In a worrying trend with far-reaching implications for the security community, North Korean state-backed hackers have stepped up their cyber attacks, most recently targeting security researchers who work on vulnerability research and development. Google's Threat Analysis Group (TAG) has been at the forefront of tracking and disrupting these intrusions, which are growing more sophisticated. This article summarises TAG's latest findings and places them in the context of the earlier North Korean campaigns against the research community.
Recent Developments
Google TAG recently disclosed a campaign by North Korean hackers aimed at security researchers working on vulnerability research and development. Since it first reported on this activity in January 2021, TAG has identified and disrupted several campaigns run by North Korean threat actors. In the past few weeks, TAG found that at least one zero-day vulnerability was being exploited in the campaign and promptly reported it to the affected vendor, which is now developing a fix.
It's worth noting that details regarding the exploited zero-day vulnerability and the name of the vulnerable software have not been disclosed, likely because the vendor is still in the process of patching the issue.
Operational Tactics
North Korean operators typically make first contact with a researcher on a social media platform such as X (formerly Twitter), then move the conversation to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a rapport has been built, they send the researcher a malicious file that exploits at least one zero-day vulnerability in a popular software package. If the exploit succeeds, the payload runs a series of anti-virtual-machine checks and then sends the data it has collected, including screenshots, to a command-and-control (C2) domain under the attackers' control.
As Google TAG noted, this playbook closely mirrors earlier North Korean campaigns against researchers.
“Given that the world of security research has many relationships formed over the internet, and with limited personal contact, it will be hard to police and deeply investigate all interactions,” said John Gallagher, vice president of Viakoo Labs at Viakoo.
“The best advice would be to take a ‘no exceptions’ policy to handle software or links from outside your organisation.” - John Gallagher
Expanding Arsenal
Beyond exploiting zero-days, the North Korean hackers have also built a standalone Windows tool that downloads debugging symbols from major symbol servers, including those run by Microsoft, Google, Mozilla and Citrix. The tool does have a legitimate use, but it can also download and execute arbitrary code from domains controlled by the attackers, putting the systems of anyone who runs it at further risk.
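One practical control follows from both the C2 callback in the tactics above and the symbol-downloading tool just described: a program whose only legitimate job is to fetch debugging symbols should only ever talk to known symbol servers, so any other outbound request from it is worth an alert. The following Python script is an added example, not code from Google TAG or from the tool in question. It replays constructed egress proxy log lines and flags requests the symbol tool makes to hosts outside an allow-list, rating a code-like download (.dll, .exe, .ps1 and so on) from such a host higher than a plain callback. The log format, the process name symfetch.exe and the allow-listed hostnames are assumptions chosen for illustration; replace them with the values your own tooling actually uses.

```python
"""
Egress allow-listing for a debugging-symbol fetcher.

Added example, not Google TAG's analysis and not the tool described in the
article. A symbol fetcher should only contact vendor symbol servers; this
script scans constructed proxy log lines and alerts on anything else.
Assumptions (not from the article): the log line format, the process name
'symfetch.exe' and the hostnames in ALLOWED_SYMBOL_HOSTS are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hostnames a legitimate symbol fetcher is expected to contact (assumed values).
# Matching is on the exact hostname so that lookalikes such as
# "msdl.microsoft.com.attacker.example" do not slip through a suffix check.
ALLOWED_SYMBOL_HOSTS = {
    "msdl.microsoft.com",
    "chromium-browser-symsrv.commondatastorage.googleapis.com",
    "symbols.mozilla.org",
    "ctxsym.citrix.com",
}

# Process name under which the symbol tool appears in the proxy log (assumed).
SYMBOL_TOOL_PROCESS = "symfetch.exe"

# Extensions that indicate code rather than symbol data. Only applied to
# non-allow-listed hosts: real symbol servers legitimately serve .dll/.exe
# images alongside .pdb files.
CODE_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".js", ".vbs", ".msi", ".scr")

# Constructed log format: "<ts> host=<h> proc=<p> method=<m> url=<u> status=<s>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>[A-Z]+) url=(?P<url>\S+) status=(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class LogEntry:
    ts: str
    host: str
    proc: str
    method: str
    url: str
    status: int


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    dest: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one proxy log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["host"], m["proc"].lower(), m["method"],
                    m["url"], int(m["status"]))


def check_entry(entry: LogEntry) -> Optional[Alert]:
    """Alert when the symbol tool talks to a host outside the allow-list."""
    if entry.proc != SYMBOL_TOOL_PROCESS:
        return None  # other processes are out of scope for this rule
    parts = urlsplit(entry.url)
    dest = (parts.hostname or "").lower()  # hostname only, port stripped
    if dest in ALLOWED_SYMBOL_HOSTS:
        return None
    path = parts.path.lower()
    if path.endswith(CODE_EXTENSIONS):
        return Alert(entry.ts, entry.host, dest, "high",
                     f"symbol tool fetched code-like file {path} from non-allow-listed host")
    return Alert(entry.ts, entry.host, dest, "medium",
                 f"symbol tool contacted non-allow-listed host via {entry.method}")


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the rule over a stream of log lines, skipping unparseable ones."""
    alerts: List[Alert] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        alert = check_entry(entry)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: two legitimate symbol downloads, one code download
# from an unknown host, one POST callback to that host, one unrelated process,
# and one malformed line.
SAMPLE_LOG = [
    "2023-09-07T10:21:03Z host=ws-17 proc=symfetch.exe method=GET url=https://msdl.microsoft.com/download/symbols/ntdll.pdb/1A2B3C/ntdll.pdb status=200",
    "2023-09-07T10:21:09Z host=ws-17 proc=symfetch.exe method=GET url=https://symbols.mozilla.org/xul.pdb/4D5E6F/xul.pdb status=200",
    "2023-09-07T10:22:41Z host=ws-17 proc=symfetch.exe method=GET url=https://symbols-cdn.example.net/update/helper.dll status=200",
    "2023-09-07T10:22:42Z host=ws-17 proc=symfetch.exe method=POST url=https://symbols-cdn.example.net/api/report status=200",
    "2023-09-07T10:23:00Z host=ws-17 proc=chrome.exe method=GET url=https://example.org/ status=200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.host} -> {a.dest}: {a.reason}")
```

Run against the constructed sample, the script raises one high-severity alert for the .dll pulled from symbols-cdn.example.net and one medium-severity alert for the POST to the same host, while the genuine symbol downloads stay silent. The same allow-list shape works for any single-purpose tool: the point is that a program with a narrow legitimate job has a narrow legitimate set of destinations, and the attacker-controlled C2 or payload domain will not be on it.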
“The targeting of those involved in cybersecurity research is not rare. In fact, it has grown more frequent and sophisticated over the years,” commented Callie Guenther, cyber threat research senior manager at Critical Start.
“There have been incidents where nation-state actors, like North Korea and Russia, have specifically aimed at cybersecurity professionals and organisations. These operations are multifaceted, aiming not just to steal information but also to gain insights into defence mechanisms, refine their tactics and better evade future detection.”
The escalation of North Korean activity against security researchers is a serious challenge for the researchers themselves and for the broader cybersecurity community. As these attackers adapt and refine their methods, practitioners must stay vigilant and keep strengthening their defences to counter the growing threat.