Hacking Humans 4.20.23
Ep 240 | 4.20.23

Lazarus Group: Breaking down the evolution.


Jean Lee: And that's probably where the name Lazarus comes from. Just when you think you [inaudible] them out, they come back. They're very, very clever in evading [inaudible] because they've been doing it for decades.

Dave Bittner: Hello everyone, and welcome to the CyberWire's Hacking Humans Podcast where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello Joe.

Joe Carrigan: Hi Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, I speak with Jean Lee, public policy fellow at the Wilson Center, and author and journalist Geoff White. They're bringing us a preview of season two of their podcast, the Lazarus Heist. All right, Joe. Let's jump right into our stories this week. You want to start things off for us here.

Joe Carrigan: Dave, no AI story from me this week.

Dave Bittner: Okay.

Joe Carrigan: But I will say that there are multiple stories out there about generative AIs being used in kidnapping scams.

Dave Bittner: Oh.

Joe Carrigan: So you can just Google that and look at it. I don't know how we defend against this.

Dave Bittner: Yeah.

Joe Carrigan: But I got to move on to some regular, old social engineering stories.

Dave Bittner: Okay.

Joe Carrigan: And this one comes from Lauren Jackson at WBRC. I always want to say WBRB because it sounds like, I'll be right back. But it's-

Dave Bittner: Okay [chuckles].

Joe Carrigan: -WBRC. This is a story about a scam that has been running around local businesses in the area and it is- here's what happens. Here's how this works.

Dave Bittner: Hmm.

Joe Carrigan: Somebody calls in to a tire shop; that's who's getting targeted this time.

Dave Bittner: Okay.

Joe Carrigan: And they order tires, like $20,000 worth of tires.

Dave Bittner: [Chuckles]. As you do.

Joe Carrigan: As you do.

Dave Bittner: [Chuckles]. That's some nice tires. Don't get caught in the snow with those tires, Joe. [Chuckles].

Joe Carrigan: You'd be able to roll over everything with those things.

Dave Bittner: Yeah. [Chuckles].

Joe Carrigan: Then they say, hold on. I got a bunch of credit cards. I have to try to pay with this because I'm going through some financial stuff right now. So let me just start running through some- some credit cards. And of course, the person on the other end is entering credit card information. Some of them get approved for $1,000. Some of them get declined. And then before everything's over, they've paid for $20,000 in tires. And then they send somebody to go pick up the tires.

Dave Bittner: Huh?

Joe Carrigan: Right. This guy goes and picks up the tires, and then all the credit cards get charged back because somebody goes, I didn't order $1,000 worth of tires. I live in Wisconsin. Why are these tires on my credit card?

Dave Bittner: Okay.

Joe Carrigan: So I put the story in here. This is a short story. It's just an obvious chargeback scam. Somebody's going to get some free tires, $20,000 worth of free tires. But the idea that stuck out to me is, this operation requires that they have tire mules.

Dave Bittner: Uh-huh.

Joe Carrigan: -mules who specifically go around and pick up tires from places.

Dave Bittner: Yeah.

Joe Carrigan: And then they have to fence these tires.

Dave Bittner: Uh-hmm.

Joe Carrigan: It's the standard stolen goods scheme-

Dave Bittner: Right.

Joe Carrigan: -with a different angle.

Dave Bittner: Seems to me like it wouldn't be hard to find somebody with a pickup truck or a van and pay them, you know, whatever - 100 bucks.

Joe Carrigan: They could just go rent a U-Haul.

Dave Bittner: Yeah. Right, right. To just go -

Joe Carrigan: Right. Put them all in there.

Dave Bittner: -pick up the tires and then take them to whatever place- you know a storage unit or something where they fence the stolen tires.

Joe Carrigan: Yeah.

Dave Bittner: It feels like a lot of work, but I guess-

Joe Carrigan: It does seem like a lot of work.

Dave Bittner: -it's working. [Laughs].

Joe Carrigan: But people are making money. I mean, if you get free tires, and you can turn around and sell them for half their cost, you got $20,000 worth of tires, in a day, you've made 10 grand.

Dave Bittner: Yeah. That's true. That's true.

Joe Carrigan: So, not bad work if you can get it.

Dave Bittner: No. You'd think that this would raise red flags with the tire companies, the retailers, if somebody's trying to- if somebody's playing- you know, opens up a bunch of credit cards- like, you know, fanning them like they're playing poker, you know.

Joe Carrigan: Yeah. I think that what happens is there's a salesperson who's going, ooh, I'm going to get a big commission on this one.

Dave Bittner: Yeah, that's true.

Joe Carrigan: And that's- and they're willing to do whatever they have to do, I think. But that would strike a red flag in my head or put up a red flag in my head.

Dave Bittner: Absolutely.

Joe Carrigan: My second story comes from Dave Sentendrey [assumed spelling], or David Sentendrey at KDFW, from one of my favorite places in the world, the Dallas Fort Worth area.

Dave Bittner: Okay.

