North Korea's main spy agency has a special cell called Unit 180 that is likely to have launched some of its most daring and successful cyberattacks, according to defectors, officials and internet security experts.
Key points:
- Cyber security researchers say they have found technical evidence that could link North Korea to the WannaCry cyberattack
- N Korea has been blamed in recent years for a series of online attacks, mostly on financial networks, in the US and South Korea
- No conclusive proof has been provided but insiders say North Korean hackers travel overseas to avoid leaving a trace
North Korea has been blamed in recent years for a series of online attacks, mostly on financial networks, in the United States, South Korea and over a dozen other countries.
Cyber security researchers have also said they found technical evidence that could link North Korea with the global WannaCry "ransomware" cyberattack that infected more than 300,000 computers in 150 countries this month.
Pyongyang has called the allegation "ridiculous".
The crux of the allegations against North Korea is its connection to a hacking group called Lazarus that is linked to last year's $US81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony's Hollywood studio.
The US Government has blamed North Korea for the Sony hack and some US officials have said prosecutors are building a case against Pyongyang in the Bangladesh Bank theft.
No conclusive proof has been provided and no criminal charges have yet been filed. North Korea has also denied being behind the Sony and banking attacks.
North Korea is one of the most closed countries in the world and any details of its clandestine operations are difficult to obtain.
But experts who study the reclusive country and defectors who have ended up in South Korea or the West have provided some clues.
Hackers likely under cover as employees
Kim Heung-kwang, a former computer science professor in North Korea who defected to the South in 2004 and still has sources inside North Korea, said Pyongyang's cyberattacks aimed at raising cash are likely organised by Unit 180, a part of the Reconnaissance General Bureau (RGB), its main overseas intelligence agency.
"Unit 180 is engaged in hacking financial institutions (by) breaching and withdrawing money out of bank accounts," Mr Kim said.
He has previously said that some of his former students have joined North Korea's Strategic Cyber Command, its cyber-army.
"The hackers go overseas to find somewhere with better internet services than North Korea so as not to leave a trace," Mr Kim added.
He said it was likely they went under the cover of being employees of trading firms, overseas branches of North Korean companies, or joint ventures in China or South-East Asia.
James Lewis, a North Korea expert at the Washington-based Centre for Strategic and International Studies, said Pyongyang first used hacking as a tool for espionage and then political harassment against South Korean and US targets.
"They changed after Sony by using hacking to support criminal activities to generate hard currency for the regime," he said.
"So far, it's worked as well or better as drugs, counterfeiting, smuggling — all their usual tricks."
South Korea purports to have 'considerable evidence'
The US Department of Defence said in a report submitted to Congress last year that North Korea likely "views cyber as a cost-effective, asymmetric, deniable tool that it can employ with little risk from reprisal attacks, in part because its networks are largely separated from the internet".
"It is likely to use internet infrastructure from third-party nations," the report said.
South Korean officials said they had considerable evidence of North Korea's cyber warfare operations.
"North Korea is carrying out cyberattacks through third countries to cover up the origin of the attacks and using their information and communication technology infrastructure," Ahn Chong-ghee, South Korea's Vice-Foreign Minister, told Reuters in written comments.
Besides the Bangladesh Bank heist, he said Pyongyang was also suspected in attacks on banks in the Philippines, Vietnam and Poland.
In June last year, police said the North hacked into more than 140,000 computers at 160 South Korean companies and government agencies, planting malicious code as part of a long-term plan to lay the groundwork for a massive cyberattack on its rival.
North Korea was also suspected of staging cyberattacks against the South Korean nuclear reactor operator in 2014, although it denied any involvement.
That attack was conducted from a base in China, according to Simon Choi, a senior security researcher at Seoul-based anti-virus company Hauri Inc.
"They operate there so that regardless of what kind of project they do, they have Chinese IP addresses," said Mr Choi, who has conducted extensive research into North Korea's hacking capabilities.
Reuters