KATHMANDU: A group of North Korean hackers has remained surreptitiously active in operating cyber espionage from Apartment No 16 ‘A’ of the Harmony Housing at Tokha, around five kilometers north of Kathmandu’s Basundhara (Ringroad), especially targeting banking and financial institutions across the world. This was revealed through investigations by Khabarhub for months. The Harmony Housing, away from the hustle and bustle of Kathmandu, has a total of 11 buildings.

The group, comprising of six members — identified as Song Hyok Peak, Jong Gon Choe, Jin Hyok Pae, Phyong Yun, Yong Guk Kim, and Jong Nam Won – stationed at the apartment are active throughout the clock to work for North’s army intelligence agency. Amassing money from various countries is a major part of its spying activities, it is learned. However, according to a security guard at the apartment, another five people are seen on and off.

Evidences obtained by Khabarhub’s two-month-long investigation with the support of computer experts reveal that the group has been found to be directly working for the 121 Bureau of the seven different intelligence bureaus under Section 586 of the North Korean Directorate General of Military Intelligence, which is also known as the Lazarus group or Hidden Cobra.

These hackers are found to be judiciously routing their signal through Virtual Private Network (VPN) from Singapore, India, Germany, South Korea and Taiwan to setup their server to shroud their presence in Nepal.

The group active in Nepal is also found to be creating dozens of internet addresses, including some IP addresses in the name of hospitals, charity firms, schools and other institutions, according to high-placed security sources.

They not only use common hacking techniques from Nepal like phishing, click jacking DDoS, but also make malicious software and malware programs like Virus or Trojans, worms, to infect damage financial, and others targets.

The North Korean hackers mostly use eavesdropping tactics that passively monitors the targeted computer systems to obtain secret technical information. The main motive of this shadowy hacker group in Nepal is to collect money for the North Korean government, evidences show.

The country, which is reeling under crippling sanctions imposed by several countries and international organizations, including the UN, apparently operates cyber espionage and hacking through the gang under a company named ‘Yong Bong Chand IT Company Pvt. Ltd’ registered on January 14, 2018, in Nepal.

However, the Government of Nepal seems indifferent to such activities operating under a false-flag company, which has been taking place in collaboration with Dharma Chand, a Nepali national. Record, however, shows that the company’s address is in Thapathali area.

It should be noted that the UN Security Council Resolution 2375 prohibits North Korean individuals and entities in activities such as opening, maintenance, and operation of all joint ventures or cooperative entities, new and existing whether or not acting for or on behalf of the government of North Korea, unless such joint ventures or cooperative entities, in particular those that are non-commercial, public utility infrastructure projects not generating profit, have been approved by the Committee in advance on a case-by-case basis.

Meanwhile, efforts to reach Chand’s office landline number (01-410…3) and cell number (984…8181) could not materialize since his employee informed that he was “out of station” while his cell was “switched off”.

Nepal’s Labor Department, however, has not issued the labor permission to the group of six and the other five, who, reports suggests, came to Nepal on tourist visa.

According to the data at the Department of Industry, the company promising to employ at least 55 people during its registration process, had sought 170-package data for ‘software development’.

North Korea, which has been banned by the UN Security Council from obtaining labor permit, had initially sought labor permission from Nepal cataloging it as a South Korean company to ‘install’ its hacking operation here. However, according to the evidence obtained by Khabarhub, the company was registered with the support of two incumbent ministers defying the Nepal’s international obligation and commitment.

Besides hacking, the company is involved in trading of software and money laundering activities through ‘dark web’. Similarly, North Korean diplomats, who are in regular touch with these hackers, have been funneling money to North Korea.

Retired Nepal Army General Binoj Bansyat told Khabarhub that North Koreans have been using the Nepali soil for such activities. “This will send a negative message to the world,” he said adding that Nepal’s intelligence should be further strengthened.

It has also been revealed that two of the six members frequently visit their home country, North Korea, acting as a bridge between the North Korean officials and the group. These two people receive hacking targets and instructions from their seniors and convey to the team.

“It is in fact reprehensible that North Korean hackers are clandestinely involved in illegal activities such as hacking, depositing a huge amount of money, and spying from the Nepali soil,” former CIB Chief Hemant Malla said.

“They have been actively involved in unlawful activities, including hacking servers of banks and financial institutions and spying against western countries from Nepal for quite a long time by taking due advantage of Nepal’s weak security mechanism,” he added.

Interestingly, while the Nepali partner holds 20 percent share of the Yong Bong Chand IT Company Pvt. Ltd, the North Koreans hold the rest 80 percent share with the company having a total of Rs 100 million as gross capital, around 8.90 million as fixed capital, and Rs 10.9 million as working capital.

