Cyber Threat Report: North Korea
Businesses hoping for a reprieve from North Korean malware attacks following the historic peace summit between American President Donald Trump and DPRK leader Kim Jong-un will likely be disappointed. Despite what many consider to be diplomatic progress, North Korean state-sponsored cyber attacks continue and will likely remain a significant threat to American businesses, consumers, and military for the foreseeable future as North Korea looks to improve its global economic and political standing.
North Korean hackers operate as an integrated branch of the DPRK military. This ensures that their cyber attacks are closely aligned with the goals of the regime, which has a history of using cyber warfare against adversaries. In 2016, North Korean hackers targeted South Korean businesses and accessed military data shared between the US and South Korea. It is likely that similar tactics will be used against the US if relations deteriorate.
TYPEFRAME: Evidence of Ongoing Threats
USCERT released a Malware Analysis Report on remote-access trojan TYPEFRAME just days after the summit, attributing the malware attack to HIDDEN COBRA, a North-Korean offensive cyber-attack team. HIDDEN COBRA, previously known as Lazarus, has been credited with many highly disruptive malware attacks such as WannaCry, BANKSHOT, Joanap, Brambul, and several DDoS attacks.
TYPEFRAME requires victims to open a file and agree to initiate the malicious Visual Basic for Applications (VBA) macros embedded within. After the malicious file is opened, TYPEFRAME installs malware, proxy and remote access trojans (RATs), and connects to command and control servers. It can also modify the victim’s firewall, leave backdoors for future access, and execute malicious files on command.
North Korean Malware Trends
According to the 2017 ENISA Threat Landscape Report, malware has been the greatest and most prevalent risk to US businesses and defense institutions for the past two years. Malware allows attackers to access sensitive data, infiltrate networks, and manipulate computers or other machines. North Korean hacking groups have developed many advanced malware programs that can easily evade standard cybersecurity measures.
Fewer, But More Serious Cyber Attacks
Although the frequency of malware attacks has experienced a slight decrease in recent years, the complexity and evasiveness of attacks has increased dramatically. In 2018 there has already been a rise in click-less attacks and network-spreading infections that are far more complicated than the method of infection used in TYPEFRAME and other click-based malware. Cyber attacks against US-based businesses will continue to become more advanced if diplomatic tensions with the DPRK rise. Most small and mid-sized US businesses do not have adequate cybersecurity measures in place to defend against this type of attack, and 60 percent of SMBs go out of business within six months of a data breach. Even though fewer attacks have been reported, the increased sophistication of North Korean malware poses a significant risk to the US Economy.
A backdoor attack negates authentication procedures, granting remote access to applications and giving threat actors the ability to remotely issue cyber commands and update or deploy malware. Once backdoor files are installed, they are very difficult to remove. Traditional detection methods use scanners to search for known malware signatures in a server file system, but backdoor files are typically masked behind alias names and code obfuscation. HIDDEN COBRA, APT37, and other North Korean hacker groups increasingly include backdoor files in malware, making infected endpoints and networks more vulnerable to future attacks, even after the original malicious files are removed.
Motivations for North Korean Hacking Campaigns
North Korea relies on offensive cyber campaigns for financial stability and uses them as a method of international disruption. Increasingly, retaliation against adversaries has also become a motivation. North Korea is almost completely insular, which limits their ability to wield power through economic, political, or military means. Instead, they use cyber warfare to generate income and exert power while maintaining plausible deniability and limiting military altercations.
The weak state of the North Korean economy can be attributed partly to sanctions enacted by the U.S. and UN to restrict nuclear development. North Korean exports are reported to have decreased by 30% in 2017 after being struck with economic sanctions. Despite the intensity of these sanctions, the North Korean nuclear program has continued, and many speculate that it is funded primarily by their cyber operations.
Cryptocurrency exchanges are largely unregulated, making them an ideal target for financially-motivated hackers. South Korean intelligence officials recently accused North Korea of being responsible for the January 2018 attack of the Japanese cryptocurrency exchange, Coincheck, and making off with over $500 million. This attack is one of many cryptocurrency thefts of which North Korea has been accused, alongside a February 2016 Bangladesh cyber bank heist, a South Korean bitcoin exchange attack in June 2017, and currency thefts targeting banks in the US, Costa Rica, and Poland. The money acquired through these types of attacks has likely helped to fund the severely sanctioned North Korean nuclear program.
North Korean-sponsored hackers have launched several malware attacks similar to TYPEFRAME that are designed to disrupt businesses, infrastructure, media, finance, and defense institutions globally. These attacks are less financially motivated than the crypto-heists, though North Korea may achieve some monetary gain. Instead, these types of attacks are used as assertions of power. The WannaCry attack of last year, which was attributed to North Korean hackers, affected many international institutions including hospitals, businesses, and sea ports. In addition to wreaking havoc, disruptive attacks give hacking teams like HIDDEN COBRA the experience they need to attempt more sophisticated attacks against larger businesses and governments.
