Internet Security Analysts: North Korea Is Planning a Global Bank Heist

North Korean leader Kim Jong Un receives applause as he guides the multiple-rocket launching drill of women's sub-units under KPA Unit 851, in this undated photo released by North Korea's Korean Central News Agency (KCNA) April 24, 2014. REUTERS/KCNA

The New York Times published a report from Internet security firm Symantec that revealed startling ambitions on the part of hackers affiliated with North Korea.

According to the report, they have plans to rob over a hundred banks around the world, including “institutions like the World Bank, the European Central Bank and big American companies including Bank of America.”

An attack on over 20 Polish banks near the end of 2016 was evidently thwarted without any money being lost. When security analysts pulled apart the virus software sent to these banks, they discovered a huge list of Internet addresses for other financial institutions, making up the target list described by Symantec.

The Times discusses the size and desperation of North Korea’s cybercrime ring:

The list of targets, which has not been previously reported, is part of a growing body of evidence showing how North Korea, a country that is cut off from much of the global economy, is increasingly trying to use its cyberattack abilities to bring in cash — and making progressively bolder attempts to do so.

North Korea’s hacking network is immense, encompassing a group of 1,700 hackers aided by more than 5,000 trainers, supervisors and others in supporting roles, South Korean officials estimate. Because of the country’s poor infrastructure, the hackers typically work abroad, in places like China, Southeast Asia and Europe. Like other North Koreans allowed to work abroad, the hackers are constantly monitored by minders for possible breaches in allegiance to the government.

Thus far, the biggest score for the North Korean operation appears to be a hack of Bangladesh’s central bank, revealed by Bangladeshi authorities in May 2016. The $81 million stolen from the bank ended up in the Philippines, but investigators were certain from early in the investigation that the thieves were not from either Bangladesh or the Philippines.

Early indications suggested Chinese hackers might have been responsible for the attack, but Symantec researchers soon isolated malicious code  linked to North Korea. Similar code and hacking techniques had previously been used against banks in Vietnam and Ecuador. According to the New York Times, analysts with the National Security Agency saw evidence the Bangladesh bank robbery was linked to the attack on Sony Pictures, which is generally seen as the work of North Korea.

The thieves were actually trying to steal a billion dollars from Bangladesh with fraudulent money transfer requests to the New York Federal Reserve, but only $81 million in bogus requests got through.

The attack on Poland’s banks was carried out with a “watering hole” hacking technique, which involves planting malware in locations the targets are likely to visit. Disturbingly, the watering hole for the Polish caper was the website of Poland’s banking regulator. Symantec mentioned similar watering hole traps have been laid for banks in Mexico and Uruguay, while virus attacks have been made already against a few targets in the United States.

An important point made by security analysts about these bank robberies is that huge amounts of manpower were involved, making state sponsorship of the attacks likely. The malware used in these assaults can lurk in targeted systems for weeks, going active during very limited windows of opportunity, so a large team of computer technicians has to work around the clock to supervise the intrusion.

Only one Chinese bank appeared in the target list distilled from captured viral code in Poland, a detail some analysts find significant. There are lingering suspicions that Chinese hackers assisted in pulling off the Bangladesh attack. This could become a major topic of conversation when Chinese president Xi Jinping meets with President Trump next month.

Security firm FireEye, which was instrumental in past actions against Chinese hackers, has reported a significant decline in Chinese industrial cyber-espionage over the past two years, coupled with an increase in Russian mischief. CEO Kevin Mandia warned Fortune last week that American companies are still “getting sucker punched pretty bad.”

North Korea has denied involvement in the wave of cyber attacks on financial institutions, claiming the United States reached “despicable heights” with its accusations. Pyongyang called America a “hacking empire, the worst of bullying countries” and said the hacking allegations were a pretext to “launch a pre-emptive strike” against North Korea.