When hackers associated with North Korea tried to break into Polish banks late last year they left a trail of information about their apparent intentions to steal money from more than 100 organizations around the world, according to security researchers.
A list of internet protocol addresses, which was supplied by the security researchers and analyzed by The New York Times, showed that the hacking targets included institutions like the World Bank, the European Central Bank and big American companies including Bank of America.
While some of the Polish banks took the hackers’ bait, the scheme was detected fairly quickly, and there is no evidence that any money was stolen from the intended targets. Yet security researchers said the hit list, found embedded in the code of the attack on more than 20 Polish banks, underlines how sophisticated the capabilities of North Korean hackers have become. Their goals have now turned financial, alongside longstanding efforts to spread propaganda, steal data and disrupt government and news websites in countries considered enemies.
The list of targets, which has not been previously reported, is part of a growing body of evidence showing how North Korea, a country that is cut off from much of the global economy, is increasingly trying to use its cyberattack abilities to bring in cash — and making progressively bolder attempts to do so.
North Korea’s hacking network is immense, encompassing a group of 1,700 hackers aided by more than 5,000 trainers, supervisors and others in supporting roles, South Korean officials estimate. Because of the country’s poor infrastructure, the hackers typically work abroad, in places like China, Southeast Asia and Europe. Like other North Koreans allowed to work abroad, the hackers are constantly monitored by minders for possible breaches in allegiance to the government.
The security firm Symantec said it believed that the hackers behind the Poland attack were also behind two other major breaches: the theft of $81 million from the central bank of Bangladesh and a 2014 attack on Sony Pictures, which rocked the film industry.
“We found multiple links, which gave us reasonable confidence that it’s the same group behind Bangladesh as the Polish attacks,” said Eric Chien, a researcher at Symantec, which studied both attacks.
The firm has not traced the attacks to a specific country’s government, but American officials have blamed North Korea for the Sony attack, partly based on intelligence that came from American breaches of North Korea’s computer systems.
The list of targets uncovered in the Polish attack — including big American financial institutions like State Street Bank and Trust and the Bank of New York Mellon — is illuminating for its ambition, Mr. Chien added. “It’s one thing to go after Bangladesh,” he said, “but it’s a whole other thing to take on the U.S.”
United States prosecutors are investigating North Korea’s possible role in the Bangladesh heist, according to a person briefed on the inquiry, who asked to remain anonymous because the details are confidential. And on Tuesday, Richard Ledgett, a deputy director of the National Security Agency, said that research linked the Sony Pictures attack to the Bangladesh heist. He also affirmed that he believed nation states were now robbing banks.
North Korea has denied involvement in the attacks on Sony and others, instead accusing South Korea of disrupting its websites. North Korea’s population is cut off from the internet except for a handful of state-run sites filled with propaganda.
The Polish episode provides a case study of how North Korean cyberattack goals have escalated.
The attack began around October, when the hackers planted malicious code on the website of the Polish financial regulator, then waited for employees of the banks to visit the site and unknowingly pick it up.
The perpetrators used what is called a watering-hole attack, named after the way predators ambush prey by waiting at a spot the prey is known to visit, to go after the banks; in this case, the “watering hole” was the financial regulator’s website. The compromised page checked each visitor’s internet address against the embedded list: only visitors whose addresses were on it were redirected to a page that attempted to install malware, while everyone else saw the normal site, which is part of what makes such attacks hard for outsiders to spot. The list of targets extended beyond Poland, investigators said, because the group intended to carry out similar attacks elsewhere.
“This was a global list, but they hadn’t gotten around to making a watering hole for all these country banks,” Mr. Chien said, adding that the hackers appeared to have created watering-hole sites in Mexico and Uruguay, too. Symantec said it had blocked 14 attacks against computers in Mexico and 11 in Uruguay.
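The selective redirect described above can be sketched in a few lines. The following is an added example, not code from the article, from Symantec or from the attack itself: the CIDR blocks, visitor addresses and organization ranges are constructed from documentation address space, and the function names and the "exploit landing page" string are hypothetical. It shows the attacker-side gate (a visitor outside the list gets the untouched page, so a scanner or researcher on an unlisted address sees nothing) and the defender-side check a bank would run against a published list of targeted ranges.

```python
"""Watering-hole address gating, on a constructed target list (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the target list embedded in the attack code.
# RFC 5737 documentation ranges; the comments describe hypothetical owners.
TARGET_LIST_TEXT = """
# hypothetical bank A, whole egress block
192.0.2.0/24
# hypothetical bank B, lower half of its block
198.51.100.0/25
# hypothetical bank C, single NAT address
203.0.113.77
"""


def compile_targets(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse a text list of networks and single addresses, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # A bare address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_targeted(visitor_ip: str, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the visitor's address falls inside any listed network.

    Malformed input is treated as not targeted, so the gate fails closed
    (from the attacker's point of view) rather than raising.
    """
    try:
        addr = ipaddress.ip_address(visitor_ip.strip())
    except ValueError:
        return False
    # Membership across IP versions is simply False, no special casing needed.
    return any(addr in net for net in nets)


def serve(visitor_ip: str, nets: Iterable[ipaddress._BaseNetwork]) -> str:
    """Attacker-side gate on the compromised regulator page.

    Only listed visitors receive the redirect; everyone else, including
    security researchers and crawlers, gets the legitimate content.
    """
    if is_targeted(visitor_ip, nets):
        return "REDIRECT -> exploit landing page"  # hypothetical target URL
    return "200 OK (legitimate regulator page)"


def exposed_ranges(
    org_ranges: Iterable[str], nets: Iterable[ipaddress._BaseNetwork]
) -> List[Tuple[str, str]]:
    """Defender-side check: which of my egress ranges overlap the published list.

    Returns (my_range, listed_range) pairs. Overlap, not equality, matters:
    a listed /25 inside my /24 still means some of my hosts are targeted.
    """
    hits = []
    for r in org_ranges:
        mine = ipaddress.ip_network(r, strict=False)
        for net in nets:
            if mine.version == net.version and mine.overlaps(net):
                hits.append((str(mine), str(net)))
    return hits


if __name__ == "__main__":
    nets = compile_targets(TARGET_LIST_TEXT)
    for ip in ("192.0.2.10", "198.51.100.200", "203.0.113.77", "2001:db8::1"):
        print(f"{ip:>16} -> {serve(ip, nets)}")
    # A hypothetical bank checks its own egress space against the list.
    print(exposed_ranges(["198.51.100.0/24", "10.0.0.0/8"], nets))
```

The defender check is the one worth keeping: when a list like this is published, compare it against every egress range your organization uses, including NAT pools and cloud egress, since a single listed /32 is enough to put the whole branch behind it in scope.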
The fact that the hackers were able to compromise a specific, chosen site showed that their capabilities had improved, Mr. Chien said. The group also adapted code and exploits that circulate more broadly among cybercriminals, whereas before it had mostly built its own tools, another indication of evolution.
While Polish banks were the most numerous targets, the second-largest number was in the United States, including the American arm of Deutsche Bank. CoBank, which lends to agriculture and rural projects, was targeted, too. The central banks of Russia, Venezuela, Mexico, Chile and the Czech Republic were on the list. The only target associated with China: branches of the Bank of China in Hong Kong and America.
North Korea has been carefully cultivating its cyberattack capabilities since the early 1990s, according to South Korean officials. Generally, the country selects young computer prodigies and trains them as hackers, according to people who have attended the South Korean government’s discussions of the North’s hacking operations. South Korean cybersecurity officials began detecting attacks attributed to North Korean hackers around 2009.
Working overseas is a huge incentive for young hackers, since many North Koreans have little chance to leave their impoverished, isolated country. As long as the hackers meet their government-set targets, they are allowed to live abroad and often get the added perk of running illegal gambling sites online, generating profits they can share with supervisors.
While North Korea lags developed countries in hacking capabilities, it has occasionally startled observers in South Korea. In 2011, investigators found that a South Korean bank had been hit by malware when an infected computer used by a maintenance-company employee was briefly hooked into the bank’s server network.
South Korean hackers who forensically analyzed the attack were impressed not so much by the malware, but by the fact that North Korean hackers had been so constantly on alert, apparently for hours or days on end, waiting for the short window during which the infected computer was connected to the bank’s servers so that they could activate the virus.
While the Pentagon has recently warned that North Korea’s hacking abilities could be a cost-effective way of conducting military operations, the attacks on banks show the country’s more prosaic goal of getting money.
“In the past, North Korean hackers usually attacked government websites with the goal of destroying systems and triggering social confusion,” said Kim Seung-joo, a professor at the Graduate School of Information Security at Korea University in Seoul, who is an adviser for the South Korean government’s cybersecurity division.
“Now they have shifted to making money, attacking banks and private companies, apparently because the North’s other means of raising foreign currency are increasingly blocked under United Nations sanctions,” Mr. Kim said.
North Korean hackers have also begun using ransomware, malicious software that encrypts the files on an infected computer or smartphone, to make money. The hackers demand a ransom, usually in Bitcoin, in return for the key that unlocks the victim’s data.
In July, the South Korean police said North Korea’s main intelligence agency had stolen the personal data of more than 10 million customers of Interpark, an online shopping mall in South Korea. Interpark did not learn about the breach until it received an anonymous message threatening to publicize the leak of personal data unless it paid the equivalent of $2.7 million in Bitcoin.
South Korea attributed the attack to hackers belonging to North Korea’s Reconnaissance General Bureau, its main spy agency.
In the end, no Bitcoin changed hands. Instead of paying the ransom, Interpark reported the attack to the police.