When Russia invaded Ukraine earlier this year, the U.S. government and security experts warned about increased cyber threats related to the war. Technologists and cybersecurity pros needed to prepare for a likely increase in ransomware and other possible cybersecurity risks.
While Russia remains a significant cyber threat, security experts caution that other countries with well-developed capabilities continue to jeopardize networks, infrastructure and data of federal agencies and private businesses. Although most observers point to China as a significant foe, those same experts warn that North Korea poses its own unique set of risks—combined with a track record of carrying out such attacks.
Over the past month, security firms, media reports and U.S. government agencies have issued several warnings about North Korea and various threat groups associated with the regime in Pyongyang. These include:
- In a July 6 alert from the Cybersecurity and Infrastructure Security Agency, the FBI and the Treasury Department warned about a ransomware strain called “Maui,” which has targeted the health care sector since May 2021. While the alert did not attribute these attacks to a specific North Korean threat group, the agencies reiterated that organizations that pay ransoms are violating U.S. sanctions against the regime.
- A July 10 CNN story focused on ongoing efforts by North Korea to steal cryptocurrency, which the regime then uses to fund its activities and circumvent international sanctions.
- Finally, a July 14 report published by security firm Proofpoint examined various advanced persistent threat groups impersonating or targeting journalists. One of the APTs conducting these operations has been named “TA404.” This group has ties to the North Korean regime.
“Recent campaigns have targeted cryptocurrency and financial services institutions, in addition to traditional espionage-oriented intrusions. Additionally, there are continued reports of the [Democratic People's Republic of Korea] state-aligned actors that deploy ransomware; the diverse targeting and results of these intrusions more align with financial e-crime activity and stay below the collective radar,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
“With the global downturn in cryptocurrency prices, which DPRK APT actors have been known to steal en masse, including the recent Axie Infinity breach, the state is looking for other ways to monetize cyber intrusion including via ransomware deployment on systems with existing access,” DeGrippo added.
A Threat to Take Seriously
While much attention has focused on Russia and China, North Korea and threat groups associated with the country’s leadership remain a threat. These risks mean tech and security pros must continue to monitor the country’s various cyber activities, experts note.
Due to sanctions imposed by the U.S. and other countries, analysts warn the country is increasingly relying on cryptocurrency heists (as the CNN story details) and ransoms collected through ransomware attacks to fund the government and its various activities. Financial firms and others that deal in large amounts of cryptocurrency need to remain vigilant about vulnerabilities within their infrastructure.
For the past two years, North Korean cybercriminals have been appearing more frequently in Russian underground chatrooms and forums and exchanging intelligence with their counterparts. As part of this, North Korean groups have used these connections to buy or rent access to banks and other financial institutions that are already compromised.
“It's just a numbers game. If you think you have infected enough organizations, at some point you're going to get an infection of a system within a bank. And so, [Russian and other cybercriminals] provided access to North Koreans,” Mark Arena, the CEO of threat intelligence firm Intel 471, who has been tracking the nexus between Russian and North Korean gangs, told Dice.
Along with other reports, Microsoft released a study on July 14 that details how one group associated with North Korea, dubbed H0lyGh0st, is using ransomware to target small and midsized firms.
“As North Korea suffers under sanctions imposed by the West, the regime looks to capitalize on cyber ‘heists’ targeting cryptocurrency digitally powered extortion using ransomware. This effectively gives them monetary instruments they can convert to U.S. dollars to fund several activities through black market transactions or countries that don’t support the western sanctions,” Andrew Barratt, vice president at security consulting firm Coalfire, told Dice.
“North Korea poses a unique threat as it is so tightly controlled with a significant investment in cyber capabilities that give it access to off-market capital sources, intellectual property and the ability to be disruptive to other nations. In a way, they’ve created a kind of cyber-sanction capability to counter the economic sanctions imposed by the west,” Barratt added.
Besides attempting to steal or extort money, North Korea-connected groups deploy phishing and other techniques to target those who write about or monitor what the regime is plotting and planning. This seems to be the primary motivation behind recent campaigns against journalists that Proofpoint uncovered.
“This demonstrates an active concern by state-sponsored actors from DPRK to not only read global media coverage about their illegal cyber activities that result in monetary theft but also to target organizations that write about it,” DeGrippo told Dice.
Countering Threats
Security experts noted that tech and security pros can (and should) remain aware of various threats associated with North Korea and that there are multiple ways to protect infrastructure, data and employees. DeGripp, for instance, suggests staying aware of malware and other techniques used by these groups, and incorporating that information into training procedures.
“It is also up to the organization to gain a clear understanding of who their most attacked people are within the organization, that way they can define and set specific levels of security to make sure potential targets are well-protected,” DeGrippo said. “We also recommend robust, comprehensive, and regular cybersecurity awareness training to give potential targets the skills to identify and correctly respond to any similar threats, as threat actors will always adapt and hone their tactics.”
Darryl MacLeod, CISO at LARES Consulting, added that organizations need to assume a breach has already happened. It’s best to identify critical assets that might have been targeted, especially if groups are using ransomware.
“Even if you think it is unlikely, plan for an attack. Start by simply identifying your critical assets and determining the impact if they were affected by a ransomware attack,” MacLeod told Dice. “This will help determine your response to any potential ransom demands and the threat of your organization's data being exposed.”
What tech and cyber professionals need to remember, however, is ransomware is simple but effective once deployed. Arena, the CEO of Intel 471, believes defenders must focus on what he calls precursors of attacks.
“This is what I talk about when I say these cybercriminals use spray and pray methods. You have Office documents coming in with macros, so you have to disable the macros—things like that,” Arena said. “That initial access might be passwords that are re-used across the system, remote desktops left open or open email server—just username and password. These are traditional initial access that threat actors use and they might not start with the North Koreans, but if Koreans deploy ransomware, it certainly finishes with them.”