US outlines the North Korea cybersecurity threat

In a joint statement, US Government agencies have outlined the cybersecurity threats which have been attributed to North Korea.

With James Bond-style espionage increasingly a thing of the past, cyber criminals are becoming more common and more organised. On one side of the coin this could be private criminals, think of a digital Mafia, but state-sponsored campaigns and attacks are just as common, if not more so.

Russia and China might hit the headlines more frequently, but North Korea is a long-time adversary of the US, and it appears the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Defense (DoD) haven’t forgotten about it.

The US Government tracks malicious cyber activity attributed to the North Korean government under the code name Hidden Cobra, and this joint release covers seven malware variants:

  • Hoplight – proxy applications that mask traffic between the malware and its remote operators
  • Bistromath – uses simple XOR network encoding and is capable of conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard and screen
  • Slickshoes – a Themida-packed dropper that decodes and drops the file “C:\Windows\Web\taskenc.exe”, which is itself a Themida-packed beaconing implant
  • Hotcroissant – uses custom XOR network encoding and is capable of conducting system surveys, file upload/download, process and command execution, and screen captures
  • Artfulpie – downloads a DLL from a hardcoded URL and loads and executes it in memory
  • Buffetline – the sample uses PolarSSL for session authentication, but then uses a FakeTLS scheme for network encoding with a modified RC4 algorithm. It can download, upload, delete and execute files; enable Windows CLI access; create and terminate processes; and enumerate the target system
  • Crowdedflounder – a Themida-packed 32-bit Windows executable designed to unpack and execute a Remote Access Trojan (RAT) binary in memory
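The “simple XOR network encoding” noted for Bistromath and the custom XOR encoding noted for Hotcroissant are worth seeing in practice, because they are the first thing an analyst has to strip before the beacon contents can be read. The Python below is an added example written for this page, not code from the CISA/FBI reports or from the implants themselves: the key values (0x47 and 3a9c51e7), the beacon layout (a tag followed by key=value fields separated by “|”), the field names and all function names are constructed assumptions. It shows the two recovery paths an analyst usually has, and goes slightly beyond the single-byte case the text implies: a known plaintext (a crib such as a fixed header the implant always sends) gives the key directly and works for a repeating multi-byte key too; with no crib, a brute force over all 256 single-byte keys keeps the one whose output parses as a valid beacon.

```python
"""Recovering an XOR network-encoding key from captured beacon traffic.

Example code added for this page. The keys, the beacon layout, the field
names and the function names are constructed assumptions, not the real
Bistromath or Hotcroissant format.
"""

from itertools import cycle
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_from_crib(blob: bytes, crib: bytes, key_len: int) -> bytes:
    """Derive a repeating key of key_len bytes from a known plaintext prefix.

    Each key byte comes from one ciphertext/plaintext pair; every later crib
    byte must agree with that key, otherwise the crib (or key_len) is wrong.
    """
    if len(crib) < key_len or len(blob) < len(crib):
        raise ValueError("crib must cover at least one full key period")
    key = bytes(blob[i] ^ crib[i] for i in range(key_len))
    if xor_bytes(blob[: len(crib)], key) != crib:
        raise ValueError("crib does not fit a repeating key of this length")
    return key


# Field names the constructed survey format is assumed to always carry.
REQUIRED_FIELDS = ("host", "user", "os", "pid")


def parse_survey(plaintext: bytes) -> Optional[dict]:
    """Parse the constructed 'TAG|k=v|k=v|...' survey format.

    Returns None unless the text is ASCII and carries every required field,
    so a wrong key is rejected on message structure rather than on a
    "does it look printable" guess.
    """
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = text.split("|")
    fields = {}
    for item in parts[1:]:
        if "=" not in item:
            return None
        k, v = item.split("=", 1)
        fields[k] = v
    if not all(f in fields for f in REQUIRED_FIELDS):
        return None
    fields["tag"] = parts[0]
    return fields


def brute_force_single_byte_key(blob: bytes) -> Tuple[int, dict]:
    """Try all 256 single-byte keys; return the first one yielding a valid survey."""
    for k in range(256):
        fields = parse_survey(xor_bytes(blob, bytes([k])))
        if fields is not None:
            return k, fields
    raise ValueError("no single-byte key produces a valid survey")


# Constructed sample traffic (not a real capture): one survey beacon encoded
# with a single-byte key, and the same beacon under a 4-byte repeating key.
SAMPLE_SURVEY = b"SURVEY|host=WS-0213|user=jdoe|os=Windows 10|pid=4120"
CAPTURED_SINGLE = xor_bytes(SAMPLE_SURVEY, bytes([0x47]))
CAPTURED_MULTI = xor_bytes(SAMPLE_SURVEY, bytes.fromhex("3a9c51e7"))


def demo() -> dict:
    """Recover both keys and decode both captures."""
    key, fields = brute_force_single_byte_key(CAPTURED_SINGLE)
    multi_key = key_from_crib(CAPTURED_MULTI, b"SURVEY|", key_len=4)
    return {
        "single_key": key,
        "single_fields": fields,
        "multi_key": multi_key.hex(),
        "multi_fields": parse_survey(xor_bytes(CAPTURED_MULTI, multi_key)),
    }


if __name__ == "__main__":
    print(demo())
```

Validating on message structure rather than on printability is deliberate: a short ASCII beacon decodes to fully printable text under many wrong single-byte keys (any key differing from the real one in only the low bits tends to map letters to letters), so a printable-character score on its own produces ties and false positives. A crib is the better tool whenever one is available, and it also recovers a multi-byte repeating key for which brute force would be impractical.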

While the concept of a state-sponsored cyber attack is far from new, these incidents are becoming much more frequent. And worryingly, these are only the incidents the general public is made aware of.

In November, New Zealand’s National Cyber Security Centre (NCSC) suggested that 38% of the incidents it had to respond to were most likely state-sponsored. These are only a small proportion of the total cyber incidents, though the NCSC is tasked with tackling the most serious. The Five Eyes intelligence alliance, of which New Zealand is a member, has attributed the WannaCry incident to North Korea and NotPetya to Russia in recent years.

Looking at December 2019 alone, the Center for Strategic and International Studies lists attacks by a Chinese state-sponsored group on multiple nations; the targeting of a Cambodian Government agency; the theft by unknown hackers of login credentials from government agencies in 22 nations across North America, Europe and Asia; attacks on BMW and Hyundai by a suspected Vietnamese state-sponsored group; and a spear-phishing campaign by Russian government hackers against Ukrainian diplomats, officials, military officers, journalists and non-governmental organisations.

State-sponsored cyber incidents are almost certainly on the rise, but the worrying element of this trend is that no-one genuinely knows. The likelihood of attributing these incidents to a particular regime with absolute certainty, and free from political bias, is incredibly low.

Huawei suspected of decade long relations with North Korea – report

The Washington Post has obtained internal documents showing the Chinese vendor and its partners have been working with North Korea’s national mobile operator for over a decade.

A former Huawei employee turned whistle-blower has passed on the documents to the newspaper, which has had them translated into English and shared on GitHub. The two spreadsheets are project logs of Huawei’s business in the China region, which covers North Korea (codenamed A9 inside Huawei). Details include project name, project status, account, country, internal business units, etc.

Huawei and its partners (for example Panda (Beijing) International Tech Limited and Xiamen Baoxin Supply China Co) are shown to have undertaken multiple projects for Koryolink, North Korea’s only mobile operator. The files record the most recent initiated project with Koryolink as taking place in 2016, and the most recent uninitiated project with the North Korean operator as logged in 2017.

The Washington Post reported that North Korea started building the mobile operator after the late Kim Jong Il (father of current leader Kim Jong Un and son of the country’s founder Kim Il Sung) visited Huawei in 2006. The operator was then set up as a joint venture between the Egyptian company Orascom Telecom Holding and North Korea’s Post and Telecommunications Corp. The newspaper claims it has also obtained additional files, not shared externally, that corroborate the case, including Huawei’s internal social network discussion records. Huawei is also alleged to have developed a special encryption system for “special users” in North Korea.

At the time of writing Huawei has not responded to Telecoms.com’s request for comment, but its spokesperson told The Washington Post that the company has no business presence in North Korea, while not denying the authenticity of the files. The spokesperson also said that “Huawei is fully committed to comply with all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations”.

The timing of the report is tricky for multiple parties. For Huawei, while the litigation in the US related to its business in Iran is still ongoing, the exposure of its long-term business relations with North Korea could become another roadblock to its efforts to be removed from the US Entity List. However, if Huawei used other Chinese companies to ship equipment to North Korea, as was reported, it might have a case to argue that it has not dealt directly with a country under US sanctions, which is different from the Iran case, where it is accused of having used its own subsidiary. But there are also cases, in particular system integration and software development projects, where Huawei had direct links. A detailed investigation would be needed to determine whether American technology was involved.

For the US it is also a precarious period. President Trump met CEOs from seven US technology companies on Monday, when he promised that the Department of Commerce would respond promptly to the license requests for Huawei sales. Afterwards, when asked about the North Korea report, the President said he will need to explore the issue. A further twist is the President has repeatedly claimed that he and the North Korean leader Kim are good friends.

For the UK and the European Union, the rather concrete case of Huawei’s link to North Korea would undoubtedly lend more weight to the argument that the company should be excluded from the construction of 5G networks, citing security concerns.

Russian telco strengthens North Korea connection to the world wide web

The door of the internet is opening wider for North Korea as TransTeleCom starts routing traffic from the secretive state.

The development was spotted by 38 North, a research institute based at Johns Hopkins University in Maryland. Late on Sunday evening, Russian telco TransTeleCom opened up the connection, giving North Koreans greater access to the digital world. Until now, China Unicom had managed the only connection between the country and the rest of the internet.

It certainly comes at an interesting time, and will test the patience of an already eventful Presidency. In recent months, officials in the US have been stepping up pressure on the Chinese government to end ties with North Korea, and the Russian intervention has the potential to generate friction in a relationship which is already turbulent.

Aside from the telco space, TransTeleCom also has ties to the transport game, being a subsidiary of the Russian railway operator. Fibre cables are laid alongside the railway lines throughout the country, and it is believed the connection crosses the Friendship Bridge, which links Khasan in Russia with Tumangang in North Korea. It’s the only physical connection between the two nations.

While this might come as a shock to some, it turns out the internet is quite popular with senior leadership within the North Korean government. Research from Insikt Group revealed there are around 4 million smartphones in the country, though most of those handed out to the general public have restricted services. A small number of people at the top, however, have access to the world wide web as the rest of us know it.

The research shows a couple of interesting things as well. Those who are deemed senior enough to access the internet, spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba. Insikt also believes Facebook is the most popular social media site, despite reports that it (and many other popular social media platforms) are banned in the country.

While this is certainly interesting news, headaches might start appearing across the US, as officials are reportedly trying to close the door between North Korea and the rest of the world. With experts believing cyber-attacks around the world could have originated in the country, the Washington Post has reported that the US government has been targeting the existing Chinese connection with denial of service attacks to hamper service in and out of North Korea.