ATK3

Presumed Origin: North Korea

Alias: COVELLITE, Hidden Cobra, Lazarus, Lazarus Group

The International Context as a Driver of the North Korean Cyber Strategy

Recent history implications

Asia's recent geopolitics is structured not only by China's economic and informational stranglehold, exercised through new international institutions and vassalized digital champions, but also by North Korea, whose recent policies remain difficult to pin down. North Korea's foreign policy orientations are nevertheless indexed to its confrontation with the United States.

It should be recalled that in February 2007 relations between the two countries were due to be normalized after a bilateral agreement was signed in Beijing recording the closure of the Yongbyon power station. One year after the agreement, however, North Korea announced the reopening of this facility, and in April 2009 it fired an Unha-2 rocket that was officially supposed to carry a communications satellite; according to military security experts, it was in fact a ballistic missile. Since then, relations have fluctuated between tension and calm, as North Korea, under embargo, is held by the throat. To placate its adversary, the United States provides food aid in exchange for an effort of restraint[1]. The aid is not enough, however, and North Korea has no choice but to renew its pressure or to resort to perilous barter: for decades it has been exchanging arms with countries such as Syria, Iran, Congo, Myanmar, Eritrea and Yemen in return for food[2]. The year 2018 is interesting from this point of view, since the paradigm of relations between the United States and North Korea took an unexpected turn.

A new relationship with the United States?

After months of great tension between Donald J. Trump and Kim Jong Un, which led the international community to fear a nuclear incident, the North Korean leader proposed to the American President a meeting to discuss his country's military nuclear program. Prior to the meeting on 12 June 2018, Kim Jong Un reshuffled the North Korean army and said he wanted to maintain "the momentum of appeasement with the United States and its willingness to eventually give up its nuclear deterrent.[3]" The summit resulted in a joint statement, the "Joint Statement of President Donald J. Trump of the United States of America and Chairman Kim Jong Un of the Democratic People's Republic of Korea at the Singapore Summit". Four main points emerge from this statement.

First, the United States and North Korea commit to establishing a new relationship in accordance with the desire of the peoples of both countries for peace and prosperity. Second, the two countries will join efforts to build a lasting and stable peace regime on the Korean Peninsula. Third, reaffirming the Panmunjeom Declaration of 27 April 2018[4], North Korea commits to working towards the complete denuclearization of the Korean Peninsula. Finally, the two states undertake to recover the remains of prisoners of war and those missing in action, including the immediate repatriation of those already identified[5]. The declaration also mentions that D.J. Trump undertakes to provide security guarantees to North Korea in return.

Cyber as a new strategic lever for North Korean ambitions

How can this turnaround in the geopolitical situation be understood? One potential answer: a new cyber strategy.

North Korea is not to be outdone in this respect. In December 2017, the peninsular state had already distinguished itself with the WannaCry malware affair. In a quasi-joint statement, the United States and Great Britain stated that North Korea was behind this massive attack, which affected almost 300,000 computers in 150 countries and caused billions of dollars in damage. While no hard evidence was provided, Thomas Bossert, adviser to the US President, said that Australia, Canada and New Zealand shared the same conclusions[6]. The NCSC was more specific in its statement, saying that the North Korean hacking group Lazarus was almost certainly behind the attack. In May 2017 the infected computers had been locked down instantly and users were asked to pay a ransom in exchange for the restoration of their data. Europol described the scale of the attack as "unprecedented". Already in 2014, North Korea had attacked Sony Pictures. Due to the scale of the damage, the U.S. received help from Microsoft and Facebook to counter WannaCry. Microsoft in a publication confirmed the statements of the British NCSC and stated that "by working with Facebook and other members of the security community, we have taken strong measures to protect our customers and the Internet from ongoing attacks by an advanced persistent threat actor known as ZINC, also known as the Lazarus Group". The attack, while reaching known geopolitical adversaries such as Britain, whose National Health Service (NHS) was hit hard, also spread to states relatively close to North Korea such as Russia, where the country's postal services were severely disrupted.

A cyber tool at the service of the regime's domestic and foreign policy

North Korea uses its cyber capabilities for two geopolitical purposes. First, as with the Sony and WannaCry attacks, the country quite simply targets its classic geopolitical enemies. In June 2018, for example, North Korean hackers targeted a South Korean think tank specializing in national security issues. The hackers exploited a zero-day[10] to compromise the organization's website and insert a backdoor for code injection. Earlier, in April 2018, Chinese state-sponsored hacking groups targeted Japanese defence companies to obtain information on Tokyo's policy towards North Korea; this information was likely shared. In May it was Google Play that was hit: compromised Android applications hosted on the store stole information from devices and loaded code that exfiltrated photos, contact lists and SMS messages.

