The Daily Beast has an interesting article discussing how North Korea may be developing malware capable of shutting down portions of the US power grid:

But in September, Dragos picked up a new adversary, code-named “Covellite,” that appears to be trying to join that club. Covellite has been targeting electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group, the most destructive and outright criminal of the state-sponsored hacking gangs. Dragos doesn’t link attacks to specific nation-states, but the U.S. government has publicly identified the Lazarus Group as North Korea.

If Kim Jong Un is trying to duplicate Russia’s electricity-killing capability, he’s in an early reconnaissance stage—Covellite hasn’t shown any particular expertise in the arcana of industrial-control systems. But Dragos’ Joe Slowik says it’s a worrying development. “From a risk standpoint, that actor could be really interesting,” says Slowik. “Particularly if things on the Korean Peninsula get worse.”

It should come as no surprise to see North Korea attempting to develop the same type of cyber weaponry that other major nation-state players are leveraging. The recently semi-cozy relationship between Russia and North Korea could be a factor in the country's change of focus.

Generally, North Korea conducts cyber attacks primarily for financial gain, owing to the global sanctions imposed against the nation and its having been cut off from the world banking system. Additionally, the tensions between Trump and Kim Jong Un are likely pieces of a strategic puzzle being assembled in Pyongyang, leading North Korea to pursue more destructive cyber weapons than mere ransomware and other means of generating revenue.

The Telegraph is reporting that the US has been preparing to launch a wide-ranging, potentially devastating cyber attack against North Korea:

In the last six months, the US has been covertly laying the groundwork for cyber attacks that would be routed through South Korea and Japan, where the US has extensive military facilities. The preparations include installing fibre cables into the region and setting up remote bases and listening posts from where hackers will attempt to gain access to North Korea’s version of the Internet, which is walled off from the rest of the world.

Another official told the magazine that a large part of the US spying and cyber warfare capability is being refocused on North Korea, including analysis of signals intelligence, overhead imagery and geospatial intelligence.

Analysts with expertise in other areas – such as the war on narcotics or monitoring geo-political issues in Africa – are also being reassigned to the new Korea Mission Centre at the CIA’s headquarters in Langley, Virginia.

News about impending US-perpetrated cyber attacks is highly unusual, which makes me wonder about the truth of this story. If it is true, I wonder to what extent there is an actual future plan, as opposed to North Korean network assets already having been infiltrated.

There is far more to this story than being reported, and it will likely not be something mentioned for quite some time.

WIRED has an in-depth article on the recently revealed North Korean hacker group known as APT37 (aka ScarCruft, aka Group123):

In its analysis of APT37, FireEye provides a rare breakdown of the hacker group’s entire known toolset, from initial infection to final payload. Earlier this month, security firms tracked the group using a zero-day vulnerability in Adobe Flash to spread malware via websites, an unusual use of a still-secret and unpatched software flaw. But in the past, the group has also exploited non-zero-day Flash vulnerabilities that victims have been slow to patch, lingering flaws in the popular Korean Hangul word processor to infect computers via malicious attachments, and even BitTorrent, indiscriminately uploading malware-infected software to piracy sites to trick unwitting users into downloading and installing it.

Once it finds an initial foothold on a victim’s machine, APT37 has a diverse grab bag of spy tools at its disposal. It has installed malware that FireEye calls DogCall, ShutterSpeed, and PoorAim, all of which have the capability of stealing screenshots of a victim’s computer, logging keystrokes, or digging through their files. Another malware sample, ZumKong, is designed to steal credentials out of browser memory. A tool called CoralDeck compresses files and extracts them to the attacker’s remote server. And a piece of spyware FireEye calls SoundWave takes over a victim’s PC microphone to silently record and store eavesdropped audio logs.

Perhaps most disturbing, Hultquist notes, is that APT37 has in some cases also dropped a tool that FireEye calls RUHappy, which has the potential to destroy systems. That wiper malware deletes a portion of the computer’s master boot record and restarts the computer so that it’s left fully paralyzed, displaying only the words “Are You Happy?” on the screen. FireEye notes that it’s never actually seen that malware triggered on a victim’s network—only installed and left as a threat. But Cisco’s Talos researchers noted in their own detailed report on APT37 last month that a 2014 attack on a Korean power plant had indeed left that three-word message on wiped machines, though they weren’t able to otherwise tie that attack to APT37.

It is fascinating how the different hacker groups within nation-state-backed organizations use distinct tactics, techniques, and procedures, which makes it relatively easy for foreign intelligence agencies to track their operations. While there is no definitive proof that APT37 is who FireEye says they are, there is a good chance this is the real deal. Attribution used to be difficult, but it has come a long way in recent years.

This is one group to watch, especially since they have already targeted Japan. This means there is a possibility they may leverage Tokyo 2020 as a jumping-off point into Japanese networks.

