N Korean Cyber Attacks Continue Despite Peace Talks

As Kim Jong-un speaks publicly about nuclear disarmament, North Korea’s hacker army continues to launch cyber-attacks against different businesses across Asia, Europe and the US, according to private sector analysts and former US officials.

Experts from several cybersecurity firms, Dell SecureWorks, McAfee, Symantec, FireEye and Recorded Future, all say that activity from North Korea has stayed steady or grown in volume since peace talks gained steam earlier this year.

The activities of these Pyongyang-linked hacking groups largely focuses on financial theft and covertly stealing digital secrets. While affected companies have quietly dealt with the onslaught in recent months, their contracted cybersecurity firms confidentially collected and studied recent malware samples that show the North Koreans are still actively developing new iterations of their toolsets.

“Similar to operations conducted prior to that date [circa January], North Korean actors have engaged in broad cyber espionage using a Destover-variant tool, developed and deployed malicious Android applications, and developed more destructive malware,” said Priscilla Moriuchi, a threat intelligence expert with Recorded Future and former NSA analyst focused on East Asia.

“We have seen a heavy concentration of targeting in Southeast Asia and the United States, with some cross over into the Middle East,” McAfee Senior Researcher Ryan Sherstobitoff said. “We have even seen an entire country’s financial sector targeted by Hidden Cobra during this period.”

Hidden Cobra is one of the nicknames assigned by the US government to North Korea’s hacking activities; other names authored by the private sector include “Lazarus Group,” “Blue Nortoff” and “Red Eyes.”

Recently, the Department of Homeland Security and Federal Bureau of Investigation released a joint alert-about the spread of a specific malware variant that’s been widely associated with Hidden Cobra since at least 2009. It’s not clear if a recent breach prompted the new DHS-FBI alert. But experts say it wouldn’t be surprising.

“The group continues to use implants such as Bankshot and newly created hybrid Trojans based on previous notable activity,” described Sherstobitoff, referencing a type of malware that infected Turkey’s banking system. 

“The TTPs (Tactics Tools and Procedures) have not changed much, only to the degree that targeting appears to extend more beyond the borders of South Korea … The underlying goals have always remained the same: financial and classic data collection in support of intelligence operations.”

The findings, as disclosed to CyberScoop, provide a stark reminder that North Korea remains highly dependent on cybercrime for both financial and geopolitical gain, so much so in that they’re willing to risk angering foreign governments amid a diplomatic push.

“During the past few months we’ve seen Lazarus conduct attacks on financial organizations, with the intention of attempting bank heists,” said Vikram Thakur of Symantec’s Security Response team. “The volume of these attacks is not massive but the trend reflects a small uptick in overall attacks and attempts of financial fraud.”

The diplomatic talks regarding North Korea involve several key countries, including China, Russia, South Korea and the US. A number of research teams see the US and South Korea still being targeted.

“During the timeframe, North Korea had been focusing their attention to South Korean targets, specifically North Korean defectors and related organizations for intelligence gathering,” a spokesperson for SecureWorks’ Counter Threat Unit said. 

“Based on targeting select victims, it appears that the North Korean government is keen to acquire information that could affect current peace process … We have not directly observed but are aware of phishing lures containing topics concerning current peace talks.”

North Korea’s use of these diplomatically inspired phishing emails was not previously known. How the small, resource-strapped nation will move away from this type of behavior if it is to improve foreign partnerships is an open-ended question, experts say.

The challenge is especially significant because of the decentralized nature of North Korea’s hacking units. Prior reporting by Bloomberg showed that Pyongyang was able to establish small teams of hackers in Southeast Asia in order to pursue official and unofficial criminal schemes. This loose structure would conceivable make operations difficult to suddenly wind down.

“DPRK cyber espionage operations continue to increase in scope and sophistication, developing new offensive capabilities and leveraging zero day vulnerabilities,”

So said Cristiana Brafman Kittner, principal security analyst at FireEye. These financially motivated intrusions have continued during the run up to a potential Kim, Trump summit.”

On Wednesday, top North Korean and US government officials met in Singapore to discuss next steps in the negotiations, according to The Washington Post. Cybersecurity did not appear to be a topic of conversation.

The meeting was held to organize a potential upcoming summit between Kim and President Donald Trump. In the past, a noticeable spike in malware detections inside of North Korea have followed these types of meetings.

New Jersey-based cyber-security firm Comodo saw an increase following a meeting between Secretary of State Mike Pompeo and Kim on May 9.

Such detections could suggest one of two things: that the country is itself being hacked or that hackers inside North Korea are testing their own tools internally before operating abroad.

CyberScoop

You Might Also Read: 

North Korea's Cyber Soldiers Are Concealed Abroad:

N Korea Is A Bigger Cyber Threat Than Russia:


 

 

« Quantum Computing - What You Should Know
Japan’s Secret Spy Agency »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Infoblox

Infoblox

Infoblox solutions help businesses automate complex network control functions to reduce costs, increase security and maximize uptime.

IntelliGO Networks

IntelliGO Networks

IntelliGO Networks is a cybersecurity company focused on Managed Detection and Response (MDR).

Sepior

Sepior

Our vision is to make Sepior the leading provider of cloud-encryption software in the world.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

Inspirria Cloudtech

Inspirria Cloudtech

Inspirria Cloudtech is a specialized Cloud Technologies Services provider and Cloud Aggregator focused on executing cloud models for clients.

Information & eGovernment Authority (iGA) - Bahrain

Information & eGovernment Authority (iGA) - Bahrain

The Information & eGovernment Authority facilitates many services catering to different parts of the community within the IT sector in Bahrain including information security.

Genians

Genians

Genians provides the industry’s leading Network Access Control (NAC) solution, which ensures full visibility of all IP-enabled devices regardless of whether they are wired, wireless, or virtual.

Beryllium InfoSec Collaborative

Beryllium InfoSec Collaborative

Beryllium InfoSec Collaborative is an information security and cyber security company with 40-plus years of experience across industry & government.

ePLDT

ePLDT

ePLDT delivers best-in-class digital business solutions that include Cloud, Cyber Security, purpose-built Data Center facilities and Managed IT Services.

InsightCyber

InsightCyber

InsightCyber is on a mission to keep the world’s critical infrastructure, supply chains, and manufacturing operations cyber-safe, helping to prevent attacks that can have catastrophic impacts.

Hex-Rays

Hex-Rays

Founded in 2005, privately held, Belgium based, Hex-Rays SA focuses on the development of fast, stable, and robust binary analysis tools for the IT security market.

Apono

Apono

Apono enables DevOps and security teams to manage access to sensitive cloud assets and data repositories in a frictionless and compliant way.

Phriendly Phishing

Phriendly Phishing

Phriendly Phishing offers phishing awareness training programs designed to ward off potential security threats and minimise the impact of cyber attacks.

Muscope Cybersecurity

Muscope Cybersecurity

Muscope CYSR platform performs a risk assessment and offers a comprehensive overview of the potential cyber attack risks.

COPA-DATA

COPA-DATA

COPA-DATA is the only independent software manufacturer to combine in-depth experience in automation with new possibilities of digital transformation – reliable, future-proof and operating worldwide.

Moonlock

Moonlock

Cybersecurity tech for humans. At Moonlock, we make software that seamlessly protects you and has your back as you live your life.