N Korean Cyber Attacks Continue Despite Peace Talks

As Kim Jong-un speaks publicly about nuclear disarmament, North Korea’s hacker army continues to launch cyber-attacks against different businesses across Asia, Europe and the US, according to private sector analysts and former US officials.

Experts from several cybersecurity firms, namely Dell SecureWorks, McAfee, Symantec, FireEye and Recorded Future, all say that activity from North Korea has stayed steady or grown in volume since peace talks gained steam earlier this year.

The activities of these Pyongyang-linked hacking groups largely focus on financial theft and covertly stealing digital secrets. While affected companies have quietly dealt with the onslaught in recent months, their contracted cybersecurity firms confidentially collected and studied recent malware samples showing that the North Koreans are still actively developing new iterations of their toolsets.

“Similar to operations conducted prior to that date [circa January], North Korean actors have engaged in broad cyber espionage using a Destover-variant tool, developed and deployed malicious Android applications, and developed more destructive malware,” said Priscilla Moriuchi, a threat intelligence expert with Recorded Future and former NSA analyst focused on East Asia.

“We have seen a heavy concentration of targeting in Southeast Asia and the United States, with some crossover into the Middle East,” McAfee Senior Researcher Ryan Sherstobitoff said. “We have even seen an entire country’s financial sector targeted by Hidden Cobra during this period.”

Hidden Cobra is one of the nicknames assigned by the US government to North Korea’s hacking activities; other names coined by the private sector include “Lazarus Group,” “BlueNoroff” and “Red Eyes.”

Recently, the Department of Homeland Security and the Federal Bureau of Investigation released a joint alert about the spread of a specific malware variant that has been widely associated with Hidden Cobra since at least 2009. It’s not clear if a recent breach prompted the new DHS-FBI alert, but experts say it wouldn’t be surprising.

“The group continues to use implants such as Bankshot and newly created hybrid Trojans based on previous notable activity,” said Sherstobitoff, referencing a type of malware that infected Turkey’s banking system.

“The TTPs (Tactics, Tools and Procedures) have not changed much, only to the degree that targeting appears to extend more beyond the borders of South Korea … The underlying goals have always remained the same: financial and classic data collection in support of intelligence operations.”

The findings, as disclosed to CyberScoop, provide a stark reminder that North Korea remains highly dependent on cybercrime for both financial and geopolitical gain, so much so that it is willing to risk angering foreign governments amid a diplomatic push.

“During the past few months we’ve seen Lazarus conduct attacks on financial organizations, with the intention of attempting bank heists,” said Vikram Thakur of Symantec’s Security Response team. “The volume of these attacks is not massive but the trend reflects a small uptick in overall attacks and attempts of financial fraud.”

The diplomatic talks regarding North Korea involve several key countries, including China, Russia, South Korea and the US. A number of research teams see the US and South Korea still being targeted.

“During the timeframe, North Korea had been focusing their attention on South Korean targets, specifically North Korean defectors and related organizations, for intelligence gathering,” a spokesperson for SecureWorks’ Counter Threat Unit said.

“Based on targeting select victims, it appears that the North Korean government is keen to acquire information that could affect the current peace process … We have not directly observed but are aware of phishing lures containing topics concerning current peace talks.”

North Korea’s use of these diplomatically inspired phishing emails was not previously known. How the small, resource-strapped nation will move away from this type of behavior if it is to improve foreign partnerships is an open-ended question, experts say.

The challenge is especially significant because of the decentralized nature of North Korea’s hacking units. Prior reporting by Bloomberg showed that Pyongyang was able to establish small teams of hackers in Southeast Asia in order to pursue official and unofficial criminal schemes. This loose structure would conceivably make operations difficult to suddenly wind down.

“DPRK cyber espionage operations continue to increase in scope and sophistication, developing new offensive capabilities and leveraging zero day vulnerabilities,” said Cristiana Brafman Kittner, principal security analyst at FireEye. “These financially motivated intrusions have continued during the run up to a potential Kim-Trump summit.”

On Wednesday, top North Korean and US government officials met in Singapore to discuss next steps in the negotiations, according to The Washington Post. Cybersecurity did not appear to be a topic of conversation.

The meeting was held to organize a potential upcoming summit between Kim and President Donald Trump. In the past, a noticeable spike in malware detections inside North Korea has followed these types of meetings.

New Jersey-based cyber-security firm Comodo saw an increase following a meeting between Secretary of State Mike Pompeo and Kim on May 9.

Such detections could suggest one of two things: that the country is itself being hacked or that hackers inside North Korea are testing their own tools internally before operating abroad.

CyberScoop
