Hacking Humans 7.1.21
Ep 154 | 7.1.21

An inside view on North Korean cybercrime.

Transcript

Geoff White: The North Koreans have been accused of breaking into banks not to steal money, but to control cashpoints.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Carole Theriault returns with an interview with Geoff White. He's a reporter from the BBC and co-host of "The Lazarus Heist" podcast. 

Dave Bittner: All right, Joe, before we dig into our stories this week, we have a little bit of follow-up from one of our listeners. What do we have here? 

Joe Carrigan: It's a question, actually, that comes from Mike (ph). 

Dave Bittner: All right. 

Joe Carrigan: And Mike says, hi, I'm a retired software engineer. I have a solid background in computer science. I know how networks, operating systems, compilers, et cetera work, which is actually rare among modern computer science graduates. 

Dave Bittner: (Laughter). 

Joe Carrigan: They understand compilers, but they may not understand networks or operating systems. However, I know very little about cybersecurity, and I'd like to get educated, then volunteer to help nonprofits or small businesses protect themselves from cyberthreats. Any recommendations? Is the TIAA (ph) Security+ Cert the best place to start? I'm going to say yes. The TIAA (ph) Security+ Cert is the best certification to start with. 

Dave Bittner: OK. 

Joe Carrigan: There are tons of online training that can get you up to speed pretty quickly. There's Cybrary. That has free online training. That's based out of Baltimore. 

Dave Bittner: Yep. 

Joe Carrigan: Get you set up with some basic cybersecurity stuff - take a look at that. If you're a retired software engineer, I think this material is going to be very approachable for you. I don't think it's going to be challenging at all. If you come from a technical background, you can leverage that to help yourself pick this up faster. 

Dave Bittner: Do you think that this listener even needs a certification? If he's setting out to do volunteer work, is that necessary? 

Joe Carrigan: Probably not. Charities are not going to go, oh, you're going to help us with volunteering? Well, let me see your certifications. 

Dave Bittner: (Laughter). 

Joe Carrigan: They don't really have a tendency to do that. They will say, we'll be grateful for anything you can give us. The Security+ Certification is pretty straightforward and easy to get. I wouldn't recommend going out and getting a CISSP to do volunteer work... 

Dave Bittner: Right. 

Joe Carrigan: ...Or become a - you know, become a Certified Ethical Hacker. The Security+, I think, is - if nothing else, read the materials for the test prep. It's pretty rudimentary, and with the basic understanding of network or the rather advanced understanding of network that someone with an older computer science degree has, it should not be challenging material at all. 

Dave Bittner: OK. 

Joe Carrigan: It should be very approachable. 

Dave Bittner: All right. Well, thanks to our listener for sending in that question. We would love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's dig into our stories this week. I'm going to kick things off for us. This is a story from Brian Krebs over at Krebs on Security. And it's titled "How Cyber Sleuths Cracked an ATM Shimmer Gang." Are you familiar with ATM shimming at all? 

Joe Carrigan: You said shimmer and I thought like light shimmering off water, right? 

Dave Bittner: Right, like glint - yes. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter) I know. That's what I thought first, too. It's like, is this some sort of sparkly attack on ATMs? 

Joe Carrigan: Right. 

Dave Bittner: No. 

Joe Carrigan: Is this something that criminals put on top of the ATM and then it skims the - it's like a skimmer? 

Dave Bittner: Sort of. So a skimmer - you know, most skimmers sort of get grafted on to the outside of the ATM like a barnacle, right? 

Joe Carrigan: Right. Yeah, a very convincing barnacle (laughter). 

Dave Bittner: Right, exactly. They look - exactly. They're very convincing. And chances are you probably wouldn't notice it. What a shim does is it actually goes inside the slot. 

Joe Carrigan: Aha. 

Dave Bittner: And in this case, law enforcement were kind of bedeviled by this particular shimming case, where these shims were being put inside of the ATMs. And the way that it worked, they were able to draw power from the ATM itself using the connections - the little contacts that connect with your card, with your ATM card. 

