APT 38 is Kim Jong-un's highly skilled group of bank hackers. After raising $1 billion for the country from heists, its attention turned to cryptocurrency.
Marine Chain looked like any other ambitious startup. Its website, which first appeared online in April 2018, had a trendy .io domain name and promised potential investors a way into the lucrative international shipping industry.
By throwing their money into a Vessel Token Offering, an alternative cryptocurrency based on the Ethereum blockchain, investors would be able to own parts of ships and then trade with other buyers. Its slickly produced two-page business plan was designed to capture the imagination of potential buyers. The company predicted that by 2022 five per cent of global vessel transactions would take place on its platform.
But this was never going to happen. Marine Chain was a scam backed by North Korea’s cyber warriors in a bid to trick would-be investors. The website was actually a crude copy of rival business Shipowner.io. Jonathan Foong, its chief operating officer, has previously been linked to Singaporean companies that help facilitate North Korean activities.
The existence of Marine Chain – which never started selling its cryptocurrency but is believed to have had the technology in place to do so – marks a shift in the hermit nation's embrace of cryptocurrencies as a way of evading economic sanctions. From bans on the imports of coal, wood and minerals to sanctions blocking luxury goods and placing restrictions on fishing rights, the restrictions are designed to force North Korea to abandon its nuclear weapons program by crippling its fragile economy.
North Korea’s response has been to hack and scam its way out of trouble. The country's state-funded hackers have been linked to a number of cyberattacks on cryptocurrency exchanges as well as traditional banks, stealing more than a billion dollars in the process. A recent report by the United Nations Security Council criticised North Korea for dodging sanctions. The UN said Marine Chain's Foong provided it with "contradictory information" when it questioned him about his involvement in the scam and that his answers didn't meet its "evidentiary standards". WIRED contacted Foong about the report’s findings but did not receive a response.
Between January 2017 and September 2018, North Korea's state-sponsored hackers are thought to have stolen $571 million in cryptocurrency from five exchanges in Asia. "Cyberspace is used by the DPRK as an asymmetric means to carry out illicit and undercover operations in the field of cybercrime and sanctions evasion," one country told UN investigators.
But this is just the tip of the iceberg. At the centre of North Korea’s money-spinning cybercrime operation is one elite group of hackers. The group, known as APT 38, believed to number fewer than 20 people, is said to be highly-skilled, well-resourced and directly responsible for bringing in $1 billion for the country’s economy in 2018 alone. The money has been stolen from a combination of cryptocurrency exchanges and by attacking banks with substandard security protocols.
One European security source speaking to WIRED emphasises the prolific nature of the group. "What is not well known is that one team, comprising a handful of individuals known collectively as APT 38, is responsible for the vast majority of these attacks," the source says. "APT 38 is controlled by North Korea's principal intelligence organisation, the Reconnaissance General Bureau."
The source adds that the group has been responsible for "indiscriminate attacks" in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey and twice in both Chile and Vietnam. It is highly likely that the group has also attempted to target banks in western Europe but a higher level of cybersecurity protection has prevented the attacks from being successful.
When North Korean hackers have stolen money, it is almost always funneled back into the country’s military operations, sources say. "Security analysts are unanimous in assessing that the funds stolen by APT 38 – a significant percentage of North Korean GDP – are channelled into the DPRK's missile and nuclear development programs," the source adds.
With an overall increase in the number of attacks against cryptocurrency exchanges, it’s become clear that North Korea is using the likes of bitcoin as a way of propping up its economy. “Cybersecurity is no longer just about stopping criminals or protecting your technology,” a separate senior western security source says. “It is about preventing regimes like North Korea from obtaining the means to wage nuclear war.”
"We need to ask ourselves – when North Korea tests their next missile, is it really ok that they paid for it with bitcoin?"
Park Jin Hyok is a wanted man. On September 6, 2018, the United States Department of Justice charged him, through a 176-page indictment, with working on behalf of the North Korean government from within North Korea and China. Park, the indictment states, helped to launch the WannaCry ransomware attack and also assisted with targeted attacks on Sony and Lockheed Martin.