Reuters discusses a White House Council of Economic Advisors report estimating that malicious cyber activity could have cost the US economy between $57 billion and $109 billion in 2016:

The report quoted the U.S. intelligence community as saying the main foreign culprits responsible for much cyber activity against U.S. targets are Russia, China, Iran and North Korea.

But it also said malicious cyber activity is not limited to foreign actors. Corporate competitors, activists seeking to advance a political agenda and organized crime are also responsible, it said.

The report said effective public and private-sector efforts to combat the illicit activity would contribute to gross domestic product growth.

Those numbers are huge. I am genuinely curious how they arrived at those specific dollar figures, and at such a large gap between the lower and upper bounds. Quantifying malicious cyber activity is so ambiguous that I find it hard to believe those amounts are realistic.

ZDNET reports about new Lazarus attack activity designed to steal bitcoins from global banking organizations:

Now Lazarus has resurfaced once again, with a phishing campaign which aims to plant malware on the systems of global financial organisations and bitcoin users for both short-term and long-term gain.

Dubbed ‘HaoBao’, the campaign has been uncovered by MacAfee [sic] Labs. It’s different to other phishing operations by the Lazarus group and uses novel code to infect machines.

The latest Lazarus campaign was first spotted in mid-January, when researchers discovered a malicious document being distributed via a Dropbox link, which claimed to be a job advert for a business development executive located in Hong Kong for a large multi-national bank.

The author is listed as ‘Windows User’ and the document was created in Korean, with additional similar documents appearing in the days which followed.

Attackers pose as a job recruiter, and send the target a spear-phishing email with a fake job advert, which when opened encourages the user to ‘enable content’ to see a document they’re told was created with an earlier version of Word.

The entire campaign does not appear to be all that sophisticated, despite the techniques not having been witnessed previously. North Korea seems laser-focused on stealing money rather than on disruption or destruction. Now is an interesting time to focus on stealing bitcoin, considering its recent major devaluation, but if Lazarus is in it for the long term then it may prove lucrative.

Dark Reading on North Korea's surprising use of a recent Adobe Flash zero-day exploit, a technique it rarely employs in its cyber operations:

The recent attack campaign against South Korean diplomatic targets appears to have concluded on January 31, according to Kaspersky’s telemetry. That’s the same day that South Korea’s Computer Emergency Response Team (KrCERT/CC) first issued an advisory on the zero-day vulnerability in Flash Player ActiveX and earlier versions. The bug (CVE-2018-4878) abused in the attacks is a use-after-free vulnerability that allows remote code execution, according to Adobe’s advisory.

Researchers at Cisco Talos found that the attack came via a rigged Microsoft Excel document that, once opened, downloaded the ROKRAT, a popular remote administration tool (RAT) used by advanced cybercrime gangs.

Raiu believes the attack group most likely purchased the Flash exploit and didn’t discover the vulnerability itself. “I don’t believe they could develop a zero day by themselves. My suspicion is that more likely, they were able to purchase it,” he says. “They have access to cryptocurrency, which allows them to purchase zero days on the dark market.”

He and other researchers say ScarCruft is not part of the infamous and prolific Lazarus Group, which was behind the destructive Sony attack and WannaCry. A spinoff group of Lazarus that Kaspersky Lab calls Bluenoroff is believed to be behind the SWIFT banking attacks. “Lazarus Group has hundreds of different malware variants, and they are incredibly resourceful,” he says. “These guys [ScarCruft] are high-school level. I’m surprised they were able to acquire a zero day.”

It should really come as no surprise to see North Korea purchasing zero-day vulnerabilities for use in its cyber attack operations. ScarCruft is not a well-known attack group outside security circles, and oftentimes not even within them. This operation may have been motivated partly by a desire for publicity rather than by the standard North Korean incentives.

The Sacramento Bee reports on how North Korea was able to turn itself into a global cyber power despite having so little internet access:

Initially, the most promising hackers were sent overseas, specifically to Shenyang, the largest city in northeast China and a one-hour bullet train ride from the North Korean border.

It was there, ensconced at the Chilbosan Hotel, a facility that is North Korea’s largest overseas investment, where early hackers practiced their skills. Shenyang has always been a hub of North Korean illicit activity, including trafficking in counterfeit products.

Over the years, the best hackers would fan out to other countries where North Koreans were permitted to live, Moriuchi said, sometimes associated with legitimate businesses like restaurants but also engaged in other activities. Seven countries known to have a physical presence of North Koreans, in addition to China, are India, Indonesia, Kenya, Malaysia, Mozambique, Nepal, and New Zealand. It is in those countries, perhaps behind legitimate businesses, that hackers may be operating.

Today, North Korea is believed to have “between 3,000 and 6,000 hackers trained in cyber operations,” says a report by the Congressional Research Service, titled North Korean Cyber Capabilities, dated Aug. 3.

