exp TSR.Todd.North.Korea.linked.to.more.bank.hacks_00001401.jpg
exp TSR.Todd.North.Korea.linked.to.more.bank.hacks_00001401.jpg
Now playing
02:45
North Korea linked to more bank hacks
Nicolas Asfouri/Pool/Getty Images/AFP PHOTO/KCNA VIA KNS
Now playing
01:27
North, South Korean leaders to meet again
Airbus Defense and Space
Now playing
01:44
New images show N. Korea dismantling test site
CNNI
Now playing
00:40
Pompeo dismisses N. Korea's 'gangster' comments
SINGAPORE - JUNE 12: In this handout photo, North Korean leader Kim Jong-un shakes hands with U.S. President Donald Trump during their historic U.S.-DPRK summit at the Capella Hotel on Sentosa island on June 12, 2018 in Singapore. U.S. President Trump and North Korean leader Kim Jong-un held the historic meeting between leaders of both countries on Tuesday morning in Singapore, carrying hopes to end decades of hostility and the threat of North Korea's nuclear program. (Photo by Kevin Lim/THE STRAITS TIMES/Handout/Getty Images)
Handout/Getty Images AsiaPac/Getty Images
SINGAPORE - JUNE 12: In this handout photo, North Korean leader Kim Jong-un shakes hands with U.S. President Donald Trump during their historic U.S.-DPRK summit at the Capella Hotel on Sentosa island on June 12, 2018 in Singapore. U.S. President Trump and North Korean leader Kim Jong-un held the historic meeting between leaders of both countries on Tuesday morning in Singapore, carrying hopes to end decades of hostility and the threat of North Korea's nuclear program. (Photo by Kevin Lim/THE STRAITS TIMES/Handout/Getty Images)
Now playing
01:56
Kim Jong Un snubbed Mike Pompeo, source says
WASHINGTON, DC - MAY 09:  National Security Adviser John Bolton speaks on a morning television show from the grounds of the White House, on May 9, 2018 in Washington, DC. Yesterday President Donald Trump announced that America was withdrawing from the Iran nuclear deal.  (Photo by Mark Wilson/Getty Images)
Mark Wilson/Getty Images
WASHINGTON, DC - MAY 09: National Security Adviser John Bolton speaks on a morning television show from the grounds of the White House, on May 9, 2018 in Washington, DC. Yesterday President Donald Trump announced that America was withdrawing from the Iran nuclear deal. (Photo by Mark Wilson/Getty Images)
Now playing
01:34
Bolton: US has plan for denuclearizing N. Korea
Planet Labs Inc.
Now playing
01:25
Satellite images show missile plant construction
CNN
Now playing
01:14
Susan Rice: Kim Jong Un beat Trump at summit
Images of the Norrth Korea missile launch on November 28 taken from Rodong Sinmun, North Korea's official newspaper.
From Rodong Sinmun
Images of the Norrth Korea missile launch on November 28 taken from Rodong Sinmun, North Korea's official newspaper.
Now playing
02:14
Will North Korea restart nuclear tests?
Photo Illustration/Getty Images
Now playing
03:00
Will Kim Jong Un ever give up his nukes?
Photo Illustration/Getty Images
Now playing
02:27
What's bringing Kim Jong Un to the table
Now playing
01:51
Who is Kim Jong Un?
CNN
Now playing
01:43
Connolly: Trump comment on Kim 'jaw-dropping'
Now playing
02:31
Moon: The masterful dealmaker
Trump Kim Jong Un comment 04240218
CNN
Trump Kim Jong Un comment 04240218
Now playing
01:26
Trump: Kim Jong Un very open and honorable
Now playing
03:06
Finding art on the edge of the DMZ

Story highlights

There are signs that North Korea is hacking banks worldwide

The stolen money fuels the country's illegal development of nuclear weapons

Saint Maarten CNN —  

North Korea’s hacking operations are growing and getting more bold – and increasingly targeting financial institutions worldwide.

North Korea is now being linked to attacks on banks in 18 countries, according to a new report from Russian cybersecurity firm Kaspersky.

And the stolen money is likely being spent advancing North Korea’s development of nuclear weapons, according to two international security experts.

Banks and security researchers have previously identified four similar cyber-heists attempted on financial institutions in Bangladesh, Ecuador, the Philippines and Vietnam.

But researchers at Kaspersky now say the same hacking operation – known as “Lazarus” – also attacked financial institutions in Costa Rica, Ethiopia, Gabon, India, Indonesia, Iraq, Kenya, Malaysia, Nigeria, Poland, Taiwan, Thailand, and Uruguay.

