• World
  • cybersecurity

Why We Shouldn’t Be Surprised If North Korea Launched the WannaCry Ransomware Cyberattack

16 minute read

The thought of a mushroom cloud disturbs sleep. The prospect of radiation poisoning — of hazmat suits, open sores and paper cranes by empty hospital beds — sickens the soul. That rogue state North Korea is poised for a sixth nuclear test this year, and is moving ever closer to building a nuclear-armed transcontinental ballistic missile, is one of the greatest perils facing the world today — and a foreign policy priority for U.S. President Donald Trump.

But the U.S. and its allies are already under attack — one administered not from missile silos but via fiber optic cables. Everyday, Pyongyang unleashes volley after volley of cyber warfare aimed at extorting and undermining individuals, businesses and governments across the globe. The regime of “Supreme Leader” Kim Jong Un remains a penniless Stalinist fossil, but in terms of hacking prowess it’s on an even keel with the U.S., China, Russia and Israel.

The ongoing investigation into possible Russian interference in the U.S. presidential election, and the shock firing of FBI Director James Comey, spotlights how cybercrime threatens to undermine the very fabric of our democracy. But last week’s global WannaCry ransomware attack, which has infected more than 300,000 computers worldwide, show that extortion is the primary motive of hackers. And it came as no surprise when a slew of top online security firms on Tuesday drew links between WannaCry and previous North Korean hacks. “It is similar to North Korea’s backdoor malicious codes,” Simon Choi, a senior researcher with South Korea’s Hauri Labs cybersecurity firm, told the Associated Press.

Today, an elite squad of 6,800 North Korean state hackers are engaged in fraud, blackmail and online gambling that together generate annual revenue of $860 million, according to the Korea Institute of Liberal Democracy in Seoul. And as U.S. state infrastructure and military facilities become ever more controlled via computer systems, the scope for hacking to do real, physical damage — rupturing gas pipelines, crashing crowded commuter trains or sending stock markets reeling — increases day by day.

“Foreign currency earning through cybercrime is their ordinary day to day operation, which can suddenly turn into offensive cyber attacks in times of crisis and war,” says Professor Lim Jong-in, of Korea University’s Department of Cyber Defense, and a former special security advisor to former South Korean President Park Geun-Hye. “The North Korean cyber threat keeps advancing, and attacks on national infrastructure pose a serious national security threat.”

North Korea’s cybercrime operations made world headlines following the 2014 hack of Sony Entertainment Pictures, in revenge for the satirical movie The Interview, which lampooned the Kim clan. In the aftermath, Barack Obama became the first U.S. President to blame a nation state for a cyber attack. “We cannot have a society in which some dictator someplace can start imposing censorship in the United States,” fumed Obama. However, despite the Sony attack’s infamy, North Korean cybercrime has been brewing for a long time.

‘War will be [waged as] information warfare’

North Korea embarked on sustained IT and telecommunications development in 1979, when Pyongyang first sought to establish a microchip plant through a U.N.-sponsored project. In 1983, North Korea had its first computer assembly plant, with a computer technology college following two years later. In 1986, North Korea reportedly received 25 Soviet instructors to train “cyberwarriors.”

Fast-forward to 1995 and Kim Jong Il, father of Kim Jong Un and son of North Korea’s founding father Kim Il Sung, was openly exulting cyber warfare. “In the 20th century, war is with bullets over oil,” the middle Kim said. “But in the 21st century, war will be [waged as] information warfare.” A year later North Korea gained its first Internet link to the outside world via the Pyongyang office of the U.N. Development Program.

According to Kim Hung Gwang, a former computer science professor in Pyongyang who defected to the South, the first North Korean cyber attack occurred in 2004. Following the collapse of the six-party denuclearization talks in 2008, North Korea responded with threats of a “hi-tech” war. On July 4 the next year, Distributed Denial of Service (DDoS) attacks — flooding a network with data to trigger a crash — targeted South Korean and U.S. government departments, media outlets, and financial websites via disk-wiping malware. In March 2011, to coincide with the annual joint U.S.-South Korea military exercises, South Korean media, financial and critical infrastructure again fell victim to a malware attack. Dubbed “10 Days of Rain” by the McAfee antivirus firm, the breach also targeted U.S. and South Korean military targets and jammed the GPS systems of hundreds of civilian aircraft and ships. In May 2013, several South Korean financial institutions and the government’s website Domain Name System registry were hacked.