Joe Carrigan: The article has a picture of the device here, and it's got what looks like essentially a little pass-through... 

Dave Bittner: Yep. 

Joe Carrigan: ...You know, electric pass-through that has contacts on both sides so it can do just that - draw power. 

Dave Bittner: Right, exactly. And so evidently, this device that they would put in the ATM required very little power. It was engineered to draw very little power. 

Joe Carrigan: Right. 

Dave Bittner: It was a very slim device, so it could fit inside of there. So what would happen is the unsuspecting person would come up to use the machine, put their card in as usual, and this device would be kind of a man-in-the-middle sort of attack. 

Joe Carrigan: Right. 

Dave Bittner: It would suck up their information from their card. But then also what they discovered was they were using a combination of this shim but then also a camera to look over the person's shoulder... 

Joe Carrigan: Right, to get their PIN. 

Dave Bittner: ...To get their PIN, right. Now, what's really interesting is how they tracked down who was doing this. So most of this shimming was going on in Mexico. 

Joe Carrigan: OK. 

Dave Bittner: The vast majority of it was going on in Mexico. And evidently, according to this story, that was because some of the chip-and-PIN capabilities were not fully implemented in Mexico. 

Joe Carrigan: I see. 

Dave Bittner: There was a transitional period of time when the chip-and-PINs were new and - sort of an in-between time. And according to this article, down in Mexico, they were a little slower than many of the banks here in the U.S. were to go all-in on that implementation. 

Joe Carrigan: Right. 

Dave Bittner: So because of that, it made it possible for the bad guys here to take advantage of that. However, they did start showing up here in the U.S. And law enforcement - there was one that showed up at an ATM in New York City. And law enforcement were able to combine the security camera footage - right? - surveillance footage - right? - from... 

Joe Carrigan: Right. From the ATM where the people put it in. 

Dave Bittner: Right. They were able to combine that. So they knew the time of day that someone was using this machine. They were able to cross-reference the use of a card, a card number. Your ATM card has a number on it. 

Joe Carrigan: Right. 

Dave Bittner: Right? So what... 

Joe Carrigan: It's like a credit card. 

Dave Bittner: Exactly. What they noticed was a card in New York had the same card number as a card that was being used in Mexico. And once they were able to make that cross-reference and say, this is interesting, that this particular card number is the common thing between these machines that have been skimmed - right? - that have had this shim device put inside of them. 

Joe Carrigan: So is this the same - are they - are the criminals using the same card to install the shim? 

Dave Bittner: Well, what they were able to discover is that the criminals were using a specially equipped card that had a tether on it that was how they would get the numbers off of their shims. 

Joe Carrigan: I see. 

Dave Bittner: So in other words, they would put this special card that they'd made. They'd slide that in. It would connect. And the card number that this device pretended to be was the key that unlocked the encryption on the shimming device and allowed them to get the numbers that they had scooped up and allowed them to get them back. 

Joe Carrigan: I see. That's very clever. So even if law enforcement did remove the shim, they would not be able to decode the information on it without the key. 

Dave Bittner: Correct. And it turns out that this particular number, (laughter) this credit card number matched up with a credit card that had been issued, you know, somewhere - I believe it was in Europe. And it was a credit card that had been reported as being ordered and never delivered. So it was just this number that was sort of out there, a legit number, had never been activated. And so now the game is afoot. 

Joe Carrigan: Right. 

Dave Bittner: Because now they have this number. So now they can start looking for every ATM where this number was used. 

Joe Carrigan: Right. 

Dave Bittner: And sure enough, where this number was used, that's where the bad guys were. 

Joe Carrigan: And every one of them had a shim in it. 

Dave Bittner: Every one of them had a shim in it. 

Joe Carrigan: Right. 

Dave Bittner: Right. So eventually, they were able to track these folks down. And they got their hands on this downloading card that they used. And there's a picture of it here in the article. And it looks like - it's the shape of a credit card. It's a little bit longer so that this ribbon cable can come off the back of it. 

Joe Carrigan: Right. 

