In past posts, we have reported both on the Asian bank heists and Wannacry ransomware, which spread to hundreds of thousands of computers world-wide exploiting a Windows operating system vulnerability known now as Eternal Blue. A clandestine internet based group known as The Shadow Brokers released Eternal Blue as well as other NSA zero-day exploits into the wild, allowing anyone with the necessary tech savvy to turn it against any system of their choosing. Previous reporting from cybersecurity firms Kaspersky Labs, Symantec, and Fireye used patterns and clues within Wannacry’s code to conclude that The Lazarus Group, a hacking group known to be connected to the North Korean government, was indeed responsible. Subsequently, the NSA itself corroborated this story by issuing a statement pointing the finger at the Kim Jung-Un regime.
At the time, the malware exploit only made off with about $140,000 in Bitcoin from those willing to pay, although actually putting lives at risk by affecting medical services in the UK. Since then, the three bitcoin wallets reported to be the depositories saw no activity. But on August 2nd, after over 300 unique payments, the perpetrators finally began to reap their ill-gotten loot. In a rapid succession of seven withdrawals, the three wallets were quickly emptied. You have to give the North Koreans credit: market timing might have been a motive for cashing in. In recent months, Bitcoin has enjoyed a meteoric appreciation, and will now even split into two separate cryptocurrencies. An excellent NextGov account here estimates the return on waiting at about 20%. Who says the North Koreans don’t understand markets?
While the NSA predictably has not revealed their intelligence sources, internet security research groups Recorded Future and Team Cymru have recently published new findings on the pattern of North Korean cyber activity (the full report can be found here). The first finding of interest has to do with private—or more accurately elite—activity—and it is striking. As on the economic front, North Korea is not anywhere near as closed as it once was. From the report:
“Our analysis demonstrates that the limited number of North Korean leaders and ruling elite with access to the internet are actively engaged in Western and popular social media, regularly read international news, use many of the same services such as video streaming and online gaming, and above all, are not disconnected from the world at large or the impact North Korea’s actions have on the community of nations.”
The second major finding is that the DPRK routes substantial traffic through internet nodes abroad. Of course, China is in this mix. But the surprise of the report is that Chinese networks only account for about 10% of traffic, with India being a more significant player and Indonesia, Mozambique, New Zealand, Kenya, and Nepal all playing a role as well. These patterns underscore the need for greater coordination on cyber issues as well as sanctions enforcement.
In that regard, the Department of State’s loss of its cyber coordinator, Christopher Painter, is not only a step in the wrong direction. It would seem to run counter to the President’s own May 11 Executive Order calling for a review to strengthen cybersecurity. For a good overview of the issues, see the recent Brookings Brief by Cameron Terry on the costs of such downsizing at State. It is part of a much, much larger pattern: see the review of developments at Foggy Bottom by the Foreign Policy team consisting of Robbie Gramer, Dan de Luce and Colum Lynch. Sadly, cyber is not the only area to see devastating cuts.