Joe Carrigan: And it's a good news, bad news story. The first part is going to be bad news, and it's about a 70-year-old widow who in 2019 was scammed out of $75,000 in a romance scam.

Dave Bittner: Aww.

Joe Carrigan: She is now telling her story because she doesn't want other people to fall victim. And this is a great quote from her in the article. They're not naming her in the article, which is also good.

Dave Bittner: Yeah.

Joe Carrigan: It's great that she's coming forward though. But she says I fell for it. It's embarrassing. I'm not a stupid person, but believe me, they've got their act together.

Dave Bittner: Hmm.

Joe Carrigan: So I believe that this woman is not stupid-

Dave Bittner: Yeah.

Joe Carrigan: -and honestly fell for a romance scam. When you hear how this thing works or what's going on here, it kind of makes sense. The scammers were ready for her. They had all kinds of documentation to make things seem legit. And then the people who communicated with her, or the person who communicated with her- I don't know if it was one or more people-

Dave Bittner: Yeah.

Joe Carrigan: -they convinced her that they had a big business deal in the making, but they needed a loan to make it through to when the business deal came through.

Dave Bittner: Aah.

Joe Carrigan: Now they were so convincing, she had her church group praying for the success of this business deal.

Dave Bittner: Oh wow.

Joe Carrigan: So that's- I think that's convincing. So she was talking to other people about it, and it didn't set off any red flags with them either. But she was sending numerous packages containing cash to different addresses in the Dallas Fort Worth area, and someone at the UPS store that she was using said, something's going on here. And they called the police.

Dave Bittner: Oh.

Joe Carrigan: Right.

Dave Bittner: Okay.

Joe Carrigan: So law enforcement then got involved, and law enforcement found out that there was a ring of about four people in the DFW that were handling the money and laundering it. They were calling themselves the Yahoo Boys.

Dave Bittner: Okay.

Joe Carrigan: Very clever name.

Dave Bittner: Yeah.

Joe Carrigan: I don't know why they called themselves the Yahoo Boys. Maybe they just opened up massive amounts of Yahoo accounts. I don't- I don't get this.

Dave Bittner: Well yahoo is kind of a Texas thing to say, isn't it?

Joe Carrigan: It is.

Dave Bittner: Yeah.

Joe Carrigan: Yee-haw more so.

Dave Bittner: Well true, true. Yeah.

Joe Carrigan: Being someone who goes to Texas quite frequently, is the owner of not one but two cowboy hats, eyeing a third by the way- yes, I'll say that. So there's three or four people. Of the four people they've identified in this group of people, one of them, a Mr. Obi- I have no hope of ever properly pronouncing his first name, so I won't attempt it, but he has now been sentenced to 20 years in prison.

Dave Bittner: Wow.

Joe Carrigan: I don't know if this is federal prison or Texas prison.

Dave Bittner: Uh-huh.

Joe Carrigan: I don't know what Texas jurisprudence is, if it's like federal prison- like you don't- When you get sentenced to 20 years in federal prison, you're going to be put away for about 20 years.

Dave Bittner: Yeah.

Joe Carrigan: You don't get time off for good behavior. There's no parole. None of that. That's what you're going to do. I don't know what it's like in Texas. Texas is a state court. And I don't even know which system this guy was sentenced in. The article doesn't mention that. But here's what's interesting about him. He moved, during the two months they were watching him, $1.3 million to Nigeria. So he was obviously the money mule, and they nabbed him for fraud and money laundering.

Dave Bittner: Huh.

Joe Carrigan: And he was taking delivery of these packages, and somehow getting that money over to Nigeria, and Turkey, and one other place that I can't remember from reading the article. But it was- he was sending money all over the world, and now he's going to be the guest of some legal system for the next 20 years. Prosecutors are still working on cases for the other three people that are not named in the article because- I guess because they haven't been convicted. But my guess is they're also going to be convicted or hit a plea deal or something.

Dave Bittner: And no word in this article whether the- this victim, the 70-year-old widow has any chance of getting any of her money back?

Joe Carrigan: Probably not. There is no word in the article about that. Being that it's from 2019 and here we are four years later, she's probably not going to get that money back.

Dave Bittner: Yeah, yeah. Wow. All right, interesting stuff. Well it is good news that-

Joe Carrigan: It is good news.

Dave Bittner: -at least somebody's being brought to justice here. So-

Joe Carrigan: Yes, indeed. That's the good news part of the good news, bad news equation here.

Dave Bittner: Uh-hmm, uh-hmm. All right. Well my story this week comes from the folks over at Nine News. This is in Colorado, one of the local affiliates there. It's an NBC affiliate.

Joe Carrigan: Okay.

Dave Bittner: And this is the story of- this is a weird one, Joe.

Joe Carrigan: Okay.

Dave Bittner: This is a story of a heist that took place at a casino in Blackhawk, Colorado. It's a Monarch casino.

Joe Carrigan: A heist.