The charges were comprehensive. Using evidence from 100 search warrants, 1,000 email and social media accounts, and 85 requests from foreign governments, the FBI was able to track Park's online activity. It identified him as being tied directly to four email addresses (email@example.com, firstname.lastname@example.org, pkj0615710@hotmaiI.com, email@example.com) and these in turn were linked to email accounts and social media profiles of what is said to be Park's alias – Kim Hyon Woo.
The FBI also says Park used a range of IP addresses linked to North Korea. The first grouping (188.8.131.52 – 184.108.40.206) is registered to one North Korean company in Pyongyang. The second block (220.127.116.11 – 18.104.22.168) is registered in China but has been leased by North Korea for some time, the indictment says. Many of these identifiers are linked back to attempts to target US defence workers, academics, energy companies and cryptocurrency exchanges.
But Park is just one small cog in a much larger cybercrime machine. North Korea has a number of state-sponsored hacking groups. The most infamous? Lazarus (known as Hidden Cobra in the US), which has been blamed for both the Sony hack and WannaCry ransomware.
In October 2018, security firm FireEye singled out one part of Lazarus and declared it as a group with a separate mission. The group was dubbed APT 38, a covert cybercrime cell that specialised in hacking financial organisations to prop up North Korea’s economy. FireEye believes Park, and there may be others like him, "had a malware and/or operational development role" and his work was shared across different North Korean hacking groups when deemed relevant. Some of the code from WannaCry, for instance, has also been used in attacks conducted by APT 38.
FireEye says APT 38 has been active since at least 2014 and it has seen more than 16 organisations, in 13 countries, targeted by its hackers. The vast majority of the group's attacks have been against traditional banks and financial institutions. It targets internal IT systems, makes fraudulent payments, and then attempts to channel the money back to North Korea. Within North Korea, APT 38 is, according to FireEye, "associated with Lab 110, an organisation subordinate to or synonymous with the 6th Technical Bureau in North Korea's Reconnaissance General Bureau (RGB)." One unnamed country told the UN that it believed the RGB has "cyber-focused military units [that] are directly tasked to generate income for the regime".
"I think it is probably the most advanced of the North Korean groups," says Ben Read, a senior manager of cyber-espionage analysis at FireEye. "They've been able to compromise a lot of banks and move a lot of money outside their walls," Read says. "If they do it well, it just sort of disappears.”
Not a huge amount is known about the makeup of APT 38. Estimates put its size at around 20 operatives. It is highly organised and plans its operations carefully. According to the website Pyongyang Papers, it is located in the north-western city of Sinuiju, which borders China, the country's most important trade partner. One of APT 38’s favourite methods of attack is spear-phishing, which, to avoid detection, requires detailed knowledge of how company employees communicate. To help with this, APT 38’s operatives are believed to be fluent in a number of languages.
In February 2016, when APT 38 stole $81 million from Bangladesh Bank, dozens of phishing emails were sent to employees from accounts linked to Park. In one case the firstname.lastname@example.org email account sent a phishing attempt to a bank employee who had been researched a month earlier on Facebook by another account. "The group is careful, calculated, and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals," FireEye says.
To conduct its sophisticated operations, APT 38 has a lot of time, money and access to high-speed internet connections. On average, the hacking group spends 155 days inside the computer networks of its targets before completing an attack. In one instance, FireEye says, the group was inside a network for around two years before it struck.
More recently, North Korea’s hacking efforts have turned towards cryptocurrencies. At this stage it isn't known whether APT 38 has directly hit exchanges, or whether another part of the state's hacking apparatus is responsible. FireEye believes APT 38 compromised a cryptocurrency news website in 2016 to learn more about the technology.
"At the most basic level, North Korea needs the money," explains Priscilla Moriuchi, director of strategic threat development at Recorded Future, a threat intelligence firm. The company was the first to identify Marine Chain as being linked to North Korea and has extensively tracked the country's cryptocurrency efforts.
