People's Republic of Crime



The dark world of North Korean information warfare is filled with many rooms and bureaus. The tiny nation better known for its nuclear threats and ambitions has quietly built an army of crime and profit.

Pyongyang has deployed its leading cyber-warfare unit - Bureau 121 - and attacked unsuspecting targets using a familiar pattern of banking, fraud and social engineering tactics. One such documented attack occurred in 2016 against the Bangladesh banking system, using a combination of social engineering to obtain access to the SWIFT banking network and a Trojan malware to sniff out administrative passwords. The result was $81 million siphoned off via a tangled myriad of front companies leading to North Korea.

It would appear that Bureau 121 has stuck twice again, in late October NIC Asia Bank, based in Kathmandu Nepal, said attackers initiated $4.4 million in fraudulent money transfers from its accounts to accounts in six other countries, including the United States, the United Kingdom, Japan and Singapore.

NIC Asia Bank informed Nepal's central bank, recovering $3.9 million, but $580,000 had already been released to overseas bank accountholders and is now considered lost.

Hackers using the same techniques also attacked the Far Eastern International Bank in Taiwan. Again, using fraudulent SWIFT money-moving messages planted by a Trojan virus they managed to forge transactions that transferred $60 million to foreign banks. The Taiwanese bank reportedly detected the suspicious transactions and was able to recover all but $500,000 of the stolen monies.

SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, is an interbank messaging system comprised of more than 11,000 financial institutions across 200 countries and territories, moving billions of dollars per day. Part of the problem is that Belgian based SWIFT is not ready to share what it knows of the fraud and hacking, instead trying quietly to cover up and patch the system.

The SWIFT network was also the target of U.S. intelligence operations from the National Security Agency. The NSA applied several different tailored attacks against the SWIFT network to track ISIS and Iran through middle-eastern banking systems.

However, malware tools and techniques leaked by several sources inside the NSA have given the Kim regime new weapons to attack the west and profit from it. North Korean hackers, using their standard operating procedure, took advantage of the leaked exploits, attacking mainly 3rd world banks which either lacked the funding or expertise to update their networks.

Far eastern banks are not the only target of the state sponsored crime wave from Pyongyang. North Korea is suspected of trying to raid the accounts of the Irish government. Bureau 121 attempted to steal $6.9 from the Meath County Council in October 2016. The funds were frozen in a bank account in Hong Kong just minutes before they were scheduled to be transferred. The Irish government considered these attacks so threatening to its stability that it has enlisted the aid of the British GCHQ in order to defend itself.

It is now believed the North Korean's utilized a stolen NSA exploit known as ETERNALBLUE to develop and deploy the recent massive WannaCry ransomware attack against the west. The attack did not generate much income for the Bureau 121 gang, yielding only about $140,000, because they inadvertently left a kill-switch inside the malware.

Lesser known criminal enterprises run by the Kim regime also include more conventional forms of crime. Room 38 and Room 39 of the Central Committee Bureau are two such organizations that have played a significant role in the rise of drug cartels from the Far East, South America and Mexico. According to the latest intelligence reports, Chon Il Chun, first vice department director of the party’s Central Committee and a former classmate of Kim Jong Il was leader of the office.

Pyongyang's Room 38 and Room 39 coordinate most of the criminal operations carried out by North Korea. Room 39 is known to maintain contacts with other organized global criminal groups, supplying them with intelligence information, transportation and weapons. Bureau 38 is known to ship heroin all over Asia and vast quantities of methamphetamines to China and the Philippines. Additionally, in February 2017, Bureau 39 shipped encrypted communications systems and man-portable anti-aircraft missiles to unnamed countries in Asia and Africa.

Rooms 38 and 39 also run networks of illegal and legal companies that often change names. Two companies documented as part of Room 39 is the Zokwang Trading and Taesong Bank. North Korean Room 39 ventures produce vast quantities of textile products each year marked with fake MADE IN CHINA" labels. Estimates are that Room 39 earns as much as $2 billion a year illegally for Kim.

The addition of Room 38 and Room 39 to the information security attack structure provides avenues for North Korean insider attacks against international banking, financial, corporate and government systems. The use of sex, drugs and bribery to recruit or blackmail trusted employees and officials by Room 38/39 combined with malware and info sec attacks via Bureau 121 adds an entire new dimension to Kim's arsenal.

The lethal combination of insider and cyber war ops may explain more recent successful attacks against the South Korean Defense ministry where US and South Korean military plans were stolen. The insider attack avenue may have also played significant roles in national security breaches inside South Korean warship products and the Australian sub contractor breach of data on the F-35 Joint Strike Fighter. Insider information may well have also played a major role in North Korean operations against the SWIFT banking network such as knowledge of network hardware weaknesses identified during the Bangladesh bank theft.

While western officials have ramped up efforts to narrow the DPRK cyber warfare operations it appears the assault from Pyongyang continues unabated. The availability of malware tools provided by leaks inside the U.S. NSA combined with poor security updates and patches for known exploits applied by corporate and business partners has given Kim an open field of crime and disruption. Major breaches such as the Equifax strike are clearly something that Bureau 121 could have carried out and Kim having the financial/personal data of over 160 million Americans is not something to be taken lightly.




ALL our products on hard copy CD - LINUX, Android and Windows in one package

ENTERPISE COMBO PACK ALL - Cypher with light sensor, PDA and introducing Choctaw encrypted Email

Contact Us: