Cyber Security
Beyond Lazarus: North Korean Cyber-Threat Groups Become Top-Tier, ‘Reckless’ Adversaries
Published
3 years agoon
By
GFiuui45fgCrippled by economic sanctions and isolated from the rest of the world bar China, North Korea is increasingly relying on cybercrime to keep its economy running.
Over recent years, the North Korea has evolved from a nuisance to its neighbor and rival South Korea and purveyor of ransomware and DDoS attacks to become the scourge of banks and cryptocurrency exchanges.
Threat intel experts polled by The Daily Swig said that the tactics and tradecraft of attackers deployed by North Korea have evolved to elevate the country to a top-tier cyber-adversary.
This threat extends beyond the notorious Lazarus Group, a crew of cybercriminals blamed for the destructive attack on Sony Pictures in 2014 and the audacious $81 million cyber-heist of reserves held by the Central Bank of Bangladesh in 2016, among other attacks.
How sophisticated are North Korean cyber-threat groups?
Along with state-sponsored Russian, Chinese, and Iranian threat actors, North Korean advanced persistent threat (APT) groups are considered to be among the world’s most sophisticated.
The Russian (specifically APT28, APT29, and Turla) and North Korean (specifically Lazarus) threat actors are considered to be the most advanced groups of all due to their capability of using custom toolsets, adopting the latest attack techniques, and the speed of their attacks.
According to threat intel vendor IntSights, the advanced capabilities and sophisticated techniques of North Korean groups have included: the exploitation of zero-day vulnerabilities; the development of custom, proprietary malware; the use of destructive malware and ransomware to delete or encrypt forensic evidence of their activities within compromised networks; and the compromise of high-security targets, such as banks, in order to enable large-scale fraudulent transactions.
But these skillsets and techniques are far from restricted to North Korea.
Fred Plan, senior analyst of cyber espionage at Mandiant Intelligence, told The Daily Swig that North Korean threat actors differ from other comparably sophisticated groups by being more reckless.
“One of the things that makes North Korean actors relatively more dangerous than operations from other countries is that the Pyongyang regime is isolated and disconnected from global economic trade and diplomatic engagement,” Plan explained.
“As a result, North Korea isn’t as incentivized to ‘play by the rules’ and the country continues to step over boundaries that define the acceptable behaviors of other nation-states.
“This is a key factor as to why only North Korean groups carry out state-sponsored cybercrime, such as digital bank heists, and are relatively more likely to deploy destructive wiper malware,” Plan concluded.
How are the tactics of North Korean threat groups evolving?
North Korean actors are constantly evolving their techniques, especially their evasion and persistence mechanisms, in order to evade detection by security products.
Hossein Jazi, a threat intelligence analyst at cybersecurity company Malwarebytes, commented: “Extensive use of packers, employing steganography to embed their malicious payload within images, erasing footprints from the device at run time, or constantly changing the encryption keys/algorithms (even within an hour of being detected), performing fileless attacks are examples of such anti-detection techniques used by these actors.”
Paul Prudhomme, head of threat intelligence advisory at IntSights, told The Daily Swig that North Korean attackers were making a greater effort to fly under the radar.
“North Korean attacks have evolved since the beginning of diplomatic reconciliation with the US in 2018,” Prudhomme explained.
“Previous North Korean attacks were often disruptive and ‘noisy’ in ways obvious to victims and the general public, such as the 2014 destructive malware attack on Sony Pictures and the worldwide WannaCry ransomware campaign in 2017.
“Since the beginning of reconciliation with the US in 2018, North Korean attacks in general have become more subtle and less obvious or ‘noisy’, suggesting greater efforts to avoid detection and attribution,” Prudhomme added.
But Mandiant’s Plan disagreed with this assessment.
“North Korean operators have significantly improved their TTPs [tactics, techniques, and procedures] over time, especially compared to their earliest identified incidents,” he said. “However, North Korean operations tend to demonstrate poor OPSEC and don’t put much focus on remaining undetected.”
