The consensus view in information security circles was that North Korea was behind some of the more audacious attacks over the past four years, such as the theft of emails that crippled Sony in 2014, the massive heist of $81 million from Bangladesh Bank, and the devastating WannaCry ransomware that infected large healthcare organizations around the world in 2017. The United States Department of Justice has charged a North Korean programmer for taking part in the attacks, and provided detailed information about the tools and techniques that were used.
Enterprise defenders gain a wealth of information from the Justice Department’s complaint, including email addresses used to register domain names and buy online services, IP addresses used to access social media accounts and malware command-and-control (C&C) servers, compromised servers that hosted malware, and types of phishing lures used. The same devices, IP addresses and encryption keys were used repeatedly, and the attackers controlled the domain names hard-coded into the malware. While most of the attacks started off with spear phishing, investigators described an array of digital tools that was used in attacks against Sony Pictures, various financial institutions around the world including the Bangladesh Bank, U.S. defense contractors including Lockheed Martin, university faculty members, technology companies, virtual currency exchanges, and U.S. electric utilities.
The DoJ alleged that a programmer named Park Jon Hyok took part in a number of offensive operations as an employee of Chosun Expo Joint Venture, an e-commerce, online gaming and gambling company. According to the complaint, Choseun Expo is affiliated with North Korean military intelligence, the Reconnaissance General Bureau, which oversees North Korean cyber warfare units, Unit 121 and Lab 110. Chosun Expo is also believed to be behind denial-of-service attacks against various government agencies, banks, and media entities in South Korea.
"The scope and damage of the computer intrusions perpetrated, and caused by the subjects of this investigation, including PARK, is virtually unparalleled," according to the complaint.
Arsenal of Tools
The group used multiple Gmail accounts and Facebook profiles to carry out their attacks, but investigators was able to track down the attack infrastructure and identify Park after finding multiple connections between accounts used by Park and accounts tied to different aliases. Park used his real name in email accounts for Chosun Expo and used them to create social media accounts and subscribe to other services. Park’s accounts were linked to accounts belonging to a “Kim Hyon Woo,” which was an alias that was used in the attacks against Sony Pictures and Bangladesh Bank. The complex mesh of connections between accounts and systems belonging to the Lazarus Group infrastructure led investigators to the fake Kim Hyon Woo persona, which then leads to Park’s Chosun Expo accounts.
Park’s email@example.com account was linked to firstname.lastname@example.org, which was used to target Sony Pictures, the Bank of Bangladesh, and other victims, the investigators said. Investigators found that Park’s account was the only other account with access to a password-protected file on a remote file-storage service associated with an alias account. Park’s Chosun Expo accounts and the attack accounts shared the same IP addresses in North Korea, as well.
The investigators also found the attackers following and tracking specific individuals at targeted companies through their social media accounts, as well as pulling domain name and business records to understand the company systems. The online reconnaissance helped attackers figure out the most effective way to spear phish employees. In some cases they impersonated hiring managers at rival companies.
Park and his team used phishing messages that looked like it was from Google or Facebook but contained links to install malware. The DoJ complaint described how attackers intercepted a Facebook alert email about a suspicious IP address accessing the account and resent it with a different link. The victim saw what looked like a legitimate Facebook alert (it was a real alert, remember) and clicked on the link (which wasn’t legitimate), which wound up installing malware on the computer.
Investigators believe multiple team members used the Kim Hyon Woo alias for other email and social media accounts, not just Park.
Shared Attack Tools
Sony Pictures, AMC Theaters and other entertainment companies were targeted ostensibly to stop the release of ‘The Interview,’ a Seth Rogen-movie depicting the assassination of North Korean leader Kim Jong-un. A British production company was targeted because it was working on a (presumably negative) film about North Korea. Park flooded these companies with messages sent from various aliases and email addresses. The attack also included fake Facebook profiles that sent messages to employees with links to nude photos of celebrities but actually pointed to malware. Spear phishing messages were sent to employees at Sony Pictures and “actors and other personnel associated with the movie ‘The Interview,’” several months before the actual breach. Once the computers at Sony were infected, attackers stole and dumped internal emails of senior executives. Sony said it lost $15 million to the attack.
“The 'John Mogabe' Facebook account also sent a friend request to one of the actors in 'The Interview,' among others, and 'liked' Sony Pictures and two of the actors in 'The Interview,'” according to the complaint.
The email address email@example.com that was used to research contact information for actors in the movie was also used to send spear phishing emails to employees at Bangladesh Bank more than a year later. The account was used to send 10 messages posing as a job applicant to 16 different email addresses to employees of Bangladesh Central Bank. The link in the messages pretended to be a link to the resume but was actually malware. A few days later, the same account sent two more job-applicant messages to 10 recipients at the bank with a zip file attached, instead of a link, according to the complaint.
The attacks against banks started in 2015, long before the group successfully stole $81 million from Bangladesh Bank in February 2016. Other attempts against financial services institutions in Europe, Asia, Africa, North America, and South America, if successful, would have netted well over $1 billion, the investigators said.
Park and his team targeted the website of Poland’s Financial Supervision Authority to use in a watering hole attack, where legitimate websites are compromised to download malware to unsuspecting visitors, against the Polish banking sector. The attack was detected in January and blocked before funds could be stolen.
Park allegedly helped create the WannaCry ransomware, which crippled the United Kingdom’s National Health Service and infected companies around the world. The WannaCry malware had attributes similar to the malware that was used to target defense contractor Lockheed Martin, although it doesn’t appear those attacks were successful. The malware used against Sony Pictures and various banks all had a portion of code that was similar to WannaCry, the investigators said. All the strains used a FakeTLS data table that lets the malware mimic a TLS connection while actually using a different encryption scheme to hide stolen data while in transit.
"This group's actions are particularly egregious as they targeted public and private industries worldwide–stealing millions of dollars, threatening to suppress free speech, and crippling hospital systems," FBI director Christopher Wray said in a statement.
Image credit to João Silas from Unsplash