North Korean global reconnaissance attacks, such as Operation GhostSecret and the hacking of South Korean computer networks during a U.S. and South Korean military exercise in 2016, are becoming more prevalent. Though these types of attacks are fairly new for North Korea, retaliation is emerging as a significant motivator for state-sponsored cyber attacks, suggesting that severe attacks will be more likely as North Korea experiences tensions with other countries.
North Korean Economy
Even if the United States reduces the economic sanctions placed on North Korea and attempts to help invigorate the North Korean economy, it will take time for North Korea to recover. International bank and cryptocurrency theft, in addition to attacks targeting international companies, will continue to be a source of income for North Korea, and it is unlikely that the cryptocurrency exchange hacks and other cryptocurrency thefts will cease completely unless the crypto market crashes or becomes intensely regulated.
Because many North Korean cyber attacks are conducted to influence international perceptions of North Korea, global political tensions are a significant risk factor for future attacks. The TYPEFRAME attack came immediately after the peace summit in Singapore, where US President Donald Trump and North Korean Leader Kim Jong-un had what were considered successful talks about peaceful denuclearization. The attacks were conducted despite the outcome of the talks, and the scope and intensity of the attacks indicate that they had been long-planned. Therefore, the TYPEFRAME malware attack can be interpreted as a statement of North Korean power: “We’re here, and we won’t go down easily.”
Going forward, North Korea will continue to leverage cyber warfare in reaction to international politics and negotiations with the US. Kim Jong-un does not want to appear weak, and an international malware attack is a safe assertion of power to make during negotiations with more powerful countries. It indicates that North Korea has the capabilities and the will to deploy attacks, but it does not warrant war—something the DPRK wants to avoid.
The biggest risk factor for escalation of North Korean cyber attacks would be failed negotiations and a souring of relations between the DPRK and the US. If the US builds a relationship with North Korea, only to have that relationship ultimately degenerate, a disruptive cyber attack aimed at United States infrastructure, healthcare, entertainment or economic institutions could be expected. Disrespectful dialogue or swift reinstitution of economic sanctions after some basis of trust has been established would put North Korea in a vulnerable position, and the combination of vulnerability, betrayal, and economic stress has the potential to motivate North Korea to take more extreme actions. US banks and businesses would be an ideal target in this scenario because they fulfill North Korea's desire for both financial gain and retaliation.
The most likely scenario between the United States and North Korea is a continued, long-term, diplomatic engagement. However, disruptive attacks like the TYPEFRAME malware attack are not likely to go away any time soon—and neither will the attacks on cryptocurrency markets. North Korea will still need funds, and denuclearization is likely to involve sanctions and increased international tension. Because stealing cryptocurrencies is a legally ambiguous practice with plausible deniability, North Korea will likely rely on cryptocurrency theft as a reliable source of income during negotiations.
Should North Korea move towards denuclearization, it is likely that they will seek to prove themselves as powerful and influential in other ways, making cyber-attacks from HIDDEN COBRA, APT37 and other North Korean hacking groups a continued threat.
Current events in the United States may also present as a potential target to the DPRK. Interference with the approaching midterm elections has been anticipated, not just from North Korea, but from other nations and malicious actors as well. By staging a cyber-attack against the U.S. during midterm elections, North Korea could make a statement about exposure, shame, and power.
Up to this point, there has been minimal retaliation against the North Korean hacking groups following their attacks. This may change, as President Trump's administration recently granted increased power to the U.S. Cyber Command. Cyber Command will now be able to place more emphasis on offensive attacks against international parties to dismantle cyber weapons before they can be used. This presents an opportunity for the U.S. to strike North Korean hackers either as retaliation against attacks like TYPEFRAME or WannaCry, or to dismantle any planned attacks before they can be enacted.
It is also worth noting that North Korea is now receiving its Internet connection from both China's Unicom and Russia's TransTeleCom. Changes to that connection, whether through political affairs or cyber attacks, could greatly impact North Korea's offensive and defensive capabilities.
North Korea is unpredictable, and it has invested considerably in developing advanced cyber warfare capabilities. The regime depends on revenue from cyber crime to prop up its otherwise weak economy, and until other viable industries develop, state-sponsored cyber attacks will be necessary to maintain a source of income. HIDDEN COBRA will likely continue to operate covertly, even as US/North Korean relations improve.
At Bluestone Analytics, it is our goal to protect the information and infrastructure that keeps your business functioning. If you would like to learn how we can help you defend your data from even the most advanced cyber threats, contact us.