How are North Korean threat actors organized?
North Korean cyber-threat actors differ significantly from those of other countries in that any malicious cyber operations are almost certainly explicitly allowed or even directed by the government.
Mandiant’s Plan commented: “The regime maintains tight control over any internet access in the country, so any cyber operators are probably those selected from North Korea’s military and/or its technical universities. This includes those individuals who are sent overseas to carry out campaigns on behalf of the North Korean government.”
Christos Betsios, cyber operations officer at Obrela Security Industries, commented: “What is interesting about how North Korea builds their hacking teams is their recruitment process, as they select their next-generation of hackers from the age of 11, offering them various benefits such as spacious apartments and exemptions from the mandatory military service.”
North Korean groups tend to share code, infrastructure, and even complete malware tools with each other – a factor that complicates the classification of individual groups.
Morgan Wright, SentinelOne chief security advisor and a former US State Department special advisor, said: “North Korea’s Reconnaissance General Bureau is the primary arm of their intelligence apparatus that focuses on hostile cyber activity.
“Through their proxy, the Lazarus Group, the Bureau is heavily focused on mitigating the impact of economic sanctions through theft and supporting their development of nuclear weapons. This includes cryptocurrency (KuCoin for US$275m), banks (Bangladesh Central Bank for US$81m), and ransomware (WannaCry and VHD).”
In December 2020, the US Department of Justice filed an indictment against three North Korean hackers for stealing $1.3 billion in cash and cryptocurrency. “This particular activity has become widespread for North Korea and has allowed them to help neutralise the economic impact of sanctions and continue financing their military and governmental objectives,” according to Tyler Baker, threat intelligence manager at Bitdefender.
North Korean operators are also reportedly responsible for raising money for their own expenses in addition to bringing in funds for the benefit of the regime.
Some security vendors track financially motivated activity under the moniker ‘Bluenoroff’, and attacks targeting South Korean organizations under ‘Andariel’, while others have ascribed cyber-espionage activity to ‘APT37’ and ‘APT38’ groups.
“Regardless of their names, reporting into the insights of the Korean’s People’s Army of the DPRK have connected Lazarus Group, Bluenoroff, and Andariel to the DPRK’s cyber-warfare guidance unit ‘Bureau 121’,” according to Xueyin Peh, senior cyber threat intelligence analyst at Digital Shadows.
What organizations are North Korean attackers targeting?
North Korean cyber operations are most strongly focused on South Korea and the US, and typically target government offices, diplomatic organizations, the military, financial institutions, industrial conglomerates, and most recently, pharmaceuticals and healthcare research.
Meanwhile, financially motivated North Korean cybercrime is more global in nature and includes direct targeting of banks, cryptocurrency-focused campaigns, and even web-skimming operations, according to Mandiant.
Yana Blachman, a former Israeli intelligence operative turned threat intelligence specialist at Vanafi, told The Daily Swig that North Korean APT groups collectively target an enormous range of sectors.
However, “each APT group is designed to target one specific sector,” Blachman explained. “For instance, Lazarus primarily focuses on the South Korean and US governments and financial organisations in those countries, whereas Bureau 325 is known to target major biotechnology companies, research institutions, and government bodies.
“Alongside these groups, others such as APT38 focus primarily on banks, financial institutions, and cryptocurrency exchanges,” Blachman added.
Recently, the Lazarus Group performed a highly sophisticated targeted spear phishing campaign in which the attackers spent almost a year before the attack creating security blogs and Twitter accounts and generally interacting with security researchers in attempts to gain their trust.
North Korean groups also have a tendency to shift targeting abruptly (most likely in response to sudden edicts from Pyongyang).
In mid 2020, for instance, there was a reorientation towards targeting biotech companies and universities involved in Covid-19 research despite little prior activity of this kind.
“We identified similar shifts in 2015 as North Korean actors began carrying out financially-motivated cybercrime campaigns, in 2016 again as this expanded to targeting banks directly via long-term intrusions, and so on,” Mandiant’s Plan concluded.