That North Korean state-sponsored hacker groups have been particularly active in carrying out successful and highly lucrative cyber attacks against a variety of organisations around the world should come as no surprise. In a reclusive country ruled by an oppressive regime, these skilled hackers have been charged both with stealing commercial or military information of use to Pyongyang, and with breaching financial institutions as a means of accruing funds to assist with alleviating the impact of economic sanctions imposed on the country.
The hacker group most commonly associated with North Korea is known as Lazarus, though other names given to it include HiddenCobra, GuardiansOfPeace, Unit121, LabyrinthChollima, Bureau121 and Group77. It is thought to have been around since 2009 and responsible for the development of more than 45 families of malware. Its most notorious attacks include the breach of Sony in 2014, when personal and business data was stolen, the theft of 81 million dollars from Bangladesh Central Bank in 2016, the compromise of Polish banks in 2016, and the WannaCry ransomware infections in 2017.
Lazarus has also been linked with attacks on cryptocurrency exchanges. Between 2017 and 2018 it is believed to have hacked Yapizon, Coinis, YouBit, Coincheck and Bithumb, stealing a total of some $571 million.
Various other North Korean hacker groups have been discovered in recent years, and are often described as sub-groups of Lazarus.
For example, FireEye researchers identified APT38 in 2018; interestingly, it was claimed that this group was actually responsible for some attacks that had previously been attributed to Lazarus, such as the Bangladesh Central Bank heist mentioned above. The analysts also listed other specific incidents that the group was involved in. They included the SWIFT banking system attacks against Vietnam’s TP Bank in 2015, Taiwan’s Far Eastern International Bank in 2017, Bancomext in Mexico and Banco de Chile in 2018.
Other sub-groups of Lazarus include Bluenoroff, which also focuses on targeting foreign financial institutions, and Andariel, which concentrates more on cyber espionage activities via attacks on South Korean defence contractors and government organisations.
Various other state-sponsored hacker groups are also active: whether or not they are working under the umbrella of Lazarus is not clear.
APT37, for example, has been around since at least 2012. Also known as Reaper, RedEyes, RicochetChollima and Geumseong121, it is closely aligned with ScarCruft and Group123, and aims to gather intelligence. While it usually focuses on South Korean targets, organisations have also been hit in Japan, Vietnam and Middle Eastern countries, mainly in the aerospace and defence sectors.
In 2016 ScarCruft was noted to be using zero-day exploits to carry out attacks against organisations located in Russia, Nepal, South Korea, China, India, Kuwait, the US and Romania. More recently, the group members appear to have refocused their efforts on attacking high-profile political entities in South Korea.
Venus121 also concentrates on South Korea; its spear-phishing campaign in 2018 used a spyware-laced app and was aimed at North Korean defectors or their relatives.
StolenPencil has been active since at least May 2018 and primarily targets academic institutions, sending spear-phishing emails to potential victims involved in the field of biomedical engineering.
SectorA05 is believed to be behind two recent operations. The first, in January 2019, targeted South Korean journalists with malspam, as well as South Korean government employees from central government and the ministries of unification, diplomacy and defence; the second campaign is dedicated to cryptocurrency-related attacks.
Kimsuky has been operating since at least 2013, originally carrying out spear-phishing attacks on universities involved in research into defence policies, and organisations supporting Korean unification. Most recently, in March 2019, the group was found to be targeting delegates for the North American Summit, by sending emails purporting to come from the South Korean Ministry of Unification.
There is no doubt that these and other state-sponsored North Korean hacker groups are well organised and have highly developed capabilities allowing them to carry out sophisticated and very damaging cyber attacks – whether for financial or intelligence reasons.
They also attempt to deflect suspicion onto hacker groups in other countries. In a report published in January 2018, Trend Micro researchers noted that Lazarus plants ‘false flags’ inside its tools as a misdirection technique. They highlighted the example of the KLIPOD backdoor, where transliterated Russian words have been used in the commands. These do not appear to have been written by a native speaker, suggesting an effort has been made to divert attention elsewhere.
In a similar vein, research published in January 2019 claimed that the Ryuk ransomware was probably the creation of financially motivated Russian cyber criminals, rather than the North Korean state-sponsored hackers who were originally identified as responsible for it. In an interesting analysis, CrowdStrike documents how the ransomware was developed from the Hermes ransomware kit, which was used by APT38 in the 2017 Taiwan attack mentioned above. Researchers believe the North Korean APT actually bought Hermes from the Russian GrimSpider hacking group – possibly in an attempt to dupe investigators into steering their enquiries away from Pyongyang and towards Moscow.
What is clear is that North Korean hacker groups are highly skilled and viewed as an extremely valuable resource by the ruling regime: they will continue to develop their techniques and pose ever greater threats to businesses and governments worldwide.