Why North Korean Cyberwarfare is Likely to Intensify

Despite a parade of issues battling for headlines today, the impending negotiations between the United States and the Democratic People's Republic of North Korea (DPRK) have been widely covered, with diplomacy experts weighing in across the globe.

 

A recent article by CrowdStrike VP of Intelligence Adam Meyers titled, “Negotiations With North Korea May Have Cyber Consequences,” offers a view of the unprecedented negotiations from a different angle — one that examines the cyber consequences of these talks. The article appeared in the online magazine 38North, which is published by the Korean Institute of Johns Hopkins School of Advanced International Studies (SAIS). Meyers’ analysis is based on years of working in cyber threat intelligence (CTI), investigating and analyzing adversaries, including nation-state sponsored threat actors. He begins by asserting that “While the North Koreans have reportedly agreed to a moratorium on missile and nuclear tests during inter-Korean and U.S.-DPRK talks, they are likely to see clandestine offensive cyber operations as a potential response to continued debilitating sanctions, as well as for further intelligence gathering.” In other words, agreeing to stop physical shows of military force is not likely to stop their pursuit of cyberwarfare.

A History of Cyberattacks

Drawing from a history of observing DPRK adversaries, Meyers points to their breach of Sony Pictures Entertainment in 2014 as a watershed moment that captured global headlines for weeks. One could argue the reverberations from that breach are still being felt today. As Meyers explains, analysis of the tools, techniques and procedures (TTPs) employed in the Sony attack allowed investigators to tie its source code to other attacks that had been occurring for years. He writes, “In addition to similarities in code base, the tool chain used to build that source code into a program that was capable of running on the victim machines left a fingerprint unique enough to link it to previous attacks against financial, media, government and defense targets.” In the Sony case, the data was “weaponized,” as embarrassing emails and unreleased movies were leaked by the attackers, while Sony systems and infrastructure were temporarily disabled, leaving the organization

 

unable to respond to the devastating publicity.

DPRK Sends Ominous Warning

Now, in light of the announced negotiations, Meyers argues that the DPRK may be poised to launch new attacks with weapons that, unlike their nuclear arsenal, have proven capable of completing their missions. He cites a recent quote from a DPRK foreign ministry spokesman who said, “We define this ‘sanctions resolution’ rigged by the U.S. and its followers as a grave infringement upon the sovereignty of our republic and as an act of war violating peace and stability in the Korean Peninsula and the region.” Meyers contends that this should put the world on notice that the Kim regime may view cyberwarfare as their only recourse.

How an Attack Might Unfold

In the latter half of the article, Meyers outlines what new cyberattacks launched by North Korean operators might look like and how the phases of an attack might unfold:
  • Targets: Over the past several months, DPRK targets have included defense contractors and financial institutions. An initial penetration into one of these targets could serve as a jumping off point to find high-value assets where North Korean operators could inflict damage as a show of force.
  • Tactics:

     

    Although some targets may already be compromised, Meyers writes, “If a suitable penetration is not present, a new one would be targeted, likely using spear-phishing emails or a ‘watering hole’ attack (compromising a legitimate website likely to attract targets of interest, who would then be infected with malware). Both techniques have been leveraged by DPRK cyber operators successfully in the past.”
  • Operations: Once DPRK adversaries have gained access without being detected, they will need to escalate their security privileges so they can move around the network. During this stage, operators may steal data or plant “logic bombs” set to detonate and cause damage. Ironically, these actions also render the attackers more vulnerable, as Meyers explains. “This is the phase where they will be most exposed, because data exfiltration can consume large amounts of bandwidth and administrative account activities may attract the attention of a diligent system manager.”
  • Consequences: If such an attack is successful, the victim may be confronted with catastrophic consequences, such as a network full of non-functioning computers. When realization of the attack sets in, law enforcement and incident response personnel will be engaged to investigate. As the Sony incident demonstrates, information may be leaked, including personal emails or proprietary data.

What the Future May Hold

Meyers concludes by writing that targeting financial and government institutions could seem like a proportional response for North Korea, though they may also be interested in other targets, such as the media or military, or even critical infrastructure. He cites as evidence the attack on the Ukraine power grid conducted by the Russian Federation in December of 2015 and again in 2016. A similar attack against U.S. critical infrastructure could cause fear and disruption that would be of great interest to North Korea — they might even choose to leverage such an attack to include other targets. Meyers writes. “In addition to intrusion activity including destructive or disruptive elements, distributed denial of service (DDoS) attacks may be leveraged by DPRK actors to further enhance the effects of other attacks by knocking online media or response websites offline, compounding the potential disruptive effect.” Read the entire

 

38North article
Learn how CrowdStrike Falcon® Intelligence can help you know and outsmart your adversaries. Download the CrowdStrike 2020 Global Threat Report.
Breaches Stop Here