North Korea’s cyber army, long considered a midlevel security threat, is quietly morphing into one of the world’s most sophisticated and dangerous hacking machines.
Over the past 18 months, the nation’s fingerprints have appeared in an increasing number of cyberattacks, the skill level of its hackers has rapidly improved and their targets have become more worrisome, a Wall Street Journal examination of the program reveals. As recently as March, suspected North Korean hackers appear to have infiltrated Turkish banks and invaded computer systems in the run-up to the Winter Olympics, cybersecurity researchers say.
For years, cybersecurity experts viewed North Korea as a second-rate hacking force whose attacks were disruptive but reasonably easy to decode. Researchers rated its operational skills well behind countries such as Russia, Israel and the U.S.
Those days appear to be over, with Pyongyang flashing levels of originality in its coding and techniques that have surprised researchers. It also has shown a willingness to go after targets such as central banks and point-of-sale systems. As North Korea prepares for possible negotiations with Washington aimed at freezing its nuclear program, its hacking capabilities could help it generate money to compensate for economic sanctions or to threaten foreign financial institutions.
North Korea is cultivating elite hackers much like other countries train Olympic athletes, according to defectors and South Korean cyber and intelligence experts. Promising students are identified as young as 11 years old and funneled into special schools, where they are taught hacking and how to develop computer viruses.
“Once you have been selected to get into the cyber unit, you receive a title that makes you a special citizen, and you don’t have to worry about food and the basic necessities,” says Kim Ji-hong, who studied software programming and hacking for six years at North Korea’s top technical university before defecting to South Korea three years ago.
To assess North Korea’s cyber program, the Journal interviewed dozens of North Korean defectors, foreign cybersecurity researchers, South Korean government advisers and military experts. The researchers emphasize that catching hackers is difficult, and that they can’t be 100% certain that every attack attributed to North Korea was orchestrated by its cyberwarriors.
These experts point to numerous signs that the hackers have become better. North Koreans are acting on security glitches in widely used software only days after the vulnerabilities first appear, and crafting malicious code so advanced it isn’t detected by antivirus programs, they say. When software or security firms plug holes, the hackers are adapting within days or weeks, fine-tuning their malware much as Apple Inc. would release an update to the iPhone’s operating system.
Many North Korean hackers are using perfect English or embedding other languages into their code to make it appear that hacks came from other countries, the researchers have concluded. And they are earning a reputation as innovators at breaking into smartphones, hiding malware in Bible apps or using Facebook Inc. to help infect targets.
“The whole world needs to take notice,” says John Hultquist, director of intelligence analysis at U.S. cybersecurity firm FireEye Inc., who now ranks North Korea among the world’s mature hacking operations.
North Korea has denied involvement in hacking attacks, including last year’s WannaCry ransomware, which locked digital files and demanded bitcoin payment for their release, or the 2016 cybertheft of $81 million from Bangladesh’s central bank. Calls for comment to the North Korean consulate in Hong Kong weren’t answered.
Researchers say telltale signs are buried deep inside the malware and coding: Korean words only used in the North, the use of data servers commonly associated with Pyongyang hacks and files created by usernames linked with the country’s hackers.
The U.S. and other governments have publicly blamed North Korea for an array of infiltrations in recent months, including WannaCry, citing patterns in coding and techniques they say lead to Pyongyang. South Korean officials estimate their country is now targeted by 1.5 million North Korean hacking attempts daily, or 17 every second.
Late last year, North Korean hackers were the first to unearth a vulnerability in the popular Adobe Flash multimedia player that allowed an unchallenged attack to go undetected for months, according to cybersecurity researchers. After Adobe released a security patch in February, the suspected Pyongyang cyberwarriors modified the malware to target European financial institutions, giving them the ability to steal sensitive information about their networks, according to cybersecurity firm McAfee LLC.
North Korea’s cyber advances parallel its breakthroughs in missile technology since Kim Jong Un assumed power in 2011.
Many suspected North Korean attacks occur without a clear objective. Some researchers have described it as akin to an organized-crime ring seeking any weaknesses to learn about enemies or generate cash. Researchers generally agree the program is becoming more focused on obtaining military intelligence or earning income as sanctions tighten and negotiations with the U.S. approach.
“Hacking abilities give them a much stronger hand at the negotiating table,” says Ross Rustici, a director at cybersecurity firm Cybereason Inc. and a former Defense Department analyst.
In October, South Korean lawmakers said North Koreans had stolen 235 gigabytes of data and military secrets, including a joint U.S.-South Korean plan to eliminate Pyongyang leadership in the event of war. North Korean hackers are believed to have stolen hundreds of millions of dollars, ranging from stealing credit-card information from ATMs to a $530 million raid of a Japanese cryptocurrency exchange in January.
Cryptocurrencies appear to be a particular interest. Last year, suspected North Korean hackers began creating fictitious Facebook profiles, posing as attractive young women interested in bitcoin or working in the industry, according to people familiar with a South Korean investigation into the matter. They sought friendships with men at cryptocurrency exchanges and banks.
The Facebook accounts listed links with an “NYU Research Center” and other institutions to make them appear believable. Then the hackers lured men into opening app downloads or Word documents, disguised as greeting cards or invites, that flooded their systems with malware, say the people familiar with the investigation.
It isn’t clear what the scheme netted. Facebook shut down fake accounts used by hackers linked to North Korea that “pretended to be other people in order to do things like learning about others and building relationships with potential targets,” the company said in December.
North Korea also has been using targeted “watering hole” attacks, in which a person’s computer becomes infected by visiting a particular website the attackers have compromised, according to cybersecurity researchers. Research firms say Pyongyang used watering holes to target banks in Mexico, Poland and Asia in 2016, leading to security improvements by those institutions and antivirus software firms.
North Korea re-emerged last June with a watering hole variant that uses different encryptions and commands, according to cybersecurity firm Proofpoint Inc., which named the malware PowerRatankba.
The adaptation “shows that North Korea can recover when a researcher finds their tooling, publishes on it and lets the world know how to stop it,” says Ryan Kalember, a Proofpoint senior vice president. “They are developing their own tools with a software-development life cycle, making products and improving them over time.”
North Korea’s hacking program dates at least to the mid-1990s, when then-leader Kim Jong Il said that “all wars in future years will be computer wars.”
Its hacking made headlines in 2014 by knocking the computer systems of Sony Corp.’s Sony Pictures Entertainment offline, erasing company data and pilfering troves of emails that eventually became public. The attack itself, cyber researchers now say, deployed an uncomplicated, widely available “wiper” tool.
Defectors and South Korean cyber experts say hacker trainees recruited by North Korea’s government get roomy Pyongyang apartments and exemptions from mandatory military service.
Mr. Kim, the defector who says he received such training, describes intense preparation for annual “hackathon” competitions in Pyongyang, in which teams of students holed up learning to solve puzzles and hacking problems under severe time pressure.
“For six months, day and night, we prepared only for this contest,” he says. He recalls going home for a meal after an all-night prep session only to wake up with his head resting in his bowl of soup. “It was everyone’s dream to be a part of it.”
Top performers, he says, get jobs foraging for money via websites of overseas banks or targeting computer networks for intelligence in countries such as the U.S.
“To maintain the nuclear program and build more weapons and maintain the North Korean regime, a lot of hard currency is needed, so naturally attacking banks is of first importance,” he says.
Some trainees are sent overseas to master foreign languages or to participate in international hackathons in places such as India or China, where they compete against coders from around the world. At a 2015 global competition called CodeChef, run by an Indian software company, North Korean teams ranked first, second and third out of more than 7,600 world-wide. Three of the top 15 coders in CodeChef’s network of about 100,000 participants are North Korean.
The defectors and South Korean researchers say North Korea’s cyber army has about 7,000 hackers and support staffers, loosely divided into three teams. The A team, often called “Lazarus” by foreign researchers, attacks foreign entities and is associated with North Korea’s most headline-grabbing campaigns, such as the WannaCry and Sony attacks.
The B team traditionally focused on South Korea and swept for military or infrastructure secrets, though it has begun mining for intelligence elsewhere recently, the cyber researchers say. The C team does lower-skilled work, such as targeted email attacks called spear phishing.
While its earlier attacks used well-known tools and familiar coding, Pyongyang tried to learn from better hackers abroad, says Simon Choi, a cybersecurity consultant to South Korea’s government who tracks online behavior. North Korean-linked accounts on Facebook and Twitter began following famous Chinese hackers and marked “like” on pages of how-to books outlining how to make malicious code for mobile devices, he says. Some North Koreans registered for online courses offered in South Korea teaching people how to hack smartphones, he says.
North Korea has planted programmers abroad where they can more easily connect online with the global financial system, security firms say. Recorded Future Inc., an intelligence firm, says it has tracked cyber activities with North Korean fingerprints to places such as China, India, New Zealand and Mozambique.
McAfee said it took suspected North Korean cyberwarriors just seven days in December to discover and use Invoke-PSImage, a new open-source hacking tool, to target groups involved in the Winter Olympics. McAfee said hackers used the tool to custom-build a malware download that was invisible to most antivirus software and hid malicious files in an image attached to a Microsoft Word document.
Researchers say they were particularly impressed with the recent attack that capitalized on previously unknown vulnerabilities in Adobe Flash. According to South Korean and U.S. cyber researchers, the malware popped up in November targeting South Koreans, attaching itself to Microsoft Office files distributed by email. Victims infected their computers by viewing embedded Adobe Flash content in Word documents or spreadsheets. Hackers were then able to gain remote access to those PCs and steal files.
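The delivery path described above, Flash content embedded inside Office documents, is something a mail gateway or analyst can check for without knowing the specific exploit. The following Python script is an added example written for this page; it is not code from the article, from McAfee or from any vendor named here. It treats an Office Open XML file (.docx, .xlsx) as the zip archive it is and flags two indicators: a part that carries a Flash (SWF) file header, recognizable by the signatures FWS, CWS or ZWS followed by a version byte and a four-byte length, and an ActiveX part that references the ShockwaveFlash control’s class identifier. The sample documents are constructed in memory and are not real malware; the padding, part names and the fake SWF header are assumptions made for the demonstration.

```python
"""Defender-side scan of an Office Open XML document for embedded Flash content.

Added example for this article; not the article's or any vendor's code.
"""
import io
import zipfile

# A SWF file starts with one of three signatures (uncompressed, zlib, LZMA),
# then a one-byte version and a four-byte little-endian uncompressed length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Class identifier of the ShockwaveFlash ActiveX control, as written into
# the activeX*.xml parts of an OOXML document that embeds Flash.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"


def swf_header_offset(data: bytes) -> int:
    """Return the offset of the first plausible SWF header in data, or -1.

    A bare three-byte signature match is not enough; the version byte and the
    declared length are checked so that random bytes are rarely reported.
    """
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = data.find(sig, start)
            if idx < 0:
                break
            if idx + 8 <= len(data):
                version = data[idx + 3]
                declared_len = int.from_bytes(data[idx + 4:idx + 8], "little")
                if 1 <= version <= 60 and declared_len >= 8:
                    return idx
            start = idx + 1
    return -1


def find_embedded_flash(doc_bytes: bytes) -> list:
    """Return (part name, indicator) pairs for every suspicious part in the document."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return findings  # not OOXML (e.g. legacy binary .doc); out of scope here
    for info in archive.infolist():
        data = archive.read(info.filename)
        if swf_header_offset(data) >= 0:
            findings.append((info.filename, "swf-signature"))
        elif info.filename.lower().endswith((".xml", ".rels")):
            text = data.decode("utf-8", "ignore").upper()
            if FLASH_CLSID in text:
                findings.append((info.filename, "flash-clsid"))
    return findings


def _build_docx(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip from a mapping of part name to bytes (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in parts.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample 1: an ordinary document with no embedded objects.
CLEAN_DOC = _build_docx({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:body><w:p>Quarterly report</w:p></w:body></w:document>",
})

# Constructed sample 2: a fake SWF header (signature FWS, version 10, declared
# length 64) buried inside an OLE object part, plus an ActiveX part naming Flash.
FAKE_SWF = b"FWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
SUSPECT_DOC = _build_docx({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/activeX/activeX1.xml": b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>',
    "word/embeddings/oleObject1.bin": b"\x00" * 512 + FAKE_SWF,
})


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("suspect", SUSPECT_DOC)):
        print(label, find_embedded_flash(doc) or "no Flash indicators")
```

The scan reports the ActiveX part and the OLE part of the constructed suspect document and nothing for the clean one. Legacy binary formats (.doc, .xls) are compound files rather than zips and would need a separate parser; a real gateway would also want to unpack nested archives and password-less zips before applying the same check.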
Adobe put out a security advisory on Feb. 1 and released a software patch five days later. FireEye said it suspected the malware came from North Korean hackers.
Within weeks, suspected Pyongyang hackers had adapted the original malware, which then appeared in attacks on financial institutions in Turkey in early March, according to McAfee. Although no money was taken, the attacks likely obtained intelligence, possibly including details of how the banks’ internal systems work, McAfee said.
“This malware was not written by some average Joe,” says Christiaan Beek, McAfee’s senior principal engineer.
Mr. Choi, the South Korean cyber consultant, digitally pursued the author of the malware, piecing together biographical details from the attack. He eventually found what he believes is the male hacker’s Facebook page. Both the listed hometown and the current city were Pyongyang.