Microsoft has recently announced that it has detected an extensive network of cyberattacks coming from a North Korean hacker group it calls Thallium. Microsoft's Corporate VP of Customer Security & Trust, Tom Burt, explained how a court order allowed the company to take control of 50 domain names that had been linked to the group's malicious activity.
Microsoft says Thallium has been using spear-phishing to steal sensitive information from a number of victims, including government employees and individuals working on nuclear proliferation issues. The technique relies on emails designed to trick the recipient into clicking a malicious link, after which either their log-in credentials are harvested or their system is infected with malware. The majority of the identified targets were in the US, Japan or South Korea.
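Two of the classic tells of the credential-harvesting emails described above are anchor text that shows one domain while the link actually points at another, and a link host that is a near-miss of a domain the recipient trusts. The following is an added example, not code from the article or from Microsoft, showing how a mail gateway or triage script could flag both; the trusted-domain allowlist and the sample email body are constructed for the demo.

```python
"""Defender-side triage of links in an HTML email body (added example).

Flags two spear-phishing tells:
  1. anchor text that displays a domain/URL different from the href host;
  2. href hosts within edit distance 2 of a trusted domain (lookalikes).
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed values for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "mail.example.com"}  # constructed allowlist


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Return the lowercase hostname of a URL or bare domain, or None."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def edit_distance(a, b):
    """Levenshtein distance; inputs are short hostnames so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def triage_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        # Tell 1: the visible text is itself a URL/domain, but not the one the link goes to.
        if DOMAIN_RE.match(text) or "://" in text:
            text_host = host_of(text)
            if text_host and text_host != href_host:
                findings.append((href, f"display text {text_host} != link host {href_host}"))
        # Tell 2: the link host is a near-miss of a trusted domain (typosquat / lookalike).
        if href_host not in trusted:
            for good in trusted:
                if edit_distance(href_host, good) <= 2:
                    findings.append((href, f"lookalike of trusted domain {good}"))
                    break
    return findings


# Constructed sample message: one lookalike-host link with mismatched text,
# one legitimate link, and one attacker-controlled host with mismatched text.
SAMPLE_EMAIL = """
<p>Please review the attached policy update.</p>
<a href="https://examp1e.com/login">https://mail.example.com/login</a>
<a href="https://example.com/docs">company docs</a>
<a href="http://portal.attacker-demo.invalid/x">http://mail.example.com</a>
"""

if __name__ == "__main__":
    for href, reason in triage_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The edit-distance threshold of 2 is deliberately loose: it catches single-character swaps such as a digit 1 for a letter l, which is what a targeted lure relies on, at the cost of occasional false positives on genuinely short domain names, so a production filter would scope it to the registrable domain and to a curated allowlist.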
But this is not the first time North Korea has been involved in malicious cyber operations. In fact, North Korea has been so active that its attacks have exposed multiple vulnerabilities in software systems and networks around the world.
Let's look at a few examples of the impact North Korean hackers have had on the world of cybersecurity over the last decade. On November 24, 2014, a self-identified hacker group called Guardians of Peace leaked personal data taken from Sony Pictures. This included company emails, data on executive salaries, copies of then-unreleased Sony movies, plans for upcoming Sony films, screenplays and other sensitive information.
The attackers then deployed a Shamoon-style wiper malware to erase Sony's computer infrastructure. During the hack, the group demanded that Sony cancel the release of The Interview, a comedy depicting the killing of North Korean leader Kim Jong-un. Sony cancelled the film's official premiere and public theatrical release, instead making the movie available digitally, followed by a limited theatrical release the next day. United States intelligence officials, after analysing the software, techniques and network sources used in the attack, concluded that the breach was perpetrated by the North Korean government. This was a milestone case that showcased the capabilities of North Korean hackers, who have since carried out operations with even bigger global implications.
Lazarus: The Main Group Behind North Korea's Hackers
Another government-backed hacking group from North Korea is Lazarus. Code-named APT 38 by security firm FireEye, Lazarus is a financially motivated, regime-backed group responsible for destructive attacks against financial institutions, as well as some of the world's largest cyber heists. Based on widely publicised operations alone, the group has attempted to steal more than $1.1 billion.
According to experts, APT 38 was created after the March 2013 sanctions imposed on North Korea, and the first reported operations linked to the group took place in February 2014. These are allegedly the first known cases of a state actor using cyberattacks to steal funds, although other experts say Russia has been involved in similar activity for more than 20 years.
Global Attacks by Lazarus That Show Advanced Attack Capabilities
In 2015 and 2016, multiple cyberattacks exploiting global banking networks came to light. These attacks were again perpetrated by the hacking group Lazarus, whose techniques and malicious code were found to match those used in the Sony attack.
The banking attacks had major implications for the North Korean regime and also demonstrated how economic sanctions isolating an economy can have a direct impact on cybersecurity. This holds particularly true for North Korea, which has very few ways to earn money from its activities, given that its GDP is lower than that of most African countries.