Many of them are believed to be overseas. Successive U.S. administrations have sought to pressure allies to end trade and diplomatic relations with Pyongyang.

A short but good history of North Korean cyber operations and their major intrusions.

Dark Reading reports on the most active threat actor groups from the calendar year 2017:

The busiest threat actor groups of 2017 were Sofacy (otherwise known as Fancy Bear or APT28) and the Lazarus Group, security experts report. As these groups ramped up activity, threat actors operating out of China became quiet.

Analysts at AlienVault leveraged data from its Open Threat Exchange (OTX) threat intelligence sharing platform to take a broad look at threat patterns from last year. They found the most frequently referenced threat group in 2017 was Sofacy.

Ten years ago, Sofacy primarily targeted NATO and defense ministries. Over the past three years its operations have expanded to target businesses, individuals, and elections in the United States and France. Leaked information from the US government, and an official report from the German government, indicate the threat group is associated with Russian military intelligence.

The second most active group was Lazarus, which is believed to operate out of North Korea (or Democratic People’s Republic of Korea, DPRK).

It really is striking how quiet China was in 2017 compared to previous years. It could be that Russian and North Korean threat actors are creating so much noise that China is merely slipping under the radar.

It is hard to believe China has slowed its cyber operations to the point of being almost irrelevant for an entire calendar year. I suspect its operators have grown more sophisticated and their exploits have yet to be discovered. In due time we will know.

Fortune has an outstanding in-depth look at the Sony hack, ostensibly perpetrated by North Korea, and this is only part 1:

Before Sony’s IT staff could pull the plug, the hackers’ malware had leaped from machine to machine throughout the lot and across continents, wiping out half of Sony’s global network. It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. To make sure nothing could be recovered, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data seven different ways. When that was done, the code zapped each computer’s startup software, rendering the machines brain-dead.

From the moment the malware was launched—months after the hackers first broke in—it took just one hour to throw Sony Pictures back into the era of the Betamax. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.

That was only the beginning of Sony’s horror story. Before destroying the company’s data, the hackers had stolen it. Over the next three weeks they dumped nine batches of confidential files onto public file-sharing sites: everything from unfinished movie scripts and mortifying emails to salary lists and more than 47,000 Social Security numbers. Five Sony films, four of them unreleased, were leaked to piracy websites for free viewing. Then the hackers threatened a 9/11-style attack against theaters, prompting Sony to abandon The Interview’s Christmas release. A week later, after an uproar, the studio announced it would make the movie available, after all, through video on demand and in a few hundred theaters.

Read the entire article. It is worth your time.

Yonhap News Agency on the new PACOM Commander pulling no punches about the unpredictability of North Korea (emphasis added):

On March 26, 2010, the 1,200-ton naval corvette sank in the Yellow Sea, killing 46 South Koreans. An international investigation found that Pyongyang had torpedoed the ship, though the belligerent regime has denied responsibility. The hull of the vessel is on display at the fleet’s headquarters.

“I believe North Korea is dangerous, it’s unpredictable, and it’s led by the leader (Kim Jong-un) who is arrogant. I consider North Korea a rogue nation discredited by the entire world,” Harris said, pointing out that Pyongyang has expressed its “willingness to use military provocations to achieve its national goals.”

In a saber-rattling move against South Korea and the U.S., the North has continued to build up its asymmetric capabilities and launch provocative actions. Last month alone, the North carried out live-fire drills twice near the Northern Limit Line, the de facto inter-Korean maritime border in the Yellow Sea.

“So I have to tell you that the U.S. remains vigil in the face of North Korea’s continued provocations and steadfast in our alliance’s commitment to the ROK. It is no accident that the first country that I visited as the Pacific Command commander in the bilateral sense was Korea,” he added, referring to South Korea by its official name, the Republic of Korea.

PC World on North Korea threatening increased cyber attacks against the US:

In an article published in the country’s largest daily newspaper on Tuesday, North Korea said it would wage a cyber war against the U.S. to hasten its ruin. Such bellicose threats are fairly common in North Korean media and aren’t always followed by action, but when it comes to cyber attacks, the country has been blamed for several large attacks in the past.

Most have been against South Korea, but the country was also publicly accused by the U.S. government of being behind last year’s devastating attack against Sony Pictures.

“The DPRK can react to any forms of wars, operations and battles sought by the U.S. imperialists,” the article said, using the acronym for the country’s official name, the Democratic People’s Republic of Korea.

“It is the firm determination of the DPRK to wage Korean-style cyber war to hasten the final ruin of the U.S. and the forces following it, who attempted to bring down the former with the cyber war,” it said.

North Korea is just trying to act like a bully, even though it has almost nothing in its arsenal to scare the world other than being highly irrational.