June 18, 2022 | Foreign Policy

‘The Lazarus Heist’ Is the Gripping Story of North Korean Cybercrime

Worryingly, Washington’s concern does not rise to the level of the danger.

“Remember the 11th of September 2001.” That chilling threat was posted on the internet after North Korea’s cyberattack against Sony Pictures Entertainment in 2014, which aimed to prevent the release of a movie that ends with the death of a fictitious version of North Korean leader Kim Jong Un. In his new book, The Lazarus Heist, investigative journalist Geoff White digs into the fascinating evolution of Pyongyang’s cyberactivities, from terrorism to sanctions evasion to other criminal activities. While the book reads like a typical Hollywood crime drama, in the end the good guys do not win.

White’s engaging prose takes us around the world—Ireland, Macao, South Korea, Bangladesh, China, the Philippines, Slovenia, Malta, the United Kingdom, Canada, and the United States—to document Pyongyang’s cyber-intrusions and other illicit activities. In particular, White comprehensively reviews the record of the North Korean hacking team code-named Lazarus Group by U.S. government investigators.

Much of White’s book draws from information already in the public domain, but his compelling narrative highlights the trail of accomplices and victims that North Korea leaves behind. U.S. law enforcement continues its efforts to prosecute North Korean hackers, including the three North Koreans on the FBI’s Cyber’s Most Wanted list, an admirable goal but one extremely unlikely to be realized. The upshot is that “North Korea’s alleged computer hackers get away scot-free, while their accomplices (or some of them, at least) get caught in the net,” as White notes.

White devotes an entire chapter early in the book to Pyongyang’s counterfeiting of U.S. $100 bills, also known as superdollars or Supernotes. The connection between North Korea’s cyberactivities and fake $100 bills may not be obvious. But White ties them together by explaining that currency counterfeiting was long a focus of Pyongyang’s illicit activities—and when the financial revolution moved transactions from physical currency to online banking, it set off a slew of North Korean cyberactivities. An alternative explanation is that the Kim regime will always try to exploit the weakest point of the U.S. sanctions regime. The U.S. Secret Service told a Senate subcommittee in 2006 that the Supernotes were first detected in 1989 and that it had seized approximately $50 million of the notes globally. The George W. Bush administration’s efforts to stop the Kim regime’s illicit activities—counterfeit cigarettes, drugs, and U.S. currency—increased the costs for North Korea and could explain its shift to cyberactivities.

“Computer hacks have become a key weapon in North Korea’s arsenal, and they now pose a significant threat to global security and stability,” White writes. Priscilla Moriuchi, a former analyst at the U.S. National Security Agency, tells White that Pyongyang’s “strategy is about utilizing its asymmetric strengths, being able to find tools of national power that they can use to level the playing field against their much stronger adversaries in the West.”

Early in the book, White also emphasizes that the main goal of North Korea’s hackers—like the counterfeiters before them—is to make cash for the regime, which has few legitimate opportunities to earn hard currency given the international sanctions due to Pyongyang’s nuclear weapons and ballistic missile programs. The illicit funds are used to fund everything from Kim Jong Un’s lifestyle to Pyongyang’s nuclear weapons and missile programs. But in the book’s conclusion, White includes a warning from Thae Yong-ho, a former North Korean deputy ambassador in Britain, who defected to South Korea and is currently a legislator there. “During peaceful times,” Thae says, “they can use their hacking ability to create income.” However, Thae also asserts that in wartime, they can “easily” conduct a cyberattack to harm South Korea.

Occasionally, White observes, Pyongyang does use cyberattacks to terrorize targets for pettier reasons. In the case of the Sony attack, one of the regime’s earliest major hacking operations, Kim sought to avenge a personal slight. Sony’s The Interview is a middling comedy starring Seth Rogen and James Franco as a producer and journalist, respectively, who land an interview with the faux Kim Jong Un, played by Randall Park. The CIA then recruits Rogen’s and Franco’s characters to assassinate the North Korean leader by poisoning him. As in most comedies, hijinks ensue, and eventually they complete their mission. Unsurprisingly, the real-life Kim was not pleased with his Hollywood treatment—though it’s unclear whether he was more incensed by his fictitious death or the buffoonish treatment.

In September 2014, three months before the movie’s scheduled December release, a Sony employee opened an email with a virus embedded in video files. White explains that this allowed the attackers to access Sony’s computer system, where they “carefully [moved] from computer to computer to avoid detection, stealing data and planting more viruses as they geared up for their big finale.” On Thanksgiving, North Korean cyberattackers triggered the viruses to devastate the company’s computer systems. Sony executives received emails demanding a ransom payment. When the company did not comply by the specified deadline, the hackers released films that were still in production and sent reporters incriminating proprietary information, including executives’ salaries and contracts for actors and actresses. Then they leaked 5,000 emails from the account of Sony co-chair Amy Pascal. White observes that some contained embarrassing details.
