The Rest Is Classified - 9. North Korea’s CIA: Inside Kim’s Crime Family (Ep 1)

Episode Date: January 1, 2025

How did a group of North Korean cyber criminals manage to pull off the biggest bank heist in history? Did Kim Jong Un really orchestrate the murder of his own brother? And what does it take to keep an... authoritarian state afloat?  A seemingly innocuous spear-phishing email lands in the inbox of an unsuspecting employee at the Central Bank of Bangladesh. Months of patient digital hacking follow, all masterminded by a team of cyber criminals within North Korea’s shadowy spy service. But how did they manage it? Listen as David and Gordon uncover how the North Korean state created one of the world’s most dangerous crime syndicates. Get our exclusive NordVPN deal here ➼ www.nordvpn.com/restisclassified It’s risk-free with Nord’s 30-day money-back guarantee! Email: classified@goalhanger.com Twitter: @triclassified Assistant Producer: Becki Hills Producer: Callum Hill Senior Producer: Dom Johnson Exec Producer: Tony Pastor Learn more about your ad choices. Visit podcastchoices.com/adchoices

Transcript
Starting point is 00:00:00 This episode is brought to you by our new friends at NordVPN. Now, David, what do you find useful about Nord? Well, I really like NordVPN's Threat Protection Pro, which is an incredibly powerful and effective antivirus tool. It is integrated directly into the NordVPN app and allows you to browse safely and smoothly while also protecting you from phishing and other cyber threats. It can often be hard to distinguish fake websites from real ones or phishing texts that appear to be real,
Starting point is 00:00:32 but Threat Protection Pro will prevent you from accessing these dangerous things. So NordVPN is actually the first and only VPN app to receive the certification that their anti-phishing software is reliable. So to stay secure online, you should take advantage of our exclusive NordVPN discount. All you need to do is go to nordvpn.com slash rest is classified. When you sign up, you can receive a bonus four months on top of your plan, and there's absolutely no risk with Nord's 30-day money-back guarantee. The link is also in the episode description box. I am Russell Alam. I'm extremely excited about the idea of becoming a part of your company, and I'm hoping that you will give me an opportunity to present my case in further detail in a personal interview. Here is a link to my resume and cover letter.
Starting point is 00:01:29 Thank you in advance for your time and consideration. Welcome to The Rest Is Classified. I'm Gordon Corera. That was the text of what's called a spear phishing email, a targeted email sent to employees of the Central Bank of Bangladesh by cyber operatives of the North Korean government. They were the nose under the tent of the largest cyber heist ever attempted. If successful, it would have been one of the biggest bank robberies in history. Well, that's right. I'm David McCloskey. And Gordon, I think we're going to talk today about something that maybe doesn't immediately seem like a spy story. It's a bank robbery. It's a heist performed on the Central Bank of Bangladesh by the North
Starting point is 00:02:14 Korean security services. And I think what is so fascinating about this story is that it is a bank robbery, and that's just exciting. But at a deeper level, it's also a story about security services, espionage agencies that effectively operate like the mafia, right? Like an organized crime syndicate. Because underneath all of this and behind that very horribly worded email is North Korea's foreign intelligence service out there trying to run a bank robbery, which I think, you know, we tend to think about in a lot of the spy stories that we talk about in this show are, you know, we think about Moscow rules, we think about the world of John le Carré, we think about spy agencies that are out there
Starting point is 00:03:03 trying to collect information. The North Koreans, as we'll see, they kind of don't operate that way. So it's a kind of mix of Ocean's Eleven, the heist movie, with James Bond. A bit of a blending of the two we're going to try and do with this story. That's right. It's interesting. North Korean, and by the way, inside CIA, the North Korean security services were referred to as NORCs. The NORCs, the North Korean security services. I've never heard that before. I've only heard, now, not North Korean people, but the services, the intelligence agencies.
