's Cyber Statecraft Initiative. And why would North Korea want to continue its campaign of outright theft in secret even while trying to improve relations with the South in public? Geers argues the regime has little choice, given its financial woes. "They’re hacking because they need the money, and because there’s no penalty."
The financial element of North Korea's hacking campaign has become a growing part of the global threat it represents online. The country has stolen tens of millions of dollars in bank-hacking operations from Bangladesh to Poland. And South Korea has been a frequent target, too: From April to October of last year, for instance, McAfee says it followed a targeted spear-phishing campaign that used fake job recruiter emails in both English and Korean with malicious attachments designed to lure targets in the finance industry and cryptocurrency exchanges, as well as military targets likely intended for espionage. Earlier this month, South Korean government officials said that North Korean hackers had stolen millions of dollars' worth of cryptocurrency from the country last year.
Now McAfee has found that same campaign, which they strongly believe Lazarus is behind, resumed in mid-January of this year. As before, those emails used malicious attachments to hack unwitting targets. This time they used booby-trapped Word attachments designed to run a Visual Basic script that then downloads a Trojan they call "Haobao," a name based on one of the commands used to activate it. "I wouldn't call this particularly sophisticated, but it's a very targeted spear-phishing campaign," says Raj Samani, McAfee's chief scientist, noting that the Haobao malware it plants on PCs has never been seen before in the wild.
North Korea may have other hacking operations running parallel to its Olympic diplomacy as well. Earlier this year, McAfee detected a series of phishing emails sent in Korean to more than 300 targets, from Olympic organizations to tourism firms and hotels in Pyeongchang to the local Pyeongchang government. That hacking offensive, which McAfee calls Operation GoldDragon, was designed to plant one of three pieces of spyware on victims' machines, likely aimed at espionage. While McAfee hasn't definitively linked that hacking campaign to Lazarus or North Korea, Samani hints that they're a likely suspect, despite North Korea's recent diplomatic efforts to cozy up to its Southern neighbor. "I would guess it's a 'keep your friends close and your enemies closer' approach," Samani told WIRED late last month.
If espionage and diplomacy go hand-in-hand, opportunistic theft and diplomacy don't mix as well. But despite its foreign policy goals, North Korea may have no choice but to continue its no-holds-barred cybercrime schemes, says Jim Lewis, a former State Department official and director of the Center for Strategic and International Studies' Technology and Public Policy Program. He argues that digital theft, like the Kim regime's other, earlier criminal enterprises—from narcotics production to counterfeiting to exotic timber smuggling—has become an indispensable crutch for an economy crippled by sanctions and a near total lack of exportable products.
"It’s desperation," Lewis says. He argues that the Kim regime needs the cash flow that cybercrime provides not only to keep the country's corrupt elite bribed with luxury goods, but to fund its most crucial project: The nuclear weapons systems it believes keep it safe from Western invasion. "Their number one priority is to build a nuclear deterrent that will keep the US away," Lewis says. "So of course they’ll keep stealing."
Lewis believes, though, that South Korea is likely willing to ignore a few underhanded acts online in the service of a broader peace. "It's a bigger game, they need to keep their eye on the strategic prize of more stability on the peninsula," Lewis says. "The South is eager to use the Olympics to tamp down the risk. If that means eating another few weeks of espionage and crime, they're willing to do it."