As Kim Jong-un speaks publicly about nuclear disarmament, North Korea’s hacker army continues to launch cyberattacks against different businesses across Asia, Europe and the U.S., according to private sector analysts and former U.S. officials.
Experts from several cybersecurity firms — Dell SecureWorks, McAfee, Symantec, FireEye and Recorded Future — all told CyberScoop that activity from North Korea has stayed steady or grown in volume since peace talks gained steam earlier this year.
The activities of these Pyongyang-linked hacking groups largely focuses on financial theft and covertly stealing digital secrets. While affected companies have quietly dealt with the onslaught in recent months, their contracted cybersecurity firms confidentially collected and studied recent malware samples that show the North Koreans are still actively developing new iterations of their toolsets.
“Similar to operations conducted prior to that date [circa January], North Korean actors have engaged in broad cyber espionage using a Destover-variant tool, developed and deployed malicious Android applications, and developed more destructive malware,” said Priscilla Moriuchi, a threat intelligence expert with Recorded Future and former NSA analyst focused on East Asia.
“We have seen a heavy concentration of targeting in Southeast Asia and the United States, with some cross over into the Middle East,” McAfee Senior Researcher Ryan Sherstobitoff said. “We have even seen an entire country’s financial sector targeted by Hidden Cobra during this period.”
Hidden Cobra is one of the nicknames assigned by the U.S. government to North Korea’s hacking activities; other names authored by the private sector include “Lazarus Group,” “Blue Nortoff” and “Red Eyes.”
On Tuesday, the Department of Homeland Security and Federal Bureau of Investigation released a joint alert about the spread of a specific malware variant that’s been widely associated with Hidden Cobra since at least 2009. It’s not clear if a recent breach prompted the new DHS-FBI alert. But experts say it wouldn’t be surprising.
“The group continues to use implants such as Bankshot and newly created hybrid Trojans based on previous notable activity,” described Sherstobitoff, referencing a type of malware that infected Turkey’s banking system. “The TTPs [Tactics Tools and Procedures] have not changed much, only to the degree that targeting appears to extend more beyond the borders of South Korea … The underlying goals have always remained the same: financial and classic data collection in support of intelligence operations.”
The findings, shared with CyberScoop, provide a stark reminder that North Korea remains highly dependent on cybercrime for both financial and geopolitical gain, so much so in that they’re willing to risk angering foreign governments amid a diplomatic push.
“During the past few months we’ve seen Lazarus conduct attacks on financial organizations, with the intention of attempting bank heists,” said Vikram Thakur of Symantec’s Security Response team. “The volume of these attacks is not massive but the trend reflects a small uptick in overall attacks and attempts of financial fraud.”
The diplomatic talks regarding North Korea involve several key countries, including China, Russia, South Korea and the U.S. A number of research teams see the U.S. and South Korea still being targeted.
“During the timeframe, North Korea had been focusing their attention to South Korean targets, specifically North Korean defectors and related organizations for intelligence gathering,” a spokesperson for SecureWorks’ Counter Threat Unit said. “Based on targeting select victims, it appears that the [North Korean] government is keen to acquire information that could affect current peace process … We have not directly observed but are aware of phishing lures containing topics concerning current peace talks.”
North Korea’s use of these diplomatically inspired phishing emails was not previously known.
How the small, resource-strapped nation will move away from this type of behavior if it is to improve foreign partnerships is an open-ended question, experts say.
The challenge is especially significant because of the decentralized nature of North Korea’s hacking units. Prior reporting by Bloomberg showed that Pyongyang was able to establish small teams of hackers in Southeast Asia in order to pursue official and unofficial criminal schemes. This loose structure would conceivable make operations difficult to suddenly wind down.
“DPRK cyber espionage operations continue to increase in scope and sophistication, developing new offensive capabilities and leveraging zero day vulnerabilities,” said Cristiana Brafman Kittner, principal security analyst at FireEye. These financially motivated intrusions have continued during the run up to a potential Kim – Trump summit.”
On Wednesday, top North Korean and U.S. government officials met in Singapore to discuss next steps in the negotiations, according to The Washington Post. Cybersecurity did not appear to be a topic of conversation.
The meeting was held to organize a potential upcoming summit between Kim and President Donald Trump. In the past, a noticeable spike in malware detections inside of North Korea have followed these types of meetings.
New Jersey-based cybersecurity firm Comodo saw an increase following a meeting between Secretary of State Mike Pompeo and Kim on May 9. Such detections could suggest one of two things: that the country is itself being hacked or that hackers inside North Korea are testing their own tools internally before operating abroad.
A Comodo employee provided CyberScoop with a company presentation that showed this activity:
“Comodo has security software (and thus malware detections) inside North Korea,” said Kenneth Geers, chief scientist at Comodo.
In early May it was also revealed that a domestic North Korean technology company had ripped off another security product, made by Japanese firm TrendMicro, to create their own national anti-virus engine.
South Korea’s Financial Security Institute, a leading player in thwarting North Korean cyber aggression, did not respond to a request for comment.