As the saga of America’s reconciliation with North Korea continues to surprise, federal agencies have uncovered the latest threat posed by Pyongyang’s cyber army. The diplomatic side of this story seems to be dramatic enough. One week after abruptly canceling a meeting with North Korean leader Kim Jong Un, President Donald Trump announced the historic summit set to take place on June 12 in Singapore is back on. With the diplomacy now seemingly back on a positive course, it seems a bit ironic that U.S. government cyber analysts are just now revealing a threat posed by North Korea’s notorious hacker teams.
On March 31, the National Cybersecurity and Communications Integration Center (NCCIC) issued a joint Technical Alert (TA) produced by the Department of Homeland Security (DHS) and the FBI. The document warned of recent “malicious cyber activity by the North Korean government” as part of an ongoing operation by Pyongyang-sponsored hacker teams. For the past year, this series of hacks has been dubbed by U.S. investigators as Operation Hidden Cobra. In the latest identified activities of Hidden Cobra, the NCCIC states that hackers are using two pieces of malware—until now unobserved—to gain illicit access to private networks and exfiltrate data.
The first program, called Joanap, is a Remote Access Trojan (RAT) which, if successfully delivered, allows an attacker to take control of a user’s machine and run pretty much any operation they please. RATs are usually delivered via email phishing, relying on a victim to unknowingly download a file containing the malicious software.
Joanap is suspected of being used both as a means to extract files and other data and as a way of harnessing large numbers of computers worldwide to take part in bigger hacks that require a broad base of participating machines (such as a Distributed Denial of Service attack, for instance). According to NCCIC, so far, Joanap has been identified on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.
A second malware type was also discovered in the form of a Server Message Block (SMB) worm. As its name might suggest, SMB worms work by exploiting the Server Message Block, a protocol that enables different nodes on a network to share data. This function allows the worm to spread rapidly to many different computers, potentially all over the world. When launched, this particular SMB worm, named Brambul, attempts to gain access to user accounts and protected files via brute-force password attacks using a list of embedded passwords.
Considering that a large percentage of all successful hacks are the result of weak passwords that almost anyone can guess, this method can be devastatingly effective. Once Brambul gains unauthorized access, the malware communicates information about the victim’s systems back to Hidden Cobra hackers using email. The information includes the IP address and hostname, as well as the username and password of each target’s system.
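The Brambul behaviour described above (one host sweeping a short, embedded password list over SMB and then reporting a working credential) leaves a recognisable trace in authentication logs. The following is an added example, not code from the alert or from this article, that flags that pattern in constructed Windows Security log lines; the log format, the thresholds and the sample addresses are assumptions.

```python
# Added example (not from the DHS/FBI alert or this article): flag
# Brambul-style SMB password guessing in constructed Windows Security
# log lines. Assumed format: 'ts,event_id,src_ip,account,logon_type';
# 4625 = failed logon, 4624 = success, logon type 3 = network (SMB).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.23 sweeps a short password list across three
# accounts and lands a valid one; 10.0.0.77 is a benign console typo.
SAMPLE_LOG = """\
2018-05-30T10:00:01,4625,10.0.0.23,admin,3
2018-05-30T10:00:02,4625,10.0.0.23,admin,3
2018-05-30T10:00:03,4625,10.0.0.23,backup,3
2018-05-30T10:00:04,4625,10.0.0.23,backup,3
2018-05-30T10:00:05,4625,10.0.0.23,jsmith,3
2018-05-30T10:00:06,4624,10.0.0.23,jsmith,3
2018-05-30T10:05:00,4625,10.0.0.77,jsmith,2
2018-05-30T10:06:00,4624,10.0.0.77,jsmith,2
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, eid, src, acct, ltype = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), src, acct, int(ltype)

def find_smb_bruteforce(log, window=timedelta(minutes=5),
                        min_failures=4, min_accounts=2):
    """Map src_ip -> {'accounts', 'failures', 'success'} for hosts whose
    network-logon failures inside one window look like a password sweep."""
    by_src = defaultdict(list)
    for ts, eid, src, acct, ltype in parse(log):
        if ltype == 3:                      # ignore console/RDP logons
            by_src[src].append((ts, eid, acct))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, a) for ts, e, a in evs if e == 4625]
        for i, (start, _) in enumerate(fails):
            in_win = [a for ts, a in fails[i:] if ts - start <= window]
            if len(in_win) >= min_failures and len(set(in_win)) >= min_accounts:
                # a success after the sweep means a guessed password worked
                ok = next((a for ts, e, a in evs if e == 4624 and ts >= start), None)
                hits[src] = {"accounts": sorted(set(in_win)),
                             "failures": len(in_win), "success": ok}
                break
    return hits
```

A host that trips this check and then shows a success is the one to isolate first, since a credential from the embedded list has evidently worked.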
The TA put out by NCCIC concluded by urging users to review their system protocols and consider improving some of their security practices such as patching their applications, as many of Hidden Cobra’s methods rely on exploiting program flaws.
Pyongyang’s Cyber Army
North Korea has been investing heavily in its cyber capabilities for more than a decade. A 2014 report by the South Korean government noted that North Korea had about 6,000 “cyber warfare troops.” At the time, the U.S. Cyber Command, established by the Obama administration in 2009, had around 700 military and civilian employees. Collectively, all cyber units in the entire U.S. military have a goal of maintaining around 6,200 personnel.
North Korea has succeeded in heavily masking its activities behind mysterious hacking groups. Often these groups consist of nothing more than fictitious names invented to hide activities of the North Korean government. Many of North Korea’s hacks made the news months, sometimes years, before the events were linked back to their real perpetrators.
Over the past decade, North Korea has shown that its hacking capabilities should not be taken lightly by the West. The DPRK started off small, building its hacking portfolio. The first incident linked to the group was back in 2007 in an operation dubbed “Flame” that used rudimentary tools to infiltrate South Korean government sites. Slowly but surely, Pyongyang’s cyber army became more efficient—and more dangerous.
In the summer of 2009, the group executed a series of highly effective coordinated cyber attacks against major government, news media, and financial websites in South Korea and the United States. The sites of eleven South Korean organizations including the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and the country’s top Internet portal, Naver, went down or had access problems. In the United States, the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department sites were all down at varying points throughout the operation.
Then in 2013, computer networks running three major South Korean banks and the country’s two largest broadcasters were paralyzed. The attacks left many South Koreans unable to withdraw money from ATMs, and news broadcasting crews were stuck staring at blank computer screens. This operation was a major milestone, as it showed the North possessed the tools to actually cause real-world disruption with a cyber attack. A year later, one of the most famous hacks in history was executed against Sony Pictures Entertainment. The company lost all control of its own network and ultimately suffered a system-wide data wipe. The attack has been widely attributed to the Lazarus Group, a known front of the North Korean government.
More recently, a hack against cryptocurrency exchange Youbit resulted in the company declaring bankruptcy after seventeen percent of its assets were stolen. The WannaCry ransomware attack that devastated UK healthcare systems was a stark reminder that the DPRK can wreak havoc through the digital sphere.
North Korea’s Hackers in the Age of Reconciliation
As North Korea and the West move slowly toward reconciliation, one would think that most of Pyongyang’s cyber warriors would be out of a job, or at least a bit less active. The recent NCCIC report shows that North Korean hackers are as relentless as ever.
How should all this be taken in the context of moving forward in establishing ties with DPRK? Again, the cyber activity we are observing is not trivial. All of the signs point to long-term planning for sophisticated attacks, and the targeting of private citizens and corporations in the U.S. and around the world.
The short answer is that North Korea does not want to dispense with its leverage just yet. In the same way that Pyongyang will not give away its nukes without being fairly confident that it has achieved a diplomatic win (in the form of, say, economic packages and defense guarantees), so too, the government will not simply halt its cyber warfare without knowing it has really established a secure position for itself. Furthermore, the “vulnerability” of diplomatic talks very often triggers the development of a “contingency plan” for if/when things go south at the negotiating table.
In a way, keeping up its cyber campaign is one of the ways North Korea is hedging its bets.
Something to consider is that despite all of the “activity” surrounding North Korea over the past year, no substantial changes have actually occurred in terms of U.S. policy. American sanctions against North Korea from the Obama era are still in place. Trump himself added to these economic restrictions in an Executive Order he signed last September. The Order allows the United States to cut off from its financial system and/or freeze the assets of any companies, businesses, organizations and individuals trading in goods, services or technology with North Korea.
This was followed by yet another round of restrictions aimed at closing the “China loophole” that had allowed North Korea to soften the effects of sanctions until that point. Thus, from North Korea’s perspective, it is far from being in the clear. Hidden Cobra will almost certainly continue until an accord strongly in North Korea’s favor actually begins to take shape.