Lazarus, the cybercriminals who steal and extort for North Korea’s ‘Beloved Leader’

The group of hackers that hijacked computers around the world with the WannaCry virus in 2017 has just stolen $625 million in cryptocurrencies, the largest cyber heist on record

North Korean leader Kim Jong Un presides over a politburo meeting in May. KCNA (via REUTERS)
Manuel G. Pascual

Last month saw the largest cyber heist on record. Someone stole $625 million worth of cryptocurrency, mostly Ether (the second most used after Bitcoin), from Ronin, the blockchain bridge used by the video game Axie Infinity. The United States was quick to link the attack to the Lazarus Group, North Korean cybercriminals well known to cybersecurity experts. Blockchain consultancy Chainalysis estimates that these North Korean hackers seized another $400 million in digital assets last year through various attacks targeting cryptocurrency platforms.

Many countries, such as China, Iran and the US, unofficially sponsor hacker teams to carry out sabotage or obtain valuable information. But North Korea is different: it uses its group of computer experts to make money. The Beloved and Respected Leader – one of the many official titles of North Korean leader Kim Jong-un – sees cybercrime as a way to survive the harsh international sanctions placed on the country.

But Lazarus is more than just a group of simple cybercriminals. Its service record is matched by very few. The US and the UK, as well as Microsoft, blame it for the 2017 WannaCry ransomware attack, one of the largest cyberattacks in history. The malware spread on its own from one machine to the next through a flaw in Windows file sharing, encrypted the data it found and demanded money to restore access. It is estimated that around 300,000 computers in 150 countries were paralyzed in the 2017 attack. The UK’s National Health Service (NHS) was one of the largest organizations to be hit.

A year earlier, in 2016, Lazarus tried to steal $1 billion from the Bangladesh Central Bank by using the bank’s own credentials for the SWIFT interbank network to order money transfers as if they came from bank employees. The attack was thwarted by a spelling mistake in one of the transfer orders, which made a correspondent bank suspicious, but not before Lazarus had stolen $81 million. At the time, the FBI considered it the biggest cyber heist in history. Authorities also suspect that Lazarus stole around $530 million in digital tokens from the Japanese cryptocurrency exchange Coincheck in 2018.

Making money for the Leader

All the money that Lazarus steals goes to the same recipient: the Kim Jong-un regime. Lazarus is a rarity in the world of Advanced Persistent Threats (APTs), the term used for the most sophisticated hacking groups. Unofficially run and sponsored by governments, these teams are at the top of the hacker pyramid. They are well structured and hierarchical – they have departments and professionals with well-defined roles – and they have the economic resources to carry out complex, coordinated and fast attacks. On paper, only the intelligence services of the great powers, such as the US, Russia and the UK, have more capability than the APTs.

Due to the very nature of the internet, where it is easy to go undetected, it is difficult to find out who is behind a cyberattack. “APTs are basically tracked with clues provided by intelligence services and particularities of the code, but doing a good forensic analysis to determine authorship can take months,” explains hacker and cybersecurity analyst Deepak Daswani. For this reason, governments use APTs to sabotage, spy and carry out intelligence actions without causing diplomatic spats.

“Lazarus is a unique case,” says Adam Meyers, chief intelligence officer for CrowdStrike and an APT expert. “Other groups release ransomware, like Russia in Ukraine through Voodoo Bear, but as a cover for other purposes: they have no interest in being paid. And if they make money, it is for their own benefit, like the mafias. Lazarus’ goal is to obtain funds to sustain a regime cornered by international sanctions,” adds the analyst from Texas.

Kim Jong Un directs the launch of an intercontinental ballistic missile. Korea News Service (AP)

Lazarus is in fact the umbrella name given to hackers operating from North Korea. Meyers’ team distinguishes five different factions under that umbrella, each with well-defined objectives and specialties. All factions, however, share a code repository to prepare their attacks. Two of them, Stardust Cholima and Labyrinth Cholima, are exclusively dedicated to monetization. “We believe that Stardust Cholima belongs to Office 121, one of the departments of the General Reconnaissance Bureau,” the Reconnaissance General Bureau (RGB), North Korea’s main military intelligence agency. “They are very focused on financial systems, cryptocurrencies and new technologies.”

The Lazarus network also attacks for espionage and sabotage purposes, in the same way as APTs from other countries. North Korean hackers were especially active during the months of 2020 when pharmaceutical companies were frantically working to develop a Covid-19 vaccine. They tried to break into the computers of workers at AstraZeneca, which along with the University of Oxford was developing a vaccine for the disease. Later they attempted to steal information from Pfizer, another of the laboratories that developed a vaccine. Interestingly, North Korea claimed until recently to be one of the few countries in the world that had kept the pandemic at bay, so it may have been trying to thwart the development of a vaccine, or to steal trade secrets to sell.

Lazarus was also responsible for another notorious attack, in 2014. In this case, it was not driven by financial motives, but rather by revenge. The target was Sony Pictures Entertainment, the producer of the movie The Interview, an action-comedy about a plot to assassinate Kim Jong-un. A month before its scheduled release date, hackers broke into the computers of Sony workers. The group wiped data from the company’s machines, published details about workers’ pay and revealed compromising emails between some of its executives. They also threatened to attack cinemas that showed the film, and as a result major theater chains decided not to screen it.

Kim Jong-un’s great step forward

No one believed that North Korea could become a global cyber power. Nor that it could develop nuclear weapons. But it has achieved both goals – the latter through the resolve of three generations of dictators, and the former thanks to Kim Jong-un.

Kim Jong-un rules with an iron fist over one of the most isolated countries in the world. Since taking over from his father in 2011, he has grasped how the digital sphere can be used to spy on and sabotage his enemies (the US and South Korea), as well as to make money to compensate for the lack of trade. “The North Korean regime is actively cultivating elite hackers to join the RGB’s Bureau 121,” writes journalist Anna Fifield in her book The Great Successor, which delves into the hermetic life and career of Kim Il-sung’s grandson. “Students who show potential – some as young as eleven years old – are sent to special schools and then on to the University of Automation in Pyongyang, North Korea’s military college for computer science. For five years, they are taught how to hack and how to create computer viruses.”

It is striking, says Fifield, that by 2018 North Korean students were regularly taking first place in the programming competitions organized by the Indian company CodeChef. North Korean hackers are well respected and enjoy a comfortable life in a country where, in the 1990s, people literally starved to death, says Fifield, who knows the country well from her years in South Korea as a correspondent for the Financial Times.

Fifield tells EL PAÍS that she has seen no sign that this status has changed in recent years. Quite the contrary: Kim Jong-un is clear that cybercrime is just another business, a response to international sanctions.

“The regime is involved in all kinds of sectors that can bring in foreign currency, such as pharmaceutical testing, opium cultivation and human trafficking,” says Meyers. “Cyber espionage and cybercrime are just another stream.” If he can’t make money through trade, he will steal it.
