N. Korea Could Expand Cyber Espionage Activities

North Korea's nation state hackers have shown no limits in what they will target, from a Hollywood entertainment company to a Bangladeshi bank

Divining a method to the madness is key to warning potential victims. Analysts say that foreign corporations and defectors have been high on the list of Pyongyang’s potential targets. On New Year’s Day, North Korean dictator Kim Jong Un delivered his annual address, telling North Koreans, and the world, what would preoccupy his reclusive regime’s time in the coming months.

The message was clear: with its nuclear weapons program well underway, Pyongyang would continue to try to develop its anemic economy.

“The might of the independent socialist economy should be further strengthened,” he said. By 2020, according to its national economic development plan, North Korea wants to make advances in key sectors like coal, agriculture, and machinery, and time is running out.

North Korea’s cyber operatives have long known how to turn a profit, with one regime-linked group alone reportedly responsible for millions of dollars in bank heists.  Now, in the face of stifling international sanctions, the Hermit Kingdom’s hackers could be more important to the regime than ever.

CrowdStrike says hacking operations could be crucial to helping Kim meet his 2020 goal, and that his speech is a public hint of what’s to come.

“We think that there is going to be a lot more commercial targeting by North Korea,” Adam Meyers, CrowdStrike’s vice president of intelligence, told CyberScoop. “We’ve seen lures and we’ve seen an increased pace of activity out of North Korea.”

In other words, North Korea could take a page out of a playbook long associated with Chinese hackers: steal data from foreign companies to boost the domestic economy. There already have been quiet signs that this is happening.
Last year, Egyptian company Orascom Telecom Media and Technology, which runs a joint-venture mobile phone business with the North Korean government, was hacked. 

The venture competes with a state-run service known as Byol, providing an incentive for Pyongyang’s computer operatives to go after the company’s proprietary data. CrowdStrike believes the culprit is part of a suspected North Korean group it calls Ricochet Chollima, which traditionally has focused on espionage in South Korea.

In another example of economically-motivated activity, North Korea-linked hackers have in recent months tried to breach a Western manufacturing company’s network, CrowdStrike said. Analysts at cybersecurity company Symantec also expect suspected North Korean hackers to continue to conduct economic espionage.

“Over the years we’ve realised that one shouldn’t put anything outside of the purview of Lazarus,” said Symantec technical director Vikram Thakur, using an industry term for a broad set of hackers the US officials have tied to Pyongyang. North Korea has denied it engages in the extensive and destructive malicious cyber activity for which the US government has blamed Pyongyang.

However, stealing proprietary data is one thing; turning that data into a competitive company is quite another. And unlike China, the second largest economy in the world, North Korea’s frail economy makes that difficult.

“Their ability to turn stolen intellectual property around into a usable product is very limited,” said Priscilla Moriuchi, director of strategic threat development at cyber-intelligence company Recorded Future. “So my sense is that the goal in targeting companies would be to monetise information that they’ve gained, unless it’s a few specific sectors.”

Whether or not they are contributing to national economic development goals, the hunt for money drives much of what North Korean cyber personnel do, according to Moriuchi. Each computer operative is responsible for bringing in a certain amount of money each year, she said, resulting in plenty of “day-to-day, low-level cybercrime.”

Researchers say the North Korean government has plenty of assets abroad to enhance its criminal activity. The regime has been dubbed “the Soprano state” because of a longstanding overseas network of criminal activities for raising cash, from narcotics to counterfeiting, said Tom Creedon, senior managing director for East Asia Pacific at LookingGlass Cyber Solutions. Over the last decade or so, the North Koreans have likely tapped that network, sometimes using front companies, to support malicious cyber activity as another means of generating revenue, he said.

While financially-motivated hacking continues, evidence suggests that malware-based surveillance of North Korean defectors does too.

Days before Kim delivered his New Year’s address, South Korean officials revealed that hackers had broken into a database of information on defectors, stealing names, addresses, and dates of birth on nearly 1,000 people. There is no public forensic evidence pointing to who committed the hack; South Korean authorities haven’t named a suspect.

