N Korean Cyber Attacks Continue Despite Peace Talks

As Kim Jong-un speaks publicly about nuclear disarmament, North Korea’s hacker army continues to launch cyber-attacks against different businesses across Asia, Europe and the US, according to private sector analysts and former US officials.

Experts from several cybersecurity firms, Dell SecureWorks, McAfee, Symantec, FireEye and Recorded Future, all say that activity from North Korea has stayed steady or grown in volume since peace talks gained steam earlier this year.

The activities of these Pyongyang-linked hacking groups largely focuses on financial theft and covertly stealing digital secrets. While affected companies have quietly dealt with the onslaught in recent months, their contracted cybersecurity firms confidentially collected and studied recent malware samples that show the North Koreans are still actively developing new iterations of their toolsets.

“Similar to operations conducted prior to that date [circa January], North Korean actors have engaged in broad cyber espionage using a Destover-variant tool, developed and deployed malicious Android applications, and developed more destructive malware,” said Priscilla Moriuchi, a threat intelligence expert with Recorded Future and former NSA analyst focused on East Asia.

“We have seen a heavy concentration of targeting in Southeast Asia and the United States, with some cross over into the Middle East,” McAfee Senior Researcher Ryan Sherstobitoff said. “We have even seen an entire country’s financial sector targeted by Hidden Cobra during this period.”

Hidden Cobra is one of the nicknames assigned by the US government to North Korea’s hacking activities; other names authored by the private sector include “Lazarus Group,” “Blue Nortoff” and “Red Eyes.”

Recently, the Department of Homeland Security and Federal Bureau of Investigation released a joint alert-about the spread of a specific malware variant that’s been widely associated with Hidden Cobra since at least 2009. It’s not clear if a recent breach prompted the new DHS-FBI alert. But experts say it wouldn’t be surprising.

“The group continues to use implants such as Bankshot and newly created hybrid Trojans based on previous notable activity,” described Sherstobitoff, referencing a type of malware that infected Turkey’s banking system. 

“The TTPs (Tactics Tools and Procedures) have not changed much, only to the degree that targeting appears to extend more beyond the borders of South Korea … The underlying goals have always remained the same: financial and classic data collection in support of intelligence operations.”

The findings, as disclosed to CyberScoop, provide a stark reminder that North Korea remains highly dependent on cybercrime for both financial and geopolitical gain, so much so in that they’re willing to risk angering foreign governments amid a diplomatic push.

“During the past few months we’ve seen Lazarus conduct attacks on financial organizations, with the intention of attempting bank heists,” said Vikram Thakur of Symantec’s Security Response team. “The volume of these attacks is not massive but the trend reflects a small uptick in overall attacks and attempts of financial fraud.”

The diplomatic talks regarding North Korea involve several key countries, including China, Russia, South Korea and the US. A number of research teams see the US and South Korea still being targeted.

“During the timeframe, North Korea had been focusing their attention to South Korean targets, specifically North Korean defectors and related organizations for intelligence gathering,” a spokesperson for SecureWorks’ Counter Threat Unit said. 

“Based on targeting select victims, it appears that the North Korean government is keen to acquire information that could affect current peace process … We have not directly observed but are aware of phishing lures containing topics concerning current peace talks.”

North Korea’s use of these diplomatically inspired phishing emails was not previously known. How the small, resource-strapped nation will move away from this type of behavior if it is to improve foreign partnerships is an open-ended question, experts say.

The challenge is especially significant because of the decentralized nature of North Korea’s hacking units. Prior reporting by Bloomberg showed that Pyongyang was able to establish small teams of hackers in Southeast Asia in order to pursue official and unofficial criminal schemes. This loose structure would conceivable make operations difficult to suddenly wind down.

“DPRK cyber espionage operations continue to increase in scope and sophistication, developing new offensive capabilities and leveraging zero day vulnerabilities,”

So said Cristiana Brafman Kittner, principal security analyst at FireEye. These financially motivated intrusions have continued during the run up to a potential Kim, Trump summit.”

On Wednesday, top North Korean and US government officials met in Singapore to discuss next steps in the negotiations, according to The Washington Post. Cybersecurity did not appear to be a topic of conversation.

The meeting was held to organize a potential upcoming summit between Kim and President Donald Trump. In the past, a noticeable spike in malware detections inside of North Korea have followed these types of meetings.

New Jersey-based cyber-security firm Comodo saw an increase following a meeting between Secretary of State Mike Pompeo and Kim on May 9.

Such detections could suggest one of two things: that the country is itself being hacked or that hackers inside North Korea are testing their own tools internally before operating abroad.

CyberScoop

You Might Also Read: 

North Korea's Cyber Soldiers Are Concealed Abroad:

N Korea Is A Bigger Cyber Threat Than Russia:


 

 

« Quantum Computing - What You Should Know
Japan’s Secret Spy Agency »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CERT.AZ

CERT.AZ

The national Cyber Security Center of the Republic of Azerbaijan.

Telelogos

Telelogos

Telelogos is a European provider of Enterprise Mobility Management software, Digital Signage software and Data Transfer and Synchronization software.

Allthenticate

Allthenticate

Allthenticate Single Device Authentication (SDA), enables seamless authentication in both the physical and digital words while unifying management in one easy-to-use interface.

Adyta

Adyta

Adyta specializes in cybersecurity solutions adapted to the needs of sovereign institutions, business groups and other organizations that handle information and sensitive or classified data.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

HALOCK Security Labs

HALOCK Security Labs

HALOCK is an information security consultancy providing both strategic and technical security offerings.

Xoriant

Xoriant

Xoriant is a technology leader and execution partner throughout the Build, Run and Transform lifecycle for companies that create and use technology products.

NexGen Cyber

NexGen Cyber

NexGen Cyber helps customers in commercial SMB markets with IT security, security integration, service management, outsourced service transition, and transformative security solutions.

Getvisibility

Getvisibility

Getvisibility enables customers to detect, classify and protect sensitive information increasing data security, governance, compliance and lowering the risk of losing valuable data.

Anetac

Anetac

Developed by seasoned cybersecurity experts, the Anetac Identity and Security Platform protects threat surface exploited via service accounts.

Cloudaeris

Cloudaeris

Cloudaeris is a trusted Microsoft Partner, and we've got what it takes to make your business more efficient and agile.

WillCo Tech

WillCo Tech

WillCo Tech works to enhance national security and force readiness for military and commercial enterprises with a suite of software capabilities surrounding the human element of cybersecurity.

CyberMindr

CyberMindr

CyberMindr is a SaaS platform for Automated & Continuous Attack Path and Threat Exposure Discovery helps you to proactively identify & assess your attack surface to mitigate associated threats.

Charm Security

Charm Security

Charm Security is an AI-powered customer security platform that protects organizations and their customers from scams, social engineering, and human-centric fraud.

Trustlink Technologies

Trustlink Technologies

Trustlink Technologies is an information technology company founded with a steadfast vision to fortify the digital landscapes of businesses through a foundation of trust.