
Threat Intelligence

12/1/2020
05:30 PM

Inside North Korea's Rapid Evolution to Cyber Superpower

Researchers examine North Korea's rapid evolution from destructive campaigns to complex and efficient cyber operations.

It took only a few years for North Korea to advance its cyber capabilities from solely destructive campaigns to sophisticated technical operations. This shift puts North Korea in competition with top nation-state groups and reveals strategic changes in how it plans to support its regime.


"[To say] I'm intrigued is an understatement by what they've done over the years," says Josh Burgess, technical lead and threat intelligence adviser at CrowdStrike. "I've been watching them at least six to seven years, personally, as they progress through their malware campaigns: how they've grown, how they've evolved, how they've done what they've done."

Its financial motivation sets North Korea apart from other nation-state groups, especially the "Big Four" -- Russia, China, Iran, and North Korea, Burgess notes.   

Most other nation-state actors are motivated by national security or national economic objectives, with their activity primarily focused on the nation's overall well-being, adds Jason Rivera, director of CrowdStrike's global strategic advisory group.

"What North Korea appears to be doing is really around the well-being of the regime, engaging in financially motivated operations for the regime to continue with certain illicit activities," he says. 

But financial gain isn't its only differentiating factor, Burgess points out. While its attacks have grown more sophisticated, North Korea has a history of incorporating destruction into cyber activity from attacks dating back to 2007. This isn't often seen in other nation-states or attack groups.

"Everything has a destructive side to it," he explains. "There's a lot of reasons for that. One of the reasons is sabotage -- smashing stuff to smash stuff. And another part is complicating forensics, making it more difficult to recover. The other side is misattribution -- the idea that it's harder to attribute where the attack is coming from if everything is broken."

A More Intentional Nation-State
North Korea began to shift away from purely damaging cyberattacks after its 2014 attack on Sony and transitioned toward a "dual-pronged approach" that prioritizes both maintaining control for the current regime and attacks to boost its economy. Its attack techniques changed alongside its motivation, which has shifted due to economic sanctions and pressures.

"A lot of that came back to the sanctions and a lot of the economic pressure that the United States started putting on North Korea … and the more sanctions you put on them, the harder it is for them to engage in legitimate trade operations, which is, of course, designed to really force them into better international behavior," Rivera explains. 

In response, North Korea doubled down on cybercrime. In 2015 and 2016, it began to target financial institutions such as Bangladesh Bank and the SWIFT international interbank messaging system for financial gain. This summer, US law enforcement and government agencies warned of a North Korean government campaign stealing millions in a broad ATM cash-out scheme.

These attacks highlight North Korea's intentionality in targeting, another trait that researchers say differentiates its attackers. Each attack is meant to achieve a specific goal. For example, attacks targeting financial institutions are less bound by geography; however, those meant for national security objectives may target the US, South Korea, or other regional adversaries. 

North Korea's cyber capabilities accelerated quickly relative to other nation-state attackers. "The ramp-up period was fairly short. It indicates a lot of focus on their part," Rivera says.

To illustrate this, the researchers point to "breakout time," or the amount of time it takes an attacker to move laterally once inside the network. Data shows North Korea took two hours and 20 minutes to achieve breakout, second only to Russia, which took roughly 19 minutes. In comparison, it took China an average of four hours, and Iran five, to achieve the same goal.
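Breakout time is a defender's metric as much as an attacker's: it is the budget within which an intrusion must be detected and contained before it spreads beyond the first host. The script below is an added example, not code from the article or from CrowdStrike; it measures breakout time from a constructed set of endpoint events in a simple assumed format ("timestamp host tactic detail"), then compares a detect-and-contain time against the breakout figures the article reports to show which adversaries that response budget would beat.

```python
from datetime import datetime

# Constructed sample telemetry for one intrusion (not from the article):
# "<ISO timestamp> <host> <tactic> <detail>", one event per line.
SAMPLE_EVENTS = [
    "2020-11-30T09:00:00 host-a initial_access phishing_attachment_opened",
    "2020-11-30T09:05:00 host-a discovery whoami",
    "2020-11-30T09:48:00 host-a credential_access lsass_memory_read",
    "2020-11-30T11:20:00 host-b lateral_movement smb_admin_share from=host-a",
    "2020-11-30T12:00:00 host-c lateral_movement wmi_remote_exec from=host-a",
]

# Breakout times as reported in the article (CrowdStrike figures), in minutes.
REPORTED_BREAKOUT_MINUTES = {
    "Russia": 19,
    "North Korea": 140,   # two hours and 20 minutes
    "China": 240,         # four hours
    "Iran": 300,          # five hours
}


def parse_event(line):
    """Split one assumed-format event line into its fields."""
    ts, host, tactic, detail = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "tactic": tactic, "detail": detail}


def breakout_minutes(lines):
    """Minutes from the first initial_access event to the first
    lateral_movement event on a different host after it.
    Returns None if the intrusion never broke out (or has no access event)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    access = next((e for e in events if e["tactic"] == "initial_access"), None)
    if access is None:
        return None
    lateral = next((e for e in events
                    if e["tactic"] == "lateral_movement"
                    and e["host"] != access["host"]
                    and e["ts"] >= access["ts"]), None)
    if lateral is None:
        return None
    return (lateral["ts"] - access["ts"]).total_seconds() / 60


def adversaries_outpaced(response_minutes):
    """Adversaries whose reported breakout time is longer than the given
    detect-and-contain time, i.e. those a response that fast would beat."""
    return [name for name, mins in REPORTED_BREAKOUT_MINUTES.items()
            if response_minutes < mins]


if __name__ == "__main__":
    bt = breakout_minutes(SAMPLE_EVENTS)
    print(f"measured breakout time: {bt:.0f} minutes")
    print("a 60-minute detect-and-contain beats:", adversaries_outpaced(60))
```

In practice breakout time is averaged across many intrusions rather than read from one, and the tactic labels would come from an EDR or SIEM rather than a hand-written line; the point of the comparison is that a response process measured in hours leaves the two-hour-and-twenty-minute figure for North Korea, let alone the 19 minutes for Russia, well out of reach.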

"I would say that really the evolution and the complexity of their attacks evolved along with the motive of their attacks," says Burgess, "which brings us to where we are at today, this dual-pronged approach -- not only the financial element, but also economic espionage, also national security espionage." 

To engage in these kinds of espionage, it's not just a "snatch and grab," he continues. Attackers must maintain persistence and return over a period of time, which requires sophistication.

Looking Ahead: What's Next for North Korea?
Burgess and Rivera, who will present their research in an upcoming Black Hat Europe briefing on Dec. 9, say North Korea will leverage its expertise in "cyber brinksmanship," a term used in deterrence strategy: How do you get your opponent to do something without attacking them? How do you take something to the very edge -- to "the very line of all-out war?" as Burgess says.

"I think, in many ways, one of North Korea's primary objectives is to influence the behavior of the US and the rest of the international community," Rivera says of its future activity. 

The researchers also anticipate North Korea will continue to focus on its economic objectives and engage in espionage to support those plans. They speculate its attackers may engage in more advanced ransomware operations. While there is no evidence yet to confirm this, it would align with objectives North Korea has tried to achieve in the past.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...