Dave Bittner: And then that connects to a little circuit board. And so if you put this in the machine, the machine recognizes that this card has the number that triggers the decryption and transfer of all the credit card numbers that this shim had been storing up. 

Joe Carrigan: That's amazing. 

Dave Bittner: Yeah. Isn't it (laughter)? 

Joe Carrigan: Yeah. Why don't these people apply themselves to legitimate work? They'd be rich. 

Dave Bittner: (Laughter) I know. I know. I know. It really is clever. So I just think this is fascinating from a lot of different points. First of all, it's a really good look inside how these shims work. One of the things that this article pointed out is that after law enforcement and banks had discovered the bad guys using these shims, they narrowed the opening on a lot of their ATMs so that it would be harder to get a device like this in there. 

Joe Carrigan: OK. 

Dave Bittner: Which makes sense. 

Joe Carrigan: Yeah, they'll adapt. 

Dave Bittner: Yeah (laughter). Yes. I mean, that's all cat-and-mouse. But... 

Joe Carrigan: Right. 

Dave Bittner: I was trying to think of, you know, in terms of folks trying to protect themselves against this thing, first, I would say go cardless with your payments. If you can use a... 

Joe Carrigan: If you can, yeah. 

Dave Bittner: Yeah. If you can use Apple Pay or Google Pay or any of the ones that use an electronic token. 

Joe Carrigan: Yeah, a one-time electronic token. 

Dave Bittner: Right. That's going to be better than having to use your card anywhere. 

Joe Carrigan: Right. Much more secure. 

Dave Bittner: Yeah. But beyond that, I mean, this was very clever, very effective. I'm not sure if you are a user of the ATM. I suppose maybe being very vigilant about covering your PIN number as you enter it in... 

Joe Carrigan: Yeah. Yeah, I mean... 

Dave Bittner: ...So they can't see it over your shoulder. 

Joe Carrigan: I try to stand closer to the ATM when I'm entering a PIN... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Just in case there is something behind me. I've always been uncomfortable when there are people nearby. 

Dave Bittner: (Laughter) Hanging over your shoulder. 

Joe Carrigan: Right 'cause, you know, I'm always - they don't even need to hang over the shoulder - right? - to get the PIN. They just need to wait for me to get my money and then hit me in the back of the head with something, right? 

Dave Bittner: Well, that's true. 

Joe Carrigan: I'm like, all right, I got 200 bucks. Bam, I'm on the ground. 

Dave Bittner: Yeah. 

Joe Carrigan: Somebody else has my 200 bucks. 

Dave Bittner: Right. 

Joe Carrigan: It's been my fear so much that - to the point when I - where I go to an ATM with a friend, I will stand behind the friend and turn around and look out - right? - so that everybody knows, OK, this is going to be tougher than just hitting one guy. 

Dave Bittner: Giving them the evil eye. 

Joe Carrigan: Right. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: I'm just looking like the muscle. 

Dave Bittner: Yeah, right. Yeah, that's the first thing I think of when I look at you, Joe. 

Joe Carrigan: Right. Yeah, muscle. That's... 

Dave Bittner: Look at that guy. That guy is the muscle, no doubt about it. 

Dave Bittner: All right, well, that is my story. Again, that's from Brian Krebs over at Krebs on Security. And we'll have a link to that in the show notes. It's an interesting one, definitely worth checking out to see all the details. 

Joe Carrigan: That's cool. 

Dave Bittner: Yeah. All right, what do you have for us, Joe? 

Joe Carrigan: Dave, my story comes from Malwarebytes Labs, which is their research organization. They have a blog over there. And they're talking about Bitcoin scammers phishing for wallet recovery codes on Twitter. So we're all familiar with the scam where somebody is on Twitter complaining about some company, right? 

Dave Bittner: OK. 

Joe Carrigan: And then an impersonation account jumps in and says, well, let me help you. And they slide into the DMs - right? - as they say on Twitter. 

Dave Bittner: Oh. 

Joe Carrigan: And they say, hey, go to this page and enter your login credentials, and we can get started, right? 

Dave Bittner: Oh, I see. Yeah, yeah, yeah. 

