21 September 2018

North Korea's Hackers Play the Long Game

By Ben West

A U.S. federal investigation has shown that Pyongyang has been planning its cyberattacks far in advance, typically with the aim of stealing money rather disrupting its enemies. North Korea and others rely on invasive surveillance to increase the potency of their attacks, yet such action increases the chances that hackers will be detected ahead of time. Investigations into hacking can force assailants to alter their tactics and operations, but they are not enough to stop them outright.


In July, we noted that the Islamic republic has been playing the numbers game in the world of cyberattacks, using relatively rudimentary tactics in a shotgun approach that targets thousands of individuals in the hopes that a small percentage become victims. Now, the recent release of a U.S. Department of Justice criminal complaint depicts a similar, yet very different, threat from North Korea over the past four years.

In addition to laying out in technical detail why North Korea was the mostly likely perpetrator of attacks on Sony Pictures in 2014, Bangladesh Bank in 2016, the WannaCry attacks in 2016 and 2017, and dozens of other lower-profile attacks in between, the complaint revealed many new insights into how the North Koreans allegedly crafted their operations to conduct those attacks. The operations that North Korea and Iran are suspected of shared much in terms of targeting and tactics, but one key difference provides insight into how the two countries approach their cyber campaigns. Whereas Iran tends to play the numbers game, North Korea plays the long game, preparing attacks months — or sometimes over a year — in advance. The differences in style between the two threats highlight the relevance of the cyberattack cycle and the important role preparation and surveillance play in such attacks. But even if the investigation has lifted the lid on some of the biggest state-sponsored hacks in recent years, it is unlikely to ever stop countries such as North Korea from refining their craft and homing in on other victims.

The Big Picture

As the United States and North Korea attempt to reach a settlement to their nearly 70-year-old conflict, new details from an investigation conducted by the U.S. Department of Justice on alleged North Korean cyberattacks portray a well-organized and determined threat.

A Common Modus Operandi

The cyberattack cycle is quite similar to the criminal and terrorist attack cycles, and Iranian and North Korean operations are similar in the target selection, planning, attack and exploitation phases of the cycle. For example, both have targeted U.S. defense contractors and financial institutions (These are popular targets for most other hackers as well). Iran's distributed denial-of-service attacks on U.S. financial institutions from 2011 to 2013 cost millions of dollars in lost business, and the campaign was inexpensive for the Islamic republic. A series of North Korean attacks on financial institutions around the world reportedly earned the economically struggling regime hundreds of millions of dollars.


The tactics of both were similar, too. They relied on phishing, spear-phishing and watering-hole attacks, all of which attempt to trick their victims into downloading malware by posing as legitimate links or files. More specifically, both countries have used spear-phishing emails disguised as job applications. Iran's biggest cyber success, the 2012 Shamoon attack against Saudi Arabian Oil Co., and North Korea's $81 million theft from Bangladesh Bank both started with malware disguised as resumes and cover letters emailed to employees. And while Tehran has typically sought to create a disturbance with such attacks on financial institutions — in contrast to Pyongyang's quest to gain cash or political retribution — both have demonstrated a penchant for purely disruptive attacks. Indeed, while North Korea's 2017 WannaCry campaign was disguised as a ransomware attack, it quickly became apparent that its true intent was disruption.
Surveillance the North Korean Way

The differences between North Korea and Iran, however, emerge in their approaches to surveillance. In non-intrusive surveillance, hackers often conduct passive research on a targeted network, while in intrusive surveillance, they gain illegal access to the targeted network to monitor activity from the inside. Breaking into the network frequently represents a precursor to the main attack, whose goals might be to steal information or money or to deliver a piece of malware that wipes hard drives and renders computers worthless. Without question, Iranian hackers engage in their fair share of intrusive surveillance, and it is safe to assume that Iranian groups are currently embedded in networks around the world, seeking ways to exploit their access. The recent Department of Justice criminal complaint, however, indicates that North Korea has devoted much more time to conducting invasive surveillance in support of its attacks.

For example, North Korean operators apparently had began scanning servers associated with Sony Pictures Entertainment by September 2014, at least two months before Sony became aware of any hacking attempts. Leading up to the hack, North Korean operators operating under pseudonyms targeted multiple individuals associated with "The Interview," a controversial movie depicting the assassination of Kim Jong Un, which put Sony Pictures on Pyongyang's radar. The operators sent corrupted links to individuals on social media, as well as spear-phishing emails imitating legitimate warnings from Facebook and Google, in an attempt to steal login credentials. By early October 2014, the hackers had established a foothold in Sony's systems, and within another month, they had succeeded in stealing sensitive information and compromising networks, forcing Sony to disconnect about 8,000 workstations to prevent the spread of malware.

