North Korea targeted cybersecurity researchers using a blend of hacking and espionage

 

Connecting state and local government leaders

The North Korean operation highlights three important trends: stealing cyberweapons from industry, social media as a weapon and the blurring of cyber and information warfare.

The Conversation

North Korean hackers have staged an audacious attack targeting cybersecurity researchers, many of whom work to counter hackers from places like North Korea, Russia, China and Iran. The attack involved sophisticated efforts to deceive specific people, which raises the level of social engineering, or phishing attacks, and enters the realm of spy tradecraft.

The attack, reported by Google researchers, centered on fake social media accounts on platforms including Twitter. The fake personas, posing as ethical hackers, contacted security researchers with offers to collaborate on research. The social media accounts included content about cybersecurity and faked videos purporting to show new cybersecurity vulnerabilities.

The hackers enticed the researchers to click links to shared code projects -- repositories of software related to cybersecurity research – that contained malicious code designed to give the hackers access to the researchers’ computers. Several cybersecurity researchers reported that they fell victim to the attack.

From phishing to espionage

The lowest level of social engineering hack is a typical phishing attack: impersonal messages sent to many people in the hopes that someone will be duped into clicking on a malicious link. Phishing attacks have generally been on the rise since early 2020 – a side effect of the pandemic-driven work-from-home environment in which people are sometimes less vigilant. This is also why ransomware has become prevalent.

The next level of sophistication is spear-phishing. Here people are targeted with messages that include information that is specific to them or their organizations, which increases the likelihood that someone will click a malicious link.

The North Korean operation is at a higher level than spear-phishing because it targeted people who are security-minded by the nature of their occupation. This required the hackers to create convincing social media accounts complete with content about cybersecurity, including videos, that could fool cybersecurity researchers.

The North Korean operation highlights three important trends: stealing cyberweapons from industry, social media as a weapon, and the blurring of cyber and information warfare.

1. Theft of cyberweapons from industry

Before the North Korean operation, the theft of cyberweapons made headlines at the end of 2020. In particular, December’s FireEye breach resulted in the theft of tools used by ethical hackers. These tools were used to crack the security of corporate clients to show the clients their vulnerabilities.

This prior incident, attributed to Russia, illustrates how hackers attempted to augment their arsenals of cyberweapons by stealing from a commercial cybersecurity firm. The North Korean action against security researchers shows that they’ve adopted a similar strategy, though with a different tactic.

Back in the fall, the National Security Agency disclosed a list of vulnerabilities -- ways that software and networks can be hacked -- that were exploited by Chinese state-sponsored hackers. Despite these warnings the vulnerabilities have persisted, and information about how to exploit them could be found on social media and the dark web. This information was clear and detailed enough that my company, CYR3CON, was able to use machine learning to predict the use of these vulnerabilities.

2. The weaponization of social media

Information operations -- collecting information and disseminating disinformation -- on social media have become abundant in recent years, especially those conducted by Russia. This includes using “social bots” to spread false information. This “pathogenic social media” has been used by national intelligence operatives and ordinary hackers alike.

Traditionally, this type of targeting has been designed to either spread disinformation or entice an executive or high-ranking government employee to click on a malicious link. In contrast, the North Korean operation was aimed at stealing cyberweapons and information about vulnerabilities. 

3. The confluence of cyber and information warfare

Outside of the United States -- especially in China and Russia -- cyberoperations are considered part of a broader concept of information warfare. The Russians, in particular, have proved very adept at combining information operations and cyberoperations. Information warfare includes using traditional spy tradecraft -- operatives with false identities attempting to gain the trust of their targets -- to collect and disseminate information.

The attack against cybersecurity researchers could indicate that North Korea is taking cues from these other powers. The low-cost ability of a second-tier authoritarian regime like North Korea to weaponize social media provides it an advantage against the much greater technical capabilities of the U.S.

In addition, the North Koreans appear to have used one of their most valuable cyberweapons in this operation. Google reported that it appeared the hackers used a means of exploiting a zero-day vulnerability -- a software flaw that is not widely known -- in Google’s Chrome browser in the attack on the cybersecurity researchers. Once such an exploit is used, people are alerted to defend against it and becomes much less effective.

Setting the stage for something bigger?

In cybersecurity, big news items tend to be events like the Sunburst operation by Russian hackers in December -- large-scale cyberattacks that cause a great deal of damage. In the Sunburst attack, Russian hackers booby-trapped widely used software, which gave them access to the networks of numerous corporations and government agencies.

These large events are often proceeded by smaller events in which new techniques are experimented with -- often without making a large impact. While time will tell if this is true of the North Korean operation, the three current trends -- stealing cyberweapons from industry, social media as a weapon, and the blurring of cyber and information warfare -- are harbingers of things to come.

This article was first posted on The Conversation.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.