North Korea is quietly expanding both the scope and sophistication of its cyberweaponry, laying the groundwork for more devastating attacks, according to a new report published Tuesday.
Kim Jong Un’s cyberwarriors have been accused of causing huge disruption in recent years, including being blamed for the massive hack on Sony Pictures in 2014 and last year’s WannaCry ransomware worm, as well as umpteen attacks on South Korean servers.
Now it appears that North Korea has also been using previously-unknown holes in the internet to carry out cyberespionage – the kinds of activities that could easily metamorphose into full-scale attacks, according to a report from FireEye, the California-based cybersecurity company.
Although the North Korean regime bans the internet for ordinary citizens and is decidedly behind the times with most technology, it has funneled a huge amount of time and money into building a cyberarmy capable of outsmarting more technologically advanced countries like South Korea.
“Our concern is that this could be used for a disruptive attack rather than a classic espionage mission, which we already know that the North Koreans are regularly carrying out,” said John Hultquist, director of intelligence analysis for FireEye.
FireEye said that it has “high confidence” that a cyberespionage group it has identified as APT37 is responsible for a number of “zero-day vulnerability” attacks not just in South Korea but also in Japan, Vietnam and in the Middle East. Zero-day attacks are when hackers find and exploit flaws in software before the developers have had an opportunity to create a patch to fix it.
“It’s like your security system is a big wall but someone knows that there’s a hole somewhere in that wall and can crawl through it,” Hultquist said. “It’s fairly rare.”
It’s also a sign of sophistication as hackers are able to obtain access and defeat mature security programs, he said.
Experts say all the evidence suggests that Lazarus, the cyber-collective that launched the embarrassing attack on Sony and was behind the $81 million cyberheist of a Bangladeshi bank in 2016, has links to the North Korean regime. It is also accused of masterminding last year’s WannaCry attack, which crippled companies, banks and hospitals around the world last year.
North Korea is also accused of numerous attacks in South Korea. The most recent involved the hacking of South Korean cryptocurrency exchange. The bitcoin exchange Youbit lost 17 percent of its total assets in the December attack, and said it would close down as a result.
But this APT37 appears to have been operating under the radar, exploiting holes in South Korean cyber security since 2012 to covertly gather intelligence on issues of concern for the North Korean regime: the government, military, media and human rights groups among them. These targets, together with the times of day that attacks happen, strongly point to North Korea, FireEye said.
Last year, however, APT37 appears to have targeted a Japanese entity involved in imposing sanctions on North Korea, a Vietnamese company and one in the Middle East.
FireEye did not name any of the targets for legal reasons, but its description of the attack on the company in the Middle East perfectly describes Orascom, the Egyptian telecommunications company that had started a cell phone company in North Korea, only to have almost all its profits retained by the regime.
As well as expanding its geographical reach, APT37 also appears to be targeting a wider range of industries, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities, the report said.
While the damage is currently much lower than that caused by the huge cyberattacks blamed on North Korea, it suggests the regime is looking for new ways to launched stealthy attacks when it wants to.
The Worldwide Threat Assessment published by the U.S. intelligence community last week forecast the potential for surprise attacks in the cyber realm would increase over the next year.
Intelligence agencies expect North Korea to use cyber operations to gather intelligence or launch attacks on South Korea and the United States. “Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion, and deployment of ransomware,” the assessment said.
Hultquist said that APT37 was just the kind of tool North Korea could use for a surprise attack, partly because it has been operating at a relatively low level.
“Lazarus and the other actors that are well known all started as espionage. That’s the classic story again and again,” he said, adding that the Kim regime didn’t seem to care about consequences.
“North Korea has flaunted global norms and taboos. They are not necessarily concerned about retribution. They have adopted this criminal M.O. which flies in the face of just about any kind of international norm.”