The operation against Bangladesh Bank lasted even longer. North Korean hackers started conducting surveillance against the financial institution 16 months before absconding with $81 million from its accounts in February 2016. As part of its non-intrusive surveillance, North Korean cyberattack teams began researching banks in Bangladesh in October 2014. By February 2015, the hackers had moved to intrusive surveillance by successfully spear-phishing at least two accounts at the bank, allowing them to establish a backdoor to the lender's network the following month.

During the 11 months that the North Korean hackers had access to Bangladesh Bank's servers, they presumably watched and took note of processes. They studied how the bank printed copies of each message pertaining to wire transfers using SWIFT; they were also mindful of who directed the transactions and when they sent the transfers, as well as the language they used. And thanks to the 11 months of invasive surveillance, the North Korean operators identified vulnerabilities in Bangladesh Bank's internal workings, leading them to develop a plan to direct $951 million in transfers from the lender to accounts they opened elsewhere in Asia. To do so, they developed code that would prevent the printing of any SWIFT messages in the bank's office that might alert employees about unauthorized transfers and delete itself once the operation was completed. Then, just days before the transactions, the hackers moved laterally through the network to gain access to the bank's SWIFT account. The operatives conducted the transfers just ahead of the Chinese New Year, when banks and businesses across the Asia-Pacific typically close.


Cutting Corners

In the end, the operators only managed to steal $81 million, but they would have stolen much more if not for some elementary failures. A typo in one transfer order blocked the theft of $20 million, while the hackers accidentally used credentials stolen from a bank in South America several times before realizing their mistake and entering the correct credentials to enter the Bangladesh Bank accounts. This helped investigators connect the perpetrators of the Bangladesh Bank robbery to the attack on the South American bank (among others).

In conducting their numerous attacks, the North Korean hackers did what any organization would do to cut costs and increase efficiency: They repurposed and reused infrastructure across attacks. Naturally, the operatives obfuscated their identities through multiple layers of additional email addresses and proxy servers such as virtual private networks (VPNs) or other compromised computers, but the hackers essentially used the same handful of email accounts, social media handles, devices and IP addresses linked to China and North Korea in multiple attacks. The charges brought against North Korean hackers ultimately relied on these similarities to connect the attacks and link them back to North Korea, making it harder for Pyongyang to deny its involvement. Just like criminals and terrorists, hackers also make mistakes and cut corners. And just how understanding criminal and terrorist attack cycles can increase awareness of a pending attack — and, ideally, thwart it before it causes damage — understanding how that cycle applies to cyberattacks can help individuals, companies and state institutions remain safe online.

With invasive surveillance, the stakes are high for the malefactor and potential victim alike.

With invasive surveillance, the stakes are high for the malefactor and potential victim alike: The longer prospective assailants have to conduct invasive surveillance on a target, the more damaging the attack can be — even as the length of such surveillance increases the likelihood of detection. In terms of cyberattacks, a software update, virus scan or even a machine reboot can identify a threat or cause it to lose access. Accordingly, hackers must always weigh the advantage of conducting more surveillance against the risk of detection, which rises the longer they linger in a network.
The Upshot

The good news for potential targets is that they can deprive hackers of the luxury of prolonged, invasive surveillance if they monitor their networks vigilantly. The bad news is that hackers from countries such as North Korea (as well as Iran, China and Russia) will continue to pose a threat — either through the numbers game or the long game. Because many of the underlying accounts, IP addresses and devices linked to previous attacks are now public information, North Korean hackers will have to rebuild their capabilities if they wish to continue operating anonymously.

However, none of the state-backed foreign individuals or groups facing U.S. charges is ever likely to face prosecution given the protection they receive from their governments, meaning they will go on to restructure their operations and improve their craft. As it is, $13.5 million was stolen from an Indian bank through a combination of fraudulent SWIFT transfers and unauthorized ATM withdrawals just last month. The heist, a highly complex and organized attack that was a long time in the making, has been linked to Pyongyang — suggesting that North Korean hackers are already back in business and busy working on their next project.

No comments: