North Korea’s offensive cyber-program evolved from one of power projection to one which is “dual-focused” and going after international economic targets.
Speaking at Black Hat Europe 2020, Crowdstrike researchers Jason Rivera and Josh Burgess discussed how North Korea had advanced its strategy from one of showing force, which was more prevalent under the leadership of Kim Jong-Il, to one which is now going after targets other than the US, South Korea and Japan.
At first, it had engaged in DDoS attacks and deploying wiper malware, but Rivera, director of the strategic threat advisory group at Crowdstrike, said it was not able to do “any serious damage.” However, attacks became more focused and targeted, such as data exfiltration from South Korea’s Ministry of Defense and the attacking of the Seattle subway system and the 2014 attack on Sony Pictures.
In the power protection era, Rivera said that they would often focus attacks on military targets and demonstrate its nuclear capabilities “to push back its regional adversaries” as well as the USA.
The next phase focused on generating currency, due to the economic sanctions placed on North Korea because of its nuclear program “in order to bypass some of the financial hardships brought on by these sanctions.” Rivera said Crowdstrike had observed North Korea engaging in different types of currency generation operations, including fraudulent attacks, ransomware, attacks on the SWIFT banking systems and ATM cash out schemes.
However, it’s current activity is on a dual-focused effort, where it goes after economic targets for currency generation, but also attacks critical infrastructure, international targets and even the United Nations. “Also, with currency generation, we see the targeting of non-traditional targets, such as crypto-currency exchanges, especially those located in East Asia,” Rivera said.
“We also see a lot of focus on economic growth targeting, taking a page out of China’s playbook. China engages in a lot of espionage in support of their own economy, and we’re now seeing North Korea do the same and it appears to be focused on critical infrastructure sectors where they need a lot of help.” This includes power generation and agriculture, to empower its economy.
North Korea is also targeting international organizations like the UN and Israel’s industrial base. “This demonstrates a high degree on behalf of the North Korean regime and at this point they do believe that they have succeeded and got to the point where they are at now, taking it to the next level,” he said.
Burgess, technical lead for threat intelligence at Crowdstrike, said the focus on energy production is on all forms including oil, gas and coal, and this has seen targets in the USA being hit. “It was more designed to steal than anything else, especially in a recent oil and gas campaign, as it was designed to go through and pilfer out information and throw the wiper on the end and make it seem like they could control power,” Burgess said. “Everything was designed to be more business focused and disable business.”
Looking forward, Rivera predicted an increased use of advanced ransomware, including offering ransomware-as-a-service and data extortion where data is stolen and encrypted, and the victim is blackmailed into paying up or the data is exposed.
Rivera also said North Korea is expected to follow China’s lead and carry out more economic espionage, and follow a concept of “cyber-brinkmanship” where two sides make threats and it comes down to “who calls chicken first.” He said Crowdstrike has seen North Korea “bring its adversaries to the edge and use cyber or nuclear threats to determine the effects.” As it would not survive a nuclear encounter and this would lead to international condemnation and a potential regime change, Rivera said he expected North Korea to move to the cyber-side “as this is safer for them.”
Rivera said: “The cyber-route still allows them to project power, still allows them to take swipes at their adversaries, but does so in a much safer way and has a lower risk of kinetic retaliation but also a lower risk of having the Kim dynasty replaced.”