Sanctions the U.S. government imposed on North Korea’s intelligence services Friday pull back the curtain on a rogue regime that allegedly uses its hacking skills for criminal theft as often as it does for traditional spying and sabotage.
The Treasury Department accused the regime of more than $1 billion in hacking thefts committed by a division of the North Korean intelligence service dubbed Lazarus Group — much of it stolen from financial institutions in South Korea, India, Mexico, the Philippines and elsewhere. The Lazarus Group also stole about $571 million from cryptocurrency exchanges, the Treasury Department said.
Most of that stolen revenue goes to funding operations for the cash-starved regime, including its nuclear weapons and ballistic missiles programs, Treasury said.
The sanctions come about one month after a United Nations report found North Korean hackers had raised as much as $2 billion for the nation's weapons of mass destruction programs.
“Security experts believe the Lazarus Group stepped up its activity after U.N. sanctions were imposed on North Korea over its nuclear program, effectively starving the government of revenue,” as my colleagues Carol Morello and Ellen Nakashima reported.
A Lazarus division has even been accused of hacking automatic teller machines to steal cash and customer data it can sell on the black market, Carol and Ellen reported. Most brazenly, the group tried to steal more than $800 million via an interbank messaging system called SWIFT but succeeded only in looting about $81 million from Bangladesh’s central bank.
Pyongyang’s alleged reliance on hacking to fund its operations distinguishes it from other major U.S. cyber adversaries, such as Russia and Iran, which hack to gather intelligence and damage adversaries rather than to line their own coffers.
Even Chinese intelligence services, which are renowned for stealing other nations’ intellectual property, typically pass that IP to Chinese companies rather than profiting from it themselves.
North Korea’s believed reliance on hacking to fund its operations also means the United States has even less leverage as it tries to force the regime to change its ways, as John Hultquist, director of intelligence analysis for the cybersecurity company FireEye, pointed out to my colleagues.
“Do I think North Korea will change their ways? I think that’s a hard road. I think that’s fairly unlikely,” Hultquist said. “It’s not really about them projecting power. It’s about them funding themselves to survive.”
But the fact that Pyongyang often appears to be hacking for money -- rather than to gather intelligence or make an ideological point -- does make U.S. sanctions a particularly effective counterstrike, said Chris Painter, the former State Department cyber coordinator during the Obama administration and the early months of the Trump administration. That's because U.S. sanctions can make it extremely difficult for the North Korean hackers to do anything with the money once they've stolen it.
"For North Korea in particular, where the goal of a lot of these things is to bring in hard currency, it might have more of an effect than it otherwise would," Painter told me.
He acknowledged, however, that these particular sanctions may not add many financial penalties because North Korean intelligence agencies already face a raft of U.S. sanctions.
There's also a symbolic value to the sanctions, as Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, pointed out in a statement.
“Responsible nations do not engage in this kind of destabilizing behavior, and we must take action to hold irresponsible states accountable,” Langevin said. “Malicious cyber actors around the world need to know that they cannot act with impunity.”
The sanctions also describe North Korean hacking operations that weren’t aimed at earning revenue, including the 2014 attack against Sony Pictures Entertainment, which destroyed some of the film company’s data and leaked embarrassing emails in retaliation for Sony producing a gross-out comedy featuring the fictionalized assassination of North Korean ruler Kim Jong Un.
Government officials in the United States and other nations have also blamed North Korea for the 2017 WannaCry attack — the largest ransomware attack in history — which locked up 300,000 computers in more than 150 countries.
PINGED: Russian intelligence agencies compromised FBI communication systems soon after 2010 and launched a brazen and multi-year effort to undermine the bureau’s investigations and ability to track Russian spies, Yahoo News’s Zach Dorfman, Jenna McLaughlin and Sean D. Naylor report.
As a result of the operation, which the U.S. intelligence community became concerned about in 2012, the Russians “dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams,” Yahoo reported. U.S. officials even “feared that the Russians may have devised other ways to monitor U.S. intelligence communications, including hacking into computers not connected to the internet,” they reported.
The operation also “gave Russian spies in American cities including Washington, New York and San Francisco key insights into the location of undercover FBI surveillance teams, and likely the actual substance of FBI communications,” Yahoo reports.
PATCHED: Australian cyberintelligence officials have determined that China was responsible for a cyberattack on the Australian parliament and its three largest political parties just months before its general election in May, Colin Packham at Reuters reports. In an effort to protect trade ties with China, however, the government kept the perpetrator of the attacks quiet, sources say.
