“Remember the 11th of September 2001.” That chilling threat was posted on the internet after North Korea’s cyberattack against Sony Pictures Entertainment in 2014, which aimed to prevent the release of a movie that ends with the death of a fictitious version of North Korean leader Kim Jong Un. In his new book, The Lazarus Heist, investigative journalist Geoff White digs into the fascinating evolution of Pyongyang’s cyberactivities, from terrorism to sanctions evasion to other criminal activities. While the book reads like a typical Hollywood crime drama, in the end the good guys do not win.
White’s engaging prose takes us around the world—Ireland, Macao, South Korea, Bangladesh, China, the Philippines, Slovenia, Malta, the United Kingdom, Canada, and the United States—to document Pyongyang’s cyber-intrusions and other illicit activities. In particular, White comprehensively reviews the record of the North Korean hacking team code-named Lazarus Group by U.S. government investigators.
Much of White’s book draws from information already in the public domain, but his compelling narrative highlights the trail of accomplices and victims that North Korea leaves behind. U.S. law enforcement continues efforts to prosecute North Korean hackers—an admirable goal but extremely unlikely to happen—including the three North Koreans listed on the FBI’s Cyber’s Most Wanted list. The upshot is that “North Korea’s alleged computer hackers get away scot-free, while their accomplices (or some of them, at least) get caught in the net,” as White notes.
White devotes an entire chapter early in the book to Pyongyang’s counterfeiting of U.S. $100 bills, also known as superdollars or Supernotes. The connection between North Korea’s cyberactivities and fake $100 bills may not be obvious. But White ties them together by explaining that currency counterfeiting was long a focus of Pyongyang’s illicit activities—and when the financial revolution moved transactions from physical currency to online banking, it set off a slew of North Korean cyberactivities. An alternative explanation is that the Kim regime will always try to exploit the weakest point of the U.S. sanctions regime. The U.S. Secret Service told a Senate subcommittee in 2006 that the Supernotes were first detected in 1989 and that it had seized approximately $50 million of the notes globally. The George W. Bush administration’s efforts to stop the Kim regime’s illicit activities—counterfeit cigarettes, drugs, and U.S. currency—increased the costs for North Korea and could explain its shift to cyberactivities.
“Computer hacks have become a key weapon in North Korea’s arsenal, and they now pose a significant threat to global security and stability,” White writes. Priscilla Moriuchi, a former analyst at the U.S. National Security Agency, tells White that Pyongyang’s “strategy is about utilizing its asymmetric strengths, being able to find tools of national power that they can use to level the playing field against their much stronger adversaries in the West.”
Early in the book, White also emphasizes that the main goal of North Korea’s hackers—like the counterfeiters before them—is to make cash for the regime, which has few legitimate opportunities to earn hard currency given the international sanctions due to Pyongyang’s nuclear weapons and ballistic missile programs. The illicit funds are used to fund everything from Kim Jong Un’s lifestyle to Pyongyang’s nuclear weapons and missile programs. But in the book’s conclusion, White includes a warning from Thae Yong-ho, a former North Korean deputy ambassador in Britain, who defected to South Korea and is currently a legislator there. “During peaceful times,” Thae says, “they can use their hacking ability to create income.” However, Thae also asserts that in wartime, they can “easily” conduct a cyberattack to harm South Korea.
Occasionally, White observes, Pyongyang does use cyberattacks to terrorize targets for pettier reasons. In the case of the Sony attack, one of the regime’s earliest major hacking operations, Kim sought to avenge a personal slight. Sony’s The Interview is a middling comedy starring Seth Rogen and James Franco as a producer and journalist, respectively, who land an interview with the faux Kim Jong Un, played by Randall Park. The CIA then recruits Rogen’s and Franco’s characters to assassinate the North Korean leader by poisoning him. As in most comedies, hijinks ensue, and eventually they complete their mission. Unsurprisingly, the real-life Kim was not pleased with his Hollywood treatment—though it’s unclear whether he was more incensed by his fictitious death or the buffoonish treatment.