Dave Bittner: A heist, sort of. So at a quarter to one in the morning in March, a cashier named Sabrina Eddie, 44 years old, she went to the casino's vaults, and she was someone who- she was a cashier at the casino, so she was authorized to be in the vault. She goes to the vault, and she was videotaped reaching into the vault and grabbing bricks of $50,000 each.

Joe Carrigan: Okay.

Dave Bittner: She put the bricks in a bag. She went out to her car. Put the money in the car. Drove off. Came back a little while later. Went back to the cage, to the vault, got some more money, went back to her car. Drove away.

Joe Carrigan: So she was able to do this twice?

Dave Bittner: She was able to do this twice. She took $500,000.

Joe Carrigan: Huh.

Dave Bittner: Okay- which you know, with $50,000 bricks, 10 bricks.

Joe Carrigan: Right.

Dave Bittner: You know, [inaudible]-

Joe Carrigan: It seems to me like a small take for grabbing $50,000 bricks.

Dave Bittner: So this is where it gets weird.

Joe Carrigan: Okay.

Dave Bittner: She calls the casino after a little while. She explained to the casino that while she was on her shift, she'd received a phone call on the casino's phone-

Joe Carrigan: Right.

Dave Bittner: -from a man claiming to be the casino's head of operations.

Joe Carrigan: Okay.

Dave Bittner: He and another man, who claimed to be the cage manager, told her that the casino was having a problem with a UPS order and they needed the money or the casino would be in some sort of breach of contract, and that she would be- They asked her to take the funds to a lawyer. She took the funds to a local hospital. They say it's a place called St. Anthony's Hospital.

Joe Carrigan: Okay.

Dave Bittner: -where a man met her and took the money. After that is when, I think, maybe it dawned on her that something was up, and that's when she called the casino back. She said I'm coming back, and she said- She told the casino she'd taken the money off property and she thought she might be arrested- which is indeed what happened. She goes back to the casino. She gets arrested. As far as I know she is still in jail.

Joe Carrigan: Right.

Dave Bittner: She was not- she did not have the means to post bond. The local prosecutor was okay with her having bail with just her personal guarantee.

Joe Carrigan: Right. Or her recognizance.

Dave Bittner: On her recognizance. Thank you. And the judge actually said no. $500,000 is too large an amount of money to be involved here to do that. I'm curious what your take on this, Joe, is, and then I'll share my thoughts, which I suspect probably align with yours. But what do you think's going on here?

Joe Carrigan: Well, there's two things that could be going on.

Dave Bittner: Yeah.

Joe Carrigan: One of them is that she is just stealing money from the casino and using this as a cover-up. She has an accomplice on the outside that's holding the money. That she's actually stolen half a million dollars from the casino.

Dave Bittner: Right.

Joe Carrigan: The other possibility is that this is what she says it is.

Dave Bittner: Yeah.

Joe Carrigan: -and that is that somebody called her, impersonating the management they said they were. I don't know- Does it say in the article whether or not they sounded like the people on the phone? Or does she know them?

Dave Bittner: No, it doesn't say but it does say that she did try to call them back and that she couldn't. No one answered. You know, couldn't get back through to them. So I suspect they're probably burner phones, but who knows.

Joe Carrigan: Correct- if it did happen that way. Yeah. There are ways you could find out. Did calls come in? I mean, can you even find those records?

Dave Bittner: Certainly on her end you could.

Joe Carrigan: Yeah. Are the calls recorded coming into the casino?

Dave Bittner: Oh. Yeah. You'd think probably that would be certainly plausible, that that would be a security thing.

Joe Carrigan: Check that out. See if those calls exist and if the recordings of those calls exist.

Dave Bittner: Yeah.

Joe Carrigan: Also, if it was a heist, if she was the one stealing the money, I don't know that she would be going back and saying, look what happened.

Dave Bittner: Right.

Joe Carrigan: Where's the benefit in that for her? It's best for her to take the half million dollars and leave. It doesn't make sense to me. I kind of tend to think that this- that what she's saying is probably true.

Dave Bittner: Yeah.

Joe Carrigan: -especially since the prosecutor's willing to let her- was willing to let her go on her own recognizance.

Dave Bittner: Right.

Joe Carrigan: Does she have a defense attorney?

Dave Bittner: Well if she doesn't one will be assigned to her. [Chuckles].

Joe Carrigan: Right. I hope that she has the attorney and has utilized the attorney before talking to anybody.

Dave Bittner: Yeah.

Joe Carrigan: But I don't know. This is a tough one. I kind of leaned towards the fact that she might be a scam victim here.

Dave Bittner: Yeah.

Joe Carrigan: That's just certainly my first impulse, that she just found herself the victim of this, that somebody was very convincing, and she did what she thought she was being asked to do. I will say I had not considered what you brought up which is that it's possible that she could have been using the story of social engineering to cover her tracks.

Dave Bittner: Right.

Joe Carrigan: -and in that case, go on with her life.

Dave Bittner: Yes.