Joe Carrigan: Well, there's a company called Trust Wallet that is an app on your phone that's used to send, receive and store your bitcoin. So it's kind of like a wallet and an exchange. I'm not exactly familiar with how Trust Wallet works. I haven't used it. But it lets you work with cryptocurrencies and other nonfungible tokens, as they're called. 

Dave Bittner: OK. 

Joe Carrigan: One of the things that they say that Trust Wallet has on their official Twitter page is the first rule of crypto is never give out your recovery phrase. 

Dave Bittner: Right. 

Joe Carrigan: The second rule of crypto is never give out your recovery phrase. And the third rule of crypto is when someone asks you for your recovery phrase, remember the first and second rule. Right? 

Dave Bittner: OK. 

Joe Carrigan: Because that's exactly what's happening on Twitter. Somebody has posted a tweet that says, thank God I finally got my stolen coin and money back. Now I can rest my head. That's the hook. 

Dave Bittner: OK. 

Joe Carrigan: But you scroll down a little bit further, and there's another reply that says, I lost all my money and coins last week until I contacted their support page and they helped me rectify and resolve it. I think if you have any problems, you should write them, too. And they provide a URL. 

Joe Carrigan: Now, when you go to the URL, if you are unfortunate enough to click on this URL, it is one of these survey development pages. One of my earliest projects was building a survey tool for internal use in a company. And it was interesting to do. But now these tools are out there, and everybody has them. So anybody can go in and set up a survey. 

Joe Carrigan: And this survey looks very much like a customer service form, right? And it has questions like, which of the following issues are you worried about - high fees, login issues, swap or exchange? And then it says Anders, which I don't know what that means, but it could be other 'cause it has a space next to it, a place where you can put text in. And then it has a field that says, kindly input your 12-word passphrase linked to your wallet account. And then parenthetically, it says, kindly note that this is processed by Trust Wallet encrypted cloud bot. Your security is our priority. And then it asks you to put the phrase in. 

Joe Carrigan: How this is supposed to work is you and Trust Wallet established what this 12-word phrase is, and it's very difficult for someone to guess it. If someone asks you for it, if someone - then you're much more likely to give it up. But Trust Wallet would like to remind everybody, don't do that. 

Joe Carrigan: There are a lot of Twitter accounts out there doing this. And the reason they're doing this is because it is a very low-effort attack that has very high payoff, right? If people get access to these crypto wallets out there, they can just transfer all the money out of it. And Bitcoin is worth, like, $30,000 apiece now or something like that. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a lot of money. 

Dave Bittner: Yeah. It also strikes me that by using these survey sites, that's not going to trip any alarms in terms of it being a dangerous site... 

Joe Carrigan: Right. 

Dave Bittner: ...'Cause they're taking you to a legitimate site. 

Joe Carrigan: Right, exactly. That's a very good point. 

Dave Bittner: Yeah. 

Joe Carrigan: One that I hadn't actually considered with my reading of this article. Thank you for bringing that up because that is absolutely right. This is not a malicious site. You're not going to a scam - well, you're going to a scam survey on a legitimate site. 

Dave Bittner: Right, right. Interesting. So what are the recommendations then? I mean, how do folks protect themselves? 

Joe Carrigan: Well, Dave, the recommendation is never give out your recovery phrase. 

(LAUGHTER) 

Dave Bittner: I think I've heard that before. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: And remember that legitimate sites are probably not going to run their customer service organization on a survey site. That's - really the biggest thing here is don't give out your recovery phrase. That's a secret that you're supposed to have, and only you are supposed to use it. 

Dave Bittner: Right. 

Joe Carrigan: It's not something that you enter to get support. You never need to do that. 

Dave Bittner: Yeah. If you share it, it's no longer a secret. 

Joe Carrigan: That's right. 

Dave Bittner: Yeah. All right, interesting story. We'll have a link to that in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Rohit Srivastwa. You can follow him on Twitter - @rohit11. He's a friend of the show. He sent us a bunch of stuff before. And this is actually a piece of mail that was received that Rohit has sent us a picture of. So do you want to go ahead and give a crack at reading this? 