In September 2014, three months before the movie’s scheduled December release, a Sony employee opened an email with a virus embedded in video files. White explains that this allowed the attackers to access Sony’s computer system, where they “carefully [moved] from computer to computer to avoid detection, stealing data and planting more viruses as they geared up for their big finale.” On Thanksgiving, North Korean cyberattackers triggered the viruses to devastate the company’s computer systems. Sony executives received emails demanding a ransom payment. When the company did not comply by the specified deadline, the hackers released films that were still in production and sent reporters incriminating proprietary information, including executives’ salaries and contracts for actors and actresses. Then they leaked 5,000 emails from the account of Sony co-chair Amy Pascal. White observes that some contained embarrassing details.
Following the movie’s premiere, the hackers issued a terrorist threat invoking 9/11, urging Americans to keep themselves away from theaters showing the movie. “If your house is nearby, you’d better leave,” the threat stated. White explains that Sony had a dilemma: It could continue with the film’s release or pull the movie. “In the end,” White writes, “the studio’s hand was forced, when the major cinema chains refused to screen the film.”
Then-U.S. President Barack Obama said Sony and the theaters had made a “mistake.” He also expressed outrage at Pyongyang’s scheme, saying, “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States.” But he did not retaliate in any meaningful way.
To be sure, Obama issued an executive order in January 2015 authorizing additional sanctions against the North Korean government, which the U.S. Treasury Department used to sanction three entities and 10 individuals serving as entities, agents, or officials on behalf of Pyongyang. However, the impact of these sanctions on hacking operations was negligible at best, since the three entities, including the organization that oversees the Lazarus Group, were already under sanctions and the 10 individuals on the list were actually involved in the regime’s proliferation activities, not cyberattacks. It was not until September 2019 that the Treasury Department sanctioned the Lazarus Group.
Moriuchi tells White that the Sony attack failed to cultivate any significant U.S. appreciation for the North Korean cyberthreat. Instead, the U.S. intelligence community downplayed or ignored the danger. The Sony hack, Moriuchi says, showed that “North Korean cyber-operators are much more technically adept and aware and plugged into contemporary Internet society and media culture than they ever really get credit for.”
In 2016, North Korea further escalated its cyberaggression when it set its sights on stealing almost $1 billion from Bangladesh Bank, the country’s central bank. The attackers sent the New York Federal Reserve fraudulent messages purporting to originate from Bangladesh Bank requesting the transfer of nearly $1 billion to bank accounts opened by the hackers’ accomplices at a Philippines-based commercial bank, the Rizal Commercial Banking Corp. The New York Fed stopped most of the requested transfers—but only after $81 million had already been sent to the Philippines-based bank.
Bangladesh Bank tried to recover the money, but the attackers were always one step ahead of it. White explains that the hackers moved the balances from four accounts to a single account and then transferred the funds to a money-changing business, which converted them into Philippine pesos. The attackers then laundered $51 million in casinos using accomplices and, for reasons that remain unclear, transferred the remaining $30 million to a mysterious Chinese man who promptly left the country.
White writes that the FBI and the U.S. Attorney’s Office for the Central District of California were still investigating the Sony hack when they discovered similarities to the Bangladesh Bank heist. For example, the FBI found three IP addresses shared by the viruses used for the hacks.
In sum, the book’s chronicle of events shows how North Korea’s cyberattacks have evolved into a wide range of activities, from terrorizing Americans to circumventing the sanctions regime. Worryingly, Washington’s concern does not rise to the level of the danger these activities represent. As the United States might have learned from its failed efforts to address North Korea’s nuclear and ballistic missile programs, the only chance to halt Kim’s misconduct will be when a U.S. president seriously prioritizes stopping him and devoting the necessary resources.
Anthony Ruggiero is a senior fellow at the Foundation for Defense of Democracies and a former senior director for counterproliferation and biodefense on the U.S. National Security Council during the Trump administration. Twitter: @NatSecAnthony. FDD is a nonpartisan research institute focusing on national security and foreign policy.