I checked the email that arrived at the company and it was "from North Korea" (January 17, 17:00)

The usual work emails that arrive almost every day. What if the sender was "North Korea's deadliest hacker"? If you had opened the email, billions of yen might have been stolen from the company. Is this what happens in Japan, where we live? It's everyday life.

A North Korean hacker is traced from a single email sent to a cryptocurrency exchange in Tokyo.

(Cyber Security coverage team)

One email from the "President"

A crypto asset exchange operator in Tokyo. Its daily trading volume is equivalent to 7 billion yen.

One day, just after noon, an email arrived for Mr. Hashimoto, an employee.

"Good morning. I will send you a new profit share." It was from the "President".

It was December, just ahead of the winter bonus payment. The message had been sent to all employees, apparently to announce a "new profit sharing" bonus. At the end, a link to a cloud service was attached, prompting the reader to check the details.

The wording was natural, and the content, a bonus, was attractive, but something felt off.

"I wonder if the president would send something like this in a mass email."

As suspected, the email was fake. Other employees who had received it also reported that a spoofed e-mail had arrived.

Fortunately, none of the employees clicked the attached link, and no particular damage was done.

Arrived from "North Korea"

Was this fake email just another kind of phishing scam? For one thing, the president's address was genuine, which made it elaborate.

With Mr. Hashimoto's permission, we (the NHK reporting team) had the e-mail analyzed by a security organization: the JPCERT Coordination Center, which supports many companies that have suffered cyberattacks.

When Mr. Hayato Sasaki, who specializes in virus analysis, checked the link in the email, he found that it had already stopped working. However, a closer look revealed certain characteristics. He focused on the server the link pointed to.

According to its past history, that server had been used by a hacker group to deliver computer viruses in another cyberattack. The group was "Lazarus", which is said to be directly under the North Korean authorities. When the virus used in that attack was obtained and examined, the same virus was also found in multiple other cyberattacks attributed to Lazarus.

Mr. Hayato Sasaki, JPCERT Coordination Center:

"It's circumstantial evidence, but overall it's highly likely that it was the North Korean hacker group Lazarus."

If the link had been accessed, the terminal would eventually have been infected with a virus. It turned out, in all likelihood, to be a mechanism for inviting intrusion from outside. If security had been breached, it would have allowed illegal remittances.

Common fake emails? Attacks are routine

When I conveyed the analysis results to Mr. Hashimoto, I received an unexpected answer.

Kenji Hashimoto, Bitbank:

"I hear that they are aiming for various exchanges, but I feel that they actually came to us."

He said it was not uncommon to receive fake emails, and revealed that the company had been hit by another cyberattack in the past.

The email received at that time contained a notice of a cyberattack on the company and a demand for money in exchange for calling it off. Immediately afterwards, hundreds of times the usual traffic concentrated on the company's website. It is believed to have been what is known as a DDoS attack. It reportedly did not lead to serious problems because security had been strengthened.

Mr. Kenji Hashimoto:

"Cyber-attacks are taking place on a regular basis. I've always tried to be careful, so I think I was able to take measures without panicking."

On the other hand, Hashimoto said he also feels the limits of defense against attacks on a scale involving a state.

Kenji Hashimoto:

"Unlike the hacker groups of the past, it is quite difficult for a single company to stand up against an opponent who attacks for the national interest as a nation."

Domestic damage of at least 10 billion yen

In fact, Lazarus is known for having leaked a film from "Sony Pictures Entertainment" in the United States in the past, and for hacking overseas central banks.

According to the analysis firm Chainalysis, Lazarus has been stealing crypto assets around the world, at a cost of more than $200 million a year in recent years. Damage has been confirmed not only in Japan, Europe and the United States, but also in Russia and China.

The email appears to be part of Lazarus' global attack campaign focused on cryptocurrencies. According to officials, damage of at least 10 billion yen has been caused in Japan in the past few years.

Chase the stolen coins!

We interviewed an analytics firm that works with law enforcement agencies around the world to track down stolen crypto assets.

Mr. Hayato Shigekawa, Chainalysis:

"If it is stolen, where is the money going? Where can it be frozen? That will be the key."

Hayato Shigekawa of the crypto asset analysis company Chainalysis.

In fact, the entire transaction history of crypto assets is open to the public. It is therefore possible to confirm from which address an asset has moved, and to where. Careful tracking of this history is key to locating stolen assets.

He showed us some examples of how Lazarus takes away crypto assets.

In March 2020, the U.S. Department of Justice indicted two men, including those involved in Lazarus' "money laundering."

First, the stolen crypto assets were spread across four exchanges. Then they fly off one after another. They are divided between two addresses; just when you think they have been sent, they are immediately merged again, and the transfers are repeated without any apparent logic. The attackers try to evade pursuit by creating complex paths.

The stolen assets ended up at five points and were found to be tied to two Chinese men who were indicted by the Department of Justice. The two are believed to have been involved in liquidating the crypto assets.

Clever "Money Laundering": Mixing

According to Mr. Shigekawa, in recent years Lazarus has been refining its techniques for evading tracking. One of them is "mixing".

Mixing is a technology that pools various coins (crypto assets) together and hides the transaction history. It was developed to protect users' privacy, but there are many cases where it is abused for money laundering. If the transaction history is lost, the thread for tracking is cut.

The same kind of mixing was also used in last year's theft of $620 million in crypto assets from a game company.
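The tracing described above (funds spread across exchanges, split, merged and forwarded until they come to rest, with the trail cut where a mixer is involved) can be illustrated with a small transaction ledger. The code below is an added example written for this page, not code from NHK, Chainalysis or any tracing product; the ledger, the address names and the "mixer_x" label are constructed placeholders. It apportions the stolen amount pro rata through every hop (a "haircut" rule) and reports where the traced funds are resting and how much was lost at the mixer.

```python
"""Follow a stolen amount through a constructed transaction ledger.

Every transfer on a public blockchain is visible, so an analyst can follow an
amount from address to address.  This ledger is constructed for the example
and the address names are invented.  Taint is apportioned pro rata: if 10 of
an address's 15 units are stolen, two thirds of anything it sends on counts as
stolen.  Funds entering an address listed as a mixer are treated as a cut trail.
"""
from collections import defaultdict, deque

# (sender, receiver, amount): constructed sample transfers in time order
LEDGER = [
    ("theft_addr", "exch_a", 40.0),     # spread across four exchanges
    ("theft_addr", "exch_b", 30.0),
    ("theft_addr", "exch_c", 20.0),
    ("theft_addr", "exch_d", 10.0),
    ("exch_a", "hop1", 25.0),           # split ...
    ("exch_a", "hop2", 15.0),
    ("hop1", "merge", 25.0),            # ... and merged again
    ("hop2", "merge", 15.0),
    ("merge", "cashout_1", 40.0),
    ("exch_b", "cashout_2", 30.0),
    ("exch_c", "mixer_x", 20.0),        # trail cut at the mixer
    ("mixer_x", "unrelated", 20.0),     # cannot be attributed any more
    ("exch_d", "cashout_3", 10.0),
    ("exch_d_other", "cashout_3", 5.0), # clean funds from an unknown source
]
KNOWN_MIXERS = {"mixer_x"}              # assumed label, constructed for the example
INITIAL = {"theft_addr": 100.0}         # the stolen amount, all of it tainted


def trace(ledger, initial, mixers):
    """Return ({address: tainted amount at rest}, {mixer: tainted amount lost})."""
    total = defaultdict(float)          # balance held per address
    tainted = defaultdict(float)        # part of that balance traced to the theft
    for addr, amount in initial.items():
        total[addr] += amount
        tainted[addr] += amount
    lost_at_mixer = defaultdict(float)
    for sender, receiver, amount in ledger:
        # A sender we have never seen is an external source of clean funds.
        fraction = tainted[sender] / total[sender] if total[sender] > 0 else 0.0
        stolen_part = amount * fraction
        if total[sender] > 0:
            total[sender] -= amount
            tainted[sender] -= stolen_part
        total[receiver] += amount
        if receiver in mixers:
            lost_at_mixer[receiver] += stolen_part
        else:
            tainted[receiver] += stolen_part
    resting = {a: round(v, 8) for a, v in tainted.items() if v > 1e-9}
    return resting, dict(lost_at_mixer)


def reachable(ledger, start, mixers):
    """Addresses reachable from `start` by following transfers, not expanding past mixers."""
    outgoing = defaultdict(list)
    for sender, receiver, _ in ledger:
        outgoing[sender].append(receiver)
    seen, queue = set(), deque([start])
    while queue:
        addr = queue.popleft()
        if addr in mixers:
            continue
        for nxt in outgoing[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    resting, lost = trace(LEDGER, INITIAL, KNOWN_MIXERS)
    for addr, amount in sorted(resting.items()):
        print(f"{addr:12s} holds {amount:6.1f} traced units")
    for addr, amount in lost.items():
        print(f"{addr:12s} trail cut, {amount:6.1f} units unattributable")
    print("touched:", sorted(reachable(LEDGER, "theft_addr", KNOWN_MIXERS)))
```

On this ledger 80 of the 100 stolen units come to rest at three cash-out addresses and 20 disappear into the mixer, which is exactly the "thread cut" problem the passage describes: the mixer's outputs are still on the chain, but nothing in the public history ties them to the theft.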

Mr. Hayato Shigekawa of Chainalysis:

"The rate of using difficult-to-reach services and laundering methods is increasing more and more. There is no doubt that it is becoming more and more of a threat from the point of view."

Across national borders, the public and private sectors must make arrests

How will Japan deal with Lazarus, which is seen as having the backing of a state?

This fiscal year, the National Police Agency established the Cyber Police Bureau, which will lead investigations, and the Cyber Special Investigation Unit, a specialized unit that conducts investigations directly as the national government. Instead of leaving crimes of national scale to the prefectural level alone, the National Police Agency now investigates directly as the national government.

Junpei Kawahara, Director General, Cyber Police Bureau, National Police Agency:

"In cyberspace, technologies and services that enable sophisticated crimes are emerging, but we cannot sit back and wait."

The Cyber Police Bureau operates 24 hours a day to monitor and respond to cyberattacks from North Korea and other countries around the world. In addition to providing the latest knowledge of viruses discovered by highly skilled investigators to overseas investigative authorities, it is also focusing on tracking the crypto assets stolen by Lazarus.

Junpei Kawahara, Director General, Cyber Police Bureau, National Police Agency:

"Our country as a whole is exposed to various threats in cyberspace. We will improve our proficiency by conducting general training that we are invited to. Always keeping in mind the importance of these things, we will protect the safety and security of society."

Just "be careful" is not enough

So how should we prepare?

Mr. Sasaki of the JPCERT Coordination Center points out that Lazarus' attacks are not just a matter of advanced hacking; analog methods such as deceiving people's minds are also characteristic.

"New Bonus Schedule"
"New Business Guidelines"
"New Job Opportunities"

These are titles of emails and files that Mr. Sasaki believes Lazarus actually sent. In addition to e-mail, they may contact employees' social media accounts under the guise of headhunting. By tricking the victim into trusting and opening a file, they infect the victim with a virus.

Lazarus also appears to do a great deal of research so as not to miss its chosen target. It collects public information such as company websites. At times, it resorts to every means, including theft, to gather "materials" for attacks.

The exchange's fake e-mail introduced here used a genuine e-mail address. In particular, mailing lists are used only by employees, and outsiders should not normally know about them.

Sasaki points out that organizations need to build a mechanism that prevents an attack from proceeding to the next step by comprehensively reviewing their systems.

A mechanism for noticing is also important

And I felt there are hints to be learned from the exchange that responded to this interview.

Why did none of the 120 employees get fooled? It was because of a rule that communication within the company is limited to chat tools, not email.

Of course, chat tools are not perfect. However, if in principle only employees can use them, it becomes much harder for attackers to send messages. This time, when the "president" contacted everyone by email, many employees realized something was wrong.
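The exchange's rule ("internal communication happens on chat, not e-mail") can be turned into a triage check at the mail gateway, alongside the other signals the article mentions: the From address looked genuine, the message went to an employee-only mailing list, and it carried a link to an external cloud service. The code below is an added example for this page, not the exchange's own tooling or any product's code. It assumes the company's inbound mail gateway stamps an Authentication-Results header with SPF/DKIM verdicts; the domain names, mailbox names and the three sample messages are constructed placeholders.

```python
"""Triage e-mail that claims to come from inside a chat-only company.

Added example; assumed placeholders: the company domain, the employee-only
list, the executive mailbox, and three constructed sample messages.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "exchange.example"                 # assumed company domain
INTERNAL_LISTS = {"all-staff@exchange.example"}      # assumed employee-only lists
EXECUTIVE_ADDRS = {"president@exchange.example"}     # assumed executive mailbox
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts stamped by the inbound gateway."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(hdr)):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def external_links(msg):
    """Hosts linked from the body that are not under the company domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {h.lower() for h in URL_RE.findall(text)}
    return sorted(h for h in hosts
                  if not (h == INTERNAL_DOMAIN or h.endswith("." + INTERNAL_DOMAIN)))


def assess(raw):
    """Return {'verdict': 'quarantine'|'review'|'deliver', 'reasons': [...]}."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipients = {parseaddr(r)[1].lower() for r in str(msg.get("To", "")).split(",")}
    auth = auth_results(msg)
    reasons = []

    claims_internal = sender.endswith("@" + INTERNAL_DOMAIN)
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    if claims_internal:
        # Internal communication is chat-only, so internal e-mail is itself unusual.
        reasons.append("internal sender address used e-mail instead of chat")
        if sender in EXECUTIVE_ADDRS:
            reasons.append("claims to come from an executive")
        if not authenticated:
            reasons.append("sender domain not authenticated (spf=%s, dkim=%s)"
                           % (auth.get("spf", "none"), auth.get("dkim", "none")))
    if recipients & INTERNAL_LISTS:
        reasons.append("addressed to an employee-only mailing list")
    links = external_links(msg)
    if links:
        reasons.append("links to external host(s): " + ", ".join(links))

    if claims_internal and not authenticated:
        verdict = "quarantine"      # looks internal but the gateway could not verify it
    elif len(reasons) >= 2:
        verdict = "review"          # unusual enough to hold for a human
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail); all domains are placeholders.
SPOOFED = """From: "President" <president@exchange.example>
To: all-staff@exchange.example
Subject: New profit share
Authentication-Results: mx.exchange.example; spf=fail smtp.mailfrom=exchange.example; dkim=none
Content-Type: text/plain; charset=utf-8

Good morning. I will send you a new profit share.
Please check the details here: https://files.cloud-share.example/bonus
"""

VENDOR = """From: billing@vendor.example
To: hashimoto@exchange.example
Subject: Invoice for December
Authentication-Results: mx.exchange.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
Content-Type: text/plain; charset=utf-8

Your invoice is available at https://portal.vendor.example/invoices/1234
"""

INTERNAL_OK = """From: hr-system@exchange.example
To: all-staff@exchange.example
Subject: Year-end schedule
Authentication-Results: mx.exchange.example; spf=pass smtp.mailfrom=exchange.example; dkim=pass header.d=exchange.example
Content-Type: text/plain; charset=utf-8

The year-end schedule is posted at https://intranet.exchange.example/schedule
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("vendor", VENDOR), ("internal", INTERNAL_OK)):
        result = assess(raw)
        print(name, "->", result["verdict"])
        for reason in result["reasons"]:
            print("   ", reason)
```

The spoofed "president" message is quarantined because it claims an internal sender that the gateway could not authenticate; the authenticated internal mass mail still lands in review, because under a chat-only rule any internal e-mail to the whole staff is worth a second look, which is the human-side "mechanism for noticing" the passage describes.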



To deal with attacks that target gaps in people's minds, it is important not only to improve security systems but also to raise awareness through the accumulation of such rules, one by one.

The risk arising from just one e-mail may eventually turn into missiles and become a security risk for Japan as a whole. Each of us needs to recognize that.

Cyber Security Reporting Group

Yohei Fukuda, Reporter, Science and Culture Department. Joined in 2013. After working at the Okayama and Sapporo stations, covered cyber security in the Science and Culture Department.

Keiichiro Furuichi. Joined the Bureau in 2014. Reported on the Bank of Japan and the financial industry after working at the Niigata Bureau.

Zhou Yinghuan, Reporter, Social Affairs Department. Joined in 2017. After working at the Okayama Bureau, covers the National Police Agency and the Metropolitan Police Department for the Social Affairs Department.

Yuto Sakai, Director, Ohayo Nippon. Joined in 2021. Covers cyber attacks on medical institutions for Ohayo Nippon.