Starting point is 00:03:35 Right. Were always called the NORCs. So people are working on the NORCs. You're a NORC specialist. Exactly. You're a NORC specialist. North Korean covert action is bank robbery, as we'll see, you know, a push for cash for, you know, a family for the Kim regime that runs North Korea. And I think maybe Gordon, because the robbers tend to be more interesting than the victims in heist movies, maybe we start there. We don't want to turn them into heroes. No, no, no. But equally, it's not quite like,
Starting point is 00:04:24 you know, Brad Pitt and George Clooney in Ocean's Eleven, these characters, but they are kind of the more interesting ones. So yeah, the robbers. Exactly. So the robbers. And a fundamental piece of this is we actually don't know a lot about the individual robbers that pulled this off, right? We have a name of one of them, a guy by the name of Park Jin Hyok. And by the way, it might not even be his real name, because as you know, he's featured in an FBI affidavit. There's a picture of him sort of scowling out there on the internet. But the North Koreans deny that anyone by that name even exists. And so, you know, he is sort of the shadowy face of the robbery, right? And he is one of the hackers responsible for the digital side of this heist. Now a little bit about Park Jin Hyok. He's born on August 15th of 1984, although North Koreans, interestingly enough, don't celebrate their own birthdays, only that of the leader. And he's born into a North Korea that's really on kind of the edge of calamity. He's growing up in this kind of totalitarian system that has been run by Kim Il-sung since the 1940s. And, you know, a couple, I think, key points here about the North Korea that Park grows up in. One is he's growing up in the shadow of the Korean War.
Starting point is 00:05:46 Okay, even though we're 30 plus years removed by the time he's born, Park would know this as the victorious fatherland, the liberation war. And it was a war in which the US dropped more conventional bombs on North Korea than in any part of the Pacific theater rather than they had in World War II.
Starting point is 00:05:59 So it is a place that was utterly devastated during the war, so much so that the US Air Force had complained that it had run out of things to bomb. And it is a place, and I think a critical piece of this is this history of Juche ideology, which is this kind of self-reliance, this idea of really a kind of hermit place that is going to produce everything itself and be totally insulated from the rest of the world. Closed off from the rest of the world, yeah. And so by the time Park is a toddler, though, this is starting to change. The Soviet Union, the primary sort of backer of North Korea, is collapsing. And there's succession planning underway. The torch is being passed from Kim Il-sung to Kim Jong-il, his son. That happens when Park is 10 in 1994. And then there's a massive, and of course, most of our listeners are probably aware of this, a massive famine, they call the arduous march,
Starting point is 00:06:51 that really ravages the country in the mid 90s. And Park, you know, if he's not part of kind of the top, upper, upper crust in North Korean society, he probably saw some of this as a child. He would have grown up in a world where there's a huge number of street urchins who are out orphaned by starving parents. Maybe a half million to up to 2 million North Koreans die. And meantime, the Kim family, they're living the high life. Interestingly enough, the Kim family's sushi chef, who's a Japanese cook and actually has come out and made a bunch of comments about this time and said that during the 90s, the Kims ate rice produced in a very special area of the country. They had female workers that actually picked each grain one by one to ensure the size was the same. And actually for two years during the famine, Kim Jong-il was the world's largest buyer of Hennessy cognac, and he was importing about a million dollars of cognac
Starting point is 00:07:46 every year. So it's a country where people are starving literally on the streets, and hundreds of thousands are dying, and the elite is very wealthy. And I think it's also around this time where they're starting to look at nuclear weapons, aren't they, and ballistic missiles, and starting to get more aggressive in their posture towards the West. Well, that's right. And all of that, and this will be a critical thread for how we end up robbing the central bank of Bangladesh, but they need hard currency to support these programs, the weapons program. It's not cheap. It's also not cheap to support really kind of an elite structure in North Korea that is critical to keeping the family in power. And I think, you know, this is in essence why we see a spy service become essentially the mob, right, is because it's all about money.
Starting point is 00:08:38 And in fact, there's a great kind of tagline about North Korea. The best way to understand it is as North Korea Incorporated. This guy, John Park, has popularized this idea of it. In an autocratic system, it's all about money to buy elite support. You don't get tossed. You tend to not get tossed by people power. You tend to get tossed by coups, other elites who decide they want to toss you. So in other words, you need the money to buy off and to build your weapons, and you've got no revenue from exports or anything else that you can rely on. Yeah, precisely. And so, you know, by the time Park is a boy, the North Koreans have already started to kind of dip their toes into this world of really crime
Starting point is 00:09:23 to support the state, right? There's actually a scheme in the 1980s called super dollars in which North Korea, of course, you know, Soviet Union collapsing, hard currency needs are high. They say, okay, well, how do we make up for a hard currency shortage? Let's just counterfeit US dollars. And so the North Koreans actually acquire a press from the Italian firm that makes the same press used by the US Treasury. You can buy one? They go out and buy one. Seems strange you can buy a printing press to make money, but there you go.
