Increasingly brazen North Korean hackers growing capable

North Korea’s army of hackers has grown more brazen and capable over the course of several months, broadcasting a growing willingness to launch attacks on international targets.

Hackers linked to Pyongyang have deployed new tools and escalated operations against financial targets and global organizations. Over the past two years, security professionals have observed a continuous improvement in North Korea’s technical capabilities.

{mosads}North Korea’s cyber capabilities are still considered inferior to those in other nations, like Russia, China and Israel. But some say North Korea’s evolution on cyber — coupled with the country’s willingness to execute attacks when motivated by geopolitical events — make Pyongyang one of the more threatening adversaries in cyberspace. 

“They have demonstrated that when they have the intention they will deploy the capability,” said Adam Meyers, vice president of intelligence at CrowdStrike. “I would say that it is a formidable cyber adversary for us.”

North Korea’s increased hacking activity comes against the backdrop of an anticipated historic summit between President Trump and North Korean leader Kim Jong Un that offers the prospect of North Korean denuclearization.

The result of that meeting — whether good or bad — is likely to have an impact on North Korea’s activity in cyberspace against the U.S. going forward. 

“The North Koreans carry out their attacks to fit a larger political agenda,” said Jim Lewis, a former State Department official and cybersecurity expert at the Center for Strategic and International Studies. “If the talks don’t go very well, then I think we will see a resurgence of North Korean activity.” 

The latest evidence of North Korea’s expanded activity came late last month, when researchers at cybersecurity firm McAfee revealed that a hacking campaign they had been tracking had widened to critical infrastructure, financial and telecommunications targets in 17 different countries.

The hacking campaign, which McAfee dubbed “Operation GhostSecret,” initially focused only on targets in Turkey’s financial sector. But after security researchers identified it publicly in March, the hackers immediately ramped up the operation and began to use new, more sophisticated hacking tools against targets in the Asia-Pacific, Europe and the United States.

“The threat actors appeared to carry on with impunity,” said Raj Samani, chief scientist at McAfee. “They just escalated.” 

The campaign has the hallmarks of the cyber espionage group known as “Hidden Cobra,” a term the U.S. government has used to describe North Korean state-sponsored hackers.

North Korea has cultivated its cyber skills over more than two decades, targeting South Korea with intelligence operations and other attacks — often using their neighbor as a testing ground for future hacks against international victims.

“They’re demonstrating that they’ve built up this capability,” said Fred Plan, a senior analyst at FireEye. “It’s kind of like a missile test.” 

The reclusive nation’s hacking capabilities were thrust into the public spotlight in late 2014, when a brazen attack on Sony Pictures resulted in a massive trove of confidential data being posted online.

The United States pointed the finger at North Korea — marking the first time that the government formally blamed a foreign nation for a cyberattack. The motivation: retaliation over a comedy depicting an assassination plot against Kim.

Since then, security researchers say North Korean-linked hackers have developed new tools and expanded operations to international targets and global organizations.

“It’s a level of capability that is improving continuously,” said Samani. “What we’re seeing is attacks against global organizations.” 

In order to relieve pressure of international sanctions imposed over the country’s nuclear program, Pyongyang has set its sights on financial targets. North Korea has been linked to the 2016 heist on Bangladesh’s central bank, in which hackers targeted the bank’s Society for Worldwide Interbank Financial Telecommunication transactions system to siphon off $81 million.

There is also more recent evidence of North Korean hackers launching attacks to steal computing power to mine Bitcoin and other forms of digital currency.

But North Korea has also demonstrated a relatively new interest in targeting critical infrastructure, both in South Korea and more broadly. FireEye said last October that it had detected and blocked Pyongyang-linked hackers from sending spear-phishing emails to U.S. electric companies.

FireEye suspects that the attacks were carried out for reconnaissance purposes, rather than in preparation for a destructive attack. Researchers say that the activity was blatant, and that the hackers didn’t try to cover their tracks.

“They wanted to let us know they did this,” said Plan. “It’s kind of a gradual escalation, and they were being explicit about it.” 

Experts note that North Korea is still behind in capability when compared to the United States, Russia and China. Some also suggest that the threat from North Korea has been exaggerated, pointing to a lack of high-profile successful attacks on U.S. targets.

“North Korean cyberattacks on the U.S. is overhyped, because it would be suicide,” Lewis said. 

In the immediate term, the focus worldwide is on reducing the nuclear threat from North Korea. Trump said Friday that his administration had set a time and location for the meeting with Kim, although experts have been skeptical about the prospects for denuclearization.

Lewis argued that it would be “wasted ground” for Trump to raise the issue of North Korea’s cyberattacks at the summit. “Hacking is not the problem with North Korea. The problem with North Korea is the missiles and the nukes,” he said.

Still, others see the rapid evolution of Pyongyang’s abilities as an indication of their potential to increasingly challenge the United States in cyberspace, especially if tensions between North Korea and the U.S. continue to rise.

“They’re more willing to conduct destructive attacks,” Plan said. “They’re more willing to step over the line.”