The complex web of North Korean state-backed hackers is allegedly behind major recent cyber incidents, targeting corporations, public sectors, and governments, while evading global laws and accountability.
Symbolic picture (Unsplash)
In 2024, India was stunned when WazirX, one of India's leading cryptocurrency exchanges, fell victim to a devastating cyberattack in which hackers stole over USD 230 million worth of cryptocurrency. A recent joint statement from Japan, the US and South Korea revealed that Lazarus, a group of hackers operating from North Korea, was behind this attack.
North Korea, whose economy is choked by international sanctions and whose survival is often threatened by global isolation, is seen using cyberwarfare as an economic and political weapon. These cyber operatives are often referred to as state-sponsored groups, and they mostly target financial institutions, cryptocurrency exchanges, and governments worldwide.
North Korea's hacking groups are no ordinary cybercriminals. According to Mandiant, an American cybersecurity firm, these state-sponsored operatives work primarily under the Reconnaissance General Bureau (RGB), a division of the General Staff Department of the Korean People's Army, led by Supreme Leader Kim Jong-Un.
The Lazarus Group, an umbrella term often used to refer to numerous North Korean cyberattacks, has developed a distinct set of malware for intelligence gathering, asset recruitment, destructive attacks, and financial crime.
Apart from the RGB, the United Front Department (UFD), sponsored by the Central Committee of the Workers' Party of Korea, and the Ministry of State Security are also involved in cyber operations. The RGB oversees intelligence collection and clandestine operations, comprising six bureaus, each serving specific purposes such as reconnaissance, foreign intelligence, technology, and support.
The UFD focuses on spreading propaganda targeting South Korea to undermine its geopolitical rival. It leverages online information operations, including an "army of cyber trolls," to promote pro-DPRK narratives on web forums, as reported by Mandiant. Meanwhile, the Ministry of State Security conducts covert intelligence gathering to support strategic military, political, and economic interests.
These groups have targeted victims primarily in South Korea but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and the Middle East.
These hacking operations are known for their persistence and deception. They use techniques such as phishing, malware deployment, and infiltration of cryptocurrency exchanges.
The groups employ highly deceptive and calculated methodologies that exploit the growing demand for remote jobs and developer opportunities. They often target developers on platforms like LinkedIn and GitHub by posing as recruiters or representatives of reputable companies.
They craft enticing job offers promising high salaries. Once the developer is hooked, the attackers share links to public GitHub repositories, which appear legitimate but are embedded with malicious scripts.
In a blog post, Google's Threat Analysis Group revealed sophisticated campaigns like "Operation Dream Job" and "Operation AppleJeus" that use fake profiles and phishing schemes to distribute exploit kits. These kits are disguised as legitimate software packages, enabling attackers to deploy malware once the files are downloaded.
Recently, cryptocurrency theft has proven especially lucrative, with over USD 2 billion reportedly stolen in recent years. According to the report, these stolen funds are laundered through complex networks of fake accounts and brokers, making it nearly impossible to trace the money.
Various groups operate under the RGB, as reported by the American cybersecurity firm Palo Alto Networks. These include Alluring Pisces (Lazarus), which targets financial institutions and carries out large-scale cyber heists; Gleaming Pisces, which specialises in cryptocurrency-focused operations; and Jumpy Pisces, which engages in cyberespionage and ransomware.
Selective Pisces targets the media, defence, and IT sectors, while Sparkling Pisces focuses on intelligence gathering and cybercrime funding.
These state-sponsored hackers have executed various high-profile attacks, from the Sony Pictures breach and the Bangladesh Bank heist to the WannaCry ransomware and cryptocurrency thefts.
India has also faced significant cyberattacks, including the USD 235 million WazirX cryptocurrency heist in July 2024, officially attributed to North Korea by the US, South Korea, and Japan. In 2019, the Lazarus Group and Kimsuky targeted the Kudankulam Nuclear Power Plant using malware to steal sensitive nuclear data.
Published By:
Nakul Ahuja
Published On:
Jan 22, 2025