Starting point is 00:09:52 There's an Italian firm that makes them. They went out and bought a press. They acquired $1 bills and then bleached them so they had the right paper. And then they actually got a special color changing ink for sort of counterfeit prevention, right? So they made the bills and then they tweaked them, of course, to look like American hundred dollar bills and then started to pump these out and would just sell them at a discount off of the face value out in the black market. Other sources of income, of course, all disreputable meth, contraband, cigarettes, birth control pills, Viagra, which I don't have any firsthand knowledge of, but they say it's way more potent and has tons more side effects than the actual pharmaceutical Viagra. So they are out there on the black market, just basically engaged in any amount of kind of illicit trade to earn money for the regime.
Starting point is 00:10:42 Right. And I mean, do we know how much money they're raising, where it's all going? It just goes to the family, does it? And to the regime to keep them in place? Well, yeah, I think it goes to military programs, it goes to the family. I mean, it goes into buying off other potential rivals or sort of elites inside the system. And this idea, though, of kind of a rigid social structure is also really key to our story, because there's a system in North Korea that essentially sorts people into shades of loyalty, right? There's kind of a class system that our bank robber Park is navigating as he comes of age. And really, this class system, there are actually a number of permutations, dozens and dozens, but there are basically three. You're either loyal, wavering, or hostile. And some defectors call this tomatoes, apples, and grapes. Tomatoes are red, communist to the core. Apples need reeducation and the grapes, of course, are totally hopeless. And so your position is really determined kind of by your
Starting point is 00:11:46 family line and by your proximity to the leader, really. It's called Songbun. And actually, yeah, there's 50 plus categories of this, but they all sort of feed into those three classes above. And critical to Park and his rise is that a way to advance in a system that is apolitical is by being really, really good at math. That is a way to improve your songbun, your position in North Korean society. So Park, and we should say here that a lot of what we know about him and really about this whole story comes from a brilliant book called The Lazarus Heist by Geoff White. Great book. Yeah, Geoff, a great journalist, friend of mine, who's done the real original research on this.
Starting point is 00:12:35 But Park, we think he comes from a normal family, don't we? Not really part of the elite? We don't know. He's probably not in the upper, upper crust, but he's also... One sort of key thing that we think about North Korean hackers, and I think we tend to apply kind of a Western view of hacking as being this thing that teenagers do in their basements, you know, and then might go get some education or might start a business. But it's kind of this organic roundup thing. And that is not how it happens in the North Korean system. This is not a cyber army recruited out of parents' basements, right? He is probably spotted at a young age for his proclivity in math. This is during the turmoil of the 1990s. He's probably spotted very young as being in the upper crust of his cohort in math. And he's sorted into a high school for gifted children. There would have been highly structured access to the internet in this environment. And he goes
Starting point is 00:13:33 to a very elite school called the Kim Chaek University of Technology. And he graduates from that school in the early 2000s. Now, a word on the school is this is basically a feeder into the military and security services, right? So is this hacker school? Is this for maths whizzes? So if you're a maths whizz, you get plucked out of wherever you are in the education system and put into this fast stream, the kind of equivalent of Oxford and Cambridge, but for hackers where they think they can make use of you. And that's the skill set they want. That's right. And I think of the American context, I mean, this is probably like, you know, he's going to Stanford or MIT.
Starting point is 00:14:06 And then because there isn't a sort of option of, I'm going to go work in Silicon Valley or go work for the NSA. It's not sort of how it works in the North Korean context. He doesn't have any choice. Does he have any choice in this? He's got really no choice. And I mean, interestingly, though, I think we could take a lens on this story in which the North Koreans are a bit cartoonish and kind of incompetent, right?