Joe Carrigan: You know, she doesn't have to pick up and be on the run, and she could- just as you say, if she had an accomplice, she could say, we'll just say that this happened. That's an interesting possibility. I guess, you know- I tend to give her the benefit of the doubt because it's probably the better thing to do as a human being. [Laughs].

Dave Bittner: Right. Yeah. I think that- I don't know that she's guilty. I wouldn't immediately assume that of her in this case.

Joe Carrigan: No. And then obviously, of course, she's due the presumption of innocence until proven otherwise.

Dave Bittner: I mean, legally, she is due that presumption and I would have insisted that be the case. But you know, when you think about these things, when you hear the word allegedly-

Joe Carrigan: Right.

Dave Bittner: Like in our interview today, they used the word alleged hacking from North Korea a lot.

Joe Carrigan: Yeah.

Dave Bittner: I don't know how alleged that is. But in this case, I would be much more inclined to believe this person is the victim of something than she would be in on it.

Joe Carrigan: Yeah.

Dave Bittner: It just doesn't make sense. But you know, two weeks ago, we had Keith Houston on, who is now a prosecutor in Texas. But he started in a casino. And one of the things he said was that they have procedures in casinos, and it's easy to tell when someone's deviating from the procedure.

Joe Carrigan: Right.

Dave Bittner: So I assume that these- that everybody that works in a casino, especially everyone that handles the cash is rigorously trained in what the procedures are.

Joe Carrigan: Yeah.

Dave Bittner: Which is why I immediately- I don't immediately- but one of my possibilities here is that she's in on it because it seems like- one of the things that you would say is, nobody is ever going to ask you to take money off premises unless they're coming in an armored car.

Joe Carrigan: Uh-hmm. Right, right.

Dave Bittner: Because you don't just take half a million dollars out of a casino.

Joe Carrigan: No. That is one of the things that strikes me as being odd, that- as you say, there would be very strict procedures for everything having to do with handling money. It also strikes me as odd that she would do all of this without interacting with anyone else in person at the casino.

Dave Bittner: Right.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Now we know that these social engineering folks can be very convincing-

Dave Bittner: Very persuasive.

Joe Carrigan: They can explain that stuff away. You know, they could say- you know, listen. Listen, as your boss, I just want you to know that this is really embarrassing for me. You're really saving me. Just don't mention this to anybody because, you know, this is just embarrassing for me. And you don't want to embarrass your boss.

Dave Bittner: Right.

Joe Carrigan: -for example. [Chuckles]. I don't know. I mean, I hope that- I hope that she's innocent here, I guess because- first of all, I'd hate to see someone who was innocent end up in big trouble for falling victim to something like this-

Dave Bittner: Right.

Joe Carrigan: -despite the fact that she did violate clearly some policies, and she did- I mean she took half a million dollars off premises and it got stolen. I guess she bears a certain amount of responsibility for her actions. But whether or not she was in on it, I guess that's for the prosecutors to determine. It's a weird one, isn't it?

Dave Bittner: It is. It's strange.

Joe Carrigan: Yeah.

Dave Bittner: That's a really weird combination of things. I don't know. It'd be interesting to see how this one plays out.

Joe Carrigan: Yeah, yeah. Before we recorded today, I went to look to see if there are any updates, and the only thing I found was that she had been denied bail. So I'll try to keep an eye on it. All right, we will have a link to that story in the show notes. And of course, we would love to hear from all of you. You can email us at hackinghumans@thecyberwire.com. Joe, it is time to move on to our catch of the day.

[ Soundbite of reeling in fishing line ]

Joe Carrigan: Our catch of the day comes from Morten who writes, Dear Dave and Joe. I found the following catch of the day quite amusing and yet troublesome. I can't seem to figure out how the scammer is gaining any valuable levers towards scamming me. To the contrary, it seems like the scammer is trying to protect me from being scammed. I think Morten is writing here very tongue in cheek.

[ Laughter ]

Dave Bittner: Okay.

Joe Carrigan: So it's a beneficiary scam, Dave, and it begins down at the bottom of it. And I love the first line after, dear beneficiary.

Dave Bittner: Uh-huh. It goes like this. Dear beneficiary, are you alive or dead?

Joe Carrigan: Ahh. See he's very concerned about Morten's well-being.

Dave Bittner: How would they respond if they were dead?

Joe Carrigan: Right?

Dave Bittner: We have received several emails from one Mr. Garcia Charles Gilbert, who narrated to us about the auto accident you had two weeks ago. Mr. Garcia made us understand that you are in hospital for treatment, but there is no hope for your recovery. He stated that he is your business associate also your next of kin whom you have chosen and permitted to inherit all your properties. He is contacting this office based on your contract inheritance payment fund, which is about to be paid to you. He requested that the payment should now be transferred into his own personal account. We request your immediate confirmation before we can process this transfer to Mr. Garcia Charles Gilbert's bank account. This is to avoid releasing your money to the wrong person because Mr. Garcia Charles Gilbert is too eager and ready to follow every instruction to have this money into his account. If you do not have an auto accident, and you did not permit Mr. Garcia Charles Gilbert to claim your money, kindly reply to this message with your full contact information so we can process the release of your funds to you. Best regard Samuel Muthe, chief executive officer World Ban. And then it says, "this email is confidential and is intended solely for the use of the individual or entity to whom they are addressed and not binding any agreement on behalf of the department."

