North Korea’s hacking operations are growing and getting more bold – and increasingly targeting financial institutions worldwide.
North Korea is now being linked to attacks on banks in 18 countries, according to a new report from Russian cybersecurity firm Kaspersky.
And the stolen money is likely being spent advancing North Korea’s development of nuclear weapons, according to two international security experts.
Banks and security researchers have previously identified four similar cyber-heists attempted on financial institutions in Bangladesh, Ecuador, the Philippines and Vietnam.
But researchers at Kaspersky now say the same hacking operation – known as “Lazarus” – also attacked financial institutions in Costa Rica, Ethiopia, Gabon, India, Indonesia, Iraq, Kenya, Malaysia, Nigeria, Poland, Taiwan, Thailand, and Uruguay.
The hackers can be traced back to North Korea, according to Kaspersky researchers.
To hide their location, hackers typically launch cyberattacks from computer servers far from home. According to Kaspersky, the Lazarus hackers carefully routed their signal through France, South Korea and Taiwan to setup that attack server. But there was apparently one mistake spotted by Kaspersky: A connection that briefly came from North Korea.
“North Korea is a very important part of this equation,” said Vitaly Kamluk, who leads Kaspersky’s Asia-Pacific research team.
Researchers disclosed their findings publicly on Monday at Kaspersky’s Security Analyst Summit, a cybersecurity conference on the Caribbean island of St. Maarten.
Kaspersky is one of the world’s top cybersecurity firms, providing popular anti-malware protection to computers at homes and companies worldwide. Its researchers are known for exposing some of the most complex global hacking operations. US law enforcement remains suspicious of the firm’s ties to the Russian government, but Kaspersky strongly denies Kremlin influence on the company’s business.
North Korea’s targets have been shifting in recent years.
In 2013, when South Korea’s banks and broadcasters were attacked, that government blamed its neighbor to the north. In 2014, the US government blamed North Korea for the the hack on Sony Pictures. Clues in both cases pointed to Lazarus.
By late 2015, the Lazarus hackers shifted their attention to the global financial system, according to researchers at BAE Systems, FireEye and Symantec.
The earliest known victim was a Vietnamese commercial bank. The latest attacks, observed by Kaspersky in March, included operations attacking financial institutions in Gabon and Nigeria in Africa.
Though most of the attacks were not successful in stealing money, several were, according to Symantec.
And researchers said these hackers intend to attack major Western banks using increasingly sophisticated methods.
One recent example is a trap set at the website of Poland’s financial regulator. Hackers embedded malicious code onto that Polish website, according to BAE Systems. And they limited the infections to visitors from particular internet addresses – employees at banks.
The code showed that Lazarus hackers created a list of 150 internet addresses that served as “a hit list,” said Eric Chien, a researcher at Symantec, which issued its own warning about North Korea hacking earlier this year.
CNN ran those addresses through internet records kept by Domain Tools, a cybersecurity firm. Those IP addresses belong to the World Bank, as well as the central banks of Brazil, Chile, Estonia, Mexico and Venezuela, as well as a wide range of well known global banks.
Kaspersky said its defense software has blocked more than a dozen infections from Lazarus. It’s unclear which banks were ultimately infected.
Researchers at several cybersecurity firms theorize that North Korea is attempting to build a network of infected banks to move around stolen money.
For example, millions of dollars were taken from Bangladesh’s account at the New York Federal Reserve last year and moved to Sri Lanka and a casino in the Philippines, according to investigators.
North Korea tried to funnel some of that money through one infected bank in Southeast Asia, according to a researcher at FireEye. But an emergency team at FireEye managed to block it in time.
American prosecutors in Los Angeles are now investigating the Bangladesh bank hack, a federal law enforcement source told CNN.
And the money may be going to help develop North Korea’s nuclear program.
“This is all for their nuclear weapons and missile programs. They need this money for building and researching more ballistic missiles,” said Anthony Ruggiero, a senior fellow for Foundation for Defense of Democracies who tracks North Korea’s illegal behavior.
North Korea’s secret banking
This aggressive hacking operation coincides with a global effort to block North Korea from the financial system as punishment for its nuclear program. United Nations sanctions block countries from allowing banks to do business with the tightly-controlled regime of Kim Jong Un.
But in February, a UN investigation revealed that North Korea is using a network of front companies and secret agents to access global banks. For example, North Korea used electronics and shipping companies to move millions of dollars, essentially making them financial institutions. The regime also set up several banks as subsidiaries of Chinese and Malaysian firms, masking their true ownership.
Cyber heists play a role in this illicit scheme, because stolen funds can be used to prop up those front companies, according to Sung-Yoon Lee, a Korea expert who teaches at Tufts University.
“We tend to patronize North Korea and mock them. But over the past decade, they have shown the world they are… very capable when it comes to cybercrime,” he said.
CNN’s Scott Glover contributed to this report.