Starting point is 00:14:26 But in reality, his university, Kim Chaek University of Technology, it actually often outperformed American and Chinese and, yes, Gordon, even British academic institutions in what's called the International Collegiate Programming Contest. In 2019, Park's alma mater placed eighth in this ICPC ahead of Oxford, Cambridge, Harvard, Stanford. So we are talking about a kind of math and technical wizardry that is actually quite good and is competitive internationally. And this is the world that he comes out of. But of course, as we said, he's being directed in sort of this progression and where does he go? And this is where our kind of hacker tale, as I think we'll both enjoy, becomes much more of a spy story,
Starting point is 00:15:20 because he is recruited out of Kim Chaek University into the Reconnaissance General Bureau, which is North Korea's spy service. And so I think we should set up kind of North Korean spying a little bit here. And it is unclear, we should say, sort of when and how Park joins. But at some point, he is pulled from university into a cyber group that's operating under the RGB. Now, the RGB is a relatively new organization. It's set up kind of out of a reorganization of North Korea's intelligence and security services that happens in the tail end of Kim Jong-il's reign.
Starting point is 00:16:00 You scratch under the surface here, and we don't have a lot of hard information, but it's probably the case that this reorg is all part of succession planning, as he's trying to pass, you know, sort of the torch over to his son, Kim Jong-un. And the RGB is what I would describe as a very piratical organization, Gordon. This is not MI6 out there, knife and fork set, wining and dining with diplomats and collecting information from cocktail parties, right? Right. It's not regular, just collecting information, diplomatic intelligence. It's a bit more aggressive than that.
Starting point is 00:16:36 It is very aggressive. And its resume proves that. I mean, a couple points here. They're responsible, or the sort of predecessor organizations to it, are responsible for kidnapping Japanese citizens and rendering them to North Korea to teach Japanese. They sank a [...] Kuala Lumpur with a nerve agent, actually convincing two women to smear the agent on his face, killing him. Now, this is a particularly crazy story because I remember this one vividly. Gordon, did you cover the assassination story? Yeah. So I covered it, but then there's another strange reason why I remember it so well is that a few years later,
Starting point is 00:17:25 I was asked to be a consultant on a TV drama, which is called Killing Eve, which is all about assassinations. And they asked me to come up with a list of ways of killing people for the character, the so-called kill list. And I remember thinking, well, the thing to do is to draw them from real life. So one of the cases I looked at and I recommended that they look at was I wrote up this particular assassination. So I think if you look in the first series, there's one involving a perfume bottle and an assassin somewhere. And I think that comes originally from this airport scheme because, I mean, I think there's
Starting point is 00:17:57 some CCTV of this happening. And Kim Jong-un's half-brother is in the airport. And one woman walks up to him and sprays something. And another puts a cloth on his face. And I think it's a binary agent. So the combination of those two things creates VX, which then kills him. And then when they interview the women, they say, we thought we were doing a prank for TV. I mean, they were told they're going to get paid $100. And I think that the guy they were doing it to was supposedly in on it.
Starting point is 00:18:24 And it was all for some TV show that they had to do this. And in the end, they become kind of assassins in the middle of an airport. I mean, it's a crazy operation. But I guess the point is, it gives you some sense of how far they're willing to go and what they're willing to do if you're the North Koreans. I mean, this is outside of what most normal spy agencies would do. It is. I think we could imagine the Russian, some combination of the Russian services doing this. You know, I mean, it's not unheard of, of course, for a, you know, the Iranians target, you know, defectors and sort of disloyal elites abroad. So killing opponents, political opponents, using a spy service to do that is not unusual. But I would say that the risk tolerance that the RGB seems to have is different
Starting point is 00:19:13 from a lot of other spy services, including those that are maybe a bit more rogue or piratical. I mean, literally, one of the subgroups inside the RGB is called the Enemy Collapse Sabotage Bureau, which at CIA, we did not have anything bordering that name. I don't know, Gordon, does MI6 have anything along those lines? I think if they did, they'd take the signs down when you went around the building. I don't think you'd walk past an office called the Enemy Collapse Sabotage Bureau. Although it does sound a bit like what Special Operations Executive were like in World War II though, which is basically going around blowing things up and bombing them. I mean, that's the job. Yeah, I guess when the RGB would bring in foreign liaison, maybe the enemy collapse, sabotage bureau, the little name played outside
Starting point is 00:19:55 says like technology group 204 or something more anodyne. So the cyber capabilities though, that become so critical to this bank heist that we're talking about, live inside the sixth bureau of the RGB, which is their sort of technical bureau. Now, interestingly, there's a whole bunch of different bureaus, enemy collapse, sabotage being one of them. This story, though, Gordon, is a story about luck and gambling, too, which is a little tease for folks here, because we're going to spend some time in casinos as this rolls
Starting point is 00:20:22 on. There's no fourth bureau inside the RGB because four is a very unlucky number. And I'll also note that most of the places in Vegas, like hotels, don't have a fourth floor. Really? Yeah, there's tremendous because so much of the gaming, both in Asia and in Vegas, is done by Asians who come to game, right? Chinese or otherwise who might come to Vegas to game. The whole environment really caters to these kind of superstitious gambling practices. And four is a very, very unlucky number. You will never have a pool in Vegas that is four feet deep or that has four in the depth. Wow.