In addition to these direct attacks and cyber-espionage actions of geopolitical origin, North Korea also turns to cyber operations as a consequence of its geopolitical situation. As mentioned, the country has to rely on barter to support itself and to circumvent the Western embargo. Cyber-attacks have become the new tool of this North Korean policy of survival. In August 2018, the Indian bank Cosmos was robbed of 13.5 million dollars by North Korean hackers who, after penetrating the bank's systems and making thousands of unauthorized ATM withdrawals, made several illegal money transfers over the SWIFT financial network. The same technique, with the same consequences, was seen in April 2018 at a Central American online casino, with the aim of siphoning off funds. Finally, among many other examples, as early as March 2018 the group of hackers in question targeted several major Turkish banks and government funding agencies[11].

What does Lazarus really mean? [12]

The North Korean cyber threat structure is unique. Several high-level groups exist, each dedicated to a specific function. However, all of these groups are linked to the North Korean military apparatus, in particular to Bureau 121 of the Reconnaissance General Bureau, which leads most sources to lump them together under a single name, Lazarus. This aggregation is nevertheless detrimental to analysis, insofar as the "Lazarus" prism leads one to consider that a single group pursues APT, cybercriminal, terrorist and hacktivist motivations all at once. We try as far as possible to specify the Lazarus sub-groups in order to provide adequate intelligence.

ATK3, or Lazarus, is not a single threat group. It represents Bureau 121, one of the eight bureaus associated with the Reconnaissance General Bureau (RGB). Bureau 121 is the primary office tasked with cyber operations. It was reorganized in September 2016 and is now composed of:

  • Lab 110: the key cyber unit under the RGB; it applies cyberattack techniques to conduct intelligence operations
    • Office 98: primarily collects information on North Korean defectors, the organizations that support them, overseas research institutes related to North Korea, and university professors in South Korea.
    • Office 414: gathers information on overseas government agencies, public agencies, and private companies.
    • Office 35: concentrates on developing malware and on researching and analyzing vulnerabilities, exploits, and hacking tools.
  • Unit 180: specialized in conducting cyber operations to steal foreign money from outside North Korea.
  • Unit 91 (or ATK4 – APT37):
    • focuses on cyberattack missions targeting isolated networks, particularly South Korea's critical national infrastructure such as KHNP and the ROK Ministry of National Defense.
    • steals confidential information and technology to develop weapons of mass destruction.
  • 128 and 413 Liaison Offices: responsible for hacking foreign intelligence websites and training cyber experts.

Bureau 121 conducts three main types of operations:

  • Cyber espionage: the Lazarus units have conducted multiple cyber espionage operations such as the Kimsuky campaign and Operation KHNP. These espionage operations have different objectives, such as tracking North Korean dissidents, collecting intellectual property that helps the development of weapons of mass destruction, or political espionage.
  • Cyber terrorism: in 2013 North Korea conducted disruptive attacks on South Korean media and financial companies (Operation DarkSeoul) and was responsible for the Sony hack linked to the movie "The Interview" in November 2014. These attacks occurred before the 2016 reorganization of Bureau 121, so it is not possible to tell which unit is currently responsible for disruptive operations.
  • Money theft: one of the missions of Bureau 121 is to collect liquidity to finance these cyber activities and the DPRK itself. This is done by spreading ransomware such as the infamous WannaCry, which collected $91,000, and through bank robbery. Cyber bank robbery is carried out by infiltrating the banking network to steal SWIFT credentials and then using those credentials to initiate transactions to an account controlled by the attacker. The best known case is the Bangladesh Central Bank heist of February 2016, which allowed the theft of $81m. This activity is carried out by Unit 180, whose objectives are similar to those of the North Korean threat group APT38, aka Stardust Chollima or BlueNoroff.

Bureau 121 is supported by other units from the General Staff Department:

  • The Operation Bureau: tasked with defining cyber strategies and planning operations
  • The Command Automation Bureau, composed of three units:
    • Unit 31: responsible for malware development (seems redundant with Office 35)
    • Unit 32: responsible for military software development
    • Unit 56: responsible for command and control software development
  • The Enemy Collapse Sabotage Bureau: tasked with information and psychological warfare.

