Report hints at new Eastern cyber threat: North Korea

Experts warn of a new threat from the isolated state of North Korea

The FBI is not the most popular institution in Silicon Valley at the moment, thanks to its high-profile falling-out with Apple. So it must have been surprised to receive an unexpected pat on the back recently, when a group of tech companies effectively agreed with its findings on the devastating Sony Pictures Entertainment (SPE) hack of 2014. But while the Feds might be celebrating a small PR victory – that their attribution of the attack to North Korea was right – the implications for Western IT bosses are dire.

Not only is the group now thought to have been responsible for a string of cyber-attacks across Asia and in the US, but it’s very much still operational, according to the report. Given the damage it managed to inflict on SPE, there are potentially serious ramifications.

What happened?

The report itself – compiled by a group including Kaspersky Lab, Symantec, AlienVault, ThreatConnect, Novetta and more – falls short of naming North Korea explicitly. However, analysis of the malicious code used and of the various tactics, techniques and procedures (TTPs) involved shows that one group (or several closely connected groups) was responsible for a string of attacks dating back seven years. This would seem to rule out hacktivists and insiders from the list of potential Sony attackers.

What’s more, many of these attacks have been against South Korean entities, such as the 2013 ‘DarkSeoul’ campaign, which shut down TV stations and banks in the country. Researchers also claimed the SPE attackers – dubbed the ‘Lazarus Group’ – work mainly in a time zone of GMT+8 or GMT+9, which lines up with North Korea perfectly. Kaspersky Lab also claimed a high percentage of code samples contained “Korean locale or language”.

The group has not only been engaged in disruptive DDoS attacks, destructive malware campaigns, and the leaking of sensitive documents, but has also been hard at work across Asia and the US conducting covert cyber espionage campaigns in government, military, financial, and critical infrastructure sectors. Other countries where some of the group’s 45+ malware families have been spotted include India, Russia, China, Taiwan and Indonesia.

A cautionary tale

It all adds up to more bad news to keep Western CISOs awake at night. Up until now, China has always been the main nation-state foe operating from the APAC region. But its aims are always to steal information and sensitive IP to further the country’s economic or geopolitical ambitions. A new Cylance report from this week seems to point to another campaign of this sort, this time focused on Japanese targets.

Confirmation – or at least a heavy hint – of a new nation state on the scene in North Korea could be a worrying development for Western governments and commercial entities, because the Lazarus Group has shown itself to be more than ready to use tactics and tools not usually associated with nation states. With SPE it combined destruction of data on a massive scale with web defacement and the release of highly sensitive data. This incurred hundreds of millions in clean-up and legal costs, led to resignations and sackings right up to co-chair Amy Pascal, and damaged the entertainment giant’s reputation in the industry immeasurably.

According to Dick O'Brien, senior information developer at Symantec, Lazarus should be a “cautionary tale against complacency”.

“The frequent use of worms (which self-propagate) means that even if the organization is not the intended target, it could get caught in the crossfire,” he told me via email. “While Lazarus has been largely focused on South Korea, the SPE attack shows that organizations outside the region are not immune to danger, so there are implications for all businesses, not just those based in APAC.”

Multi-layered threat protection can mitigate the risk of attack to a certain degree, especially tools like AV and intrusion prevention, which can block threats before they can be installed, O’Brien added. But what keeps CISOs awake at night is that it only takes one successful incursion to send the whole pack of cards tumbling down. And second-guessing North Korea is no job for an IT guy.