Starting point is 00:21:00 You will not see it because it's very unlucky. Anyway. We have to do a trip to find out. Right. Exactly. Exactly. I think we need to take a Rest Is Classified research trip, Gordon. Around the pools of Vegas.
Starting point is 00:21:12 The number of cyber officers inside the Reconnaissance General Bureau, we don't really know. It's probably somewhere up to 6,000 or 7,000. So it's not small. I mean, it's a large number of people. And again, we know Park. We have a picture of him. But a lot, in fact, most of what we know about these guys, and they're all guys, is through the code that they write. So there's a tendency when you talk about North Korean cyber banditry, there's a bunch of technical kind of names for these different pockets of the organization that are deploying malware, deploying code as part of
Starting point is 00:21:52 these attacks. And they all have different names, you know, Lazarus Group, Hidden Cobra, Beagle Boys, you know, that kind of makes, again, it has this weird tendency of making it all kind of sound like a bunch of tech, you know, nerds, right? And all these names are, of course, given by Western kind of cybersecurity watchers, right, who named the code effectively. So Park, and I think this is a key point is because he's coming from this, or in this organization that is extremely aggressive. It's extremely brutal. It is predominantly, if not entirely male. And the people who look at the code say it's simple, it's practical, and it's brutal. So Park is in this organization.
Starting point is 00:22:31 Now, he is working in Pyongyang, but at some point, there's some digital dust where we start to learn a little bit about him. And it is because in 2011, he's sent to China to work as a developer for something called Chosun Expo, which is basically a front organization for the RGB. Now, isn't this interesting that the North Koreans have an outpost or a front in China from which they do some of their hacking? Should we be surprised at that, that the Chinese allow that or tolerate it? Yeah, well, I mean, it is practical. You think, you know, broader access to the internet, of course, you don't have to use North Korean IP addresses, you know, from China. So you can mask where you're coming from.
Starting point is 00:23:16 Yep. It's kind of a, it is an outpost, I think is the right way to think about it. Because a lot of what Park is doing in this period, he also gets married, by the way, lucky guy gets married in September, after he goes to China, he refers to his fiance as comrade in the written communications and actually does go back to North Korea for the wedding. But really what he's doing, again, it's the beginnings of what will become the heist, but he's just making money. You money. He's making online games and writing the code for them and then selling them. Games. So he's a developer. He's a software developer. Yeah, exactly. And you think from the North Korean standpoint, here's a guy who's probably one of
Starting point is 00:23:58 their most promising cyber recruits. He's come out of this elite organization or elite university, and he's working for the RGB. This is a bit of like his first kind of field expedition, you know, in some ways. It's a field posting to learn how the internet works, you know, to really understand, to do reconnaissance, in effect, on the open internet, which is not something he would have done even in his university days in North Korea. Because we should be clear that in North Korea, access to the internet is really limited. I think there's 1% of people have access to it. And what access there is, is very tightly controlled. So Park has been honing his skills as a software developer, maybe even a hacker. I think that's a great place to take a break before we take him back
Starting point is 00:24:45 to Pyongyang, to a boomtown of meth, pet dogs, plastic surgery, and flashy real estate, all paid for by the proceeds of crime. This episode is brought to you by our new friends at NordVPN. Now, Gordon, you have been a NordVPN user for over a year now. Why do you like them so much? So many reasons, David. But one particular feature that I love is with just one subscription, you can keep multiple devices safe, up to 10 at once with the NordVPN app. I've got lots of laptops and phones at home that I use for my work and my personal