But there is evidence North Korea has used its cyber capabilities to spy on some of the estimated 31,000 defectors living in South Korea. South Korean officials and the Ministry of Unification overseeing the breached agency “conducted a thorough inspection to prevent the spread of similar hacking cases” after that intrusion, a ministry official told CyberScoop.
Such measures can’t prevent hackers from training their sights on those who work on North Korean defector issues, and there is some evidence that is happening.

Simon Choi, a South Korea-based cybersecurity analyst, said he recently discovered a phishing lure from someone posing as a Ministry of Unification official. The perpetrator, he said, used a vulnerability in Daum Mail, a Korean-language email service.
Choi told CyberScoop he has seen evidence of hackers targeting South Korean reporters who cover defectors as a possible means of gathering information about the refugees.

Choi blamed an “NK hacker” for the lure, though CyberScoop could not independently confirm that the activity emanated from North Korea. CrowdStrike recently warned customers about a similarly named file that used Daum Mail as command and control, Meyers said.

The company has tied that activity to another suspected North Korean hacking group it tracks as Velvet Chollima.

As the ways in which Pyongyang can use cyber operations to support its domestic and foreign policy goals grow, so, too, do the potential targets. “They’ve been extremely adaptable and innovative,” said Moriuchi, of Recorded Future.

CyberSecoop:

You Might Also Read:

North Korea Is Using The Internet Like The Mafia:

 

« Britain Aims To Lead In CyberSecurity
President Putin Wants A National AI Strategy »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

International School of IT Security (ISITS)

International School of IT Security (ISITS)

The International School of IT Security (ISITS) is a leading provider of professional training in the field of IT Security.

Cyberia Group

Cyberia Group

Cyberia is a leading Internet and Security services provider with operations in Saudi Arabia, Lebanon and Jordan.

Cydome

Cydome

Cydome offers full-spectrum cybersecurity solutions tailored for the maritime industry.

NETAS

NETAS

Netas offers solutions in information and communication technologies including end-to-end value added solutions, system integration and technology services to providers and corporations.

RangeForce

RangeForce

RangeForce delivers the only integrated cybersecurity simulation and skills analysis platform that combines a virtual cyber range with hand-on training.

Nuspire

Nuspire

Nuspire provide services to protect your network with best-in-class managed detection and response, allowing you to stay focused on managing your business.

Search Guard

Search Guard

Search Guard® is an Open Source security suite for #Elasticsearch and the entire #ELK stack that offers encryption, authentication, authorization, audit logging and multi tenancy.

Center for Applied Cybersecurity Research (CACR) - University of Indiana

Center for Applied Cybersecurity Research (CACR) - University of Indiana

CACR serves Indiana and the nation by tackling cyber risk in research and other unusual environments through agile, holistic, principle-based cybersecurity.

Randstad

Randstad

Randstad provide outsourcing, staffing, consulting and workforce solutions in the USA across a wide range of job sectors including IT and cybersecurity.

BlackScore

BlackScore

BlackScore is a technology company seeking to disrupt risk assessment using AI-driven technology.

OwnZap Infosec

OwnZap Infosec

OwnZap Infosec aims to digitally shield the cyberspace by offering services like Penetration Testing and Red Teaming, Infrastructure Security Testing, and Vulnerability Assessments.

Romanian Tech Startup Association (ROTSA)

Romanian Tech Startup Association (ROTSA)

Romanian Tech Startups Association is an umbrella organization that aims to promote, support and represent the interests of tech startups in Romania.

Aikido Technology Services

Aikido Technology Services

Aikido Technology Services is a leading-edge technology solutions provider, servicing the Pacific North West USA. We offer affordable IT solutions designed to streamline and secure your business.

ThrottleNet

ThrottleNet

ThrottleNet provides world-class managed IT services and cybersecurity to organizations in St. Louis and throughout Missouri.

Blue Goat Cyber

Blue Goat Cyber

Blue Goat stands at the forefront of cybersecurity, particularly in medical device security and penetration testing.

Prizsm Technologies

Prizsm Technologies

Prizsm is a computational storage capability that provides flexible, easy-to-use, resilient solutions for quantum-resistant, hyper-secure cloud storage and communications.