N. Korea, Lazarus & SWIFT: Are the white hats closing in? (Update: SWIFT cuts off remaining N. Korean banks)

In the last month, major news stories about North Korea have bombarded my batting cage faster than I’ve been able to swing at them. I’d wondered when I’d have a chance to cover Katy Burne’s detailed story in the Wall Street Journal about the empty half of the SWIFT glass — that despite its recent decision to disconnect three U.N.-designated North Korean banks, it’s still messaging for banks that are sanctioned by the Treasury Department, but not by the U.N.:

The U.S. Treasury-sanctioned banks that remain on Swift include the state-owned Foreign Trade Bank of the Democratic People’s Republic of Korea, the country’s primary foreign-exchange bank; Kumgang Bank; Koryo Credit Development Bank; and North East Asia Bank, according to people familiar with the network. A search on Swift’s website listed active bank identifier codes for the institutions as of Monday.

The U.S. designated for sanctions the Foreign Trade Bank in 2013, saying it facilitated weapons of mass destruction programs in North Korea. The other three were sanctioned in December as the U.S. targeted entities it said supported the North Korean government and its weapons programs following the Asian nation’s September 2016 nuclear test.

The apparent sanctions gap raises questions about how easily North Korea could move currency through alternative banking channels, something the U.N. said it has been known to do in the past through fronting companies. [….]

While based in Brussels and regulated by Belgian authorities, the company intersects daily with U.S. financial institutions, processing tens of millions of payment instructions, including through a large facility in Culpeper County, Va. [WSJ, Katy Burne]

I won’t sugar-coat this; the fact that these dirty and important (to His Porcine Majesty) banks can still use SWIFT is a major hole in our sanctions, and whether Congress and the administration are willing to close it will be a test of how serious they are about stranding Pyongyang’s money.

I can understand some of SWIFT’s likely arguments against that, mind you: first, SWIFT has earned much good will from Treasury for favors it has done them on terrorist financing; second, there may be other potential providers of the same service that may be less responsive to U.S. legal pressure. Fair enough, but whoever takes up that slack in SWIFT’s wake should be sanctioned to swift extinction (yes, intended). For a list of North Korean banks indicating which ones are designated by the U.N. and the U.S., see this post, and scroll down.

Meanwhile, Symantec now claims to have additional evidence that the hacker group Lazarus, which it had previously linked to the robbery of Bangladesh Bank through compromised SWIFT software, is responsible for that attack, and for more:

A North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organizations in 31 countries, following high-profile attacks on Bangladesh Bank, Sony and South Korea, cyber security firm Symantec Corp said on Wednesday.

Symantec said in a blog that researchers have uncovered four pieces of digital evidence suggesting the Lazarus group was behind the campaign that sought to infect victims with “loader” software used to stage attacks by installing other malicious programs.

“We are reasonably certain” Lazarus was responsible, Symantec researcher Eric Chien said in an interview.

The North Korean government has denied allegations it was involved in the hacks, which were made by officials in Washington and Seoul, as well as security firms.

U.S. Federal Bureau of Investigation representatives could not immediately be reached for comment.

Symantec did not identify targeted organizations and said it did not know if any money had been stolen. Nonetheless, Symantec said the claim was significant because the group used a more sophisticated targeting approach than in previous campaigns.

“This represents a significant escalation of the threat,” said Dan Guido, chief executive of Trail of Bits, which does consulting to banks and the U.S. government. [Reuters]

Further down, the report suggests that one or more Polish banks may also have been hit, but “Reuters has been unable to ascertain what happened in that attack.” The headline having promised evidence of attribution to North Korea, however, the text of the story itself left me wanting more. It’s not news that Symantec has linked Lazarus to North Korea; Symantec did that almost a year ago. Nothing in Reuters’s report adds evidence to that attribution.

Nor does this story suggest that there’s enough evidence for the feds to act against Lazarus, although it does hint that the FBI is investigating. Jurisdiction shouldn’t be an issue in the Bangladesh case; money moved through the New York Federal Reserve Bank. Attribution is the real question. Depending on what they can prove, the feds would have many potential charging options, including bank fraud, wire fraud, the Computer Crime and Abuse Act, racketeering, and money laundering. Furthermore, there are anti-hacking provisions in both the NKSPEA (section 104(a)(7)) and Executive Order 13722, which means that if the feds could find any of Lazarus’s money, or any assets of Lazarus’s co-conspirators — regardless of whether those assets can be traced to any of these specific acts — the Treasury Department could freeze them, and the Justice Department could forfeit them.

And needless to say, the indictment of a state actor would be a big deal, for a lot of reasons.

So far, I don’t see enough in the open sources to support that, but it’s good news that the white hats are working diligently on this. If they can attribute this to senior officials in the North Korean government — most likely, within the Reconnaissance General Bureau — then it would be our legal basis to go after the RGB’s assets, which we’ve recently learned include some sophisticated and global commercial operations. This story bears close watching.

~   ~   ~

Update:

Reuters is reporting that SWIFT will disconnect the remaining North Korean banks:

SWIFT, the inter-bank messaging network which is the backbone of international finance, said it planned to cut off the remaining North Korean banks still connected to its system, as concerns about the country’s nuclear program and missile tests grow. SWIFT said the four remaining banks on the network would be disconnected for failing to meet its operating criteria.

The bank-owned co-operative declined to specify what the banks’ shortcomings were or if it had received representations from any governments. Experts said the decision to cut off banks which were not subject to European Union sanctions was unusual and a possible sign of diplomatic pressure on SWIFT. [Reuters]

Now that SWIFT has gotten itself right with Jesus, I would like to implore everyone, everywhere to lay off SWIFT. It’s absolutely true that if we turn SWIFT into a political surrogate for our sundry political conflicts, the world’s dirtiest banks will just take their business elsewhere. That’s not a trend we want to encourage. SWIFT has usually been a responsible member of the financial community, sometimes at great cost to itself.

My argument all along has been that (1) North Korea deserves to be an exception to that rule because (2) North Korea is a unique threat to the financial system — not to mention, to all of humanity — as documented in (3) seven U.N. Security Council Resolutions, a Patriot Act 311 determination, and a call for “countermeasures” by the Financial Action Task Force. You can’t say that about any other country on earth right now — not even Iran. I can’t reconcile messaging for North Korean banks with any of those authorities. And if any competitor tries messaging for the FTB, it’s especially important that the Treasury Department should have the authority to obliterate them (which is why Congress should still proceed with something like the BANK Act).

Having said all that, I wouldn’t be too quick to assume that diplomatic pressure was the main reason for this most welcome decision. “Operating criteria” could mean a lot of things, but it’s a slightly better fit with “massive global bank fraud” than it is with “diplomatic pressure.” If there are more developments in the Lazarus investigation than the Reuters report makes apparent, and if those developments convinced SWIFT that it had unwittingly helped the North Koreans defraud its more reputable clients by sharing its software with them — and their hackers — that would be a perfectly good (and equally plausible) reason for SWIFT to have cut the North Koreans off.

Yet again, the North Koreans are tactically brilliant criminals. And yet again, they’re strategically moronic. It’s a rare and happy day when someone finally holds them to account for it.