Archive for North Korea

The North Koreans Have A New Cyberespionage Campaign Say ESET

Posted in Commentary with tags on August 17, 2022 by itnerd

You might recall that I posted a story on North Koreans posing to get IT jobs in the US. I have a follow-up on that story with a bit of a twist. ESET researchers sent a series of tweets outlining a cyberespionage campaign by North Korean APT group Lazarus that is targeting Apple and Intel chip systems via a fake engineering job post supposedly from Coinbase.

Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi had this to say:

“The North Korean APT group Lazarus has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals. Our research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence. The money from such attacks is being funnelled directly into the DPRK’s weapons programmes, and any intel gathered could also be used against its enemies.”

“A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices. We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks. Incidents such as the 2014 Sony Hack, or the $101 million heist of the Bangladesh Bank via the SWIFT banking system, have demonstrated North Korea’s long-standing interest in the malicious use of machine identities. This attack makes use of a similar technique so could deal similar damage as Lazarus understands machine identity and exploits it so effectively, whilst it’s still such a blind spot for many organizations.”

The North Koreans are clearly looking for new angles to get whatever it is they are looking for. Which of course is bad for all of us. Thus businesses everywhere have to be on guard for whatever they have planned next.

The UN Says That North Korea Is About To Escalate Their Cybercrime Activities To Power Their Nuclear Program

Posted in Commentary with tags on August 5, 2022 by itnerd

Reuters is reporting on a new confidential UN report outlining fresh preparations for nuclear weapons testing in North Korea. The report cites previous concerns from the UN around cybercrime being a key revenue stream for North Korea’s weapons program:

The U.N. monitors also said investigations had shown Pyongyang was to blame for stealing hundreds of millions of dollars worth of crypto assets in at least one major hack. The monitors have previously accused North Korea of carrying out cyber attacks to fund its nuclear and missile programs.

“Other cyber activity focusing on stealing information and more traditional means of obtaining information and materials of value to DPRK’s prohibited programmes, including WMD (weapons of mass destruction), continued,” the monitors wrote.

Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi had this comment:

“The latest report from the United Nations on North Korean nuclear tests should sound the klaxon of alarm for Western businesses, especially as it specifically mentions cyberattacks being a key source of funding. Our research shows that the proceeds of cybercriminal activities from infamous groups such as Lazarus and APT38 are being used to circumvent international sanctions in North Korea. This money is being funnelled directly into weapons programs. And because developing nuclear weapons is expensive, especially in the face of rising inflation and the cryptocurrency crash, companies should be on high alert that the DPRK will be looking to cash in now and help feed their weapons programs and fund ongoing weapon development.”

“A key component of North Korean nation state attacks are code signing machine identities, which have become the modus operandi for many of its cybercrime groups. These digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices. We’ve seen countless times how North Korean hackers use stolen certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks. Incidents such as the 2014 Sony Hack, or the $101 million heist of the Bangladesh Bank via the SWIFT banking system, have demonstrated North Korea’s long-standing interest in the malicious use of machine identities. While the latest UN report is an important step in broadcasting this issue to the world, we still need to see governments and businesses act together and share intelligence on these attacks. This will be key to building knowledge on the importance of machine identities in security. If not, we’ll continue to see North Korean threat actors thrive.”

I think it’s safe to say that businesses have a new reason to make sure that their cyber defences are on point. The North Koreans have been extremely active threat actors in the past. And based on this report, they’re about to get a whole lot more active. Which is bad news for the rest of us.

U.S. Warns Businesses Against Inadvertently Hiring IT Staff From North Korea

Posted in Commentary with tags on May 19, 2022 by itnerd

I have to admit that reading this story from The Guardian was not on my bingo card when I woke up this morning. U.S. officials have warned businesses against inadvertently hiring IT staff from North Korea, claiming that rogue freelancers were taking advantage of remote work opportunities to hide their true identities with the intent of earning money for Pyongyang.

An advisory issued by the state and treasury departments and the FBI said the effort was intended to circumvent US and UN sanctions, and bring in money for North Korea’s nuclear weapons and ballistic missile programs. The officials said companies who hired and paid such workers may be exposing themselves to legal consequences for sanctions violations.

“There are thousands of DPRK IT workers both dispatched overseas and located within the DPRK, generating revenue that is remitted back to the North Korean government.

“These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and east Asia.”

North Korean workers pretended to be from South Korea, Japan, or other Asian countries, the advisory said. It laid out a series of red flags that employers should watch for, including a refusal to participate in video calls and requests to receive payments in virtual currency.

Kevin Bocek, VP, Security Strategy and Threat Intelligence for Venafi had this comment:

“Defending against North Korean nation-state actors is difficult, particularly when these threats are now coming from both outside and inside organisations. They are often well funded, highly sophisticated, and – as we’re seeing with this FBI warning – capable of thinking outside the box to find new ways to attack networks, as we’re now seeing with rogue freelancers hacking from within. Our recent research shows that cybercrime has become a primary means of revenue generation in North Korea, and APT groups are helping it to work outside of international sanctions, funding political and military gains. In fact, it’s estimated that up to $2bn makes its way directly into North Korea’s weapons program each year as a result of nation state cybercrime.

“Ultimately, there’s no telling what these rogue freelancers are after. The targets that spring to mind are data theft or potentially funds, but we’ve seen in the past that North Korean APT groups have made use of stolen code signing identities in devastating nation state attacks, so they’re likely to be on the table as well. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in software supply chain attacks.

“Organizations must now be proactive, not reactive in their security defenses. It’s clear that recruitment processes have to be robust to prevent hiring a rogue freelancer. For companies looking to protect against the impact these threat actors could have if armed with stolen code signing certificates, machine identity management remains the best defense. Businesses must have visibility over their environments in order to spot changes and react fast, both from a human identity and a machine identity perspective. Without the effective management of both machines and humans, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams’ hands.”

It does beg the question if other countries with dodgy reputations like Russia and China are doing something similar. I’d be interested in knowing that answer as it likely would influence how safe we all are.

Update Google Chrome ASAP To Avoid A Zero Day That Has Been Exploited By North Korean Hackers For Weeks

Posted in Commentary with tags on March 28, 2022 by itnerd

Now would be a very good time to update Google Chrome to version 98.0.4758.102 for Windows, Mac, and Linux, because North Korean hackers have been using this exploit for weeks to carry out semi-targeted attacks:

The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors. One group was dubbed Operation Dream Job, and it targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.

This is bad. And fortunately it’s patched. Marcus Fowler, SVP Strategic Engagements and Threats at Darktrace had this comment:

“Hackers backed by North Korea’s government exploited a critical zero-day, attempting to infect hundreds of computers. We should be very cautious about assuming this is tied to rising geopolitical tensions. While North Korea may be trying to take advantage of the US turning its attention to mainly focus on Russia, the two separate North Korean hacking groups who exploited the flaw seem to go back much further. Both Operation Dream Job and AppleJeus have focused on monetary gain — frequently the top priority with North Korean cyber operations.

Previously, Operation Dream Job used spearphishing emails to target specific employees with fake job offers from high-profile organizations. This timing is fascinating given the “Great Resignation” context and employees seeking more flexible jobs and leaving the workforce in droves. The other group, AppleJeus, targeted a cryptocurrency exchange. We have observed an increase in crypto mining attacks over the last few years, so this is also in line with broader hacking trends, not geopolitical happenings.”

I would run and update your copy of Chrome ASAP to make sure that other threat actors don’t exploit this now that it is public.
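One way to confirm a machine actually got the fix: an added example (not from the post) that compares a reported Chrome version string against the fixed version 98.0.4758.102 named above, component by component. The `google-chrome --version` invocation in the comments is an assumption about how the version string is obtained; the check itself only needs the string.

```shell
#!/bin/sh
# Minimum Chrome version the post names as carrying the fix for CVE-2022-0609.
FIXED_CHROME_VERSION="98.0.4758.102"

# version_ge A B: exit 0 if dotted version A is >= B, comparing each numeric
# component in turn. A plain string compare gets this wrong: "98.0.4758.80"
# sorts after "98.0.4758.102" lexically even though it is the older build.
# Missing trailing components are treated as 0, so "98.0" == "98.0.0.0".
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ac="${a%%.*}"; bc="${b%%.*}"
    # Drop the component just consumed; empty once the last one is handled.
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    ac="${ac:-0}"; bc="${bc:-0}"
    if [ "$ac" -gt "$bc" ]; then return 0; fi
    if [ "$ac" -lt "$bc" ]; then return 1; fi
  done
  return 0
}

# chrome_patched "<version output>": exit 0 if the installed version is at
# least FIXED_CHROME_VERSION, 1 if it is older, 2 if no version could be parsed.
# The argument is whatever the browser reports (assumed here to be the output
# of "google-chrome --version", e.g. "Google Chrome 98.0.4758.80"), so the
# dotted number is extracted first and anything else is rejected.
chrome_patched() {
  installed=$(printf '%s\n' "$1" | sed -E 's/^[^0-9]*([0-9]+(\.[0-9]+)+).*$/\1/')
  case "$installed" in
    ""|*[!0-9.]*) return 2 ;;   # nothing that looks like a dotted version
  esac
  version_ge "$installed" "$FIXED_CHROME_VERSION"
}

# Example of a fleet-style use (assumed invocation):
#   chrome_patched "$(google-chrome --version 2>/dev/null)" \
#     && echo "Chrome is at or above $FIXED_CHROME_VERSION" \
#     || echo "Chrome is missing the fix for CVE-2022-0609 (or not found)"
```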

US Holds North Korea Responsible For WannaCry

Posted in Commentary with tags on December 20, 2017 by itnerd

You might recall that there was an epic cyberattack where a piece of ransomware pretty much pwned the entire planet including the UK’s National Health Service. Well, that was WannaCry and as far as the US is concerned, North Korea is behind it:

“The [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible,” Thomas P. Bossert, Trump’s homeland security adviser, said in an op-ed published in the Wall Street Journal on Monday. “We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either.”

At the White House on Tuesday, Bossert called the WannaCry attack “a defining moment,” saying it affected individuals, businesses and governments worldwide, and put money as well as lives at risk.

“This was a reckless attack and it was meant to cause havoc and destruction,” he said at a news conference. Drawing a connection between North Korea’s alleged cyber activities and its development of nuclear weapons, he added, “I think, at this point, North Korea has demonstrated that they want to hold the entire world at risk, whether it be through its nuclear program or cyberattacks.”

Assuming that the North Koreans are behind it, I am not sure that they care that they’ve been called out by the US. After all, it’s not as if these two are on great terms at present. I am also dubious that this will alter their behavior if they are the ones behind it. So other than grabbing some headlines, I am not sure what this declaration really accomplishes other than to state what we already know. Which is that North Korea and those who act on their behalf do this sort of thing.

Hey IT Nerd! Do You Think That North Korea Is Behind The Sony Hack?

Posted in Commentary with tags on December 23, 2014 by itnerd

I got this in my inbox last night:

IT Nerd, let me get straight to the point. Do you think North Korea is behind the Sony hack or someone else is responsible?

Thanks for the question.

I have nothing but a gut feeling on this…. Well, a bit more than a gut feeling… But I would say that I don’t believe that North Korea is behind the Sony hack. I will admit that North Korea does have the ability to do this sort of thing, plus they have people at arm’s length that are capable of doing this sort of thing as well (they’re at arm’s length so that it gives North Korea plausible deniability). I don’t see either being responsible as this doesn’t quite fit the usual modus operandi from either of these groups. From what I do understand about North Korea and the hackers that do their bidding, they’re more of the hit and run sort. In other words, they get in, get what they are looking for and get out. They’re also in it for economic gain or to disrupt some project or goal the target has. Regardless of the end goal, they don’t broadcast what they’ve done, nor do they have fancy names for themselves. If we look at this hack, we have the “Guardians Of Peace” which is a group nobody has ever heard of. Not computer security experts, not intelligence agencies (at least not that they admit to), nobody. They’ve not only hacked Sony, they’ve released data that has embarrassed Sony and made threats of “9/11 style attacks” that their ability to pull off is dubious at best. A government who is behind a hack of this sort would not want to do any of that because it draws way too much attention to their covert hacking activities. Thus, that really casts doubt on North Korea being responsible.

So, who could be responsible? It could be hackers who are using “The Interview” and the North Korean connection as cover. After all, Sony is a company that hackers have targeted for years. So quite literally, anybody could be responsible for this. Alternately it could be a disgruntled ex-employee, though they would need the skills to pull this off. A deskside support guy isn’t going to have those skills. But maybe a network admin who has some friends with the required skill could pull this off as long as they know enough about the Sony Pictures infrastructure to make this a viable attack. What makes the latter plausible is the fact that there were significant layoffs at Sony Pictures recently. It isn’t too much of a stretch to think that someone who got separated from their job was looking for a bit of revenge. You could come up with all sorts of plausible theories on this front that would make sense. Thus it further casts doubt on the whole North Korea angle.

Now the FBI did lay out their reasoning in their press release on the subject. Here are the key points:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Here’s where the reasoning that’s printed above falls apart. Reusing malware code and the tools to make this attack on Sony happen is a great way for hackers to cover their tracks and they do this all the time. Just because malware “x” was used in one particular attack doesn’t mean that the same people are using it in another attack. Plus, another way for hackers to cover their tracks is to make it look like the attack is coming from someplace else. This is called spoofing and it’s not just hackers who do this. People in Canada who get access to the shows on the US version of Netflix or those who get access to BBC iPlayer from Canada make use of spoofing to make themselves appear to be in the US or the UK respectively and it doesn’t take a whole lot of skill to pull that off. Thus none of this is a smoking gun that points definitively at North Korea.

While it is possible that North Korea is behind this hack, I don’t think that there’s enough evidence here to say so definitively. I think when cooler heads prevail, it will be discovered that someone else not even remotely associated with North Korea was behind this. It will be interesting to see what happens if and when that day comes.

Twitter Has Exploded With Jokes About No Internet In North Korea

Posted in Commentary with tags on December 22, 2014 by itnerd

I love Twitter because I can not only find out when something bad happens in the world far faster than with conventional news outlets, but people will make fun of it as well. I cite the following as examples that are related to the great North Korean Internet outage:

Clearly, people on Twitter are delighting in the fact that North Korea has Internet issues right now.

North Korea’s Internet Is Down…. Did They Forget To Pay Their Bill?

Posted in Commentary with tags on December 22, 2014 by itnerd

It appears that as I type this, North Korea is experiencing a nationwide outage of their Internet service. Yes, North Korea is on the Internet and has been for a few years now. Here’s what The New York Times has to say about this:

Doug Madory, the director of Internet analysis at Dyn Research, an Internet performance management company, said that North Korean Internet access first became unstable late Friday. The situation worsened over the weekend, and by Monday, North Korea’s Internet was completely offline.

“Their networks are under duress,” Mr. Madory said. “This is consistent with a DDoS attack on their routers,” he said, referring to a distributed denial of service attack, in which attackers flood a network with traffic until it collapses under the load.

The hermit kingdom, as North Korea is also known, has four connections into the country (by contrast, the US has about 150,000) that route mostly through China. So it would be somewhat easy for a targeted attack to take the entire country offline. Now, the average citizen in North Korea doesn’t have access to the Internet. However, the elite of this country will likely not be able to watch cat videos on YouTube and will plead to their supreme leader Kim Jong Un to get them hooked up as quickly as possible.

Could it be payback for the Sony hack? That’s a very good question we may not get an answer to. But it will be interesting to see how North Korea responds to this.

North Korea Wants To Be Your Friend On Twitter And YouTube …. WTF?

Posted in Commentary with tags on August 22, 2010 by itnerd

The regime that everybody loves to hate wants friends. North Korea now has a Twitter account, and a YouTube Account. I guess that social networking is now a priority in that corner of the universe. The funny thing is that they’ve gained a ton of followers (10,943 as I type this) on Twitter, and a number of subscribers on YouTube (1617 as I type this). Some of the postings that are in English are funny, but some are clearly propaganda. Perhaps someone who reads Korean can tell me what the rest of the postings say.

So, here’s my question. Does the fact that this repressive regime has entered the social networking universe make you think differently about them?