The hacking of the AP-HP hospital group in Paris, in the midst of the coronavirus outbreak, is a reminder of one of cybercrime's harshest laws: as in nature, attackers always go for the weakest or most fragile link. While such crimes feed the popular image of the hooded hacker, our political leaders would do well to remember that some nations have become specialists in cyberattacks with a specific financial goal in mind.
With one of the world's most antiquated network architectures and Internet access limited to a select few, North Korea does not spontaneously come to mind as a cyber-offensive military power. However, since the Sony Pictures hack, WannaCry and Operation Dark Seoul, the West can no longer reasonably ignore Pyongyang's weight on the international stage.
The 'country of secrecy' has a coherent military doctrine for cyberspace, built on three pillars: cyberattacks for financial gain; cyber espionage against enemy countries, with South Korea at the top of the list, but also against countries with which North Korea holds commercial contracts; and finally sabotage and digital activism.
Far from the French sphere of influence, North Korea nevertheless remains a potential threat, whether for financial reasons or simply as an opportunistic participant in a massive cyberattack.
Lazarus: Three Groups in One
The first records of Lazarus' activity date back to 2007. For years the group, operating under different names, carried out a growing number of acts of vandalism and 'cyberterrorism': a mixture of denial-of-service attacks, intrusions and data destruction. But it was not until 2016 that the group was clearly identified, by the Novetta report detailing Operation Blockbuster, the investigation prompted by the hacking of Sony in retaliation for the release of 'The Interview', a parody about Kim Jong-un.
The Novetta report helped identify signatures and a modus operandi specific to the North Korean regime. In total, more than 45 malware families developed in-house by Pyongyang were identified. Far from reflecting vandalism and cyberterrorism alone, these programs reveal the wide range of this APT's activities. Lazarus proper is the 'core' of the group, in charge of the attacks themselves. It is supported by two sub-groups: Andariel, which mainly conducts espionage, and Bluenoroff, which focuses on large-scale financial crime. Their goal? Circumventing economic sanctions through cyberspace.
Follow the Malware
North Korea is now well established in the shady business of stealing banking and financial data. Since the introduction of the sanctions in 2016, some sub-groups previously devoted to cyber intelligence have even changed targets. Andariel now attacks ATMs, while Bluenoroff, which previously went mostly after defence companies, now targets banks and commits high-profile heists. Over the last five years, Bluenoroff has in fact compromised almost twenty Polish banks. At the same time, bank card data theft ('skimming') is another technique favoured by Lazarus, which stole more than 230,000 unique card records in 2015.
It is sometimes difficult to trace these activities back to North Korea. Like illicit capital in tax havens, Lazarus hides its attacks behind numerous technical smoke screens, but also behind 'false flags': markers designed to attribute its attacks to others. By embedding fragments of Russian-language code or using malware popular with Russian cybercriminals, Pyongyang deliberately tries to frame Russia, the ideal suspect in any large-scale hacking operation.
North Korean operators are also frequently confused with Chinese hackers, as the 'country of secrecy' has largely copied its infrastructure from its neighbour.
However, these attempts to cover their tracks, at times ill-conceived, have ended up giving North Korean attacks a signature of their own: a mixture of Chinese and Russian cyberweapons. Moreover, while posing as Russians, North Korean hackers use machine-translated, approximate Russian that does not survive the scrutiny of a native speaker. Working hours, attack methods (spear phishing, watering holes) and choice of targets generally point towards North Korean attackers as well.
For all these reasons it is possible, as in a financial investigation, to 'follow the malware' and attribute an attack to North Korea with a good degree of confidence.
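The 'working hours' clue mentioned above can be made concrete. The script below is an added illustration, not part of the original article or of Lexfo's report: given the build timestamps of a batch of related samples (here a constructed list, not real Lazarus data), it asks for which UTC offset those timestamps cluster inside an assumed 09:00-18:00 weekday office day. A strong, consistent fit is one more signal to weigh alongside code reuse and targeting; it proves nothing on its own, since timestamps can be forged and UTC+9 also covers Japan and parts of Russia. Whole-hour offsets are assumed for simplicity (Pyongyang used UTC+8:30 between 2015 and 2018, so a real analysis would also test half-hour offsets).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real Lazarus data): UTC build timestamps as they might be
# read from the PE header TimeDateStamp of a dozen related samples.
SAMPLE_TIMESTAMPS_UTC = [
    "2016-02-01T00:12:00", "2016-02-01T03:45:00",
    "2016-02-02T01:30:00", "2016-02-02T06:05:00",
    "2016-02-03T02:20:00", "2016-02-03T08:10:00",
    "2016-02-04T00:40:00", "2016-02-04T04:55:00",
    "2016-02-05T07:30:00", "2016-02-05T13:00:00",  # the last one is late-evening overtime at UTC+9
    "2016-02-08T01:15:00", "2016-02-08T05:50:00",
]

# Assumed local office hours, half-open interval [09:00, 18:00).
WORK_START, WORK_END = 9, 18


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (no zone suffix) and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def in_working_hours(local: datetime) -> bool:
    """True if the local time falls on a weekday inside the assumed office hours."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_profile(timestamps_utc, offsets=range(-12, 15)):
    """For each candidate UTC offset (whole hours), return the fraction of
    timestamps that land inside office hours once shifted to that offset."""
    parsed = [parse_utc(t) for t in timestamps_utc]
    profile = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        hits = sum(in_working_hours(t.astimezone(tz)) for t in parsed)
        profile[off] = hits / len(parsed)
    return profile


def best_offsets(profile):
    """All offsets tied for the highest in-hours fraction (ties are common,
    so never report a single offset as if it were conclusive)."""
    top = max(profile.values())
    return sorted(off for off, frac in profile.items() if frac == top)


if __name__ == "__main__":
    prof = working_hours_profile(SAMPLE_TIMESTAMPS_UTC)
    for off in sorted(prof):
        print(f"UTC{off:+03d}: {prof[off]:.0%} of builds inside office hours")
    print("most consistent offset(s):", best_offsets(prof))
```

On the constructed sample, UTC+9 is the only offset that places 11 of the 12 builds inside office hours, while UTC+0 places a single one there. The value of the heuristic comes from volume: a few samples can be forged or compiled at odd hours, but a campaign spanning years is hard to fake consistently.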
Threats to Western Countries
It would be tempting for our corporate and political leaders to think of North Korea as a distant threat. While North Korea is not part of our 'strategic sphere' (which traditionally stretches from West Africa to the Middle East), it remains an ever-present danger. Tracking these 'home-made' malware programs shows that the cyberattacks carried out by the Pyongyang regime are driven less by geopolitical logic than by opportunism, financial or strategic, and pay no heed to borders. The United Nations itself estimates North Korea's proceeds from these cyberattacks at some two billion dollars.
Which takes us back to the law of the weakest link. This law, long internalised by cybersecurity professionals, now applies to all actors, private or public, without distinction. The political and health crisis into which the Covid-19 pandemic is pushing us not only reveals our democracy's weaknesses, it also accelerates the creation of vulnerabilities that individuals with malicious intentions can exploit. The explosion of cybercrime and the hacking of the Paris hospitals demonstrate this. It has been established that North Korea has already used the coronavirus pandemic as a pretext in attempts to hack South Korean officials. It would be naive to think it will stop there.
You can find the report on Lazarus APT cyberweapons on Lexfo’s blog.