In November 2014, a glowing red skeleton appeared on the computer screens of executives at Sony Pictures Entertainment. ‘Hacked,’ began the accompanying message. It went on to explain that Sony data had been stolen and would be released to the world. ‘This is only the beginning,’ it warned. Gossipy emails about Angelina Jolie, licensing problems around the character of Spider-Man, and the script of the next James Bond film were all leaked online and lapped up by showbusiness reporters.
Then things became much more serious. The hackers threatened a terror attack against the premiere of Seth Rogen’s film The Interview, which mocked North Korea and its leader. The studio capitulated, the premiere was cancelled and the film was never given a major cinematic release.
Two and a half years later, computers in hospitals all around Britain displayed a ransom demand: pay us $300 (£220) in Bitcoin or your files will be lost. The WannaCry worm, as it became known, spread automatically to other computers on a network, crippling large sections of the NHS. More than 19,000 medical appointments were cancelled and the attack cost the health service millions. Worldwide, WannaCry hijacked 300,000 computers in just four days.
In February this year it was revealed that these two events were linked. The US Department of Justice unsealed an indictment against three members of North Korean military intelligence, Jon Chang Hyok, Kim Il and Park Jin Hyok, accusing them of being members of the country’s state-sponsored hacking team, the Lazarus Group.
The indictment is stunning. It details a long list of crimes in addition to the Sony hack and WannaCry. The Lazarus Group was mostly focused on money, stealing millions in cryptocurrency such as Bitcoin from individuals and institutions. It blackmailed millions more out of companies by threatening to release confidential information.
The group pulled off audacious cyber-heists from real banks around the world, hacking into their systems and sending money into accounts it controlled. The scheme netted the group around £280 million. It even hacked into cash machine (ATM) systems in some countries, getting them to dispense all their money and sending agents to collect the cash.
Nobody knows how North Korea trains its elite hackers. Parts of the WannaCry worm showed signs of being written in Chinese, which could suggest that China helps, or could just be a coincidence. Some North Koreans likely study in the West, too, using South Korean identities and passports. Of course, there are more extreme possibilities: in the 1970s, North Korea kidnapped people from Japanese beaches, stole their identities for espionage and forced the prisoners to teach Japanese language and behaviour to the dictatorship’s spies.
The Lazarus Group is considered an Advanced Persistent Threat (APT), the term given to hacker groups that operate with state backing. Security companies give them names, numbers or both: Lazarus is APT38, while APT37 is another North Korean group that focuses on attacking South Korea. Some APTs are military or intelligence units under formal state direction, while others are independent hackers operating with tacit government backing.
There is one obvious conclusion to be drawn from looking at the activities of the Lazarus Group: North Korea is desperate for money, especially untraceable money that can be laundered and used to skirt international sanctions. One of Lazarus’s failed plans was to set up its own cryptocurrency as a way of owning a stake in a shipping business. The US Justice Department believes this was also an attempt to circumvent some shipping sanctions. That plan failed after an anonymous internet user with the handle ‘ArsenalFan5000’ warned that it was secretly operated by North Koreans. ArsenalFan5000 never posted online again, making it likely that this was a western intelligence agency warning people away from the scam.
North Korea is far from alone in sponsoring hacking, but other states have different priorities. China has the most known APTs, and its state-sponsored hacking tends to focus on espionage, both government and corporate, rather than theft. Last month, Microsoft accused China’s Hafnium APT of breaking into the email servers of 250,000 organisations since the beginning of the year, including the European Banking Authority and Norway’s parliament.
Iranian APTs conduct espionage on military organisations in the Middle East and beyond, trying to steal weapons plans and occasionally sabotaging infrastructure. Iran was accused of trying to poison Israel’s water last April by hacking into a water plant and boosting the levels of chlorine.
Most famous of all is Russia. Its APT29, better known as Cozy Bear, was revealed in December as the perpetrator of a sophisticated attack on the software company SolarWinds. By installing a hidden backdoor in SolarWinds’ products, the hackers were able to gain access to dozens of government agencies and companies that used the compromised tools. Its louder, brasher cousin APT28, known as Fancy Bear, was behind the hacks on the Democratic National Committee and on Hillary Clinton’s campaign manager, Tony Podesta. Some still argue that the release of these materials through WikiLeaks gave the then-candidate Donald Trump the edge he needed to win.
APTs from all four of these countries were caught hacking vaccine research facilities last year, either to steal data or to sabotage development efforts. However, it’s not only non-western states that run APTs against their opponents. One of the most sophisticated APTs, the Equation Group, is widely believed to be run by the US National Security Agency, while the Stuxnet worm, believed to be a joint Israeli-American attack on Iran’s nuclear programme, was able to damage uranium enrichment centrifuges in 2010.
How should the rest of the world respond to APTs? The US government has started treating groups like common criminals, naming and indicting their members, and arresting them if they can, even if they’re uniformed officers of a country’s armed forces.
The UK’s response to cyberattacks was never very well defined. Boris Johnson created a National Cyber Force late last year, pulling experts from MI6, GCHQ and the Ministry of Defence together into a single command. The Integrated Review of security, defence, development and foreign policy, published two weeks ago, envisions the National Cyber Force working ‘to impose costs on our adversaries, deny their ability to harm UK interests, and make the UK a more difficult operating environment’.
Ultimately, cyberattacks are a means, not an end. Some APTs are conducting classic espionage and want our data. Some are seeking to sow discord and damage their opponents’ political systems. Other cyberattacks are designed to be damaging, and these are acts of terrorism or even war. And some, like North Korea’s Project Lazarus, are mostly old-fashioned theft. All of them are happening all the time, a constant onslaught of hostile state activity. Each demands a different response.
There’s no known British APT. Perhaps the UK’s National Cyber Force will be the new tip of the spear of our cyber-response, running daring operations in hostile computer networks. Or perhaps Britain already leads the world when it comes to cyber-operations. If so, we don’t know because they have been exceptionally good at it.