Australia first revealed the hack in February and advised lawmakers to change their passwords. While the hackers gained access to “policy papers on topics such as tax and foreign policy, and private email correspondence between lawmakers, their staff and other citizens,” sources tell Reuters, it's unclear whether the information was used to influence the election. Australia shared its investigation's findings with allies including the United Kingdom and United States, Reuters reported. The U.S. State Department and the Australian prime minister's office did not respond to Reuters' requests for comment.
China’s Foreign Ministry denied involvement in the attacks.
PWNED: A recent meeting between Silicon Valley tech companies and U.S. national security officials turned heated when Shelby Pierson, leader of the intelligence community's new election threats group, criticized the companies for not sharing enough user data to combat disinformation campaigns, the Wall Street Journal's Dustin Volz and Deepa Seetharaman report.
One Twitter executive retorted that it was the Trump administration holding back on sharing information with industry, Dustin and Deepa reported. Some companies also expressed concerns that intelligence agencies' requests could violate consumer privacy laws, highlighting a growing division between the two groups most responsible for protecting the 2020 U.S. elections from disinformation operations.
“This is such a complicated space,” April Doss, a former intelligence lawyer at the National Security Agency, told the Journal. “Our traditional models of public-private interaction really don’t have a template for how to handle this.” While both social media companies and government agencies have increased their efforts to police election disinformation since 2016, tech companies still remain wary about cooperating with security agencies more than six years after former intelligence contractor Edward Snowden revealed the extent of the technology industry’s partnerships with government surveillance, Dustin and Deepa report.
Meanwhile, the Senate Intelligence Committee plans to release a report on how to prepare for disinformation in the 2020 election in the coming weeks, they report.
More than six years after Edward Snowden leaked top-secret documents detailing the National Security Agency's surveillance practices, the whistleblower now tells the Guardian's Ewen MacAskill that the use of artificial intelligence has only increased the risks of mass surveillance.
“The greatest danger still lies ahead, with the refinement of artificial intelligence capabilities, such as facial and pattern recognition,” Snowden said in a wide-ranging interview tied to his new memoir. He warned that big Internet companies are aiding the process of “creating a permanent record of everyone on earth, recording the whole of their daily lives.”
Snowden, reviled by some as a traitor and lauded by others as a hero, has also seen his memoir inspire members of the cybersecurity community to revisit his controversial legacy:
Jake Williams, founder of Rendition InfoSecurity and a former Defense Department analyst, had this to say about the circumstances of Snowden's decision:
It's worth noting that I don't endorse Snowden's actions, but I DO have a better understanding than most what his options really were. So let's talk about that a little. — Jake Williams @IANS Chicago (@MalwareJake) September 15, 2019
First, it's easy to say "but whistleblower protections!" That is the WORST POSSIBLE argument to use here. 2/
Then there's the question of "why did he go to Russia then"? But that just demonstrates you don't know history (or refuse to Google). Russia was not the first country to offer Snowden asylum. Each country that offered before Russia withdrew the asylum offer. 5/ — Jake Williams @IANS Chicago (@MalwareJake) September 15, 2019
Dragos founder and CEO Robert M. Lee said that Snowden is “historically relevant regardless of anyone's emotions on him,” but raised doubts about elements of Snowden's story.
He was essentially a SharePoint administrator. That’s not to belittle him, it’s a great job. But he has consistently made claims of being involved in operations, doing attribution, being asked to do intelligence analysis on high profile cases, etc. that are utterly false — Robert M. Lee (@RobertMLee) September 15, 2019
— Cybersecurity news from the public sector:
The danger of Internet-connected devices getting hacked is greater than ever, researchers warn in two recent reports. If connected device companies fail to address known security risks in their devices, it could leave millions of homes and businesses open to cyberattacks, the researchers warn.
Researchers at Independent Security Evaluators found that the number of hackable vulnerabilities in 13 popular Internet-connected routers and other devices more than doubled between 2013 and 2019. And some of the same vulnerabilities were still there six years later, they found.
ISE founder Stephen Bono said that even a “rudimentary vulnerability assessment” would have found many of the vulnerabilities, including ones that allowed full device access. “This indicates that these manufacturers likely undergo no such assessment whatsoever,” he said.
Meanwhile, security researchers at F-Secure found more than three times as many attempted attacks on IoT devices in early 2019 as in the same period a year earlier. Researchers say the findings demonstrate a growing interest from hackers in the IoT industry, which has sometimes struggled to meet even basic security standards.
- The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency will host its second annual National Cybersecurity Summit September 18-20 in National Harbor, Maryland.