The Internet has become a “critical tool” for the North Korean regime in its efforts to evade sanctions and generate income through cybercrime and fraud, according to researchers.
A study into the web use of the leaders and ruling elite – rather than the public – was conducted by Insikt Group, a division of intelligence outfit Recorded Future, between January and November last year, Newsweek reported. The team found a 300% spike in network activity compared to 2017.
“The Kim regime has developed a model for using and exploiting the internet that is unique – it is a nation run like a criminal syndicate,” the report said.
Intended as a way of getting around tough global restrictions, the nation’s top brass are using a model that generates revenue via covert bank robberies and fraud, combined with some non-criminal actions like cryptocurrency mining and IT work.
The UN Security Council has a broad range of economic and financial sanctions designed to curb the regime’s attempts to create nuclear weapons and limit trade. The US imposes its own set of sanctions via the Treasury Department.
The fingerprints of North Korea-aligned hackers have previously been found on ransomware outbreaks and cyber-intrusions on crypto exchanges, casinos and banks. Security experts have done extensive probes of one state-hacking unit known as “Hidden Cobra.”
According to Insikt Group, the regime relies on the digital currency Monero to launder or move the proceeds of criminal activities. It is believed officials are involved in cryptocurrency mining and a suite of “low-level” fraud involving counterfeit video games and software hacks. A major source of financing comes via its exploitation of the SWIFT global banking infrastructure.
“For the North Korean political and military elite, the internet has become a critical tool,” the researchers wrote in their report, published on February 9.
They added: “This includes not only using the Internet as a mechanism for revenue generation but as an instrument for acquiring prohibited knowledge and skills, such as those enabling the development of North Korea’s ballistic missile programs, and cyber operations.
“North Korea has developed an Internet-based model for circumventing international financial controls and sanctions regimes imposed on it by multinational organizations and the West.”
Researchers said their analysis, building on statements from defectors, found North Koreans involved in cybercrime are often sent abroad to “obtain advanced training.”
The team said North Koreans linked to nefarious activity last year were traced to India, China, Nepal, Kenya, Mozambique, Indonesia, Thailand and Bangladesh.
They wrote: “North Korea is not only exploiting third-party nations to train cyber operators, but also possibly even to acquire nuclear-related knowledge banned by U.N. sanctions.”
The report covers the period of negotiation between the regime’s leader Kim Jong-un and US President Donald Trump, which included unprecedented meetings but ended in stalemate.
It seems most web use now takes place on weekdays, unlike previous analysis in 2017 when use appeared to spike during Saturday and Sunday, researchers noted.
In 2018, the US charged North Korean citizen Park Jin Hyok for his alleged role in “multiple destructive cyberattacks,” including the massive WannaCry outbreak in 2017, the theft of $81 million from Bangladesh Bank in 2016 and the 2014 cyberattack on Sony Pictures.
The team warned other reclusive countries are likely taking note.
“North Korea has developed a model that leverages the Internet as a mechanism for sanctions circumvention that is distinctive but not exceptional,” the report said.
“This model is unique but repeatable, and most concerningly, can serve as an example for other financially isolated nations in how to use the Internet for sanctions circumvention. We believe we will begin to see other isolated nations use some of the same criminal and non-criminal techniques leveraged by North Korea to generate revenue and evade their own sanctions.”
It could “serve as an example for other financially isolated nations, such as Venezuela, Iran, or Syria, for how to use the Internet to circumvent sanctions,” the team warned.
Mining activity
In July of 2017, Recorded Future published one of the first reports suggesting that North Korea’s government was mining bitcoin, MIT Technology Review reported. A year later the company noted that North Korea’s interest in and use of cryptocurrencies had “exploded.” Besides pulling off a number of successful robberies of South Korean cryptocurrency exchanges, the regime had begun mining a privacy-oriented currency called Monero. Unlike Bitcoin, whose public transaction record makes it possible to track money flows, Monero uses cryptography to hide transaction information from public view and make the flow of money very difficult to trace. The authors of the new report say that North Korea’s Monero mining efforts appear to have increased tenfold since 2018.
“In October 2018, North Korean Monero mining activity was similar in both traffic volume and rate of communication with peers to the bitcoin mining mentioned above,” Insikt Group was quoted as saying in The Daily Hodl.
“By our assessment, as of November 2019, we have observed at least a tenfold increase in Monero mining activity. We are unable to determine the hash rate because all of the activity is proxied through one IP address, which we believe hosts at least several unknown machines behind it.”