Attacks on UN and NGO staff that work on DPRK

Most likely adversary: The Lazarus Group of North Korea (alias Silent Chollima, Group 123, Hidden Cobra, Zinc, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain).

The earliest known attack attributed to the Lazarus Group is “Operation Troy” (2009–2012), a cyber-espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques to target the South Korean government in Seoul. The group is also considered responsible for attacks in 2011 and 2013, and possibly for a 2007 attack targeting South Korea. A notable attack was the 2014 attack on Sony Pictures, which showed more sophisticated techniques. Currently the group is thought to have two subgroups:

  • Bluenoroff, named after the tools used in attacks on financial networks: hacking into financial institutions (Unit 180), hijacking gambling sessions, and selling pirated and cracked software, all of which is focused on funnelling funds to North Korea.
  • Andariel, focusing on gathering intelligence from other nations and, in some cases, disrupting rival states and military targets (Unit 121). Classified wartime contingency plans jointly drawn up by the United States and South Korea appear to be of interest, including the military’s “decapitation” plan (removal of Kim Jong-un) if and when war breaks out.

It may well be that Lazarus is looking for the “decapitation plan”, and is now also looking for it among UN staff working on DPRK.

According to the South China Morning Post, North Korea’s most promising hackers are sent to Shenyang, in China, to learn how to place malware of all kinds on hosts (vulnerable endpoints). Domestic education includes the Kim Chaek University of Technology and Kim Il Sung University. North Korean adversaries have left many clues in their wake throughout the evolution of their malware arsenal.

When a malware campaign becomes less successful, it is common practice to change some of its basics, such as using a different packer to bypass defences. By identifying reused code, valuable insights about “ancestral relations” between samples can be gained. Lazarus thus appears to be a collective name for many DPRK cyber operations, and there seem to be links between malware families used in different campaigns. The malware families most likely created by Unit 123 seem connected to each other but separate from those used by Lazarus. Although these are different units focusing on different areas, there seems to be a parallel structure in which they collaborate during certain campaigns.

The group is known for spear-phishing attacks: emails with a plausible cover message and an attached document which, when opened, urges the user to “enable content” in order to view a document supposedly created with an earlier version of Word (in reality this enables Visual Basic macros and lets the attackers begin implanting malware), or attacks that hijack legitimate sites, as was apparently done in this attack.
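One defender-side check for the macro lure described above, as an added example that is not from the page or from any tool it names: a Python triage helper (an assumed name, not the page's own) that inspects an Office Open XML attachment for an embedded VBA part and macro-enabled content types, run here against two constructed in-memory sample documents.

```python
import io
import zipfile

# Indicators of VBA in an OOXML (docx/xlsx/pptx family) package.
MACRO_PART = "vbaProject.bin"
MACRO_CT = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> list:
    """Return indicators of embedded VBA in an OOXML document (empty = none found).

    Non-zip input (e.g. legacy OLE2 .doc) returns ['not-ooxml'] so the caller
    routes it to a different check instead of treating it as clean.
    """
    if not data.startswith(b"PK\x03\x04"):
        return ["not-ooxml"]
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A vbaProject.bin part anywhere (word/, xl/, ppt/) means macros are present.
        found += [f"part:{n}" for n in names if n.rsplit("/", 1)[-1] == MACRO_PART]
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CT in ctypes:
                found.append("content-type:vbaProject")
            if "macroEnabled" in ctypes:  # .docm/.xlsm/.pptm main part declared
                found.append("content-type:macroEnabled")
    return found


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory; sample input, not a real document."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        ctypes += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:  # constructed placeholder bytes, not real VBA
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean.docx", build_sample(False)), ("lure.docm", build_sample(True))):
        print(label, find_macro_indicators(doc) or "no macro indicators")
```

A mail gateway or incident triage script would quarantine any attachment for which the indicator list is non-empty, and route 'not-ooxml' results to a separate OLE2 check.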

People have been taught that one of the key steps in protecting their personal information online is to ensure that it is entered only over an encrypted connection (check for the lock symbol in the browser address bar, or that the web address begins with https://). That makes attacks using SSL certificates extremely dangerous, because most users associate the presence of a valid SSL certificate with an increased level of security. In these attacks, bona fide certificate owners find that they are unwittingly providing facilities for phishing because their site has been compromised by an adversary.

The techniques used in these attacks seem typical of first-stage dropper malware. The adversary drops these samples on victims’ machines and collects information on where they landed in the victims’ networks and which user/access rights they gained. In this specific attack, JavaScript logic on the phishing pages detects whether the page is being loaded on a mobile device and delivers mobile-specific content. From there, the malware starts exfiltration over an alternative protocol, or a C&C server takes over for privilege escalation, lateral movement and collection (staged, from the local system and from input capture).

  • Last modified: 2019/11/21 14:47