Think Ocean’s 11—only the robbers are cash-starved, nuke-thirsty North Koreans and their weapons are keyboards, not explosives and guns.
In the latest efforts to fund Kim Jong-Un’s nuclear ambitions, hackers suspected of working for the North Korean government appear to have slithered their way into the computer networks of an Indonesian bank in an apparent attempt to pull off a megaheist to fund regime goals, The Daily Beast has learned.
It was around February of 2020 when the hackers, suspected of working for North Korea’s military intelligence agency—the Reconnaissance General Bureau (RGB)—are believed to have targeted the networks of Bank Rakyat Indonesia, cybersecurity researchers that have studied the malware culprit told The Daily Beast.
The hackers appear to have gone after the bank’s networks with custom-made North Korean malware, according to a technical report on the apparent breach obtained by The Daily Beast. It remains unclear whether the North Korean hackers were successful in stealing any money—the report doesn’t confirm with 100 percent certainty that the hackers were successful in hitting the bank and making off with the cash—but the report indicates the hackers were likely successful in running the final parts of their hacking campaign against the bank, said Adrian Nish, the head of threat intelligence at BAE Systems.
Nish added that the particular malware believed to have hit Bank Rakyat Indonesia was a “late-stage tool,” typically used after hackers have already gained access to the network and done reconnaissance on its systems.
That malware, known as “BEEFEATER,” also links the campaign to the same malware that the North Korean hackers used in another heist, in which they successfully stole millions of dollars from Bangladesh Bank, Nish told The Daily Beast.
In 2016, North Korean hackers broke into Bangladesh Bank, stealing $81 million by sending fraudulent payment orders through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a messaging system that makes bank transfers.
A person familiar with the work of the United Nations’ Panel of Experts on North Korea—which is tasked with investigating North Korean efforts to evade sanctions, including cyber-operations—told The Daily Beast that Kim’s regime would be smart to try building on the success of that attack.
”If you can hack a ‘Bangladesh Bank’ and make millions… that’s an awful lot of barges filled with coal and the cash actually is much more readily exploitable,” this person said, referencing one of North Korea’s other favorite ways to fund the government: exporting coal. This sort of hacking, the person added, “is much lower-risk than other forms of sanction evasion and it’s much higher-reward, so why wouldn’t you do it?”
Vitaly Kamluk, the head of the Asia-Pacific Research and Analysis Team at Kaspersky, told The Daily Beast the North Korean hackers that work for the Reconnaissance General Bureau, also known as Lazarus Group or APT38, are believed to produce multiple versions of their malware so that if one version is burned—as it was in Bangladesh—they can rely on variants to run the same hacks again but without being detected.
The malware in the Indonesian campaign appears to be similar—like the latest update—to the malware used in the Bangladesh robbery.
It’s quite common for North Korean hackers to go after banks. North Korean cyber-operations teams have searched high and low for money, going after financial institutions around the world, including in Brazil, Ecuador, Japan, Peru, Singapore, South Korea, and several other countries, according to U.S. intelligence community alerts.
But the apparent bank heist attempt in Indonesia stands out from the way North Korea has been hacking over the past year or so. North Korean government hackers have increasingly favored popping cryptocurrency entities over banks, likely because the cryptocurrency hacks are prone to yield more money, North Korea analysts say.
But ever since the hacking gang hit the Bangladesh Bank by exploiting SWIFT protocol, the banking sector has been beefing up protections against SWIFT heists—actions that might be preventing robberies from going off without a hitch, says Priscilla Moriuchi, the former head of the National Security Agency’s East Asia and Pacific cyberthreats office.
”SWIFT hardened their systems and did a lot of work with member organizations and DPRK expertise really was in the SWIFT system itself,” Moriuchi said. ”Their techniques and the element of surprise was useful for a few years, but that has essentially evaporated now.”
