Background:
North Korean advanced persistent threat (APT) actors are responsible for not only cyber-espionage operations against North Korea’s rivals, but an increasing amount of financially motivated attacks (Source). These attacks indicate the growing reliance on cybercrime to maintain a broken economy, crippled by economic sanctions and isolation. This necessity has escalated North Korean APTs to a level of sophistication inconsistent with their standing in the world. The Reconnaissance General Bureau (RGB), established in 2009, is the primary foreign intelligence service, overseeing the clandestine operations involving foreign targets. Experts believe it is highly likely that the RGB are also overseeing the major cyber-attacks initiating from North Korea, through what has been labelled ‘Unit 180’. US intelligence services identified potential links with the global WannaCry ransomware attacks in 2017 to the RGB, based in Pyongyang (Source). It is certain that the sophistication of North Korean APTs have grown exponentially since 2009, however, attribution to specific groups can at times be extremely complicated due to shared hacking tools leveraged. Grey Dynamics launches a deeper dive into the malicious activities of North Korean APT groups at large.
Hidden Cobra:
Hidden Cobra, which is also known as The Lazarus Group or APT38, are among the most well-known North Korea APTs, operating in consistence with North Korean state-aligned objectives, which includes financially motivated attacks. The term Lazarus Group is an umbrella term for multiple subgroups actively involved in extensive operations. The US Department of Justice indicted three North Korean men linked to the group for involvement in the long campaign that has exfiltrated hundreds of millions from targeted organisations (Source). Park Jin Hyok, Jon Chang Hyok, and Kim Il were also indicted for the WannaCry ransomware worm, which has caused an additional $4 billion in damages worldwide. The indictment also included responsibility for the 2014 Sony hack, crippling the company as retaliation for the movie “The Interview”, which involved the North Korean leader Kim Jong-Un (Source). The group has been active since 2009 and shows no signs of slowing down. The group have also been linked to the recent Poly Network hack, which resulted in $600 million stolen, becoming the largest cryptocurrency heist ever recorded.
The group have recently been observed targeting engineering job candidates for classified roles in the US and Europe, consistent with the objective of stealing intellectual property for the state (Source). Malicious documents were used to compromise targets, which was also used in spear phishing attacks against defence contractors during the same time period (Spring 2020). The dominant malware and tools leveraged by the North Korean APT was WannaCry, Destover, Duuzer, and Hangman. Tactics, techniques, and procedures (TTPs) utilised are consistent with most of the known groups. This includes malicious Microsoft Office documents laden with malicious code, delivered through targeted phishing campaigns. If successful, this provides the ability to compromise third-party software, and establish a command-and-control server, which allows the operators to gain complete control of a device and even install additional malware to potentially compromise an entire network.
APT37/ ScarCruft:
Active since 2012, APT37 primarily targets South Korean entities, but has also expanded to target Japan, Vietnam, Russia, Nepal, China, India, Romania and multiple Middle Eastern countries. As seen in the Hidden Cobra umbrella TTPs, APT37 use spear phishing campaigns as an initial attack vector to infect devices through malicious documents. In December 2019, Microsoft seized 50 websites leveraged by the North Korean APT for phishing attacks. In 2020, the group returned in “Operation Sky Cloud”, which leveraged cloud services in phishing attacks that used North Korean refugees as a lure for victims. In an attempt to avoid security solutions from detecting malicious attachments in emails, the operators chose to attach links instead to remain undetected. This allowed the attackers to leverage obfuscation and increase the likelihood of successful infection.
The primary industry the group targets focus on military, electronics, chemical, aerospace, automotive, healthcare, and manufacturing sectors. This lesser known North Korean APT has used zero-day vulnerabilities within an organisations infrastructure for intelligence gathering and data theft (Source). Following a business deal that went wrong with a Middle Eastern organisation, the group created a phishing email which contained the code for a software vulnerability that had only been disclosed a month prior to the attack. Once the email attachment was executed, the compromised website being leveraged by the group was connected to the device, installing a ‘Backdoor’ malware that allowed collection of system information, screen captures, and the capability of installing additional malware. POORAIM and KARAE malware are strains most used in the observed operations. The obscurity of this North Korean APT is an ideal tool for state-aligned activities, as many networks may not include the indicators of compromise (IOCs) associated with the group in their cyber security solutions.
Andariel:
Andariel, which has been active since at least 2016, is part of an umbrella group that is linked to a sub group of Hidden Cobra. The group are equipped to target critical infrastructure, mainly in South Korea as past operations have shown. The North Korean APT targets manufacturing, media, construction, and home-network service systems. In September 2019, the sub-group was sanctioned by the US Treasury Department for attacks on critical infrastructure (Source). Andariel displays similar TTPs to previously mentioned North Korean APTs, while serving as a good example of financially motivated attacks. If the initial phishing attack is successful, Andariel has also delivered file-encryption ransomware on its victims, which counterattacks the objective of remaining undetected if espionage was the sole purpose. Andariel has also stolen bank details in the past to sell on the black-market forums, generating an additional source of revenue. ATMs have been hacked to exfiltrate this information, while at times also using the details to withdraw cash themselves. This is an example of North Korean APTs balancing traditional espionage operations with the necessity for black market income generated through cybercrime.
Kimsuky:
Proficient in reconnaissance, persistence, and exfiltration, Kimsuky, also known as Black Banshee, has been targeting government organisations as part of a global intelligence gathering mission since at least 2012. Malware leveraged by the North Korean APT includes BabyShark, GREASE, and Win7Elevate. Social engineering tactics and phising operations are consistently leveraged TTPs, while watering hole attacks are also utilised (Source). A watering hole attack involves identifying a website that is accessed regularly by targeted users, such as a government domain, identifying the weakness in the domains security and compromising this with malware that will be distributed to visiting targets. This group is another particularly dangerous actor due to its constant development, as Senior Cyber Threat Intel Analyst Sean Nikkel explains: “Targeting various government and associated entities seems to be Kimsuky’s forte, and they are not a threat to be underestimated, especially given how long they’ve been active. Observed spoofed domains and pages look reasonably sophisticated at a glance, and once on the objective, these threat actors are very capable of making themselves at home on a network”.
Conclusion:
North Korean APTs continue to be a threat across a wide range of sectors aligned with the North Korean strategic objectives. While the vast majority of the cyber operations orchestrated by the RGB are focused on South Korea, sub-groups also target global networks in increasingly sophisticated and malicious techniques. While IOCs can aid the construction of a full picture of the associated groups, the clandestine nature of these activities, as well as shared tools obfuscate the accuracy of APT profiles. The large-scale digital heists initiated by North Korean APTs serve the purpose of outmanoeuvring sanctions placed on the regime. This has become one of North Korea’s most lucrative forms of circumventing the sanctions, as well as providing funding for its nuclear weapons programme.