29 March 2020

An Elite Spy Group Used 5 Zero-Days to Hack North Koreans

by Andy Greenberg


MOST NORTH KOREANS don’t spend much of their lives in front of a computer. But some of the lucky few who do, it seems, have been hit with a remarkable arsenal of hacking techniques over the last year—a sophisticated spying spree that some researchers suspect South Korea may have pulled off.

Cybersecurity researchers at Google’s Threat Analysis Group today revealed that an unnamed group of hackers used no fewer than five zero-day vulnerabilities, secret hackable flaws in software, to target North Koreans and North Korea-focused professionals in 2019. The hacking operations exploited flaws in Internet Explorer, Chrome, and Windows with phishing emails that carried malicious attachments or links to malicious sites, as well as so-called watering hole attacks that planted malware on victims’ machines when they visited certain websites that had been hacked to infect visitors via their browsers.

Google declined to comment on who might be responsible for the attacks, but Russian security firm Kaspersky tells WIRED it has linked Google’s findings with DarkHotel, a group that has targeted North Koreans in the past and is suspected of working on behalf of the South Korean government.

South Koreans spying on a northern adversary that frequently threatens to launch missiles across the border is not unexpected. But the group’s ability to burn five zero-days in a single spy campaign within a year represents a surprising level of sophistication and resources. “Finding this many zero-day exploits from the same actor in a relatively short time frame is rare,” writes Google TAG researcher Toni Gidwani in the company’s blog post. “The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.” In a follow-up email, Google clarified that a subset of the victims were not merely from North Korea but inside the country, suggesting that these targets weren’t North Korean defectors, whom the North Korean regime frequently targets.

Within hours of Google linking the zero-day vulnerabilities to attacks targeting North Koreans, Kaspersky was able to match two of the vulnerabilities—one in Windows, one in Internet Explorer—with those it has specifically tied to DarkHotel, says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. The security firm had previously seen those bugs exploited to plant known DarkHotel malware on its customers’ computers. (Those DarkHotel-linked attacks occurred before Microsoft patched the flaws, Raiu says, suggesting that DarkHotel wasn’t merely reusing another group’s vulnerabilities after they became public.) Since Google attributed all five zero-days to a single hacker group, “it’s quite likely that all of them are related to DarkHotel,” Raiu says.

Raiu points out that DarkHotel has a long history of hacking North Korean and Chinese victims, with a focus on espionage. “They’re interested in getting information such as documents, emails, pretty much any bit of data they can from these targets,” he says. Raiu declined to speculate on what country’s government might be behind the group. But DarkHotel is widely suspected of working on behalf of the South Korean government, and the Council on Foreign Relations names DarkHotel’s suspected state sponsor as the Republic of Korea.

DarkHotel’s hackers are believed to have been active since at least 2007, but Kaspersky gave the group its name in 2014 when it discovered that the group was compromising hotel Wi-Fi networks to carry out highly targeted attacks against specific hotel guests based on their room numbers. In just the last three years, Raiu says Kaspersky has found DarkHotel using three zero-day vulnerabilities beyond the five now linked to the group based on Google’s blog post. “They’re probably one of the actors that’s the most resourceful in the world when it comes to deploying zero days,” Raiu says. “They seem to be doing all this stuff in-house, not using code from other sources. It says a lot about their technical skills. They’re very good.”

While most of the zero-day vulnerabilities Google linked with the attacks on North Korean targets were found in Internet Explorer, the hackers found creative ways to use those bugs in Microsoft’s browser code against victims who used more popular software, points out Dave Aitel, a former NSA hacker and the founder of the offense-focused security conference Infiltrate. In one case, an Internet Explorer bug was exploited through a Microsoft Office document that merely embedded an online video: playing the video loads Internet Explorer’s rendering engine inside Office, so the victim never has to open the browser itself. In another case, the hackers adapted a bug in Internet Explorer’s sandbox, the security feature that quarantines code in the browser from the rest of the computer, to bypass Firefox’s sandbox instead.
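The Office-document vector Aitel describes leaves a footprint that can be hunted for on disk. Word’s Online Video feature stores the embed markup as an `embeddedHtml` attribute on a `wp15:webVideoPr` element inside `word/document.xml`, so a scanner that unzips a .docx and pulls that attribute out surfaces the URL the embedded browser engine would be sent to. The script below is an added example, not code from the article, from Google or from Kaspersky: the .docx it builds is constructed for the demonstration, the namespace URI and element and attribute names are what Word writes for that feature to the best of my knowledge and should be checked against a benign sample from your own environment, and the trusted-host list used for triage is a tuning assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Namespace Word uses for the Online Video drawing extension.
# Assumption: confirm against a benign document produced by your Office build.
WP15 = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"

# Embed URLs a legitimately inserted online video is expected to point at.
# Assumption for triage only; tune to what your users actually insert.
TRUSTED_EMBED_PREFIXES = ("https://www.youtube.com/embed/",)


def build_sample_docx(embedded_html: str) -> bytes:
    """Constructed minimal .docx (not a real-world sample) carrying one
    online-video drawing. Only the parts the scanner inspects are present."""
    escaped = xml_escape(embedded_html, {'"': "&quot;"})
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
            xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
            xmlns:wp15="{WP15}">
  <w:body><w:p><w:r><w:drawing><wp:inline>
    <wp:docPr id="1" name="Video 1"><wp:extLst><wp:ext>
      <wp15:webVideoPr embeddedHtml="{escaped}" h="360" w="640"/>
    </wp:ext></wp:extLst></wp:docPr>
  </wp:inline></w:drawing></w:r></w:p></w:body>
</w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def extract_src_urls(html: str) -> list:
    """Pull every src= target out of the embed markup (iframe, script, img...)."""
    return re.findall(r"src\s*=\s*[\"']([^\"']+)[\"']", html, flags=re.IGNORECASE)


def is_suspicious(html: str, urls: list) -> bool:
    """Triage heuristic (assumption): inline script, no resolvable target, or an
    embed that does not point at a trusted video host is worth an analyst's look."""
    if re.search(r"<\s*script", html, flags=re.IGNORECASE):
        return True
    if not urls:
        return True
    return any(not u.startswith(TRUSTED_EMBED_PREFIXES) for u in urls)


def scan_docx_for_online_video(docx_bytes: bytes) -> list:
    """Return one finding per online-video element found in any word/*.xml part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not our concern here, other tooling will flag it
            for el in root.iter(f"{{{WP15}}}webVideoPr"):
                html = el.get("embeddedHtml", "")
                urls = extract_src_urls(html)
                findings.append({
                    "part": name,
                    "embedded_html": html,
                    "urls": urls,
                    "suspicious": is_suspicious(html, urls),
                })
    return findings


if __name__ == "__main__":
    # Constructed attacker-style document: the embed points somewhere other
    # than a video host, which is where an exploit page would sit.
    sample = build_sample_docx('<iframe src="https://example.invalid/v.html"></iframe>')
    for finding in scan_docx_for_online_video(sample):
        verdict = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(finding["part"], finding["urls"], verdict)
```

In practice you would point `scan_docx_for_online_video` at attachments pulled from the mail gateway or at files written to user profiles and feed the extracted URLs into blocklists and proxy-log hunts; the heuristic in `is_suspicious` is deliberately simple so that the allowlist, not the parser, is what you tune.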

“They’re able to take the vulnerabilities and do the engineering to fit them into their own framework,” Aitel says. “It’s really impressive. It shows a level of operational polish.”

Aitel argues that the group’s sophistication should serve as a reminder that countries considered “second-tier” in their hacking resources—i.e. countries other than Russia, China, and the US—may have surprising capabilities. “People underestimate the risk. If you have this level of capability in a second-tier cyberpower, you have to assume all second-tier cyberpowers have these capabilities,” Aitel says. “If you think ‘I’m not being targeted by the Chinese, I’m ok,’ you have a strategic problem.”