Dave Bittner: Sure. It says, (reading) dear customer, Naaptol Online Shopping Private Limited is pleased to inform you on the occasion of its birthday celebration, the company has selected few of its customers in a random lucky draw contest. We are glad to amaze to inform you that you are one of those lucky customers that the company has selected. It's our ultimate pleasure to announce your winning scratch coupon, which you will be able to redeem by either calling on our toll-free prize helpline number, or you can also SMS or WhatsApp the coupon code to our WhatsApp number or visit our website. Please note that this is an internal initiative of the company solely meant for promotional purpose only. And all the prize-related information will only be available on our toll-free prize helpline number. This gift distribution is covered by our banking partner. The coupon value with this letter is guaranteed by HSBC Bank. 

Dave Bittner: (Reading) Redemption rules - please read term and condition carefully. One - the total amount coupon price value will be credited directly to your bank account. Two - all government, central and state taxes, processing fees, total redemption of the prize money will be paid by the winner. Three - the charge levied will be collected in advance and will not be adjusted against the prize money under any circumstances. Four - all payment will be made on terms of state and central government rules. Five - your bank ac (ph) no must link with Aadhaar card and PAN card. Please fill form and send by WhatsApp or mail to us. 

Joe Carrigan: What is amazing about this is this picture actually has somebody who has gone out and purchased an HSBC stamp, like a rubber stamp with an HSBC logo on it, and they've got other stamps down here. This looks really official. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. Stamped and signed, approved. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: And they are asking for your account, the account holder name - and they give you a bunch of little boxes to write that into - your bank account number, your IFSC code - I'm not sure what that is - branch name, mobile number, bank name and PAN number if available... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then Aadhaar number. I'm not sure what all these different numbers are. 

Dave Bittner: I suspect it's all, you know... 

Joe Carrigan: Banking numbers. 

Dave Bittner: Yeah, banking - the Indian banking system. 

Joe Carrigan: Right. 

Dave Bittner: You know, it's the standard stuff... 

Joe Carrigan: Right. 

Dave Bittner: ...In that part of the world. 

Joe Carrigan: What's interesting is the redemption rules. Item No. 3 says the charge levied will be collected in advance and will not be adjusted against the prize money under any circumstances. So what they're trying to do is trying to prevent people from going, well, OK, well, just send me the money and deduct the fees from it. They'll say, take - kindly take a look at item No. 3 on our requirements or our redemption rules. 

Dave Bittner: (Laughter) Right, right, right. 

Joe Carrigan: And just pay us the money and let us scam you. 

Dave Bittner: Yeah. Interesting that, you know, this - as with many we're seeing these days, there's a lot of effort here. They went to the trouble to design this form, print it out, put these rubber stamps and signatures on it and then put it in an envelope and mail it. 

Joe Carrigan: Right. Yeah, this is a high-cost attack. 

Dave Bittner: Absolutely. 

Joe Carrigan: It's not like a phishing email or spam email where you just send out millions for a couple bucks. 

Dave Bittner: No (laughter). 

Joe Carrigan: Each one of these things cost whatever it costs to send a letter in India. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know Indian postage rates. 

Dave Bittner: Yeah. I guess it works out for them, though. 

Joe Carrigan: Right. 

Dave Bittner: All right, well, heads-up and beware of that. And again, thanks to our listener, Rohit, for sending that to us. We appreciate it. 

Dave Bittner: And again, we would love to hear from you. If you have something you'd like us to consider for our Catch of the Day, you can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it's always great to have Carole Theriault back on the show. 

Joe Carrigan: It is, indeed. 

Dave Bittner: And this is no exception to that. This week, she's got an interview with Geoff White. He's a reporter from the BBC and co-host of "The Lazarus Heist" podcast. Here's Carole Theriault. 

Carole Theriault: So today, we have a pretty fun day. We have with us Geoff White, investigative journalist, author and broadcaster. He is really one of the U.K.'s top tech specialists. Now, working with BBC World Service, Geoff has created and published a podcast called "Lazarus Heist," and it is a hot ticket. Geoff, tell us, when did it first get published? 