Joe Carrigan: I love the disclaimer at the end of it. It makes it seem more legit.

Dave Bittner: Sure.

Joe Carrigan: This is just an advanced fee scam. It's trying to create a sense of urgency with the fact that you might lose the money and have somebody else, Mr. Garcia Charles Gilbert-

Dave Bittner: Right.

Joe Carrigan: Who names their kid Garcia Charles Gilbert?

Dave Bittner: [Chuckles]. I don't know. I love that every time they mentioned him they used his full name. Yeah.

Joe Carrigan: Full name. Mr. Garcia Charles Gilbert.

Dave Bittner: Yeah.

Joe Carrigan: Yeah. It's hilarious.

Dave Bittner: It is. It is.

Joe Carrigan: We're going to see fewer and fewer of these as AI continues to generate these things. But it's- I'm going to miss these, Dave.

[ Laughter ]

Joe Carrigan: I'm really going to miss them.

Dave Bittner: [Laughs]. We're in the golden age of poorly-worded, social engineering scams.

Joe Carrigan: Right. We're in the twilight of that.

Dave Bittner: At least for comedic purposes. Yes.

Joe Carrigan: It's going away. So they'll all be masterfully-worded, AI, genius-written pieces of art.

Dave Bittner: That's right. That's right.

Joe Carrigan: And you'll have to find other ways to laugh at them.

Dave Bittner: Yeah.

Joe Carrigan: Don't worry. I'm pretty sure we'll find other ways.

Dave Bittner: Anyways. Yeah. All right. Well, our thanks to Morten for sending that in to us. And again, we would love to hear from you. If you have something you'd like us to consider for our catch of the day, you can email us. It's hackinghumans@thecyberwire.com.

[ Soundbite of reeling in fishing line ]

Dave Bittner: Joe, I recently had the pleasure of speaking with Jean Lee. She is public policy fellow at the Wilson Center, and also author and journalist, Geoff White. They are the co-hosts of the podcast, the Lazarus Heist, which of course is very popular on the BBC- over a year ago now, I suppose.

Joe Carrigan: Yes.

Dave Bittner: And they have just launched season two, and we're going to talk about that. So here's my conversation with Jean Lee and Geoff White.

Geoff White: Yeah. So season one of the Lazarus Heist dealt with this computer hacking group called the Lazarus Group, who are suspected of working on behalf of the government of North Korea. They have a long and illustrious hacking career. They've been accused of breaking into, among others, Sony Pictures Entertainment, and Bangladesh Bank, the national bank of Bangladesh, and also unleashing the WannaCry ransomware virus which went around the world in 2017. And season two of the podcast continues the story onwards. The Lazarus Group haven't stood still. They've done even more hacks, gone after even bigger targets, and are suspected of having stolen something like $3.2 billion worth of cryptocurrency. So seasons one and two kind of cover the whole story, and it is a story that's still ongoing.

Dave Bittner: Jean, as season one wrapped up and certainly received a lot of notice and good reviews, how did you go into the planning of the second season, of deciding what exactly it was you were going to cover?

Jean Lee: You know, it's interesting because- we made season one at a time when North Korea was pretty quiet, and they had gone, sort of into retreat, after diplomacy had failed. And it wasn't really on people's radars. But of course, since then, in the course of making season two, North Korea has just gone on a rampage when it comes to weapons testing. And so it did, I think, help shape part of the narrative which is to try to make that link between cyber-crime and the cyber-attacks and where that money is going. So, you know, season one, we went into the history of North Korea's illicit- alleged illicit money making, going into the past- making of super dollars, making of methamphetamines, some of these crazy capers. But what we do now is bring it up to the present, and to also provide some of that context. Why are these hackers working on behalf of the state? They're not just individuals working on their own. They're young men assigned to work for their country. What do we need to know about North Korea to understand who they are? We did in season one get into how they get their training, but we needed to update listeners on where that training has taken them. So in season two, we just take the narrative forward, but also really step back and look at the context. Why is North Korea doing this? Where is that money going, and what should we be afraid of?

Dave Bittner: It strikes me that North Korea kind of stands alone on the global stage here, the degree to which they're isolated. Is it fair to say that most of their hacking is just to kind of keep the doors open and the lights on?

Jean Lee: So that, I think, is part of the reason the world has underestimated North Korea's cyber capabilities is because they are so isolated. It is a country that is largely cut off from the internet, and so it's hard for us to imagine that they could produce such aggressive hackers. That's probably what we explore. But I think that that also gives them even more incentive. Right. They're so isolated financially, economically, and politically, diplomatically that they're looking for those gray areas, those gray zones where they can get the money that they need, like you said, to keep the lights on. It's more than just keeping the lights on, but that is a big part of it. And so that's part of the investigation, is for us to kind of link, connect the dots and make sure that we're drawing a line between hacking and where that money goes.

