
DHS Urges Vigilance on North Korean Attackers

With enterprise and government security teams focused on an ever-evolving set of daily challenges as the pandemic progresses, the United States government is warning that one of the more persistent and prolific threat actors on the landscape, North Korea, is not taking any breaks.

In a detailed advisory published this week, the FBI and the Departments of State, Treasury, and Homeland Security said that attack groups associated with the government of North Korea continue to use a range of techniques and strategies against targets in the financial sector and other industries, both to disrupt operations and to generate revenue. Attack teams associated with the DPRK government, or directly employed by North Korean government or military agencies, are among the more prolific groups active right now, and they have been under intense scrutiny from security researchers and from U.S. and international authorities for many years. On several occasions in recent years the Departments of Treasury and Justice have taken action against North Korean individuals alleged to be connected to attack campaigns and intrusions, including the compromise of a cryptocurrency exchange in 2019 and the deployment of the WannaCry 2.0 ransomware in 2017.

In the advisory this week, U.S. authorities said that DPRK operators treat cyber operations as a primary means of raising money for the government, and as a way of laundering funds generated elsewhere.

“Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated,” the new advisory says.

Much of this activity centers on compromising financial institutions or payment processors directly, transferring money out, and laundering it through various channels before it reaches the North Korean government, the advisory says. But attackers associated with the DPRK government have also deployed cryptomining software on compromised machines to generate cryptocurrency, a tactic common among cybercrime groups but less so among government-backed groups, which tend to focus on cyberespionage. The North Korean groups have also adopted another favorite tactic of cybercriminals: intimidation and extortion.

“DPRK cyber actors have also conducted extortion campaigns against third-country entities by compromising an entity’s network and threatening to shut it down unless the entity pays a ransom. In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients,” the advisory says.

Attack groups associated with the DPRK, which the U.S. government refers to as Hidden Cobra, are known to employ a wide range of custom tools, malware, and backdoors, many of which are developed internally. The Cybersecurity and Infrastructure Security Agency (CISA) arm of DHS tracks Hidden Cobra activity and malware closely and maintains a comprehensive repository of known tools. In November 2019, DHS and the FBI warned of a Hidden Cobra tool called Hoplight, whose proxy components are designed to make the malware's traffic blend in with ordinary encrypted web connections.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files,” the DHS analysis says.
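The detail that matters for defenders in that description is that a session can look like TLS at the record level while carrying something else. The script below is an added example, not code from the DHS analysis or from Hoplight, and it makes no claim about Hoplight's actual framing: it walks the TLS record layer of a captured TCP payload, pulls the server_name (SNI) out of the ClientHello so an analyst can compare it against whatever certificate the server presented, records the handshake message sequence, and reports whether every byte of the stream fit TLS record framing. The two sessions at the bottom are constructed byte strings, not captured traffic; the certificate body is left as an empty list placeholder because parsing X.509 is out of scope here.

```python
"""Triage helper for TLS-looking sessions (added example; constructed data)."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
MAX_RECORD = 2 ** 14 + 2048   # TLS 1.2 ciphertext fragment limit (RFC 5246, 6.2.3)


def parse_records(data):
    """Walk the record layer. Returns (kind, body) tuples; kind is a content type
    name, or "invalid"/"truncated" where the bytes stop looking like TLS framing,
    at which point parsing halts."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            records.append(("truncated", data[off:]))
            break
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        if ctype not in CONTENT_TYPES or ver >> 8 != 3 or length > MAX_RECORD:
            records.append(("invalid", data[off:]))
            break
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            records.append(("truncated", body))
            break
        records.append((CONTENT_TYPES[ctype], body))
        off += 5 + length
    return records


def handshake_messages(body):
    """Split a plaintext handshake record into (type_name, payload) messages."""
    msgs, off = [], 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        msgs.append((HANDSHAKE_TYPES.get(htype, "unknown_%d" % htype), body[off + 4:off + 4 + hlen]))
        off += 4 + hlen
    return msgs


def client_hello_sni(payload):
    """Return the host_name from the ClientHello server_name extension, or None."""
    try:
        off = 2 + 32                                              # client_version + random
        off += 1 + payload[off]                                   # session_id
        off += 2 + int.from_bytes(payload[off:off + 2], "big")    # cipher_suites
        off += 1 + payload[off]                                   # compression_methods
        if off + 2 > len(payload):
            return None                                           # no extensions block
        ext_end = off + 2 + int.from_bytes(payload[off:off + 2], "big")
        off += 2
        while off + 4 <= ext_end:
            etype = int.from_bytes(payload[off:off + 2], "big")
            elen = int.from_bytes(payload[off + 2:off + 4], "big")
            edata = payload[off + 4:off + 4 + elen]
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:  # server_name, type host_name
                nlen = int.from_bytes(edata[3:5], "big")
                return edata[5:5 + nlen].decode("ascii", "replace")
            off += 4 + elen
    except IndexError:
        pass
    return None


def triage_session(data):
    """Summarise one merged TCP payload: SNI, message sequence, framing verdict."""
    records = parse_records(data)
    seq, sni, encrypted = [], None, False
    for kind, body in records:
        if kind == "handshake" and not encrypted:
            for name, payload in handshake_messages(body):
                seq.append(name)
                if name == "client_hello":
                    sni = client_hello_sni(payload)
        elif kind == "handshake":
            seq.append("handshake(encrypted)")   # post-CCS Finished is opaque
        else:
            seq.append(kind)
            if kind == "change_cipher_spec":
                encrypted = True
    framing_ok = all(k in CONTENT_TYPES.values() for k, _ in records)
    return {"sni": sni, "sequence": seq, "framing_ok": framing_ok}


# ---- constructed sample sessions (not captured traffic) ----
def _record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def _handshake(htype, payload):
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

def _client_hello(host):
    name = host.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type host_name
    sni = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni           # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    return _record(22, _handshake(1, body))

SERVER_FLIGHT = _record(22, _handshake(2, b"\x03\x03" + b"\x22" * 32 + b"\x00\xc0\x2f\x00")
                        + _handshake(11, b"\x00\x00\x00")    # empty certificate_list placeholder
                        + _handshake(14, b""))

GENUINE = (_client_hello("example.com") + SERVER_FLIGHT + _record(20, b"\x01")
           + _record(22, b"\x16" * 40) + _record(23, b"\x23" * 64))
DISGUISED = (_client_hello("example.com") + SERVER_FLIGHT
             + b"\xde\xad\xbe\xef\x00\x00\x00\x0d" + b"implant-hello")   # hypothetical non-TLS channel

if __name__ == "__main__":
    for label, session in (("genuine", GENUINE), ("disguised", DISGUISED)):
        print(label, triage_session(session))
```

The framing verdict is a floor, not a ceiling: a proxy that keeps emitting correctly framed application_data records after a fake handshake will pass it, which is why the SNI is extracted too. Pairing it with the subject of the certificate actually served, and with the session's byte volume and timing against what the named host normally produces, is where this kind of traffic tends to stand out.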
