North Korea hacking threat still looms despite summit

Times may be changing for diplomatic relations between North Korea and the U.S., but the threat of North Korean hacking still looms.

This week's summit between President Donald Trump and North Korean leader Kim Jong Un could lead to improved relations between the two countries and a possible denuclearization plan for North Korea. However, it's unclear what impact, if any, the summit may have on nation-state cyberattacks coming from the country. According to various reports from the summit, the talks between Kim and Trump did not include any provisions concerning cyberattacks, and several cybersecurity companies have said there is evidence that North Korean hacking attacks may be ramping up this year.

Several notable cyberattacks have been attributed to the North Korean government in recent years, including the 2014 breach of Sony Pictures and last summer's global WannayCry ransomware attacks. In addition, the FBI and the Department of Homeland Security recently issued a security advisory tying two well-known malware campaigns, Joanap and Brambul, to the North Korea hacking group Hidden Cobra, also known as Lazarus Group.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, a threat intelligence provider based in Somerville, Mass., told SearchSecurity that while Kim's regime wants to increase the country's role in the international community, there's no indication the government has curbed its hacking efforts.

In fact, she said there are signs that the opposite may be occurring.

"What we can say from looking at the data is that there are two stories: the data story, which shows us that North Korea increasingly cares about being monitored and watched, and that they are taking measures to hide their activity online; and the diplomacy story, where it's telling the rest of the world that it's ready to denuclearize and be more transparent," Moriuchi said. "And the two stories just don't match up."

Recorded Future published research in April that showed a massive increase in anonymization of North Korean internet activity. "We conducted the research back in July, and we saw, for example, that less than 1% of all web browsing activity was anonymized -- they didn't even use HTTPS most of the time, let alone [virtual private networks (VPNs)]," she said, either because they didn't care about hiding activity or because they didn't know they could anonymize traffic. "But six months later, it was a completely different story -- there was about a 12,000% increase in anonymization services and technology."

Recorded Future issued another report last week detailing an increasingly large presence of U.S. technology in North Korean networks and usage by North Korean leadership, despite economic sanctions that prevent such trade. Moriuchi said North Korea has "professionalized sanctions evasion" over the last three-plus decades and found various ways to exploit weaknesses in U.S. export controls.

"We think this is a problem for two reasons. First, there are gaping holes in U.S. export control regime, and they're being exploiting by this rogue nation," she said. "Second, the U.S. government doesn't want U.S. technology being used in cyberattacks from North Korea to harm businesses and government agencies."

If Kim agrees to a denuclearization plan, there may be less incentive for the government to drops its hacking operations. Ross Rustici, senior director of intelligence services at Boston-based threat detection vendor Cybereason, believes North Korea's hacking operations are a crucial bargaining chip for Kim and also present a unique threat to the Trump administration.

"North Korea currently lacks many options to force the U.S. into working inside a START [Strategic Arms Reduction Treaty] framework. Almost all of its military and foreign policy capabilities are defensive at this point," Rustici wrote in a research post last month, prior to the summit. "The one exception is its cyberprogram. And, unfortunately, this is one domain where North Korea can impact the Trump brand in a way that it could not against any other President."

Several vendors have reported increased sophistication and capabilities from suspected North Korean hacking groups this year. For example, Dragos Inc., a security firm based in Hanover, Md., that specializes in industrial control systems (ICS), published a threat report on a group it calls Covellite, which the company said uses malware and infrastructure similar to Hidden Cobra.

Dragos noted that Covellite, which had targeted U.S. organizations in the past, had recently abandoned North American companies and focused its attacks on European and Asian companies. Dragos also said that while Covellite lacks ICS-specific capabilities at this time, the group's "rapidly improving capabilities, and history of aggressive targeting" made it a primary threat to the ICS industry.  

In addition to Hidden Cobra, FireEye earlier this year reported that another North Korean hacking group known as APT37 had demonstrated increased capabilities, including the use of an Adobe Flash zero-day vulnerability in attacks on South Korean targets. "Our analysis of APT37's recent activity reveals that the group's operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware," FireEye wrote, adding it has "high confidence" that the group is working on behalf of the North Korean government.