Starting point is 00:25:25 life, and I can keep them all safe with just one subscription. You can also protect unlimited devices on your router by using NordVPN, which means that it is perfect for keeping your family safe online when they're using social media, email, banking online, or really anything for that matter. If you want to ensure that you're safe online, you should take advantage of our exclusive NordVPN discount. All you need to do is go to nordvpn.com slash rest is classified. And when you sign up, you can receive a bonus four months on top of your subscription plan. And there's no risk with Nord's 30 day money back guarantee. The link is also in the episode description box. We're back with the story of this amazing cyber heist. And David, we're in Pyongyang,
Starting point is 00:26:27 which I guess may be contrary to what people might expect. It is a bit of a boom town in a strange way. Gordon, my mental model of Pyongyang was massive military parades, very organized, choreographed, big stadiums full of people weeping for the dear leader, or frankly, a famine, a famine ravaged place. And I think the Pyongyang of 2014 that Park comes back to is that Kim Jong-un, of course, Rocket Man, you know, as Trump famously called him, is now the North Korean leader. And Pyongyang is undergoing massive changes, which I think, you know, Park, he's kind of this shadowy figure here, because we don't know a lot about him. But I have to think that he's not unaffected by the change in leadership. And frankly, by the fact that Pyongyang is now, as you said, a boomtown. I mean, you know, Kim in his first speech marking his grandfather's
Starting point is 00:27:19 100th birthday, says North Koreans will never have to tighten their belts again. And there is a massive loosening going on in Pyongyang in this era of restrictions on private enterprise. There's a massive increase in the number of government approved markets. The population, of course, is still, I think you could say, undernourished, but it is not a famine, right? People are not dying from hunger. The economy is growing. As you teased before the break, there's a tremendous amount of recreational meth usage in North Korea. And Kim Jong-un's nickname is Nanugi,
Starting point is 00:27:54 the person who shares. Lots of people are making money under him. It's also going to him. Most of it is going upward. But the individual is actually given opportunities to make some cash in the Kim economy. So if you're a person on the make, if you're this young programmer Park, you're seeing a bit of that boomtown life and you think you've got a shot at being part of it effectively by having been selected as a hacker. I mean,
Starting point is 00:28:22 you've got a route, a road into perhaps wealth or maybe not, if not the top elite, but into this world. I think so. I mean, a little bit of speculation here on Park's psychology, I think would be warranted because you got to think this is a guy who has probably improved his family standing significantly by working for the RGB. He's gone to one of the best schools in the country, right? So he is a sort of upwardly mobile member of the elite. He spent time abroad, very few North Koreans do that, even if it's just across the border in China. And he is in this gold rush kind of Pyongyang where it's not just working for, you know, an extra ration of rice or anything like that. I mean, he has the opportunity for some real, you know, conspicuous consumption, you know, I mean, more than 10% of North Koreans have cell phones now and, you know,
Starting point is 00:29:21 pet dogs, there's status symbols that would have been absolutely unthinkable a generation earlier. And I got to think that Park thinks, I want to get me some of that. I mean, that's got to play a role in his psychology here. But this is a country which is not exporting much and yet it seems to be importing all these luxury goods and other things you've been talking about and it needs money. So where is the money coming from? That's the obvious question. What's supporting the North Korean economy? That's right. Well, and it's crime in many respects. How is it being paid for? Well, the North Koreans call this the secret war. And this is what Park is going to become an elite soldier in the midst of.
Starting point is 00:30:05 So there is, to pay for all of this, a massive uptick in cybercrime in the first kind of decade of Kim's rule. Now, some estimates actually have the hacking maybe responsible for a third of North Korea's GDP. So it is a massive- A third. I mean, that's an astonishing figure. It's an astonishing figure, right? It's insane. So a third of the country's income is coming from international crime.