Geoff White: Feels like a long time. It was beginning of April. I think it was the first week of April was Episode 1. And we're now up to Episode 5. So, yeah, it must be five weeks by now - yes, yes. 

Carole Theriault: So why don't you kick us off and give us the premise of the show? 

Geoff White: This is the inside story of North Korea's cyber army. So the Lazarus heist that the title refers to - of course, the attempted billion-dollar hack on Bangladesh Bank, which we go through in great detail, and just keeps giving and giving. We also go into the Sony hack, which again is attributed to North Korea. Obviously, North Korea have denied a lot of this stuff, FBI accusations. 

Geoff White: But we also talk about life in North Korea. We've got this amazing co-presenter, Jean Lee, who spent eight years as a journalist inside North Korea. And she's got all this amazing insight into just how North Korean society works and how on earth, you know, a society where most people can't even access the internet can give rise to computer hackers. How does that even work? 

Carole Theriault: I think that makes this podcast so interesting because you're sitting there saying, this is what's going on in the world of cybercrime during this time. And your co-host, Jean, is telling us what is going on actually in North Korea at the time because she was there. 

Geoff White: Exactly so, yeah. And interestingly, she witnessed the rise of computing in North Korea. 'Cause to say that North Korea doesn't have computers is obviously false, but she saw these computers and a sudden emphasis. They even had a theme song for computers in North Korea, as (laughter) they tend to in communist countries. And she thought, well, there's got to be a - there's got to be other explanations for this. It can't just be, you know, let's pull North Korea into the computerized society. You know, there's got to be some military application for this 'cause, of course, in North Korea, there's always a military application for things. 

Geoff White: And so she's been really interested in, you know, the cyber side. So we're sort of seeing it from both ends of a telescope, I guess you could say. 

Carole Theriault: So you kick off the podcast with the infamous Sony Pictures hack from 2014. And in fact, the entire podcast covers the cybercrime activity conducted by the Lazarus Group. And I guess that's why your podcast is called "Lazarus Heist." 

Geoff White: Indeed, indeed. Well spotted. 

Carole Theriault: Thanks. Genius at work here. OK, so let's start with the Sony Pictures hack. Maybe you can tell us a little bit about why this hack actually happened. 

Geoff White: Well, this - the reason this has been attributed to North Korea is Sony famously had a film that they were making called "The Interview," written by Seth Rogen, who also starred in the film. And this was - the subplot was an assassination of Kim Jong Un, the leader of North Korea. And again, one of the things that's fascinating talking to my co-host, Jean Lee, is just how offensive that would be. I mean, you're talking within North Korea. It would be like the thing with the Prophet Muhammad in Islam. It is that level of offense that you've caused by saying all of that. 

Geoff White: Sony went ahead with the film after taking some advice. And the strong suspicion on the part of the FBI is North Korea took unkindly to this and hacked into Sony. And what was remarkable was the way that hack was perpetrated, first of all. 

Geoff White: But what they did afterwards, the incredibly cynical and meticulously managed campaign to leak the information they'd stolen to do Sony the maximum PR damage, it was almost like somebody had done a course in destructive PR and how you leak things to cause the most damage to your target, your victim. And the North Koreans did that, certainly according to the FBI. And Sony - I mean, it was just a slew of embarrassing headlines. And, of course, in the end, the film got canned. A lot of Sony senior staff moved on. It was a very painful, very painful experience for Sony. 

Carole Theriault: And not just Sony Pictures, but producers, actors, celebrities. 

Geoff White: They basically stole, from the looks of it, the entire email spool within Sony Pictures Entertainment, so every email that everybody sent to everybody else within Sony for a certain period of time. And, of course, you know, there's gossip in the film industry. You can understand that. Some of this gossip got very, very embarrassing for those concerned. There were headlines about Angelina Jolie being called a spoiled brat. I don't want to call it banter because that underplays it, but the kind of stuff that goes on in offices that shouldn't go on but you never think will hit the headlines. 