Read More: The World Can Expect More Cybercrime From North Korea

North Korea’s cyber operations are not random, sporadic attacks, but form part of an ongoing, carefully orchestrated national campaign. It’s modern peacetime strategy — although, due to the signing of an armistice rather than peace deal, the two Korea’s technically remain at war — is to launch low-intensity operations to disrupt the status quo in enemy states without spiraling into a battle the Kim regime cannot win. “North Korea has hackers for targeting Europe, the U.S. and Asia all waiting ready to be activated,” says the defector Kim.

Owing to decades of impoverished isolation, North Korea’s bloated military remains technically ossified, and Kim Jong Un is cognizant of the unfavorable conventional military balance. This explains his determined quest for nuclear weapons — the ultimate equalizer — toward which an estimated $1.1 billion to $3.2 billion has been funneled so far. Cyber capabilities are also attractive given their low development costs, attribution difficulties, and opportunities for acquiring intelligence. Plus the asymmetric balance is, for once, in North Korea’s favor; the world’s most cloistered nation, with Internet penetration of less than 1%, can inflict exponentially more harm against the tech-reliant West than it could ever suffer itself. Moreover, cyber warfare is not only cheap compared to conventional warfare but can in fact be turned into a considerable cash cow.

Following February’s fourth nuclear test, the U.N. imposed unprecedented sanctions that have further weakened North Korea’s conventional military capabilities — restricting access to imported jet fuel, for example — thus augmenting the importance of unconventional warfare. The sanctions also hinder the regime’s traditional modes of generating revenue, generally exporting coal and minerals. Because the closer Pyongyang gets to a bomb, the harder the international community squeezes, the more cash must be earned through illicit means — like cybercrime. Attacks are ramping up in scale, frequency and audacity.

North Korea is chief suspect in the attempted heist of $1 billion dollars from Bangladesh Central Bank in February last year (they made off with $81 million). This is on top of raids on a bank in the Philippines the previous October, and Tien Phong Bank in Vietnam that December. According to analysts at Internet security firm Symantec, all three raids used code identical to the Sony hack. “We’ve never seen an attack where a nation-state has gone in and stolen money,” Eric Chien, a security researcher at Symantec, told the New York Times. “This is a first.”

North Korea is now suspected of hacks on banks in 18 countries. However, as one might expect, South Korean businesses are primary targets, largely to undermine popular confidence in the Seoul government and institutions. Last May, North Korean agents stole the personal details of 10.3 million users of the Interpark e-commerce firm.

Click and extort

A sudden ping made the Interpark employee look up from his cluttered cubicle in Seoul’s well-heeled Gangnam neighborhood. The email came from an address matching his brother’s name and used a familiar salutation. Attached was a screen-wallpaper photo file, named “OurFamily.abcd.scr,” including an image probably gleaned from social media. The employee didn’t think twice about clicking on the innocuous sounding file, unwittingly unleashing hidden malware into his company computer. The virus then sought out Interpark’s file-sharing server. The server’s password was obtained though a Brute Force Attack — an unsophisticated but formidable code-breaking technique equivalent to a safecracker whirring through all possible combinations until he stumbles across the correct one. The virus was then free to blanket the entire company until it reached the administrator’s computer. From there, 26,658,753 pieces of private company and customer information were retrieved, split into 16 separate files, and snuck out via the original compromised employee’s computer.