Starting point is 00:30:33 International crime, exactly. So this is, in some respects, Park is part of one of the biggest businesses in North Korea. And I do just, I want to return for a second to sort of put the scale of the consumption, you know, in context, because we're, of course, talking about a Pyongyang where, I mean, that money is going to support two or three bedroom apartment in Pyongyang is like $80,000. The official government salary is four bucks per
Starting point is 00:31:00 month. So again, how do you bridge that gap? Kim, the leader, he's got 33 homes, 28 are linked to private railway stations. His main compound covers five square miles. He renovated recently, Gordon, you'll be happy to know. The price tag of the renovations was a cool $175 million, although of course, it's hard to verify that. So the money to do this is coming from this crime. Now, some of these attacks, of course, are political in nature. The RGB is attempting to gain an advantage over its adversaries. So it's trying to get IP from Western aerospace and defense firms, things like that, right? Yeah.
Starting point is 00:31:40 So stealing commercial secrets. Stealing commercial secrets, something that, quote unquote, normal espionage agencies do the world over, right? But a lot of the crime is just pure cash, right? They go after cryptocurrency exchanges. There's been multiple billions of dollars raised from those kinds of attacks over the past six or seven years. There's ransomware attacks against healthcare organizations. Very, very famously, there was the attack against Sony Pictures, right? Entertainment, if you remember this one, where Sony... I remember this. Sony was releasing that film, The Interview, which ends with a sort of, I don't think it's actually, he's actually named Kim Jong-un, but it's obviously Kim Jong-un, and he explodes in a fireball. It's set
Starting point is 00:32:21 to Katy Perry music, and they got really upset about that, didn't they? Because the idea of a comedy film making fun of their leader and him being assassinated by, I think, visiting journalists caused them enough upset to hack Sony Pictures and steal and release their emails. And threaten 9-11 style attacks on theatres that showed the film for good measure. You don't have any concerns then about us doing a podcast on North Korea that that could... Yeah, that's actually... You're saying it too late, Gordon. We're too... We're too deep. We're doing it. We're in too deep. If our stablemates get hacked and their emails released, they can blame us. We should hope for the notoriety to land on Kim Jong-un's
Starting point is 00:33:01 radar. I think that would be... I would welcome such reach. Be careful what you wish for. Frankly, that Sony Pictures attack, you know, is obviously very political in nature. There's like a whole separate story there, right? That could frankly be its own. You know, they, of course, are going after academics and other institutions to kind of solicit opinions on North Korea and North Korean policy in the West and make it look like it's not actually coming from North Korea. It's going after defectors, of course, and critically, Gordon, banks, right? They are going after banks from Vietnam to Mexico to Taiwan and Bangladesh.
Starting point is 00:33:38 That's where the money is, in the banks. And it's interesting, isn't it, that cybercrime offers a new world for North Korea. You know, we were talking about printing presses before and counterfeit money. I mean, that's an old-fashioned way of doing it. Now, online, they've suddenly realized they've got this opportunity to reach into organizations and institutions around the world and try and either hold them to ransom or, in the case of banks, actually steal their money and get inside it. And that seems to be their modus operandi with this one particular hack, which we're going to look at. But it's more than a hack, isn't it? It's a heist. It's a proper full-on heist in 2015, where they're looking at trying to get a massive sum of money from a bank. I mean, it is extraordinary how
Starting point is 00:34:20 ambitious this is, and targeting Bangladesh of all places. Maybe precisely because it's not the most obvious place to go for with the highest security. I think what their efforts to send these horribly written spear phishing emails, like the one you so graciously read. Yeah, that was the one I started with. They're not being picky about where they're sending those, right? I mean, they're sending those out to figure out where can we get in, right? And between sort of the year before
Starting point is 00:34:47 the Bangladesh heist really starts to unfold, there's nine bank compromises all over the world that are linked back to North Korea. Now, not on the scale and unsuccessful, ultimately, taking money out. But this isn't someone sort of sitting in Pyongyang thinking it would be great to take Bangladesh down a notch. I mean, this is very- They're trying everywhere. They're trying everywhere. Exactly. But what I find fascinating is it's a long running operation. This isn't just a quick, we're going to hack into it like you see in the movies where someone hacks into something and then
Starting point is 00:35:20 presses a few buttons and withdraws millions of dollars. This is something which is very, very well crafted, in which they start out with that job seeker email that I read from right at the start, where they're using that to get into the Bangladesh systems of a bank, getting someone to click on the link to think that this is a resume from someone who wants a job, and then using that access to effectively get inside the system and then understand the system. And that's a process which they spend months over, don't they? I mean, this is not quick. They are really researching and trying to understand how the bank system works and get access to the machines, get access to the networks, and then look for how they can find a plan to basically steal a very large amount of money. Exactly.