The North Korean hackers began turning more attention to cryptocurrencies right after the Bangladesh incident, at times targeting both mainstream financial entities and cryptocurrency organizations side-by-side, according to Kaspersky.
Since then, however, with their eyes on getting more bang for their buck, they have switched almost 100 percent of their operations to cryptocurrency-related hacks, which would make the apparent attempt in Indonesia stand out, Vikram Thakur, a technical director at Symantec, tells The Daily Beast.
“The North Koreans are [realizing] it’s so much more lucrative to go after the cryptocurrency exchanges,” Thakur said. “They get so much more out of it. It’s pure business.”
Other hacking teams are catching on as well; globally cryptocurrency hacking is on the rise and so far this past year criminals have been stealing more assets than the year prior, Kim Grauer, director of research at Chainalysis, a crypto-forensics firm, told The Daily Beast in an interview.
Whatever their funding, there’s some evidence—namely shows of North Korean military might in recent days—that cyber-enabled heists in recent months might be paying off. As Moriuchi said, “There’s clearly revenue coming into DPRK from cyber-operations.”
From 2019 to November 2020, the time that encompasses the Indonesia incident, Kim’s regime hacked into financial institutions and cryptocurrency exchanges both to bolster the regime’s weapons of mass destruction and ballistic missile programs, according to a report published this year from the UN’s North Korea Panel of Experts. They stole approximately $316.4 million worth of virtual assets, the report states.
While it’s unclear whether Bank Rakyat Indonesia yielded any money for North Korea, the malware indicates the regime’s hacking team was far along in their campaign, according to Nish.
“The attackers don’t want to give up their most precious tools at the first stage,” Nish said, noting that this particular malware is a rare find, in part because the North Koreans “only choose to put them into the networks they’re very interested in.”
The trail the hackers left behind is minuscule—the North Koreans typically clean up their tracks to avoid setting off alarm bells—making it difficult to trace exactly what they did, security researchers that have examined this case tell The Daily Beast.
“Tracking this group—it’s like shadows in the dark,” Nish said, noting those kinds of whispers of evidence of North Korean hacking are typical of Lazarus Group. “They just delete the evidence.”
It wouldn’t be the first time North Korea has turned its attention to Indonesia. Just last year, the U.S. intelligence community called out a group of North Korean government hackers for their operations targeting banks, including likely victims in Indonesia.
Bank Rakyat Indonesia acknowledged The Daily Beast’s request for comment, but did not offer a response. Indonesian police, the U.S. Secret Service, the FBI, the Department of Justice, the IRS, and U.S. Cyber Command did not return requests for comment. The Treasury Department declined to comment. The Department of Homeland Security’s cybersecurity agency, CISA, deferred comment to the FBI.
While it’s difficult for these agencies to nail down the bank hacks and their culprits—one hacker behind the Bangladesh Bank heist was charged years after the fact—analysts who reviewed technical details of the campaign seem rather satisfied by the evidence.
“You can be confident it was them,” said Nish, the head of threat intelligence at BAE Systems.
The director of cyber-espionage at FireEye’s Mandiant, Ben Read, also told The Daily Beast that the tools in question suggest the hackers involved are almost certainly part of the military intelligence hacking gang APT38.
“It’s definitely North Korea. The malware they used we’ve seen primarily used by APT38,” Read said, though he added that, “without doing the [incident response] ourselves, we can’t say with 100% confidence.”
The UN reports published this year on the hundreds of millions of dollars worth of North Korea’s revenue-generating hacks don’t mention any victims in Indonesia.
But the report doesn’t include all of the hacking that took place in those months, a person familiar with the investigations of the United Nations’ Panel of Experts on North Korea told The Daily Beast.
“Our current report has a couple of paragraphs on cyber and there’s nothing very specific in it—but that doesn’t mean that the processes have stopped,” the person said, declining to comment specifically on the attempted heists in Indonesia.
“They’re still very interested in hacking for financial gain,” this person added.