Geoff White: And suddenly - and by the way, the North Koreans were emailing journalists at publications and saying, hey, have you looked at this leak? Because there's a story in there you should cover. They were urging journalists to cover these individual stories. It was incredible - absolutely incredible. 

Carole Theriault: Yeah. It's like all systems go to make Sony really feel the pain. Now, what other Lazarus attacks do you cover? 

Geoff White: So, yes, the Lazarus Group's been pinned for a number of things. We go on to cover the Bangladesh Bank story, which is the now-infamous billion-dollar attempted theft from Bangladesh Bank - money then stolen from Bangladesh Bank's accounts in New York, laundered through the Philippines and Sri Lanka, laundered through casinos in the Philippines. There is also a connection to Japan, which we explore, and multiple links back to Macao. And Macao has for a very long period of time been sort of North Korea's financial conduit to the outside world, if you like. It's where money and goods and people and services go in and out of North Korea 'cause, obviously, North Korea is sort of sealed off from much of that from the outside world. So we cover the whole Bangladesh Bank case. 

Geoff White: And a bit of a spoiler alert, but the end episode is the WannaCry story, which again - the WannaCry ransomware attack, 2017, attributed to North Korea, certainly by the FBI and others. 

Carole Theriault: What's pretty remarkable about this podcast is you're talking about pretty complex attack vectors here, but somehow you're able to make it so accessible to non, you know, IT security people. 

Geoff White: I mean, this all grew out of a chapter of a book I wrote last year called "Crime Dot Com." And the reason I pitched this chapter for a podcast was it is hands-down the most compelling and filmic cyberattack. I mean, it's - in terms of the Bangladesh Bank heist and to some extent Sony, it's almost like these hackers have watched, you know, a heist movie like "Ocean's Eleven" or, you know, "L.A. Takedown" or whatever, and they've thought, oh, we'll do that in cyberspace, and then they've actually done it and carried it out. It's almost like scene for scene. There are certain scenes you have in a film that take place almost exactly the same, but in cyberspace. So it's incredibly accessible. It's obviously got the heist plot at the heart of it. That's the sort of spine of the story. 

Geoff White: But that's what I'm always looking for as a journalist is these opportunities to explain to people how this stuff works, but explain it in this kind of compelling and gripping way, which I hope the podcast does. 

Carole Theriault: I mean, it's a pretty cool way to learn about cybersecurity and how to be more safe by listening to this podcast, for sure. Now, what did you learn? I mean, you're pretty au fait with all things cyber and technology. 

Geoff White: Yes, absolutely. I mean, for starters, say, working with Jean Lee, my co-host, has been just an incredible experience to find out so much more about North Korea and how the North Korean society works and how North Korean computer technology and computer society works. That's been amazing. 

Geoff White: We've also scribbled out (ph) - I mean, I thought I knew the Bangladesh Bank heist back to front, but we found out stuff I - bits of information I never knew. I mean, I always knew they were going to send $80 million of the stolen money through the Philippines. What I did - through four bank accounts. What I didn't realize was their plan was to send the entire 951 million that they were intending to steal. All of it was going to go through those four bank accounts in the Philippines. So they... 

Carole Theriault: Wow. 

Geoff White: They were going to end up with - because they withdrew this in cash, eventually. I think their plan may have been to have $951 million in banknotes sitting in the Philippines so they could then launder... 

Carole Theriault: Not suspicious or anything. 

Geoff White: Amazing. But the other thing - and this isn't in the podcast, but again, spoiler alert. It looks like there may be a book of the podcast coming out. And if there is, this will be in it. 

Carole Theriault: That's exciting. 

Geoff White: Subsequently, the North Koreans have been accused of breaking into banks not just to steal the money, but to control cashpoints. They've managed to make it so they can jackpot the cashpoint. So you can basically withdraw as much money as you like at cashpoints around the world, and it will all be attributed back to the victim bank. 

Geoff White: Now, what's amazing about that is you're not just talking about, like, smuggling money to one country, like the Philippines. You're talking about, well, 29 different countries in one case. So you've got dudes running around with cash, little wads of cash, in 29 different countries. How do you get that cash back to - if it is North Korea, how do you get it back to Pyongyang? There's this entire network. 