Dave Bittner: Geoff, can we dig into some of the stories that you're going to share this season in the show?

Geoff White: Yeah, absolutely. As I say, North Korea and the Lazarus Group hackers, according to the accusations against them, haven't stood still. I mean, some of the hacks that we're covering are absolutely astonishing. One of the things we kick off with in season two is a raid on an Indian bank called Cosmos Cooperative Bank. So back in 2018, the hackers broke into the bank. The way they got in, as your listeners, I'm sure, will be aware is very standard procedure. They send phishing emails to employees of the bank, and one of the employees, it seems, fell for those phishing emails, downloaded the hackers' viruses and allowed them in. What they did next, though, was to navigate their way around the bank and get to the ATM-approval software. So basically any withdrawal of cash anywhere around the world, using a Cosmos Bank card comes into Cosmos bank, obviously. And so the hackers were then sitting on those communications and could see any withdrawals for any cash anywhere around the world coming into Cosmos Bank. And the hackers could then approve them and authorize them. Now that's a pretty good position to be in, but for the hackers, it presented a problem. They've got a great bit of access there, but they somehow got to utilize it, and to do that, they need two things. They need a bunch of Cosmos Bank cards because you've got to take it to a cash point and use them. And to do this around the world, they need accomplices out on the street with those cash cards to take them to ATMs and make the withdrawals. So what the North Koreans were accused of doing is reaching out, we think, through the dark web, for accomplices in various countries, issuing them with bank details that they could then use to clone cards, fake bank cards that were linked to real accounts at Cosmos Coop Bank, and then take those cash cards to ATMs and withdraw money. And they did this during a crime spree which lasted 2 hours and 13 minutes, during which they managed to get, astonishingly, nearly $14 million out of cash points before Cosmos Bank and its partners caught up with them and closed the loophole. So you've got people running around in 28 different countries with wads of cash they've withdrawn from cash points because of the access that Lazarus Group's accused of getting to Cosmos Coop Bank. Absolutely astonishing crime spree- a sort of flashmob of cybercrime if you like. So that's one of the most remarkable stories that we kicked off with in season two.

Jean Lee: Okay, Geoff. Don't give away too much.

[ Laughter ]

Dave Bittner: Well it's a really interesting insight. I mean, does the Lazarus Group tend to be episodic with their capers? Do they lay low for a while, and then, as you say, in two hours- essentially an ATM smash and grab.

Geoff White: My sense is that they're constantly working. Looking at their different jobs and when they do them, there's barely a year goes by where they don't have some major operation on the go. And the other thing about this is, you know, we see the results of this. We see that 2 hour 13 minute-window during which they make these thousands of withdrawals. What we don't see, of course, is the months and months of preparation that goes into that. I mean, those phishing emails that hit Cosmos, they were arriving at the bank for months previously. And then even before they send the phishing emails, they've got to do a bit of reconnaissance about Cosmos Bank, get the employees' email addresses and so on. So I just get the feeling there's this rolling campaign of researching targets, working out who to hit, working out how to hit them, getting the tools and the bits in place, the pieces in place to carry out those hacks. So it does seem to be a kind of ongoing campaign, and it's getting bigger and more aggressive all the time from where I'm sitting.

Jean Lee: If I can jump in, these are military missions. These are very carefully calculated, plotted over many, many months, as Geoff said, and planned well in advance. And so if we look at it that way- and that's why I think it's so important to- first to provide the context and background when it comes to the North Korean alleged hacking, so that we understand that these are military missions that are not done- it's not just an individual working in their basement. They're carrying out a mission as a unit. So I think that is helpful for understanding the intricate nature, the careful planning, the orchestration. But what Geoff's talking about as well is the incorporation of their overseas networks and all these middlemen, and we went into that in season one, and we just go into it in different regions of the world actually in season two. But it's helpful, I think, in understanding how they physically carry out these fast after they launch that malware.

Dave Bittner: Now Jean, it's my understanding that you have the unique privilege or position of having actually spent time in North Korea. What perspective has that provided you with? For our listeners, are there things that you think we should know about North Korean life, about the mindset there that informs this type of activity?