That hack led to the attempted blackmail of Interpark bosses for 3 billion won ($2.6 million) of untraceable bitcoin. But North Korean cybercrime has consequences much graver than falling shares and undermined public confidence. Military facilities are also favorite targets. In 2008, defense contractor Aegis’s cruiser and guided missile designs were hacked. In 2013, Russia’s Kaspersky Lab antivirus firm revealed a widespread breach of the South Korean defense industry. Then came hacks of aerospace firm LIG Nex1 in 2015 and shipbuilder Hanjin Heavy Industries in 2016.

The U.S. government knows this game all too well. Between 2009-10, what’s believed to be a joint-mission between American and Israeli security services struck Iran’s uranium enrichment facilities. Dubbed “Stuxnet” by antivirus analysts, the worm was administered to Iran’s nuclear plants by first infecting the systems of five contractor firms, demonstrating that even “air-gapped” networks — those completely separated from the Internet — can easily be penetrated. As a result, an estimated 984 uranium enriching centrifuges — or one third of capacity — were destroyed, putting Iran’s nuclear program back by a year. There are also reports that North Korea’s recent spate of failed missile launches is due to a similar U.S.-led cyber operation.

North Korea itself has used similar methods to breach “air-gapped” networks. In December 2014, a South Korean nuclear power plant operator was hacked, though no physical damage was caused. Myriad examples demonstrate American systems are similarly vulnerable: The U.S. Federal Deposit Insurance Corporation breaches from 2010 until 2013; the Democratic National Committee hack before November’s presidential election; hacks of private firms like Anthem, Chase, Target and J.P. Morgan, losing millions of customer records and valuable financial data. “While there’s no evidence that North Korea has developed infrastructure-attacking malware, there is probably no way to know unless it is activated,” says Daniel Pinkston, a North Korea expert at Seoul’s Troy University, and author of a report on North Korean cybercrime.

Raised for cybercrime

It would be arrogant to assume North Korea doesn’t have the ability. Today, the nation’s brightest youngsters are groomed from age seven or eight to be hackers. First they are drilled in the standard sciences at some of the 290 elite middle schools dotting the country. Then, the top 50 of each year are picked to attend the prestigious Kumsong [High] School, where 60% of the curriculum concerns computers. The most accomplished continue their studies at top colleges.

Kim Il Sung University, North Korea’s most prestigious academic institution that’s stocked with the nation’s brainiest progeny, has one of its seven colleges dedicated to computer science. The Kim Il Military Academy, established in 1986, has a five-year program to train students in software programming, technical reconnaissance and electronic warfare. Around a quarter of graduates are assigned to cyber hacking offices belonging to the Reconnaissance General Bureau (RGB).

The RBG is North Korea’s principle intelligence and clandestine operations organ responsible for raids, infiltrations, disruptions and other espionage. It is believed responsible for the March 2010 torpedo attack that sank South Korea’s Cheonan naval vessel with the loss of 46 lives. The RGB has a cyber attack unit known as Bureau 91, which conducts email phishing operations against citizens of the South. But the bulk of DPRK cyber capabilities are controlled via the RGB’s Bureau 121, which is thought responsible for the Sony attack, and boasts around 3,000 staff. Bureau 121 has become one of Kim Jong Un’s most prestigious military organizations. One high-level defector even told TIME of a young hacker whose success earned a reprieve for his banished — “disloyal” — parents to return to the more comfortable capital.

Read More: Researchers See Similarities Between Global Ransomware Attack and North Korean Hacks

Due to capacity restrictions on North Korea’s own Internet, and the need to muddle the attribution of attacks, hundreds of top North Korean cyber operatives are sent overseas. Jang Se-yul, a North Korean who trained at Mirim University, the country’s top engineering college, before defecting to the South in 2008, says he keeps in touch with some of his former classmates who now work for Bureau 121. They include members of a six-strong team who were sent to China’s northeastern city of Shenyang, near the North Korean border.

Everyday, they write software in a ramshackle industrial robot development plant at a business park outside the city. But at night, the cell’s real mission is launching cyber attacks against South Korean financial institutions. Similar to a terrorist cell, they have no knowledge of their fellow hackers inside China, only reporting to bosses in their homeland. “The last contact I had was last year,” says Jang. “They said the Chinese authorities were cracking down and so they would set up in Thailand or Laos instead.”

