On The Radar: North Korean Cyber Activities A Threat To U.S. Interests?
Last week, several United States government departments issued a joint advisory warning Americans and their international counterparts of the increasing threats posed by North Korea (DPRK), with renewed emphasis on the cyber realm. Together, the U.S. Departments of State, Homeland Security, and the Treasury, along with the Federal Bureau of Investigation (FBI), aimed to call attention to the Republic’s calculated and sophisticated cyber activities, which they believe pose a significant threat to the health of the international financial system. In particular, the advisory highlighted the growing threat posed by hacking attacks originating in North Korea and the steps that both individuals and organizations operating within the financial sector can take to mitigate these risks.
Much like Iran, Venezuela and several other countries acting in defiance of many of the standards upheld by the international community, North Korea too has felt the sting of United States and United Nations sanctions limiting its access to precious finances and various resources. Given the potential repercussions for those choosing to do business with North Korea, the East Asian country’s trade opportunities have understandably dwindled. As a result, the DPRK has struggled in recent years to generate revenue to support its ballistic missile and nuclear weapons programs, all but forcing it to resort to illicit activities to generate these funds, with its latest strategy appearing to be a doubling down on its commitment to cybercrime. The frightening truth, however, remains that the U.S. government believes North Korea has the capability to conduct disruptive or destructive cyber activities affecting critical U.S. infrastructure, with analysts speculating that the current threat level is high enough to affect the “integrity and stability of the international finance system.”1 The announcement comes at a time when the vast majority of the world is primarily focused on the COVID-19 pandemic, with North Korea likely using this period of uncertainty as a distraction that could work to its ultimate benefit. Further complicating counter-efforts against North Korean cyber actors is the fact that the strategies being utilized by these individuals/groups are becoming increasingly advanced. This was evidenced in a report issued by the United Nations Security Council’s Panel of Experts (POE) in 2019, which stated that the “DPRK is increasingly able to generate revenue notwithstanding UN Security Council sanctions by using malicious cyber activities to steal from financial institutions through increasingly sophisticated tools and tactics.”1
In detailing the starting point of these operations, the guidance notes that North Korea’s cyber-actors consist of a mixture of “hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies”, often using potent malware tools to facilitate their lucrative crimes.
The aforementioned targets of the hacking attacks are often chosen according to the amount of funds that can be pilfered in a single strike, which has placed the entire financial industry on high alert. The 2019 POE midterm report also noted that these activities have remained successful because the criminals/organizations involved have laundered these ill-gotten funds across a multitude of jurisdictions, decreasing their risk of detection/apprehension exponentially by using a variety of channels to accrue funds and valuable information. These hackers have, however, resorted to more traditional means of digital crime as well, including the creation of fake websites that, to the untrained eye, appear to be legitimate portals for cryptocurrency trade, where fraudsters are able to obtain valuable personal information from clients.
However, arguably the most frightening development by the DPRK involves what has been termed “cryptojacking.” This form of malware essentially turns the device(s) used by the targeted individual to operate their cryptocurrency exchanges into a means to anonymously mine and transfer digital currency to designated servers. The POE is currently investigating cryptojacking activities that saw anonymity-enhanced digital assets sent to the DPRK in 2019. Many suspect that, based on the talent and experience of these particular hackers, North Korea may be affiliated with a third-party coalition that it is paying to carry out these attacks, with these actors employed as “cyber-mercenaries” of sorts. In at least one confirmed case in 2019, the North Koreans used malware developed by an eastern European cybercrime syndicate known as “Trickbot”. This attack is significant because it represents the first known instance where “DPRK-linked cyber groups have partnered with non-state actors,”5 experts explained. Another third-party group of hackers known as the ‘Lazarus Group’ is believed to be connected to an attack against the Chilean interbank network, Redbanc.5
In response to these developments, the United States government adopted an interesting approach to tackle this budding problem, offering a whopping $5 million reward for information leading to the identification of North Korean hackers working against the United States.6 This may wind up as a smart play, considering the high probability that, if third-party hackers are involved in this growing problem, they are far less likely to have strong loyalty to North Korea than the country’s domestically-grown hackers. The U.S. is banking on this hefty sum possibly being enticing enough for one of these individuals (or perhaps a rival organization) to come forward in response. In the meantime, however, the U.S. government has urged American citizens and financial enterprises to remain vigilant, issuing a list of relevant actions for international government agencies, businesses and individuals to take to better protect themselves from these significant threats. The complete list of mitigation actions can be found via the following link: https://www.us-cert.gov/ncas/alerts/aa20-106a
Weekly Roundup
South Korean Bank Fined for Iran-Centered AML Failures
On April 20th, one of the largest banks in South Korea agreed to settle long-standing United States federal and New York state criminal charges that its significant anti-money laundering (AML) deficiencies allowed for the illicit transfer of over $1 billion to heavily-sanctioned Iran. Industrial Bank of Korea (IBK) will reportedly pay a total of $86 million to put behind it a scheme dating back to the early 2010s that violated U.S. sanctions on Iran, along with its failure to have an adequate transaction-monitoring system in place. The Wall Street Journal writes that from 2011 to 2014, U.S. citizen Kenneth Zong conducted more than $1 billion of illegal transactions on behalf of Tehran using his accounts with IBK. Zong is said to have convinced IBK officials that the Iranian government “owed him cash for construction materials he had sold to it”, while prosecutors discovered that Zong had “fabricated invoices, contracts, and bills of lading to deceive bankers.”2 At the time, IBK was designated as a financial institution permitted to conduct trade with Iran while complying with U.S. sanctions.
