Microsoft has recently announced that it has detected an advanced network of cyberattacks coming from a North Korean hacker group called Thallium. Microsoft’s Corporate VP of Customer Security & Trust, Tom Burt, explained how a court order allowed the company to take over 50 domain names that had been linked to malicious cyber activity.
Microsoft claims Thallium has been using a technique called spear-phishing to steal sensitive information from a number of victims, including government employees and individuals working on nuclear proliferation issues. The technique involves emails designed to trick victims into clicking malicious links, after which either their log-in details are stolen or their system is infected with malware. The majority of the targets identified were in the US, Japan or South Korea.
But this is not the first time North Korea has been involved in malicious cyber tactics. In fact, North Korea has been so active that its attacks have exposed multiple vulnerabilities in global software systems and networks.
Let’s look at a few examples demonstrating the impact North Korean hackers have had on the world of cybersecurity in the last decade. On November 24, 2014, a self-identified hacker group called Guardians of Peace released personal data taken from Sony Pictures. This included company emails, data on executive salaries at the company, copies of then-unreleased Sony movies, plans for upcoming Sony films, screenplays and other important information.
The attackers then deployed a variant of the Shamoon wiper malware to erase Sony’s computer infrastructure. During the hack, the group demanded that Sony cancel the release of The Interview, a comedy movie that depicts the killing of North Korean leader Kim Jong-un. Sony went ahead and cancelled the film’s official premiere and public theatrical release, instead making the movie available as a digital release followed by a limited theatrical release the next day. United States intelligence officials, after analysing the software, techniques and network sources used in the attack, concluded that the breach was perpetrated by the North Korean government. This was a milestone case which heralded the prowess of North Korean hackers, who have since done things with even bigger global implications.
Lazarus: Main Group Running North Korea’s Hackers
Another government-backed hacking group from North Korea is Lazarus. Code-named APT 38 by security firm FireEye, Lazarus is a financially motivated regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world’s largest cyber heists. Based on widely publicised operations alone, the group has attempted to steal more than $1.1 billion.
According to experts, APT 38 was created after the March 2013 sanctions were imposed on North Korea, and the first reported operations linked to the group took place in February 2014. These are allegedly the first known cases of a state actor using cyberattacks to steal funds, although other experts say Russia has been involved in similar cyber tactics for more than 20 years.
Global Attacks From Lazarus That Show Advanced Attack Capabilities
In 2015 and 2016, multiple cyberattacks abusing the SWIFT banking network came to light. The attacks were again attributed to the hacker group Lazarus, whose techniques and malicious code were found to match those used in the Sony attack. A $101 million theft from the Bangladesh central bank via its account at the Federal Reserve Bank of New York was traced to hacker penetration of SWIFT’s Alliance Access software. According to analysts, the Lazarus malware was designed to retrieve a payload from a remote server and then execute it in the targeted machine’s memory in a way that evaded detection by security systems.
The SWIFT attacks had major implications for the North Korean regime and also demonstrated how economic sanctions isolating an economy can have a direct impact on cybersecurity. This holds particularly true in the case of North Korea, which has very few ways to earn money from its activities and whose GDP is lower than that of most African countries.
North Korea Hackers Also Targeted Indian Banks & ATMs In Recent Years
India too has been among the countries targeted by North Korean hackers. For example, the Nuclear Power Corporation of India confirmed a cyberattack on systems at its Kudankulam nuclear plant, which was traced to North Korea. The malware had the capability to access files and upload the entire data set to a remote network outside of India.
A major incident involving North Korean hackers was the Cosmos heist. After Pune-based Cosmos Bank lost $11.5 million in unauthorised withdrawals, a panel was set up to study various UN sanctions breached by North Korea. The panel’s report found that North Korean hackers allegedly withdrew the funds from ATMs in 28 countries.
Lazarus hackers used multiple attack techniques, including malware infection, ATM switch compromise and compromise of the bank’s SWIFT environment. The exploit involved multiple targeted malware infections, followed by the use of a set of malicious ISO 8583 libraries and process code injection to stand up a malicious ATM/POS switch in parallel with the existing central switch, and then selectively breaking the connection between the central switch and the backend Core Banking System (CBS). The threat actor was then able to authorise transactions for specific primary account numbers (PANs), carrying out ATM withdrawals of over US $11.5 million in 2,849 domestic (RuPay) and 12,000 international (Visa) transactions using 450 cloned (non-EMV) debit cards in 28 countries.
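The defensive lesson of the Cosmos attack is that a rogue switch approves withdrawals the core banking system never posts, and that cloned cards are cashed out across many countries in a short window. The following reconciliation check, an added illustration that is not code from the article or from any bank, shows both signals: it pairs switch approvals with CBS debits and flags PANs approved in an implausible number of countries within a time window. All transaction records, PANs and timestamps are constructed sample data; the field layout, matching tolerance and velocity threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamps used below."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed switch authorization log (hypothetical data, not real cards):
# (timestamp, masked PAN, ATM country, amount, approved?)
SWITCH_AUTHS = [
    ("2018-08-11 15:00", "4111********0001", "IN", 10000, True),
    ("2018-08-11 15:02", "4111********0001", "IN", 10000, True),  # never reached CBS
    ("2018-08-11 15:05", "4111********0003", "IN", 5000, False),  # declined, ignored
    ("2018-08-11 15:06", "4111********0003", "IN", 2000, True),
    ("2018-08-11 15:10", "4111********0002", "US", 400, True),    # cloned-card cash-out
    ("2018-08-11 15:30", "4111********0002", "CA", 400, True),
    ("2018-08-11 16:00", "4111********0002", "GB", 400, True),
    ("2018-08-11 16:20", "4111********0002", "AE", 400, True),
]

# Constructed CBS ledger: debits the core banking system actually posted
# (timestamp, masked PAN, amount)
CBS_DEBITS = [
    ("2018-08-11 15:00", "4111********0001", 10000),
    ("2018-08-11 15:07", "4111********0003", 2000),
]


def unmatched_authorizations(switch_auths, cbs_debits, tolerance=timedelta(minutes=5)):
    """Return approved switch authorizations with no CBS debit for the same
    PAN and amount within `tolerance`. Each CBS debit can satisfy only one
    authorization, so a duplicate approval is still reported. A parallel
    switch that has been cut off from the CBS produces exactly this gap."""
    pending = defaultdict(list)
    for ts, pan, amount in cbs_debits:
        pending[(pan, amount)].append(_ts(ts))

    unmatched = []
    for ts, pan, country, amount, approved in sorted(switch_auths, key=lambda r: _ts(r[0])):
        if not approved:
            continue
        t = _ts(ts)
        candidates = pending[(pan, amount)]
        hit = next((d for d in candidates if abs(d - t) <= tolerance), None)
        if hit is None:
            unmatched.append((ts, pan, country, amount))
        else:
            candidates.remove(hit)  # consume the debit so it cannot match twice
    return unmatched


def cross_border_velocity(switch_auths, window=timedelta(hours=2), max_countries=3):
    """Return {PAN: distinct_countries} for PANs approved in more than
    `max_countries` countries inside any sliding window of length `window`.
    A single physical card cannot be present in four countries in two hours,
    so this catches cloned-card cash-outs even when each amount is small."""
    by_pan = defaultdict(list)
    for ts, pan, country, amount, approved in switch_auths:
        if approved:
            by_pan[pan].append((_ts(ts), country))

    flagged = {}
    for pan, events in by_pan.items():
        events.sort()
        worst = 0
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            worst = max(worst, len(countries))
        if worst > max_countries:
            flagged[pan] = worst
    return flagged


if __name__ == "__main__":
    for row in unmatched_authorizations(SWITCH_AUTHS, CBS_DEBITS):
        print("approved by switch, not posted by CBS:", row)
    for pan, n in cross_border_velocity(SWITCH_AUTHS).items():
        print(f"{pan}: approved in {n} countries within 2h")
```

In production this reconciliation would run continuously against the switch's own authorization feed rather than a batch list, and the two checks are complementary: the CBS gap is visible only to the bank, while the cross-border velocity is visible to the card network as well.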
Kaspersky researchers reported that they tied the malware back to the Lazarus Group by analysing the malware samples and decrypting the malicious payload. The researchers discovered similarities between Dtrack and some of the malicious code used during the so-called DarkSeoul campaign of 2013, when South Korea experienced a major cyberattack from Lazarus.