Jean Lee: Yeah. Where do I begin? It's very unusual, as an American in particular, to have that opportunity. And it was a difficult assignment, as you can imagine, but it was- it was very hard to do reporting. For me the most valuable thing, though, was just being on the ground. So unlike other foreign journalists, I wasn't just brought there by the government on a two- or three-day junket, but I was there for weeks on end working and living with my North Korean staff, and so you get to see a different side of the country. What we get in their state media is propaganda, right, the prettiest pictures that they want us to see, those images of strength. But I saw the other side, which I think is important. I saw how poor it was. I felt how cold it was. I struggled with my own health. I struggled with the surveillance. So you have a sense of the difficulty of life; the kind of repression that they live under; the lack of freedom of choice and of movement that they have, and also the system of rewards that are granted. So I hope that I bring all of that into our understanding of why and how these young men are working on behalf of the North Korean state, and also to provide some of that color so that we understand just how desperate they are and how that shaped their motivation. And [inaudible] I just want to bring that country to life because so much of what we do when we talk about cyber is hidden from us. Whatever I can do to make it feel real, like this is a real place, these are real people who are doing this, in many times- in many circumstances under duress, I hope that I bring that to our listeners so that it doesn't feel like it's just this mythical place, off in a country we can't get to. So I serve as a proxy, in a way, for the North Koreans who don't have a voice, and I try to bring some of that color into the podcast.

Dave Bittner: That's a really interesting insight. And I think it's hard for us to understand, as you say, particularly perhaps, as Americans here, as far away as we are and as isolated as they are. I'm curious, when it comes to international law enforcement, what have you learned in terms of how they regard these actors? I suppose- well, would it be fair to say that you underestimate them at your own peril?

Jean Lee: We underestimate the North Koreans at our own peril, definitely. Now when it comes to international law, what I've learned is the North Koreans don't feel beholden to any international law. They only feel beholden to their own country's law. And so that means that they feel that they are not necessarily a part of the world, that they're- they only care about any repercussion or punishment that they may face from their own government, and their government has a global reach. I do think that the FBI takes the North Korean or the alleged North Korean hackers very seriously. So a lot of the information that we get is from that US chase, and a lot of the information we get is from US indictments. However, the North Koreans are always one step ahead. They're very good at evading US authorities. And until you have the cooperation of many of these other countries in that global network, the North Koreans' overseas networks, it's going to be very hard to really catch them. And so you know, I do see this as a cat-and-mouse game. Somebody else called it recently Whac-A-Mole, where- and that's probably where the name Lazarus comes from. Just when you think you've wiped them out, they come back. They're very, very hard, very clever, very hard to capture, and very clever in evading, escaping, because they've been doing it for decades. And in terms of whether people, whether we take them seriously- I hope that our podcast is drawing attention. I think that cyber can sometimes be a bit of a blind spot because it's so hard to comprehend. And so, with this podcast, we try- I mean, Geoff knows all of this stuff inside and out, but I'm not a cyber expert. And many of the experts in my field just sort of- their minds go blank because it's hard to comprehend. So I hope in a way that we break it down to a level that anyone can understand, but we scare them to a certain degree, and draw more attention to the threat that this poses.
I do think it has actually, after season one, drawn attention to the North Korean and- the North Koreans and their cyber campaign. And I do think that it's actually brought both the South Korean and the US governments together to try to work collaboratively on coming up with some strategies on how to stop them.

Geoff White: And just to add a point to that, I think it's interesting that the North Koreans' activity, certainly according to the accusations against it, has got more global, more global reach, which has given them both advantages and disadvantages. One of the things hackers in North Korea and indeed lots of cyber-crime groups have is, what you might call, sort of, international deniability. So you can try and hack organizations in lots of different countries. And what that presents law enforcement locally with is a challenge. You know, you hack a bank in Bangladesh. You move the money to New York, the Philippines, into Macau. Suddenly you've got four jurisdictions you're working with. Now, can all of those police forces and all those jurisdictions work together? Can they swap information? Yes, eventually, but nowhere near as fast as the hackers can work. So they've got this international arbitrage they're doing in terms of cyber-crime. But conversely, the more international these campaigns get, the more they sort of trip over the tripwires in different countries. So for example, the US government- if you move money through the US in any type of cyber-crime, the US government has the ability to go after you because suddenly you've committed a crime in the US. You've used its financial system. So suddenly the US radar perks up as soon as you trip over those tripwires. And so, the more international you get, the more brazen you get, the better you can get away with it in terms of playing countries off against each other, but the more likely you are to trip across a particular country's tripwire and get them interested in you. So again, the cat-and-mouse analogy, I think, is a really interesting one from that perspective.

Jean Lee: And I'll just make one more point, which is that the UN Security Council has been trying to stop the flow of money into North Korea's weapons program with some of the toughest sanctions we've ever seen. But unless those sanctions are enforced by member nations, they're not particularly effective. And right now we're in the middle of a global divide because- heightened, I would say, by the war in Ukraine, and the tensions between the US and China. And so it's very hard to get the US- I'm sorry. It's very hard to get China and Russia on board with new sanctions. And sanctions, it's very difficult because of attribution issues to really target cyber. So the North Koreans have figured out that it's just incredibly difficult for countries to stop them. They're taking advantage of a vulnerability or a gray area, and it's both impressive and frightening.

[ Music ]

Dave Bittner: All right, Joe, what do you think?

Joe Carrigan: I had to look this up, Dave. I always get Geoff White and Jamie Bartlett mixed up in my head.

