1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

North Korean cyber robbery

Wesley Rahn
April 12, 2017

A cybersecurity firm has uncovered a link between a global hacking syndicate and N. Korea. The US is investigating the country's involvement in a 2016 heist of $81 million. But finding a smoking gun will not be easy.

Russland Moskau Eingang zum Internet Konzern Kaspersky
Image: Getty Images/AFP/K. Kudryavtsev

It was one of the largest bank heists in history — and the thieves didn't even need a getaway car.

In February 2016, $81 million (72 million euros) was stolen from the account of the Bangladesh central bank at the Federal Reserve Bank of New York. Over the course of a day, more than 30 transfer orders from Bangladesh Bank requested transactions totaling nearly $1 billion (940 million euros). Most of them were rejected, four got through.

A sophisticated cyberattack was behind the heist, with hackers electronically infiltrating the Bangladesh Bank in Dhaka, obtaining the SWIFT codes and issuing the transfer orders. More than a year after the incident, investigators and cybersecurity companies are still tracking down the thieves. One of the prime suspects is an international hacking group known to investigators as Lazarus.

Bangladesch Gebäude der Bangladesh Central Bank
The Bangladesh central bank has recovered around $18 million of the stolen fundsImage: Reuters/A. Rahman

Kaspersky Lab, a leading international cybersecurity firm, last week released the results of a year-long investigation into Lazarus. During the investigation, an IP address directly linking Lazarus hackers to North Korea was uncovered. According to the report, Lazarus has left its fingerprints on financial attacks in 18 countries.

Vitaly Kamluk, head of Kaspersky Lab's Global Research & Analysis Team, told DW that even though Lazarus attackers are careful in hiding their tracks, at least one server they breached in January 2017 contained a serious mistake. 

The server, which was located in Europe, was being configured as a command and control center for malware. Hackers typically route their attacks through proxy servers that hide their location, but in this instance, a direct location was left behind.

"The first connection made on the day of configuration came from a few proxy servers, indicating a testing period. However, there was one short connection on that day that came from a very rare IP address range in North Korea," Kamluk said.

A statement by Kaspersky Lab issued last week stated "as researchers, we prefer to provide facts rather than speculation. Still, seeing the IP in the C2 log does make North Korea a key part of the Lazarus/Bluenoroff equation." Bluenoroff is a name given by Kaspersky to a subunit of Lazarus that attacks banks and financial institutions.

Kaspersky Lab 2017
Image: Kaspersky

Pyongyang's digital arms

If North Korea was involved in the Bangladeshi cyber heist, it wouldn't be the first time that the rogue state has been implicated in a major hacking attack.

The type of malware used by Lazarus was linked to the 2014 Sony hack, which erased the entertainment company's servers and cost it at least $15 million. The US Federal Bureau of Investigation (FBI) blamed the attack on North Korea and in 2015, the US issued sanctions on North Korean businesses and officials. North Korea denied the accusations. 

And the South Korean government blamed a 2013 cyberattack on the North. The attack temporarily crippled three major South Korean financial institutions and two national broadcasters. The malware used in the attack is known as "Dark Seoul." The South Korean government said they had evidence linking the tactics and traces of IP addresses to North Korea.

And although finding a definitive "smoking gun" is a difficult task in investigating cyber crimes, there is consensus among experts that the regime in Pyongyang is using cyberwarfare as a key element of its survival strategy.

"North Korea has used crime to support the Kim family's expensive tastes and the DPRK's WMD program for decades. The DPRK has merely turned state-run criminal enterprises to cybercrime," James Lewis, an international cybersecurity expert at the Center for Strategic and International Studies (CSIS), told DW.

"There is no doubt that North Korea was responsible for the Bangladeshi hack," said Lewis. "They are not going to stop since this is an important new source of hard currency for the regime." 

US federal investigation

Symbolbild Cyberterror Internet
North Korea has repeatedly targeted the South with cyberattacksImage: AP

The US government is also investigating if North Korea had a hand in the Bangladesh heist. In March, the Wall Street Journal reported that US federal prosecutors were building a case that would "accuse North Korea" of directing the cyber robbery. According the report, prosecutors would target Chinese middlemen whom allegedly assisted North Korea in pulling off the heist.

Rick Ledgett, the deputy director of the US National Security Agency, told reporters on March 15 that private research tying North Korea to the Bangladesh bank theft was "strong."

"If that's true, then that says to me that the North Koreans are robbing banks," Ledgett said. "That's a big deal."

"We can’t definitely say that Lazarus is funded by the North Korean government," said Kaspersky's Kamluk. "We can only analyze the technical details of the Lazarus group's operations."

Targets of opportunity

During the investigation into Lazarus, in August 2016, Kaspersky Lab narrowly prevented a Southeast Asian bank from being attacked. According to Kaspersky, the malicious software had been undetected in the bank's systems for eight months. The attackers also used a very similar code base for the malware that was used in the Bangladesh heist.

"The attackers had a foothold in the company for over seven months," read a statement by Kaspersky. "The Southeast Asian bank was breached at the time when the Bangladesh heist happened."

"During our research, we prevented at least two bank heist attempts by the Lazarus group," said Kamluk. "We identified new malware samples in the wild regularly during 2016 and up until March 2017. At the moment, the attackers seem to be quiet, but we believe they will come back soon." 

Skip next section DW's Top Story

DW's Top Story

Two women speak to a crowd holding EU and Moldovan flags
Skip next section More stories from DW
Go to homepage