According to the UN, North Korea’s shift to cryptocurrencies is a bid to evade sanctions as they are “harder to trace, can be laundered many times and are independent from government regulation”. Since 2016, at least five attacks against cryptocurrency exchanges have been linked to North Korea. Security firm Proofpoint has found North Korean hackers using sophisticated attack techniques, including reconnaissance malware and spear-phishing, to boost their likelihood of success.
In December 2017, the South Korean intelligence services said the hack of Bithumb – where millions of dollars of cryptocurrency was stolen – was conducted by hackers working for North Korea. A total of seven crypto exchanges in South Korea have been hacked since early 2016, its police agency has said. South Korea has also alleged North Korean hackers attacked Japanese cryptocurrency exchange Coincheck in January 2018, stealing $530 million.
"North Korea has been looking at cryptocurrency for a long time," Moriuchi says. "Their attackers and the North Korean state are pretty invested in utilising and exploiting this technology." She says the country has also been linked to the mining of cryptocurrencies, something that can directly create funds. Moriuchi has only seen this on a small scale from North Korea but a recent report from the University of Madrid and King’s College London has said the global scale of cryptomining fraud is much larger than previously thought.
Over one weekend in August 2018, India's Cosmos Bank was hit by a heist. A sophisticated attack, which is likely to have started with a spear-phishing email, resulted in $13.5m being stolen from its reserves. The attack had all the hallmarks of APT 38 – with some new tricks thrown in for good measure.
ATMs were targeted with 14,000 simultaneous transactions across 28 countries. In total, around $11 million of the money stolen came from physical cashpoints. The complex network of criminal activity drew the attention of the FBI, which along with the Department of Homeland Security and US Treasury, issued a joint alert, blaming the “cash-out scheme” on North Korea. The Cosmos Bank attack also included an additional $2m that was stolen through SWIFT, a global network that lets banks and other financial institutions send one another information about how and where money is moved.
In its report, the UN blamed APT 38 for the Cosmos heist and said North Korea had become "increasingly sophisticated" in its attacks on financial institutions. FireEye's Read says malware known as DYEPACK is used by APT 38 to help it manipulate the data on a bank's local SWIFT servers. The US government, in its indictment of Park, goes further saying it believes North Korea cribbed information from SWIFT developer manuals to help it customise DYEPACK for the network.
Once APT 38 has access to SWIFT, FireEye says, it learns how local banks use it and can then configure an attack to transfer money. "We observed that APT 38 compromised a SWIFT system and waited almost two years before conducting fraudulent transactions," FireEye said in its report. APT 38's bank attacks regularly focus on getting access to SWIFT before transferring money.
SWIFT's head of cybersecurity incident response, Dries Watteyne, says it is aware of multiple attacks on banks but adds that the SWIFT network itself has never been compromised. "In each case the attackers have targeted the bank’s local infrastructure to gain access to their systems, manipulate their controls and processes to execute fraudulent payment messages," Watteyne says.
Once the money has been transferred, APT 38 attempts to cover its tracks. "They have also used disruptive or destructive methods," Read says. "After they have transferred money outside of a bank they'll put ransomware somewhere else to distract a security team." Read believes this approach is used to give North Korea more time to move money around.
Ultimately, this money is funnelled back into North Korea where it helps fund, amongst other things, its nuclear weapons program. The UN’s report concluded its sanctions against the country had been “ineffective” and had failed to stop its nuclear weapons program. Despite international efforts – and denials from North Korea – it appears work on nuclear weapons is continuing. Virginie Grzelczyk, a senior lecturer in international relations at Aston University who specialises in North Korea, worries the country may begin missile testing again over the coming months as diplomatic efforts falter.
At the start of March, The New York Times reported North Korea had started to rebuild the infrastructure it needs to launch ballistic rockets, a little over a year since the last test in November 2017. Images from satellites showed work on an engine test stand had restarted, fuelling fears of more nuclear activity. The US has also mobilised its high-altitude surveillance aircraft in anticipation of future missile launches.