Locals of Tokha area are unacquainted about the group’s activities since the hackers usually keep a low profile. They hardly come out of the house during the day to avoid public attention. However, they frequently visit the North Korean Embassy at Bukhundol in Lalitpur during the night while North Korean diplomats use a taxi instead of diplomatic vehicles to visit the Tokha-based apartment.

Investigations have revealed that two employees of the North Korean Embassy make available all necessary supplies, including food items, to the hackers either early in the morning or late night when everyone around is asleep.

These hackers use several SIM cards from various data package, which have been obtained in the name of some Nepalis, to use the internet, which means that they are carrying out their activities surreptitiously to avoid the fear of being detected.

“Several North Koreans coming to Nepal on a tourist visa, are found to be involved in unlawful activities. However, the government has to bring such elements to book while keeping its security organs effective,” opined Devi Ram Sharma, former Chief of National Intelligence Department of Nepal adding that the government has failed to carry out its surveillance, detect and arrest on such activities. “Nepal should abide by the international commitments on such issues,” he added.

Meanwhile, geo-strategist expert, Arun Subedi termed the issue as ‘serious’ while stating that it is unfortunate that some elements are trying to use the Nepali soil against Nepal’s neighbor and other friendly countries.

“This is, in fact, unfortunate,” Subedi said while suggesting the government to take immediate action to thwart such activities.

He was categorical to state that North Korea, which is facing strict UN sanctions and reeling under severe economic crisis, has been using its embassy here in such illegal activities to generate money through diplomatic cover.

Lazarus eyes on banks

The Lazarus hacker’s group, run by the North Korean army intelligence, funnels billions of money to North Korea after hacking from different countries. South Asia, including Nepal, is becoming the group’s recent target. This group had earlier hacked Rs. 460 million from NIC Asia Bank in 2017.

“We will look into the NIC issue,” Spokesperson of Nepal Police, Uttam Raj Subedi told Khabarhub adding that the police will further investigate the alleged involvement of North Koreans in cyber hacking from its Kathmandu base.

Accepting the fact that new techniques are being used in cybercrimes in recent times, he said a cybercrime investigation bureau has been formed to look into such issues. He informed that the department has been constantly in touch with the government to procure additional equipment and a forensic lab for the purpose.

In three days, between August 11-13, 2018, the North Korean group had managed to siphon IRs 940 million through a malware attack on the server of the Pune-based Cosmos Bank in India. Hackers also cloned several of the bank’s debit cards in just over two days. Despite being alerted by the Federal Bureau of Investigation (FBI), the group stole such a huge amount.

In 2016, the same group had also hacked and transferred over Rs. 85,000 million to various banks across the globe from the Center Bank of Bangladesh.

Towards its inception, the notorious Lazarus group had terrorized South Korea through cyber-attacks. However, it was the group’s attack on Sony Pictures of Sony Company in 2014 that ramified the group’s terror at a global scale. This was because the group had used sophisticated technology in the attack. It then attacked Del Austro, a bank in Ecuador incurring a loss of over US$12 million to the bank.

Similarly, the group also hacked from US$ one million from a bank in Vietnam. Likewise, the group hacked US$ 60 million from the East International Bank in Taiwan in 2017.

Stealing of money through hacking by the group has terrorized banking industry in Nepal, India, and Bangladesh. North Korea has resorted to amassing money through hacking as it faces resource crunch due to the strict sanction imposed by the USA and the UN.

The Lazarus Group earlier attacked financial institutions in several countries such as Ethiopia, Costa Rica, India, Gabon, Iraq, Indonesia, Kenya, Poland, Malaysia, Nigeria, Thailand, Taiwan, and Uruguay, according to reports.

Nepal at high risk

Given the hacking record of the group and its hacking business, bank and financial institutions in Nepal are highly vulnerable to the group. This is more so as the hacker groups are operating from Nepal. Besides, financial institutions have remained largely indifferent to the mandatory ruling by the Nepal Rastra Bank (NRB) for cybersecurity audits.

“Foreign hackers operating from Nepali territory is a matter of grave concern and could prove very costly to the country,” opines Dr. Suresh Chalise, former diplomat adding that this will draw the attention of the international community.

Meanwhile, analysts warn that the government must address the cybersecurity issue to avoid a disaster in the banking as well as other sectors.

The hackers shifted their base to Nepal after intense international monitor and crippling UN sanction to control its bad behaviors as well as nuclear and missile ambitions.