TORONTO—There is a mysterious cyber-army allegedly built by North Korea that has been attacking targets in South Korea and around the world for the last several years.
That army is a little less mysterious to security researcher Ashley Shen, who gave a deep dive talk on the tactics and tools used by the North Korean hackers in a session at the SecTor security conference here on Nov. 14. Shen is an independent security researcher working with Team T5 and is the founder of HITCON GIRLS, which is the first security community for women in Taiwan.
There have been multiple publicly reported incidents in recent years—including the WannaCry ransomware attack, the attack against the Swift bank transfer system in Bangladesh and the attack against Sony Pictures—that can be tied to threat actors based in North Korea, according to Shen. What has been reported in the media is only the "tip of the iceberg" in terms of the total scope of hacking activities being conducted by the North Korean hackers, she added.
Shen said the North Korean Reconnaissance General Bureau (RGB) was first revealed in 2009 as an organized effort to conduct cyber-attacks. The group has been performing attacks as their day jobs and will not stop anytime soon, if ever, she added.
With a typical Advanced Persistent Threat (APT) hacker group, there are well-understood phases of an attack cycle. Shen said those phases include reconnaissance, weaponizing vulnerabilities, delivering attack payloads, exploiting systems, controlling systems and then maintaining persistence on systems over time. In many instances with the North Korean hackers, Shen said they have more destructive goals, aiming to disrupt operations.
There are three primary groups based in North Korea that have been active in attacks since at least 2009, Shen said. The Lazarus Group (which the U.S. Department of Homeland Security refers as HIDDEN COBRA) has a goal of creating social chaos and has been implicated in the 2014 attack against Sony Pictures. The Bluenoroff group is more focused on financial cyber-crime, while the Andariel group is tasked with information gathering.
The North Korean attacker groups make use of a common set of tactics, including software vulnerability exploitation, spear-phishing emails and watering hole attacks. The groups are also related in that they all reuse some of the same code, according to Shen's analysis.
One of the most successful methods North Koreans use to exploit systems is to take aim at update servers. In one attack analyzed by Shen, more than 3,000 hosts in South Korea were compromised, including 700 hosts associated with the South Korean military's intranet. In that attack, the attackers used IP addresses from Shenyang, China, to infect an update server, which then was able to infect the other victims, she said.
In March 2017, the North Korea-based attackers hit an ATM service provider in South Korea. Shen noted that the attackers hit an update server for antivirus, which then updated 600 ATM machines with infected remote access Trojans (RATs) and keyloggers.
Attackers have also taken specific aim at the Hangul (HWP) word processor, which is popular in South Korea, Shen said. Attackers have exploited multiple vulnerabilities in HWP, including CVE-2013-0808 and CVE-2017-0621, she said. In addition, the North Korea hackers used the CVE-2016-0808 vulnerability in Microsoft's IE web browser in an attack that was launched against a website that was providing information to North Korean defectors.
"The attackers are capable of discovering zero-day vulnerabilities and developing their own exploits," Shen warned.
Shen also warned that more attacks from Lazarus Group, Bluenoroff and Andariel are expected, so organizations need to be prepared with the latest threat intelligence. The North Koreans are not just targeting South Korea; they are going after global targets, Shen said, which is why she decided to speak at SecTor to help raise awareness.
Shen concluded her session by noting that she will be discussing more details about the cyber-crime activities of the North Korean hacker groups in December at a session at the Black Hat Europe conference.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.