Technical Alert Highlights Signs of Compromise Across Sectors
The U.S. government on Wednesday issued its most direct and technically detailed advisory about North Korea’s hacking activity to date, warning that the country continues to target U.S. media, aerospace, financial and critical infrastructure sectors.
The technical alert, distributed by the U.S. Computer Emergency Readiness Team, with analysis from the FBI and the Department of Homeland Security, intends to help organizations “enable network defense activities and reduce exposure” to Hidden Cobra, its nickname for North Korean hackers.
Since 2009, U.S. CERT says, North Korea has “leveraged their capabilities to target and compromise a range of victims.”
“DHS and FBI assess that Hidden Cobra actors will continue to use cyber operations to advance their government’s military and strategic objectives,” the alert says.
One Group, Many Names
Security companies have long suspected North Korea may have been behind disruptive and espionage-related attacks on South Korea stretching back to 2009. The North Korean hacker group has various monikers, including DarkSeoul, Lazarus Group, the Guardians of Peace, Silent Chollima and Bureau 121.
But intense study of more recent attacks by the U.S. government and researchers has contributed to a belief that North Korea has developed a potent cyber capability.
In November 2014, Sony Pictures Entertainment experienced perhaps the worst-ever cyberattack against a company to become publicly known. Attackers released stolen emails and sensitive documents. They also used malware to render the company’s computers unusable. Sony’s recovery took weeks.
It was speculated the attack was engineered by North Korea, which was displeased by the planned release of a film, “The Interview,” that mocked its leader, Kim Jong Un. Shortly after the attack, the U.S. government, indeed, blamed North Korea.
The conclusion was met with skepticism due to the lack of technical detail and the thorny uncertainties in computer forensics that make definitive attribution difficult. Later, former FBI director James Comey said that the FBI investigators had uncovered North Korean IP addresses linked to the attack (see FBI Attributes Sony Hack to North Korea).
North Korea is also suspected of being behind the shocking theft of $81 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York. Hackers infiltrated the bank’s network and created fraudulent wire transfers using the SWIFT interbank messaging system. Mistakes in some of the requests raised suspicions, and some transfers were halted. The attackers sought $951 million (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).
The SWIFT attacks continued in Europe earlier this year. Two Russian security companies, Kaspersky Lab and Group-IB, say they found North Korean IP addresses connected with the attacks (see Russian Company Pins European Bank Attacks on North Korea).
It has also been suggested North Korea may have had a hand in WannaCry, the virulent ransomware that infected at least 200,000 computers worldwide in early May. That speculation came about after researchers found code similarities between WannaCry and suspected North Korean malware. But experts warn that hackers often share code, which clouds attribution (see WannaCry ‘Link’ to North Korea Remains Tenuous).
Targets Older Microsoft OSes
The technical alert wraps together a laundry list of tools used by North Korea, which includes a botnet for staging DDoS attacks using a tool called DeltaCharlie, keyloggers, remote access tools and “wiper” malware, which is designed to cripple computers.
North Korea has occasionally used zero-day vulnerabilities, meaning flaws for which no patch exists, in its attacks. But most of its methods for infecting computers rely on exploiting already known vulnerabilities in applications such as Adobe’s Flash Player and Microsoft’s Silverlight, the advisory says.
The country’s hackers commonly target “systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation.”
On Tuesday, Microsoft took the exceptional step of issuing patches for older versions of its operating systems that it no longer supports, including XP, Server 2003 and Vista. It was the second time in a span of a month that Microsoft veered from its policy of not providing security updates for retired operating systems (see Microsoft Issues Another Emergency Windows XP Patch).
Microsoft said it believed there was a potential risk of nation-state attackers exploiting 15 specific vulnerabilities, three of which are seven or more years old. A senior Microsoft official said the move was made in part to avoid a repeat of WannaCrypt or WannaCry.