Geoff White: I mean, more and more is coming out about these cases. There's connections to money launderers in the Philippines, to Canada. There's banks in Romania. So I suspect really over the next few months, certainly as I do more digging for any potential book that comes out of it, there's loads more to go that exposes this intersection between the North Korean government's cyberactivity and, you know, organized crime - basically, the people who send mules to cashpoints with cash cards. That's what's to come out. And that's the really - for me, the really interesting stuff. 

Carole Theriault: God, it's like the more you dig, the more you find. Geoff White, thank you so much for coming on "Hacking Humans" and discussing your podcast, "Lazarus Heist." Not to be missed, folks. This is Carole Theriault for "Hacking Humans." 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Interesting interview. I am definitely going to have to check out "The Lazarus Heist" podcast. 

Dave Bittner: Yeah. Yeah, I've listened to some of it, and it is compelling. 

Joe Carrigan: Right. 

Dave Bittner: It's really a good story. 

Joe Carrigan: Yeah. And that's really what makes a good podcast sometimes. 

Dave Bittner: Yeah. 

Joe Carrigan: Geoff talks about how it seems like someone took a course in negative PR with the information they received from Sony. This is how a lot of oppressive regimes operate on a daily basis. The hard part for them is getting the information. But once they got the information from the cyberattack, doing the most damage to them is second nature, I think. I'm actually not surprised by that. 

Joe Carrigan: When that hack came out, I'm like, Sony is going to have a lot of problems here... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because communist oppressive regimes are really, really, really good at propaganda. 

Dave Bittner: Yeah. 

Joe Carrigan: That's why they're in charge. 

Dave Bittner: Yeah. 

Joe Carrigan: So that doesn't surprise me at all. Do you remember Sony's response to all of this? 

Dave Bittner: Well, which - I - not specifically. What are you speaking of? 

Joe Carrigan: I think what they did was the exact right thing. They said, we're going to let everybody watch "The Dictator" (ph) for free. They put it out there, and you could just watch it. 

Dave Bittner: Right, right. 

Joe Carrigan: Now, this is one of those things where I've actually seen the movie. And it's supposed to be a comedy, but it's kind of a slog to get through. You know, it's... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Have you seen it? 

Dave Bittner: No, I have not. 

Joe Carrigan: It's - yeah, it's not worth it. 

Dave Bittner: OK. 

Joe Carrigan: But, you know, it's one of those things that if North Korea didn't do anything, it would've been less of a story than what it was because they attacked Sony. 

Dave Bittner: Right, just been - that might've been a movie that came and went without very much notice. 

Joe Carrigan: Right, yup. 

Dave Bittner: OK. 

Joe Carrigan: On the Bangladesh robbery, I'm amazed that these guys are trying to collect just a billion dollars in cash - right? - that that's their plan. You know how much a billion dollars in cash weighs? 

Dave Bittner: (Laughter) Well, it depends on what size bills you use. 

Joe Carrigan: Yeah. 

Dave Bittner: But no matter what, it's going to - I think it's a thousand million dollars. 

Joe Carrigan: Right. 

Dave Bittner: It's going to take a little bit of effort. 

Joe Carrigan: Right. It's a lot of money. 

Dave Bittner: Right. 

Joe Carrigan: And the money mule network must be huge. It has to be. And Geoff kind of alluded to this. They almost have to be subcontracting with organized crime for this. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, it's an interesting story. It's a good interview. I am going to definitely check out this podcast. 

Dave Bittner: Yeah, absolutely. All right, well, our thanks to Geoff for joining us. And, of course, thanks to Carole Theriault for providing that interview for us. And, of course, if you want to hear more from Carole, she is the co-host of the "Smashing Security" podcast. 

Joe Carrigan: Another great security podcast. 

Dave Bittner: Another great security podcast. Definitely worth your time. 

Dave Bittner: All right, well, that is our show. We want to thank all of you for listening. And we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.