It Really Was the Lazarus Group, in North Korea with SWIFT

swift

Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.

kimbo

Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.

sectorslide

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s