In the early days, North Koreans learned hacking skills from China and Soviet Russia. China continued schooling North Korean hackers until 2010, when its leadership became wary of the flourishing hacking skills of its erstwhile subordinates and nixed the training programs. But, given the nature of cybercrime, competent computer programmers can essentially self-teach via open source tools on darkweb forums — the Internet beyond the search engines. Last year, the China government even sent a memorandum to companies employing North Korean IT staff to warn against potential cyber terrorism.

Code in every smartphone?

It’s not just China that should be worried. Northeastern Chinese cities such as Shenyang and Dandong boast more than 100 IT firms that subcontract work from large companies including Huawei, Xiaomi and Samsung. Highly-skilled North Koreans are hired by those subcontractors, owing to their below market wages, giving them the means to reach a significant proportion of households on Earth. “North Koreans are planting malicious Zero-Day [completely hidden] codes in the software that these subcontractors develop for launching future attacks,” says Professor Lim.

Even if Beijing is wary of North Korean cybercrime, it still abets the Kim regime. When in 2014 South Korean investigators traced a hack on Korea Hydro & Nuclear Power to a server in Shenyang, the Chinese government refused to permit access or cooperate in any way. And experts agree that should relations between Beijing and Washington sour, the Chinese military may utilize North Korean hackers or, at the very least, purchase any intelligence they gather independently. “That is a likely scenario,” says the defector Jang.

Potential targets are legion. The U.S. and South Korea are among most advanced countries in terms of communications infrastructure — traffic management, power grids, banking — making them correspondingly susceptible to cyber attacks. The U.S. is arguably the most vulnerable, owing to aging infrastructure, which was either never originally intended to be computerized, or simply has severely outdated security protocols.

In the event of all-out inter-Korean war, North Korea could launch blistering cyber attacks against U.S. infrastructure and its financial systems to hamper the swift dispatch of troops and arms. Pyongyang strategists posit that a delay of a week may be enough to occupy Seoul with a lightning attack and negotiate favorable peace terms with Washington.

Read More: North Korea’s Nuclear Weapons Are Not Reason Enough to Start a War

Ominously, should North Korea develop a nuclear missile capable of hitting the U.S. mainland, a prospect experts say could take three to five years, cyber attacks may spike. The presence of countervailing nuclear deterrents, which lessen the prospect of full-scale war, can in fact incentivize lower-level acts of aggression.

U.S. policymakers do not have a pre-established menu of proportional response options for cyber attacks, and the international legal framework regarding state responsibility is weak. In a public talk in February 2015, NSA Director Admiral Michael Rogers said of cybercrime, “we’ve got to publicly acknowledge it, we’ve got to publicly attribute it, and then we’ve got to talk about what we’re going to do to impose cost.”

But the greatest danger of North Korean cybercrime may stem from personality politics. The brazen Sony hack, accompanied by threats against company employees and cinema patrons, was predicated by an insult to North Korean leader Kim Jong Un. In North Korea’s stifling autocracy, the Kim clan is nigh deified, and slights against the leadership treated with the utmost gravity. The scheduled release of The Interview also coincided with a U.N. vote on the Commission of Inquiry report on human rights abuses in North Korea, which directly implicated Kim. This likely contributed to the scale of the response, and any future affronts may likewise spark a sudden escalation.

President Trump is not a man to mince words. During his presidential campaign, he called Kim a “maniac” and a “madman.” Following recent missile tests, he dispatched a U.S. Naval Strike Group to the Korean Peninsula and warned of a “major, major” conflict with North Korea if Kim refused to denuclearize. Invective and perceived provocations from the Oval Office, perhaps owing to more nuclear tests or some other escalation, could see cyber warfare unleashed to settle scores once again. For today we are all at the mercy of hotheads wielding ice-cold technology.

With reporting by Stephen Kim / Seoul

More Must-Reads From TIME

Write to Charlie Campbell / Beijing at charlie.campbell@time.com