North Korea's mysterious Lazarus hacking operation has been blamed for several large international cyberattacks in recent years.
North Korea's mysterious Lazarus hacking operation has been blamed for several large international cyberattacks in recent years.

The hackers can be traced back to North Korea, according to Kaspersky researchers.

To hide their location, hackers typically launch cyberattacks from computer servers far from home. According to Kaspersky, the Lazarus hackers carefully routed their signal through France, South Korea and Taiwan to setup that attack server. But there was apparently one mistake spotted by Kaspersky: A connection that briefly came from North Korea.

“North Korea is a very important part of this equation,” said Vitaly Kamluk, who leads Kaspersky’s Asia-Pacific research team.

Researchers disclosed their findings publicly on Monday at Kaspersky’s Security Analyst Summit, a cybersecurity conference on the Caribbean island of St. Maarten.

Kaspersky is one of the world’s top cybersecurity firms, providing popular anti-malware protection to computers at homes and companies worldwide. Its researchers are known for exposing some of the most complex global hacking operations. US law enforcement remains suspicious of the firm’s ties to the Russian government, but Kaspersky strongly denies Kremlin influence on the company’s business.

Cybersecurity firm Kaspersky denies ties to the Russian government.
Bloomberg via Getty
Cybersecurity firm Kaspersky denies ties to the Russian government.

North Korea’s targets have been shifting in recent years.

In 2013, when South Korea’s banks and broadcasters were attacked, that government blamed its neighbor to the north. In 2014, the US government blamed North Korea for the the hack on Sony Pictures. Clues in both cases pointed to Lazarus.

By late 2015, the Lazarus hackers shifted their attention to the global financial system, according to researchers at BAE Systems, FireEye and Symantec.

The earliest known victim was a Vietnamese commercial bank. The latest attacks, observed by Kaspersky in March, included operations attacking financial institutions in Gabon and Nigeria in Africa.

Though most of the attacks were not successful in stealing money, several were, according to Symantec.

And researchers said these hackers intend to attack major Western banks using increasingly sophisticated methods.

One recent example is a trap set at the website of Poland’s financial regulator. Hackers embedded malicious code onto that Polish website, according to BAE Systems. And they limited the infections to visitors from particular internet addresses – employees at banks.

The code showed that Lazarus hackers created a list of 150 internet addresses that served as “a hit list,” said Eric Chien, a researcher at Symantec, which issued its own warning about North Korea hacking earlier this year.

CNN ran those addresses through internet records kept by DomainTools, a cybersecurity firm. Those IP addresses belong to the World Bank, as well as the central banks of Brazil, Chile, Estonia, Mexico and Venezuela, as well as a wide range of well known global banks.

Kaspersky said its defense software has blocked more than a dozen infections from Lazarus. It’s unclear which banks were ultimately infected.

Researchers at several cybersecurity firms theorize that North Korea is attempting to build a network of infected banks to move around stolen money.

For example, millions of dollars were taken from Bangladesh’s account at the New York Federal Reserve last year and moved to Sri Lanka and a casino in the Philippines, according to investigators.

North Korea tried to funnel some of that money through one infected bank in Southeast Asia, according to a researcher at FireEye. But an emergency team at FireEye managed to block it in time.

American prosecutors in Los Angeles are now investigating the Bangladesh bank hack, a federal law enforcement source told CNN.

And the money may be going to help develop North Korea’s nuclear program.

“This is all for their nuclear weapons and missile programs. They need this money for building and researching more ballistic missiles,” said Anthony Ruggiero, a senior fellow for Foundation for Defense of Democracies who tracks North Korea’s illegal behavior.

North Korea’s secret banking

This aggressive hacking operation coincides with a global effort to block North Korea from the financial system as punishment for its nuclear program. United Nations sanctions block countries from allowing banks to do business with the tightly-controlled regime of Kim Jong Un.

But in February, a UN investigation revealed that North Korea is using a network of front companies and secret agents to access global banks. For example, North Korea used electronics and shipping companies to move millions of dollars, essentially making them financial institutions. The regime also set up several banks as subsidiaries of Chinese and Malaysian firms, masking their true ownership.

Cyber heists play a role in this illicit scheme, because stolen funds can be used to prop up those front companies, according to Sung-Yoon Lee, a Korea expert who teaches at Tufts University.

“We tend to patronize North Korea and mock them. But over the past decade, they have shown the world they are… very capable when it comes to cybercrime,” he said.

CNN’s Scott Glover contributed to this report.