After being converted to U.S. dollars, the funds were released to Zong, who ultimately wired the vast majority of the money to Iranian officials around the world, himself receiving a hefty sum of cash for his “services.” Mr. Zong has since been indicted on 47 counts of violating U.S. sanctions on Iran, though he has remained in a South Korean prison since 2018 for violations of national tax laws. Despite the bank’s extreme efforts to right its AML ship of late, the publicly traded institution’s lengthy run of compliance shortcomings and violations of the Bank Secrecy Act (BSA) was too severe for authorities to simply overlook. As part of the settlement, IBK has entered a two-year deferred prosecution agreement with the United States Justice Department and a non-prosecution agreement with the Attorney General of New York.
Branch of Chinese Banking Conglomerate Fined for Regulatory Breaches
The Securities and Futures Commission (SFC), Hong Kong’s financial watchdog, recently issued a fine to the securities branch of one of the largest banks in China for breaching regulatory requirements. According to reports, Bank of Communications (BOCOM) International Securities Limited is said to have broken anti-money laundering rules by failing to identify deposits made by third parties on numerous occasions, with the SFC also discovering that the firm had significant deficiencies in its “margin lending and margin call policy between December 2012 and November 2016, and that it breached other rules including those concerning authorization of transactions and client complaints.”3 While BOCOM has continued to take steps to address its shortcomings and comply with current AML regulations, the group could not avoid the HK$19.6 million ($2.53 million) fine levied by the SFC for the above-mentioned regulatory breaches.
Pakistan Makes Mass Cuts To Terror Watch List
With a new assessment by the Financial Action Task Force (FATF) looming, Pakistan recently made substantial alterations to its primary terrorism watchlist as part of the country’s continued efforts to improve its AML/counter-terrorism financing safeguards. Coined the “proscribed persons list”, the grouping created and operated by Pakistan’s National Counter Terrorism Authority (NACTA) has been cut down significantly of late with approximately 1,800 names being removed from the grouping since March and nearly 4,000 in total since 2018. Historically speaking, it is a common practice for countries taking de-listing actions to notify the greater financial sector when such measures are taken. However, no explanation for the mass removals has been officially issued by national leaders, nor
Pakistan has faced increasing pressure from the FATF, one of the world’s most prominent financial watchdogs, which sets global standards/policies for AML/CFT, for the greater part of the last 2 years. It is widely believed that if Pakistan fails to establish a viable plan to correct its longstanding shortcomings in this regard (including apprehending prominent terrorists operating within its jurisdiction), FATF member states may vote to impose additional restrictions on the Republic’s access to the international financial system. Earlier this year, the FATF noted that “Pakistan had largely addressed about half of the action items it had agreed to implement to prevent additional sanctions”4 up to that point.
Citations
1. “Guidance on the North Korean Cyber Threat: Alert (AA20-106A).” Cyber Infrastructure | CISA, U.S. Department of Homeland Security, 15 Apr. 2020.
2. Jeong, Andrew. “Federal, New York Authorities Fine South Korean Bank Used for Iran Payments.” The Wall Street Journal, Dow Jones & Company, 20 Apr. 2020.
3. John, Alun. “BoCom Securities Arm Fined $2.5 Million in Hong Kong for Regulatory Failings.” Reuters, Thomson Reuters, 20 Apr. 2020.
4. Tokar, Dylan. “Pakistan Removes Thousands of Names From Terrorist Watch List.” The Wall Street Journal, Dow Jones & Company, 20 Apr. 2020.
5. Weisensee, Nils. “North Korean Cyber Attacks ‘Increasingly Sophisticated,’ Report Warns: NK News.” NK News – North Korea News, 20 Apr. 2020.
6. Winder, Davey. “U.S. Government Offers $5 Million Reward To Identify North Korean Hackers.” Forbes, Forbes Magazine, 16 Apr. 2020.