North Korea Steals Intellectual Property of Cybersecurity Pros: How It Happened
Historically, though not a country considered ethical, North Korea has not been seen by most as a cybersecurity threat. The nation is known to pop into the news every few months with empty threats, then rapidly retreat from the global arena.
Though it may look like the Kims can get their hands on pretty much anything they want, the truth is that their financial resources are quite limited. Most notably Because North Korea's national currency is one of the very few that isn't internationally traded. In other words, it's "Monopoly Money" with an arbitrary value that the dictator in power determines.
Such a lack of financial security has led the country's leaders to make some genuinely bizarre moves. For example, in the 1970s, North Korea convinced Volvo to "rent" them one thousand Volvos for use as taxis. In less than a year, North Korea promptly stole the entire fleet and still uses some of them to this day.
North Korea’s Move To The Digital Sphere
Because of its isolationism and the staggering count of economic sanctions it faces, North Korea doesn't have much technology. No person outside higher-ups in the government can access the Internet, and the country collectively has a mere 1,024 IPv4 addresses allocated to it.
Even though security researchers had long warned that the country was training its most intelligent citizens in cybersecurity and employing them, the world largely dismissed its technical capabilities. North Korea proved most of the world wrong the days surrounding Sony's debut of The Interview (2014), a comedy movie mocking the Kims and showing an on-screen assassination of the dictator.
Sony was surprised to see that North Korea fired back digitally, with a quick attack crippling Sony's internal infrastructure and stealing movies that had not yet been released. Ultimately, the attack led to four movies being prematurely released to the public for free, enough information about many Sony employees to steal their identities put online, and embarrassing communications among employees spread around.
This was the beginning of a new era of criminal strategy to keep the country running. While the Sony attacks happened in 2014, North Korea continued into the ransomware arena. Many prominent researchers and the Department of Justice believe the countries government is behind the infamous ransomware "WannaCry." Ransomware is malware that encrypts certain types of files on a user's machine. It then demands the user pay a ransom to receive the key to decrypt their files to get them back and typically has a payment deadline of around three to seven days. Though ransomware is often used to extort individual users, it's most profitable when it can hold an institution's mission-critical data hostage, such as a hospital's medical records.
North Korea’s Masquerade
Even though ransomware proved to be profitable, wealthy targets became challenging to find due to widespread public knowledge about ransomware and not being victimized by it. North Korea utilized social engineering against cybersecurity professionals to keep their coffers up in an ironic twist of events.
Using a Twitter handle that was promptly suspended, an agent of North Korea with the alias "Zhang Gou" messaged many cybersecurity researchers around the world, but primarily in the United States. The user typically asked if the researchers were interested in working with him on a novel exploit.
Some researchers immediately realized what was going on after (attempts at) verifying the individual's identity and ceased communications. Unfortunately, others didn't bother verifying the identity of the user and were eager to collaborate.
Unlike North Korea's past brash, blatant attacks, these were well-planned. The attackers took advantage of every major social media platform and even crafted a convincing security blog with original content written in perfect English. To many researchers, they just looked like another firm specializing in zero-day vulnerabilities.
How The Hack Worked
North Korea had two significant avenues of attack. The first was that their site contained what is very likely a zero-day exploit. If a user were running even the most recent versions of Windows 10 and Chrome, a Remote Access Trojan (RAT), which is a form of malware that allows a remote user to fully monitor activity, steal data, and run any command, would be silently installed in the background that even heuristics engines could not detect.
Their second attack strategy involved communicating that they had found what they believed to be an exploitable flaw in Chrome or Windows and wanted help with thoroughly crafting an exploit. They would then share a zipped Visual Studio project file with the target. Merely opening this project was enough to trigger the same silent RAT installation. However, many researchers were still not suspicious because the project was a partial solution to a zero-day exploit of a Chrome or Windows vulnerability.
Most of these contacts took place in January of 2021. However, on the popular /r/netsec subreddit, a very popular post was ultimately connected to the North Korea group sharing a new exploit on how to exploit a flaw in Visual Basic that was highly praised because it indeed worked. This was posted in October of 2020, likely harvesting thousands of potential victims in the process.
In the end, North Korea would be able to steal research from these professionals. In turn, they utilized some of their trusted sites to run drive-by attacks on visitors to increase their victim count. Disturbingly, even Google has yet to figure out how Chrome was exploited in this fashion.
The Show Ends
On January 25, 2021, Google's Threat Analysis Team published a lengthy blog post on this topic. Essentially, they said they've monitored this threat for months and identified every social media account used, have confirmed that some exploits were real and some were fake and that it was indeed from North Korea.
The blog has lots of screenshots of YouTube videos they previously posted, their Twitter and Reddit threads, and their "security research blog" that just functioned to install malware on Windows machines that visited it.
It's clear from the investment of time and technology that North Korea intended for this to be a much longer-term operation. After Google published this information, some researchers recognized social media handles that had contacted them and realized they were targeted. Had Google not acted, far more damage could have been inflicted (though we don't know the full extent of the damage done yet).
Almost immediately, hosts of the websites being used to propagate this malware terminated them. Likewise, their social media handles were quickly obliterated. However, it's almost inevitable that North Korea is still doing this with different sites and different accounts.
For professional researchers, this attack will have chilling effects for years to come, even for those it didn't directly affect. After all, the community relies on cooperation and collaboration. However, social engineering is one of the first topics taught to cybersecurity engineers. Many assumed it wouldn't happen in their circles.
Even if you aren't a professional researcher, there are some key lessons to learn from this incident. First and foremost, no amount of system hardening, patching, and updating will be a 100% guarantee that you're secure online. It's also a good reminder to verify that you're talking to the person you think you're talking to. If you are contacted by someone with a file you're interested in, use a Virtual Machine (VM) to open the file. Better yet, using any mainstream Linux flavor like Ubuntu can curb many attack attempts in itself.
Although North Korean government officials might still be sporting Volvos from 1974, it's quite clear that the country should be considered and treated as an Advanced Persistent Threat (APT); an APT refers to a group of highly skilled individuals, usually funded by a country's government, who constantly look for vulnerabilities they can exploit in their adversaries' systems.