On April 15, 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued an advisory alert providing guidance on the North Korean cyber threat and steps to mitigate that threat (the “Alert”).[1]  The U.S. Government has repeatedly warned the private sector that North Korea, formally known as the Democratic People’s Republic of Korea (“DPRK”), routinely engages in malicious cyber activities and has specifically targeted financial institutions.

This Alert serves as a reminder, especially during this pandemic as businesses go remote and virtual to an unprecedented degree, that the cyber threat, including from the DPRK, remains a critical risk for all companies.  Financial institutions in particular, a traditional target of North Korean cyber activity, should take steps to ensure they are protecting themselves from and responding effectively to malicious cyber intrusions.

History of DPRK Cyber Attacks on Financial Institutions

According to the Alert, DPRK cyber actors include “hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies.”[2]  In recent years, the technical tools used by DPRK-sponsored cyber actors have become “increasingly sophisticated.”[3]  Since 2014, the U.S. Government has publicly attributed multiple large-scale cyber attacks to the DPRK.  These attacks include: the Sony Pictures Entertainment hack, the Bangladesh Bank Heist, WannaCry 2.0, the FASTCash Campaign, and the Digital Currency Exchange Hack.[4]

With respect to financial institutions, between 2015 and 2018, one network of malicious actors affiliated with the DPRK attempted to steal at least $1 billion through multiple targeted cyber operations across the world.[5]  According to the Department of Justice (“DOJ”), in the 2016 Bangladesh Bank Heist, the network of conspirators was able to successfully steal $81 million from Bangladesh Bank.[6]  The cyber actors initially targeted bank employees through spear-phishing emails.  Once the bank’s computer network was compromised, the conspirators were able to access computer terminals that interfaced with the SWIFT communication system.  The malicious actors then distributed fabricated SWIFT messages which instructed the Federal Reserve Bank of New York to transfer funds from Bangladesh to numerous accounts throughout Asia under their control.  The conspirators also gained access to other banks’ networks through spear-phishing campaigns, “watering hole attacks,” and other means.[7]

Separately, as part of the FASTCash Campaign, DPRK-sponsored actors have “remotely compromise[d] payment switch application servers within banks to facilitate fraudulent transactions.”[8]  As a result, in just one instance in 2017, cyber actors were able to force the withdrawal of cash from ATMs in over 30 countries simultaneously.  To date, the scheme has allegedly resulted in the theft of “tens of millions of dollars from ATMs in Asia and Africa.”[9]

In 2018, DPRK-sponsored actors also successfully hacked into a virtual currency exchange and stole roughly $250 million.  They submitted falsified documentation and altered photographs in order to sidestep the know-your-customer controls employed by the targeted currency exchanges.  The cyber actors then worked with two Chinese nationals who laundered the money “through hundreds of automated cryptocurrency transactions aimed at preventing law enforcement from tracing the funds.”[10]  The civil forfeiture complaint names 113 virtual currency accounts and addresses allegedly used in laundering the funds.[11]

Recommended Actions

The Alert lists numerous measures that should be taken by financial institutions to protect themselves from the DPRK cyber threat, many of which are already cybersecurity best practices.  For example:

  • sharing threat information through government and/or industry channels;
  • segmenting networks to minimize risks;
  • maintaining regular backup copies of data;
  • undertaking awareness training on common social engineering tactics;
  • implementing policies governing information sharing and network access; and
  • developing cyber incident response plans.[12]

To the extent an entity believes it has been the victim of a cyber attack, the Alert encourages companies to swiftly notify law enforcement officials.  Particularly in the context of financial crimes, an expedited response and law enforcement notification may increase the likelihood of recovering stolen assets.

U.S. financial institutions and other covered businesses are reminded to ensure they are in compliance with the provisions of the Bank Secrecy Act.  This includes the maintenance of effective anti-money laundering (“AML”) programs in addition to identifying and reporting suspicious transactions to FinCEN.  Other legal obligations may also be implicated in the event of an attack, including complying with federal and state data breach notification requirements and avoiding ransomware payments to known sanctioned parties.  With respect to the latter, the U.S. has imposed comprehensive sanctions on the DPRK, among other entities known to sponsor cyber attacks.  Sanctions and AML considerations must be weighed carefully given that it is often not possible for private companies to attribute an attack to a particular person or group.

In the event that a corporate victim suspects that a nation state is affiliated with an attack, law enforcement coordination will likely be preferred or, in some cases, necessary.  Companies should keep in mind, however, that the fact that a nation state is responsible for an attack will not necessarily prevent enforcement actions and litigation, as illustrated by the Equifax breach.  The U.S. Government recently attributed the Equifax breach to Chinese military officers, and nevertheless Equifax has settled significant actions brought by state attorneys general as well as private litigation.

In sum, the DPRK continues to be a source of sophisticated cyber attacks on financial institutions.  Financial institutions should stay vigilant particularly during the current crisis, which may exacerbate cyber risk due to large-scale remote working, strain on IT resources, and a potentially distracted workforce.  For more information on managing cyber risk during the COVID-19 pandemic, please see our previous Cybersecurity and Privacy Watch blog post.

[1] Alert AA20-106A: Guidance on the North Korean Cyber Threat, Cybersecurity and Infrastructure Security Agency (Apr. 15, 2020),  https://www.us-cert.gov/ncas/alerts/aa20-106a.

[2] Id.

[3] Id.

[4] Id.

[5] See North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions, U.S. Department of Justice (Sept. 6, 2018), https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and.

[6] Id.

[7] Id.

[8] Alert AA20-106A: Guidance on the North Korean Cyber Threat, Cybersecurity and Infrastructure Security Agency (Apr. 15, 2020),  https://www.us-cert.gov/ncas/alerts/aa20-106a.

[9] Id.

[10] Two Chinese Nationals Charged with Laundering Over $100 Million in Cryptocurrency From Exchange Hack, U.S. Department of Justice (Mar. 2, 2020), https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack.

[11] Id.

[12] Alert AA20-106A: Guidance on the North Korean Cyber Threat, Cybersecurity and Infrastructure Security Agency (Apr. 15, 2020),  https://www.us-cert.gov/ncas/alerts/aa20-106a.