A cyber operation involves the interaction of these different teams. For example, the Operation Bureau defines an objective, Office 35 finds a usable exploit, and Unit 31 develops the backdoor and the lure documents, with the help of the Enemy Collapse Sabotage Bureau to craft effective spear-phishing documents. Unit 56 develops the C2 software and maintains the C2 infrastructure, which is then used by Lab 110, Unit 180 or Unit 91 to achieve the objective. Because of this configuration, tool and infrastructure overlaps between the different operational units are to be expected.

References:

[1] https://www.liberation.fr/planete/2012/03/28/les-usa-privent-la-coree-du-nord-d-aide-alimentaire_806501

[2] https://www.rtl.fr/actu/international/la-coree-du-nord-troque-des-armes-contre-de-la-nourriture-7763234416

[3] https://www.lemonde.fr/asie-pacifique/article/2018/06/06/avant-le-sommet-avec-donald-trump-kim-jong-un-purge-son-armee_5310429_3216.html

[4] Commitments between the two Koreas regarding cooperation and mutual peace. In particular, the two Koreas undertake to work towards the denuclearization of the Korean Peninsula, both on the southern side (under the protection of US nuclear weapons) and on the northern side.

[5] https://www.cnbc.com/2018/06/12/trump-and-kim-sign-agreement-document-after-summit-in-singapore.html

[6] https://www.bbc.com/news/world-us-canada-42407488

[7] Ibid.

[8] Ibid.

[9] Ibid.

[10] A computer vulnerability that has not been published or has no known patches.

[11] https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents

[12] https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf

Target sector

  • Aerospace
  • Energy
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • Manufacturing
  • Media
  • Military

Target countries

  • Korea, Republic of
  • United States of America

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1008 - Fallback Channels
  • T1010 - Application Window Discovery
  • T1012 - Query Registry
  • T1013 - Port Monitors
  • T1016 - System Network Configuration Discovery
  • T1022 - Data Encrypted
  • T1023 - Shortcut Modification
  • T1024 - Custom Cryptographic Protocol
  • T1025 - Data from Removable Media
  • T1026 - Multiband Communication
  • T1027 - Obfuscated Files or Information
  • T1032 - Standard Cryptographic Protocol
  • T1033 - System Owner/User Discovery
  • T1036.004 - Masquerade Task or Service
  • T1041 - Exfiltration Over C2 Channel (formerly Exfiltration Over Command and Control Channel)
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1050 - New Service
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1065 - Uncommonly Used Port
  • T1067 - Bootkit
  • T1070 - Indicator Removal on Host
  • T1070.006 - Timestomp
  • T1071 - Standard Application Layer Protocol
  • T1074 - Data Staged
  • T1076 - Remote Desktop Protocol
  • T1077 - Windows Admin Shares
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1089 - Disabling Security Tools
  • T1090 - Connection Proxy
  • T1098 - Account Manipulation
  • T1099 - Timestomp
  • T1105 - Remote File Copy
  • T1106 - Native API
  • T1107 - File Deletion
  • T1110 - Brute Force
  • T1112 - Modify Registry
  • T1115 - Clipboard Data
  • T1124 - System Time Discovery
  • T1132 - Data Encoding
  • T1134 - Access Token Manipulation
  • T1140 - Deobfuscate/Decode Files or Information
  • T1158 - Hidden Files and Directories
  • T1189 - Drive-by Compromise
  • T1193 - Spearphishing Attachment
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1223 - Compiled HTML File
  • T1485 - Data Destruction
  • T1486 - Data Encrypted for Impact
  • T1487 - Disk Structure Wipe
  • T1488 - Disk Content Wipe
  • T1489 - Service Stop
  • T1492 - Stored Data Manipulation
  • T1493 - Transmitted Data Manipulation
  • T1494 - Runtime Data Manipulation
  • T1496 - Resource Hijacking
  • T1543.003 - Windows Service
  • T1560.002 - Archive via Library
  • T1569.002 - Service Execution
  • T1573.001 - Symmetric Cryptography
  • T1573.002 - Asymmetric Cryptography

Malwares

  • CRAT
  • Dacls
  • MATA
  • TFlower
  • ThreatNeedle
  • Vyveva

Vulnerabilities

  • CVE-2016-0034
  • CVE-2017-7269