In a joint statement, US Government agencies have outlined the cybersecurity threats which have been attributed to North Korea.
With the days of James Bond espionage increasingly becoming a thing of the past, cyber criminals are becoming more common and organised. On one side of the coin, this could be private criminals, think of a digital Mafia, but state-sponsored campaigns and attacks are just as, if not more, common.
Russia and China might hit the headlines frequently, but North Korea is a long-time adversary of the US, and it appears the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) haven’t forgotten about it.
All state-sponsored cybersecurity activity tied to North Korea is code-named Hidden Cobra, and thus far, seven malware variants have been publicly announced.
- Hoplight – uses proxy applications to mask traffic between the malware and the remote operators
- Bistromath – performs simple XOR network encoding and is capable of many features, including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard, and screen
- Slickshoes – a Themida-packed dropper that decodes and drops a file “C:\Windows\Web\taskenc.exe”, which is a Themida-packed beaconing implant
- Hotcroissant – performs custom XOR network encoding and is capable of many features, including conducting system surveys, file upload/download, process and command execution, and performing screen captures
- Artfulpie – performs downloading and in-memory loading and execution of a DLL from a hardcoded URL
- Buffetline – the sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration
- Crowdedflounder – a Themida-packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory
While the concept of a state-sponsored cyber attack is far from new, these incidents are becoming much more frequent. And worryingly, these are only the incidents which the general public is made aware of.
In November, New Zealand’s National Cyber Security Centre (NCSC) suggested that 38% of the incidents it had to respond to were most likely state-sponsored. These are only a small proportion of the total cyber incidents, though the NCSC is tasked with tackling the most serious. The Five Eyes intelligence alliance, of which New Zealand is a member, has attributed the WannaCry incident to North Korea and NotPetya to Russia in recent years.
Looking at December 2019 alone, the Center for Strategic and International Studies suggests there were attacks from a Chinese state-sponsored group on multiple nations, a Cambodian Government agency was targeted, login credentials from government agencies in 22 nations across North America, Europe, and Asia were stolen by unknown hackers, a suspected Vietnamese state-sponsored hacking group attacked BMW and Hyundai, while Russian government hackers targeted Ukrainian diplomats, officials, military officers, journalists, and non-governmental organizations in a spear phishing campaign.
State-sponsored cyber incidents are most certainly on the rise, but the worrying element of this trend is that no-one genuinely knows how many there are. The likelihood of being able to attribute these incidents back to a particular regime with absolute certainty, and free from political bias, is incredibly low.