Dave Bittner: Oh. [Laughs].

Joe Carrigan: Because Jamie Bartlett did The Missing Cryptoqueen, and Geoff White did this Lazarus Heist podcast, which by the way, I still haven't listened to. But I'm adding it to my podcast list because I know that when Geoff was on promoting last season, I said, I've got to listen to that podcast. And I haven't heard it yet, but I'm going to. I'm going to listen to it right now. They said- or actually, putting it on my list this afternoon. So one of the things that they talked about, that I hadn't heard of, is this scam of super dollars. Have you heard of that?

Dave Bittner: No.

Joe Carrigan: That was a North Korean operation to print up really, really high-quality, fake $100 bills.

Dave Bittner: Oh, yeah. I have heard about that. And then they take them to China, I believe. Or somehow they flow through China. Yeah.

Joe Carrigan: I wouldn't be the least bit surprised. That's the only land border they have. They got to flow somewhere.

Dave Bittner: Right.

Joe Carrigan: This hacking that is involved in- that's happening here, and they're talking about, it's all 100% financially motivated. Like most of the hacking that goes on. I was talking about this in last week's episode, the financial motivation is the main motivation of these attackers. You know, 10, 15 years ago, why did people do it? Money wasn't even on the list. Now it's pretty much the only thing on the list because it's been so profitable and so well monetized.

Dave Bittner: And become a global operation.

Joe Carrigan: And become global operations and large organizations have finally organized themselves around this. It's organized crime is what it is.

Dave Bittner: Yeah.

Joe Carrigan: Cosmos Bank got hit for $14 million from ATMs in less than three hours. Now those aren't all Cosmos ATMs, or Cosmos Bank ATMs, right? They can't be. They have to be like affiliate bank ATMs, all the other ATMs that will connect to it, because an ATM doesn't have to be run by a bank to access the funds in the bank.

Dave Bittner: Right.

Joe Carrigan: So I love the description that was given in the interview - flash mob of crime. These guys were very busy for a little less than three hours and rounded up $14 million.

Dave Bittner: Right. Not a flash mob that's going to end up on YouTube.

Joe Carrigan: Right. Yeah, exactly. For the two and a quarter hours that they were working, that planning had been going on for months. I'd be really interested to know how much of that actually wound up at its ultimate destination. How much did they have to pay to the mules to get the money? I'd like to know what a money mule makes. What percentage of the cut do they get?

Dave Bittner: You'd also imagine that there could be a lot of skimming, right, from the mules. You've got a big wad of cash there that, you know, just spewed out of an ATM.

Joe Carrigan: Yeah. These guys know how much the transactions were for the cards they gave you. These guys could do the math. I wouldn't cross them.

Dave Bittner: That's true. That's a good point.

Joe Carrigan: If it is who the interviewees allegedly say it is, then- yeah. They do have a global reach. I wouldn't do that. I would be 100% fastidious in my accounting.

Dave Bittner: [Laughs]. Okay.

Joe Carrigan: I cannot imagine going to North Korea for any reason. It's just not a place that's on my list, you know, on my bucket list. There are a lot of places that are, but not there. And I really can't imagine what living there is like. I'm impressed that Jean was dedicated enough to her reporting to go actually live there for a long enough period of time to get a feel of what it was like to live there.

Dave Bittner: Yeah.

Joe Carrigan: I think that's impressive.

Dave Bittner: It's quite an experience and opportunity I would imagine. Yeah.

Joe Carrigan: Yeah. One of the main points I'd like to make is that attribution is difficult by its very nature. Even if you know where something came from, you can't ever say 100% that this came from XYZ organization, or from this country, or what have you. You can't do it. And these Lazarus Group hackers are making it much more difficult to trace it around. So even if they do come- move things through the US, and they fire off all those tripwires they were talking about in the interview, it doesn't matter to these guys. The US is never going to get ahold of any of the people they've indicted for these things. It's just not going to happen. It's just not going to happen. Cryptocurrency targeting, that is a great thing that Geoff talks about. These cryptocurrency exchanges, they are in custody of billions of dollars' worth of assets, and nobody knows who they are, which is really interesting. I think that there's these kinds of things out there where people go, yeah, sure, I'll give you some of my Bitcoin. You hold on to it.

Dave Bittner: Yeah.

Joe Carrigan: Of course that becomes a target for just about every kind of attacker. We've had stories on this show about people applying for jobs in those places-

Dave Bittner: Yeah.

Joe Carrigan: -which they talk about as well. It's a fascinating interview and I am really looking forward to listening to this podcast, which I promise, this time I will.

Dave Bittner: [Laughs]. All right, fair enough. All right. Well, once again, the podcast is The Lazarus Heist, and they are just kicking off season two of that. Our thanks to Jean Lee from the Wilson Center, and author and journalist Geoff White, for taking the time to speak with us. We do appreciate it. We hope you check out their show.

Dave Bittner: That is our show. We'd like to thank you all for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.