The Atlanta Journal-Constitution

Report suggests North Korea preparing more cyberattacks

By Anna Fifield

TOKYO — North Korea is quietly expanding both the scope and sophistication of its cyberweaponry, laying the groundwork for more devastating attacks, according to a new report published Tuesday.

Kim Jong Un’s cyberwarriors have been accused of causing huge disruption in recent years, including being blamed for the massive hack on Sony Pictures in 2014 and last year’s WannaCry ransomware worm, as well as umpteen attacks on South Korean servers.

Now it appears that North Korea has also been using previously unknown holes in the Internet to carry out cyberespionage — the kinds of activities that could easily metamorphose into full-scale attacks, according to a report from FireEye, the California-based cybersecurity company.

Although the North Korean regime bans the internet for ordinary citizens and is decidedly behind the times with most technology, it has funneled a huge amount of time and money into building a cyberarmy capable of outsmarting more technologically advanced countries such as South Korea.

“Our concern is that this could be used for a disruptive attack rather than a classic espionage mission, which we already know that the North Koreans are regularly carrying out,” said John Hultquist, director of intelligence analysis for FireEye.

FireEye said that it has “high confidence” that a cyberespionage group it has identified as APT37 is responsible for a number of “zero-day vulnerability” attacks not just in South Korea but also in Japan, Vietnam and in the Middle East. Zero-day attacks are when hackers find and exploit flaws in software before the developers have had an opportunity to create a patch to fix them.

“It’s like your security system is a big wall but someone knows that there’s a hole somewhere in that wall and can crawl through it,” Hultquist said. “It’s fairly rare.”

It’s also a sign of sophistication as hackers are able to obtain access and defeat mature security programs, he said.

Experts say all the evidence suggests that Lazarus, the cyber-collective that launched the embarrassing attack on Sony and was behind the $81 million cyberheist of a Bangladeshi bank in 2016, has links to the North Korean regime. It is also accused of masterminding last year’s WannaCry attack, which crippled companies, banks and hospitals around the world.

North Korea is also accused of numerous attacks in South Korea. The most recent involved the hacking of a South Korean cryptocurrency exchange. The bitcoin exchange Youbit lost 17 percent of its total assets in the December attack, and said it would close down as a result.

But this APT37 appears to have been operating under the radar, exploiting holes in South Korean cybersecurity since 2012 to covertly gather intelligence on issues of concern for the North Korean regime: the government, military, media and human rights groups among them. These targets, together with the times of day that attacks happen, strongly point to North Korea, FireEye said.

Last year, however, APT37 appears to have targeted a Japanese entity involved in imposing sanctions on North Korea, a Vietnamese company and one in the Middle East.

FireEye did not name any of the targets for legal reasons, but its description of the attack on the company in the Middle East perfectly describes Orascom, the Egyptian telecommunications company that had started a cellphone company in North Korea, only to have almost all its profits retained by the regime.

As well as expanding its geographical reach, APT37 also appears to be targeting a wider range of industries, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities, the report said.

PATRICK T. FALLON / BLOOMBERG 2014: Experts say the Lazarus cyber-collective that hacked the computers of Sony Pictures Entertainment in 2014, and that was also behind the $81 million cyber-heist of a Bangladeshi bank in 2016, had links to the North Korean regime.
