The Democratic People's Republic of Korea (DPRK) is already well known to the US public. Its leader, Kim Jong Un, has developed missiles capable of striking U.S. cities and has pushed the small nation to the brink of nuclear confrontation with an ever-growing program of missile launches and atomic bomb tests.

Yet, silently operating behind the scenes are the North Korean cyberwarfare units, attacking, probing, and stealing their way into the top ranks of state-sponsored hackers. The agencies in the DPRK leading the battle against America are Bureau 121 and the No. 91 Office, both part of the Reconnaissance General Bureau of North Korea's military. According to South Korean officials, the ranks of Bureau 121 and the No. 91 Office have swelled to over 6,000 hackers, some of whom are no longer based inside the North. One suspected location of a Bureau 121 cell is the Chilbosan Hotel in Shenyang, China.

Researchers at several security companies, including Kaspersky Lab, track the activity attributed to Bureau 121 under the name Lazarus Group. The link between Lazarus Group and North Korea has been not only strategically valuable but lucrative for the regime. Beginning in January 2016, a Lazarus subgroup dubbed Bluenoroff compromised the network of Bangladesh Bank, the country's central bank, and the SWIFT terminals it used for international transfers. The intrusion was enabled by extensive surveillance of the poorly secured Bangladesh Bank systems, which reportedly linked the SWIFT transfer terminals to the central computers through cheap second-hand network switches stored in closets.

Lazarus Group members installed the Dridex malware tool on the Bangladesh Bank systems and waited. Dridex, also known as Bugat and Cridex, is a banking trojan that specializes in stealing online banking credentials. It is delivered through malicious macros embedded in Microsoft Office documents: the victim, a Windows user, opens a Word or Excel attachment from a phishing email and enables macros, and the macro downloads and runs the Dridex installer, infecting the computer and exposing the victim to banking theft.
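Because the Dridex chain depends on the victim receiving and opening a macro-carrying Word or Excel file, the cheapest control is to quarantine macro-enabled attachments at the mail gateway before a user ever sees them. The script below is an added example written for this article (not code from the article, from Kaspersky or from any vendor): a stdlib-only check of the document container that reports whether a VBA project is present. It does not analyze what the macros do; for that a VBA extractor such as oletools' olevba is the usual next step. The function names, the `gateway_verdict` policy and the sample documents built in memory are all constructed for the demonstration.

```python
"""Triage an Office attachment for an embedded VBA project before a user opens it.

Added example for this article, not code from the article or from any vendor.
Detects whether a VBA project is present in legacy OLE2 (.doc/.xls) or OOXML
(.docm/.xlsm) containers; it does not decompile or analyze the macro code.
The sample documents are constructed in memory for the demonstration.
"""
import io
import zipfile

# Magic number of the legacy OLE2 compound file format (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries are named in UTF-16LE; these storage names hold the VBA
# project in Word ("Macros") and Excel ("_VBA_PROJECT_CUR"). This is a string
# heuristic, not a full OLE directory parse.
OLE_VBA_STORAGES = ("Macros", "_VBA_PROJECT_CUR")
# Part names Office uses for the VBA project inside OOXML zip containers.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def assess_office_document(data: bytes) -> dict:
    """Return {'format': ..., 'has_macros': bool, 'reasons': [...]} for raw file bytes."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        for name in OLE_VBA_STORAGES:
            if name.encode("utf-16-le") in data:
                reasons.append("OLE storage named %r present" % name)
        return {"format": "ole2", "has_macros": bool(reasons), "reasons": reasons}
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                for part in OOXML_VBA_PARTS:
                    if part in names:
                        reasons.append("container holds %s" % part)
                if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    reasons.append("[Content_Types].xml declares a vbaProject part")
        except zipfile.BadZipFile:
            return {"format": "unknown", "has_macros": False, "reasons": ["corrupt zip container"]}
        return {"format": "ooxml", "has_macros": bool(reasons), "reasons": reasons}
    return {"format": "unknown", "has_macros": False, "reasons": []}


def gateway_verdict(data: bytes) -> str:
    """Hypothetical gateway policy: quarantine any attachment carrying a VBA project.

    The file extension is deliberately ignored: attackers rename .docm to .doc
    and Office still honours the container's real format.
    """
    return "quarantine" if assess_office_document(data)["has_macros"] else "allow"


def make_sample_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container (test data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        ctypes = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macros:
            ctypes += (b'<Override PartName="/word/vbaProject.bin" '
                       b'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # placeholder blob
        ctypes += b"</Types>"
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def make_sample_ole(with_macros: bool) -> bytes:
    """Construct bytes shaped like an OLE2 header plus directory names (test data only)."""
    body = OLE_MAGIC + b"\x00" * 56 + "WordDocument".encode("utf-16-le")
    if with_macros:
        body += b"\x00" * 8 + "Macros".encode("utf-16-le") + b"\x00" * 8 + "VBA".encode("utf-16-le")
    return body


if __name__ == "__main__":
    for label, blob in (("invoice.docm", make_sample_ooxml(True)),
                        ("report.docx", make_sample_ooxml(False)),
                        ("old-invoice.doc", make_sample_ole(True))):
        print(label, gateway_verdict(blob), assess_office_document(blob)["reasons"])
```

On real traffic, feed the raw attachment bytes to `gateway_verdict`; a "quarantine" result is a signal to hold the message for review, not proof of malice, since many legitimate spreadsheets carry macros. That is exactly why the stronger control is to block macros from the internet at the Office policy level on the endpoint as well.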

By February 2016, the Lazarus Group had full access to the bank's credentials for payment transfers, using information stolen with the Dridex malware. They then used these credentials to issue 35 payment orders to the Federal Reserve Bank of New York, asking it to transfer a total of $951 million from Bangladesh Bank's account to accounts in Sri Lanka and the Philippines.

Thirty of the orders, worth $851 million, were flagged for staff review and blocked, but five slipped through, resulting in the transfer of $20 million to Sri Lanka and $81 million to the Philippines. The $20 million sent to Sri Lanka was eventually recovered, but the $81 million sent to the Philippines entered the Philippine banking system on February 5, 2016. The $81 million was then laundered through casinos and later transferred to Hong Kong. Of the $81 million, only about $18 million was recovered, and the stolen funds have been traced to North Korea.

Based on information on the Lazarus Group compiled by Kaspersky Lab, FireEye, Symantec Corp. and BAE Systems Plc, the FBI is reportedly building a case that North Korea directed the theft of $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York.

Yet the Lazarus Group has not been idle since the Bangladesh Bank heist. According to Kaspersky Lab, Bureau 121 and the Lazarus Group are behind the WannaCry ransomware outbreak of May 2017, which left organizations such as FedEx, Nissan and the UK's National Health Service (NHS) in disarray; Merck and DHL were hit by the NotPetya outbreak that followed in June. The WannaCry worm was built on stolen exploit code published by another shadowy hacker group calling itself the "Shadow Brokers".

While little is known about the origin of the Shadow Brokers, the hacking tools they obtained and later released have been identified as belonging to the U.S. National Security Agency (NSA). The tools released by the Shadow Brokers in April 2017 included a Windows exploit named "EternalBlue". EternalBlue exploits a flaw in Microsoft's implementation of version 1 of the Server Message Block (SMBv1) file-sharing protocol, reachable over TCP port 445 (CVE-2017-0144, fixed by Microsoft in security bulletin MS17-010); the flaw had been discovered and kept secret by the NSA.

By May 2017, the hackers at Lazarus had built a self-spreading ransomware worm around the EternalBlue exploit. Microsoft had issued the MS17-010 patch for the flaw in March 2017, two months earlier, but the attack that began on Friday, 12 May 2017 still infected more than 230,000 unpatched computers in over 150 countries within a day. The fact that Microsoft patched the flaw a month before the Shadow Brokers made it public has been the source of a great deal of speculation about what the NSA told the company and when. The aftermath of the WannaCry attack brought members of the political, intelligence and commercial communities into direct conflict over the NSA's practice of withholding vulnerabilities for national security reasons.

The WannaCry attack showed how exposed unpatched and end-of-life Windows systems are. It forced Microsoft to release emergency security updates for older versions of Windows that are no longer supported, including Windows XP, Windows Server 2003, Windows XP Embedded and Windows 7 Embedded.
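EternalBlue, and therefore WannaCry, only reaches hosts that still speak SMBv1, so the first question for a defender is which machines still accept an SMBv1 dialect at all. The probe below is an added example written for this article (not code from the article, from Microsoft or from any vendor). It sends only the SMB_COM_NEGOTIATE request defined in MS-CIFS, offering the single SMBv1 dialect "NT LM 0.12", and classifies the reply; this is the same approach nmap's smb-protocols script takes, and no exploit traffic is involved. A host that accepts the dialect must still be checked separately for the MS17-010 patch, which this probe cannot see. The function names, the target host and port arguments and the constructed response bytes used in the offline demonstration are all assumptions of the example.

```python
"""Probe whether a host still accepts SMBv1 dialect negotiation on TCP 445.

Added example for this article, not code from the article, Microsoft or any vendor.
Only the SMB_COM_NEGOTIATE exchange from MS-CIFS is sent; the reply tells us whether
the SMBv1 server (EternalBlue's target) is reachable. The demo response bytes are
constructed here, not captured traffic.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header: protocol, command, NT status, flags, flags2, PIDHigh,
# signature, reserved, TID, PIDLow, UID, MID (little-endian, no padding).
SMB1_HEADER = "<4sBIBHH8sHHHHH"


def build_smb1_negotiate(dialects=("NT LM 0.12",)) -> bytes:
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering only SMBv1 dialects."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18,     # flags: canonical paths, case-insensitive
                         0xC853,   # flags2: unicode, NT status, long names, ext. security
                         0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # WordCount = 0, then ByteCount and the dialect list.
    body = header + b"\x00" + struct.pack("<H", len(dialect_bytes)) + dialect_bytes
    # NetBIOS session message: type 0x00 and a 3-byte big-endian length.
    return b"\x00" + len(body).to_bytes(3, "big") + body


def parse_negotiate_response(data: bytes) -> str:
    """Classify a raw NEGOTIATE response, with or without its NetBIOS framing."""
    if len(data) >= 4 and data[0] == 0 and int.from_bytes(data[1:4], "big") == len(data) - 4:
        data = data[4:]
    if data.startswith(SMB2_MAGIC):
        return "smb2"                       # server answered in SMB2/3; SMBv1 not in play
    if len(data) < 35 or not data.startswith(SMB1_MAGIC) or data[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    status = struct.unpack_from("<I", data, 5)[0]
    if status != 0:
        return "smb1-error:0x%08x" % status
    word_count = data[32]                   # 17 for NT LM 0.12, 1 when no dialect matched
    dialect_index = struct.unpack_from("<H", data, 33)[0]
    if word_count == 0 or dialect_index == 0xFFFF:
        return "smb1-no-dialect"            # SMBv1 server present but it rejected our dialect
    return "smb1-accepted"                  # SMBv1 negotiated: EternalBlue's precondition holds


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the NEGOTIATE request and classify the reply (does network I/O)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(4096)
    except OSError as exc:                  # refused, reset, timed out, unresolvable
        return "no-smb1-reply:%s" % exc.__class__.__name__
    if not reply:
        return "no-smb1-reply:closed"       # Windows with SMBv1 removed drops the connection
    return parse_negotiate_response(reply)


def make_constructed_response(dialect_index: int) -> bytes:
    """Constructed reply bytes for the offline demonstration (not captured traffic)."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x98,     # flags: reply bit set
                         0xC853, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    if dialect_index == 0xFFFF:
        params = b"\x01" + struct.pack("<H", 0xFFFF)                     # WordCount 1
    else:
        params = b"\x11" + struct.pack("<H", dialect_index) + b"\x00" * 32  # WordCount 17
    body = header + params + b"\x00\x00"                                    # ByteCount 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))   # e.g. python probe.py 10.0.0.5
    else:
        for idx in (0, 0xFFFF):
            print("dialect index 0x%04x ->" % idx,
                  parse_negotiate_response(make_constructed_response(idx)))
```

Run it against your own hosts only. A result of "smb1-accepted" on a Windows machine means the SMBv1 server is still enabled and the host needs MS17-010 confirmed; the durable fix is to disable SMBv1 outright, which on supported Windows versions is `Set-SmbServerConfiguration -EnableSMB1Protocol $false` in PowerShell, after which the same probe returns "no-smb1-reply:closed".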

Yet buried inside the WannaCry code were components that had previously been used by the Lazarus Group. Kaspersky Lab, which has been monitoring the group for years, says that the links between the hacking collective and North Korea are undeniable. According to a leaked memo, the NSA shares the Kaspersky Lab view that Lazarus and North Korea's Bureau 121 were behind WannaCry. Recently updated estimates put the combined cost of WannaCry and the follow-on NotPetya attack to the West at over $4 billion in damages. Losses from the two outbreaks have hit earnings and production at companies such as Nissan, Merck, FedEx and Mondelez.

Bureau 121 also engages in more traditional electronic-warfare efforts directed at military assets. South Korea has repeatedly blamed Bureau 121 for GPS jamming aimed at the South; the most recent case of jamming occurred on 1 April 2016.

More recently, Bureau 121 has reportedly worked alongside its Chinese counterparts in targeting organizations connected to the deployment of the US-made THAAD missile defense system in South Korea. US-based FireEye says it found evidence that the attacks were staged by two groups connected to the Chinese military. One of these groups, named "Tonto Team", is reported to operate from the same hotel in China as North Korea's Bureau 121, pointing to close working collaboration between Beijing and Pyongyang.

"We have evidence that they targeted at least one party that has been associated with the missile placements," stated John Hultquist, the director of cyber espionage analysis at FireEye.

There is no question that North Korean missiles pose a danger to the United States. However, the ongoing cyber-attacks by North Korea through Bureau 121, and its close association with Chinese military intelligence units, show that massive damage can be inflicted without a blinding flash followed by a loud explosion. Indeed, the doomsday scenario contemplated by Kim may start with the click of a mouse.
