North Korea is conducting a wide-ranging malicious campaign against the U.S. and global targets, according to several reports.
Last month, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Defense released three reports on malware variants used by the North Korean government.
This was preceded by an advisory in April from the State Department, the Treasury, Homeland Security, and the FBI on the North Korean cyber threat.
“[It is] essentially a taxonomy of everything the [North Koreans] have been caught doing,” Mike Hamilton, chief information security officer of CI Security, told Fox News, referring to the May Malware Analysis reports.
“Trying to summarize tactics, techniques, and procedures that everyone can watch out for,” added Hamilton, who also served previously as the chief information security officer for the city of Seattle.
One of the driving forces is North Korea’s need to fund its weapons of mass destruction and ballistic missile programs, the government’s April advisory said. The campaigns are insidious because they often appear as ordinary cybercrime.
“The North Koreans are pioneers in the organized-crime false flag business,” Hamilton explained. “They are running ransomware extortion groups, which most people just assume comes from organized crime, not a nation-state.”
Hamilton said the aims include cryptomining and financial targets, among others.
“They show up as commodity, ‘shotgun blast’ types of untargeted attacks to scoop up CPUs [central processing units] for cryptomining,” he said, referring to the mining of digital currencies.
“They also use research and targeting against the finance sector, and non-commodity malware that AV [anti-virus] vendors have never seen,” Hamilton added.
North Korea-sponsored cyber actors include hackers, cryptologists and software developers who are engaged in espionage, theft from financial institutions and digital currency exchanges, and in politically motivated attacks against foreign media companies, according to the April advisory.
For example, an investigation into dozens of suspected North Korean cyber-enabled heists revealed that as of late 2019, North Korea had attempted to steal as much as $2 billion worldwide.
Then there are extortion and ransomware campaigns.
“In some instances, DPRK [North Korea] cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place,” the advisory said.
The advisory cited examples of North Korean state-sponsored malicious cyber activity, including:
- Sony Pictures: In November 2014, North Korea cyber actors allegedly hacked into Sony Pictures Entertainment’s network to steal confidential data, threatened SPE executives and employees, and damaged thousands of computers.
- Bangladesh Bank Heist: In February 2016, North Korea state-sponsored cyber actors allegedly attempted to steal at least $1 billion from financial institutions in various countries and allegedly stole $81 million from the Bangladesh Bank. North Korea cyber actors sent fraudulently authenticated messages directing the Federal Reserve Bank of New York to transfer funds out of the Bangladesh Bank’s Federal Reserve account to accounts controlled by the conspirators.
- WannaCry 2.0: North Korea state-sponsored cyber actors developed this notorious ransomware and two prior versions of the ransomware. In May 2017, WannaCry 2.0 ransomware infected hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries.
“We, as a country, have few tools to deal with rogue behavior like this,” Hamilton said. “Our naming and shaming strategy is effective at letting them know we see them, but it doesn’t create accountability or change behavior. So they’ll keep stealing money from banks and other organizations with little to fear.”