Starting point is 00:36:07 And I think here, so much of this story could just be one where we have a mental model of, okay, it's a bunch of hackers kind of sitting in a room somewhere running this thing. But keep in mind, this is going on, and we don't have any sort of firsthand information on this, but this is an operation going on, being run by the RGB. So there is an operational chief to this. This is an espionage operation at the end of the day. And Park and his team, they're probably sitting in some kind of brutalist building or compound owned by the RGB. Probably doesn't have those hacker hostile vibes. It probably feels a little bit more like a barracks. And they are running reconnaissance on the Central Bank of Bangladesh network. Now, it's not a smash and grab job, as you mentioned.
Starting point is 00:36:57 And I think we don't want to be overly technical, Gordon, but I think I'm going to talk dirty here in code for a second to give you some sense of what the North Koreans are up to. They're using a piece of malware called Nest Egg, which gives them persistent access to these infected machines. So you picture someone literally in Central Bank of Bangladesh HR has clicked on the link that Rasul Alam so graciously put into his email advertising his services. So they're getting access to these machines, right? They're using something called Sierra Charlie to then hop from infected machines to more interesting parts of the bank, because they're not ultimately interested in the HR, you know, administrator's computer. They want to get kind of into more sensitive pieces of the bank
Starting point is 00:37:40 that are actually responsible for transactions. And then they use something called Macktruck to make that hopping encrypted and, critically, to make it invisible to the bank's IT staff. So literally over a reconnaissance operation that takes almost a year between 2015 and early 2016, they are moving around in the bank, sort of wiping the malware from the previous machines, covering their tracks, and trying to get closer and closer to a system that is very technical, but that will enable't it? Is in coming up with a plan, working out a way of hiding your tracks and being able to get out with the money. It is very similar to that rather than just the break-in. It's no good just kind of breaking in and people seeing what you're doing. And the key is that they're going for something called SWIFT,
Starting point is 00:38:37 which is the mechanism used for banks to move money between themselves, isn't it? Internationally. And that's the key that they realize to be able to get hold of serious money for this heist. Yes, SWIFT, the Society for Worldwide Interbank Financial Telecommunications, which is as dry as it sounds. But the North Koreans, and again, you know, I like to think of Park and the software, the coders sitting in a room eating the North Korean equivalent of
Starting point is 00:39:05 Pop-Tarts maybe. And then you've got, you know, an operational chief who is starting to think and probably conceptualizing an operation in which he says, once we get into this SWIFT system, how do we think about actually bringing money, bringing actual dollars into North Korea. And what they come up with, and again, they've been in the Central Bank of Bangladesh's computers for almost a year by the time we get access to the SWIFT system. So they're very patient. They are looking basically to be able to craft and authenticate and then send SWIFT messages that look totally legit, that originate from Bangladesh Bank's computer system, and then to be able to destroy those
Starting point is 00:39:52 digital messages so no one else inside the bank would know anything is wrong. And what they end up doing once they get access to SWIFT is, it's very, again, this code being sort of simple and brutal. They're able to accomplish all this by getting into the SWIFT system source code and then just deleting a few characters. So it's a year of work. I mean, like I think in all good espionage operations, the gap that you're looking toward is very small, but you've had to do a tremendous amount of legwork to kind of get to that point. And so on Thursday, the 4th of February 2016, that groundwork is laid. Park and his RGB comrades
Starting point is 00:40:34 are in the SWIFT system at the Central Bank of Bangladesh, and they are about to initiate one of the largest bank robberies in history. Well, David, that seems like a good place to leave it there with the RGB and Park, at least in cyber terms, walking into the vault with all those gold bars and all that bullion in front of them. And when we come back next time, we'll see how they get away with carrying out the loot. Thanks for listening to The Rest Is Classified. See you next time. Goodbye.