WASHINGTON — The United States accused North Korea on Wednesday of employing an array of old and new forms of cyberattacks to steal and launder money, extort companies and use digital currencies to gain cash for its nuclear weapons program.
The report — issued jointly by the State Department, the Department of Homeland Security, the Treasury Department and the F.B.I. — says the purpose of the accelerated program is for North Korea “to generate revenue for its weapons of mass destruction and ballistic missile programs.”
But the decision to publicly focus on North Korea’s actions is a quiet acknowledgment that President Trump’s two-year diplomatic effort, backed by continued economic sanctions, has failed to slow the North’s nuclear production or prevent it from using new avenues of attack.
While Mr. Trump keeps declaring that he has “a great relationship” with the country’s leader, Kim Jong-un, and regularly cites their fawning correspondence, the administration’s report makes clear that the cyberthreat has accelerated despite three meetings between the two leaders.
“The D.P.R.K.’s malicious cyberactivities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system,” an accompanying alert by the Cyber and Infrastructure Security Agency, part of the Department of Homeland Security, said, using the abbreviation of the North’s official name, the Democratic People’s Republic of Korea. The State Department also announced an award of up to $5 million for “information about illicit D.P.R.K. activities in cyberspace, including past or ongoing operations.”
The United Nations is expected to echo American findings in a coming report that concludes that North Korea is skirting sanctions through cybercrime, in addition to illegal exports of goods such as coal and petroleum, and imports of luxury goods like armored sedans and alcohol.
The interagency report was assembled before the spread of the novel coronavirus, which has prompted a global deluge of disinformation and internet scams, from Russia to China to Eastern Europe.
The report does not accuse the North of using its growing army of hackers to profit from the crisis, even as the nation tries to wall itself off from the virus by bringing home cargo ships that until recently were the centerpiece of its sanctions-busting efforts.
But it details actions by a state-sponsored North Korean group that the U.S. government calls Hidden Cobra, which it said had “demonstrated a pattern of disruptive and harmful cyberactivity that is wholly inconsistent with the growing international consensus on what constitutes responsible state behavior in cyberspace.”
In fact, the picture is more complex.
North Korea is engaged in a daily cyberconflict with the United States and South Korea, which included an effort by the Obama administration to sabotage the North’s missile launches. And as sanctions have tightened and Pyongyang’s efforts to counterfeit $100 bills proved less successful, the North has turned to its hackers as a revenue source — often with considerable success.
Many of the activities cited in the joint report were familiar: the 2014 attack on Sony Pictures Entertainment in retaliation for the release of the comedy “The Interview,” which brought down 70 percent of Sony’s computer systems, and WannaCry 2.0, ransomware that wiped out the British health service’s computer networks in 2017. It recited the story of the North Korean-engineered effort to steal $1 billion from the Bangladesh central bank, an attack that yielded only $81 million after an alert official at the New York Federal Reserve stopped the transfers.
It also cited the “FASTCash campaign,” which has successfully taken control of A.T.M.s in Asia and Africa to get them to spew out money, in one case in 30 nations simultaneously. And it examined several efforts to hack into digital currency exchanges, which was part of a study published this year by Recorded Future. The study concluded that North Korea’s use of the internet has surged 300 percent, partly because of a new connection to the global internet through Russia. Until recently, the North had a single pipeline, via China.
While many of the details were old news to cybersecurity researchers and security engineers, there was one important new detail in the report: North Korea’s hackers are now offering their services to other cybercriminals and nation-state hackers for a fee.
“They’ve become hackers for hire,” said John Hultquist, the senior director of intelligence analysis at FireEye, a cybersecurity company. “We never knew that, and what it shows is the level to which North Korean hackers are maximizing their cybercapabilities.”
The report makes clear that North Korea’s hackers are squeezing all possible revenue from cyberattacks. Ever since the attack on Sony Pictures in 2014, when Americans got their first glimpse into the country’s hacking prowess, the North’s army of more than 6,000 hackers has been on a rampage, penetrating banks, extorting hospitals with ransomware and hitting up the exchanges that trade in digital currencies like Bitcoin and Monero for cash.
Yet their record of success is mixed. When North Korean hackers hijacked hundreds of thousands of computers all over the globe with ransomware in 2017, they neglected to give their victims a way to send the Bitcoins they demanded to unlock their data. Since then, the hackers have popped up repeatedly in attacks on cryptocurrency exchanges. In April 2018, they stole nearly $250 million worth of digital currency and laundered it through other automated currency exchanges. Last month, the Justice Department indicted and the Treasury Department imposed sanctions on two Chinese nationals it accused of laundering $100 million in cryptocurrency on behalf of North Korea’s hackers.
American officials have long accused China of enabling the North’s hacking operations. For years, North Korean officials have dispatched the nation’s most promising computer programmers to China’s top computer science programs for training, and several high-profile North Korean cyberattacks have been traced back to Shenyang, a city in northeast China that has long been cited as an operating ground for North Korean hackers.
More recently, American security researchers say it is Moscow that has enabled North Korea’s operations, by offering a new digital pipeline for the attacks. Other countries, predominantly Iran, are now stealing a page from North Korea and pursuing cryptocurrency hacks of their own, according to Recorded Future.
The joint announcement is the latest in a multiyear push by American officials to share more threat information with the private sector. “Over the last 18 months, we have seen an increase in the coordinated release of threat information by government agencies,” Adam Meyers, the vice president for intelligence at CrowdStrike, a security firm, said on Wednesday.
Mr. Meyers applauded the agencies for giving the public greater visibility into what private researchers have known for years: Diplomacy and sanctions have done little to keep North Korea from pursuing its nuclear weapons ambitions, particularly when profitable cyberattacks have generated hundreds of millions of dollars in revenue.