Map of Europe in 1360.

Cyberwar, Economic Espionage, and Advanced Persistent Threats

North Korea

Analysis of North Korean behavior Analysis of North Korean Internet activity

According to a 2009 article in The Daily NK, a South Korean publication focused on the DPRK, North Korea's Moranbong University, directly managed by the Operations Department of the Workers' Party, is that country's leader in technical developments in computer warfare. Moranbong is said to have been founded in 1997 to train experts in data processing, cryptanalysis, hacking, and other skills, along with martial arts and shooting. It's a five-year university that only selects 30 freshmen per year, each of which is made a military first lieutenant. Moranbong is supposed to have taken the place of Mirim University. Moranbong is in Jung district, just across from the Number 3 Government Building housing the United Front Department, Liason Department, and Operations Department. The article has a dateline of 13 July 2009, Shenyang, China, presumably where they contacted their North Korean source by telephone.

Meanwhile, in 2012 Bloomburg reported that Fox "News" owner Rupert Murdoch was helping the North Korean government make money: "Programmers from North Korea's General Federation of Science and Technology developed a 2007 mobile-phone bowling game based on the 1998 film [The Big Lebowski], as well as Men in Black: Alien Assault, according to two executives at Nosotek Joint Venture Company, which markets software from North Korea for foreign clients. Both games were published by a unit of News Corp., the New York-based media company, a spokeswoman for the unit said."

See the North Korea Tech web site for updates on hacking from the DPRK.

March 2013 — South Korea suffered a significant cyber attack against banking and media networks, damaging tens of thousands of systems. The systems were infected with malware and files were erased. North Korea was blamed for this attack, along with similar attacks in 2009 and 2011. A New York Times article described the attack as paralyzing three major South Korean banks and the countries two largest broadcasters, shutting down ATM transactions and rendering the targeted computers unusable.

11 Sep 2013 — Kaspersky Lab reported on the Kimsuky Operation, a North Korean cyber-espionage campaign against South Koreans think tanks. It was developed in a Korean language environment but uses, a Bulgarian public email server, for command and control. It does keylogging and steals HWP (Hangul Word Processor) files, HWP being part of the Hancom Office bundle widely used in South Korea. It also does remote control access and download and execution of additional programs.

25 Sep 2013 — Kaspersky Lab reported on Icefog, a cyber-espionage campaign active at least since 2011. It targets government institutions and military contractors, maritime and ship-building industries, telecom and satellite operators, and other industry, high technology, and media mostly in South Korea and Japan. It provides an interactive backdoor for the operators, who again concentrate on the HWP files used almost exclusively in South Korea. It initially targeted both Windows and OS X. See Kaspersky's Icefog APT FAQ and their detailed report for more. CrowdStrike called the attack campaign Dagger Panda and said it was being run from China. In January a Java based variant called Javafog appeared. See the report from Kaspersky Lab and an overview from Information Week.

August 2014 — HP released a security briefing Profiling an enigma: The mystery of North Korea's cyber threat landscale. It opens by describing the DPRK as "a unique country with a military-focused society and an unconventional technology infrastructure." Their constitution states that songun, the "military-first" doctrine, defines life there. At least according to South Korea, Unit 121 is "North Korea's premier hacking unit" and is the world's third largest cyber warfare force behind Russia and the U.S. It and Lab 110 maintain technical reconnaissance teams that infiltrate computer networks to obtain intelligence and plant malware on enemy networks. Unit 35 does technical education and training of cyberwarfare personnel. Unit 204 does cyber-psychological operations. University-level training in cyber intelligence and warfare is done at Kim Il-sung University, Kim Chaek University of Technology, and the Command Automation University, traditionally called Mirim University.

As of a June 2011 report, North Korea is assigned the IP block and is the registered user of China Unicom's China Unicom is North Korea's connection to the rest of the Internet. Several of the nominally North Korean web sites known to the outside world are hosted in China.

I have installed Red Star OS, the DPRK-customized Linux distribution, on a test system and found that it expects to be able to reach IP addresses in the 10/8 block. It appears that much of North Korea is their Kwangmyong, a nationwide intranet behind NAT routers with little to no access to the outside world. Update: there is a Red Star 3.0 Server ISO image available via BitTorrent.

HP reported that North Korea is still making money from computer games (presumably still with help from Rupert Murdoch). They raise hard currency through MMORPG or massively multiplayer online role-playing games, and also use the games to infect systems and launch cyber attacks.

A timeline in the HP report includes:

November-December 2014 — A group calling itself the "Guardians of Peace" or "GOP" released a large collection of data stolen from Sony Pictures Entertainment, including e-mails between employees, personally identifiable information about employees and dependants, copies of unreleased films, and other data. They claim to have taken over 100 terabytes of data, a claim that was largely accepted despite the unlikelihood of moving that much data unnoticed. See this great step-by-step detailed analysis.

Yes, this is the same Sony that included deceptive, illegal, and harmful rootkits on about 22 million CDs in 2005–2007. See the excellent detailed analysis by Mark Russinovich for background on this.

The data was released on November 24. After media reports kept speculating about some connection to the upcoming comedy film The Interview, featuring an assassination plot against North Korea's leader, only on December 16 did GOP mention that film for the first time. They threatened terrorist action against theatres showing the film, and Sony pulled the film from release.

Many security researchers and analysts have commented (for example, Bruce Schneier, Marc Rogers, and in a Wired article) that the episode seems very unlikely to be the act of a national government. To begin with, the taunting messages from a group with a catchy name scolding the victim for having bad security. Then a e-mail from the attackers to Sony executives sent on November 21, three days before the public release, was signed not "GOP" but "God'sApstls". National governments, even insane ones like North Korea, don't usually behave this way.

Going deeper, the use of language seems like an English speaker pretending to be bad at English. More specifically, not someone actually from North Korea. See analyses of North Korean language use characteristics and its diversion from the language of South Korea here, here, here, and here. Also see the adept use of social media. The people doing the communicating aren't North Koreans.

The motive is clearly revenge against Sony. The information could have been used to directly extract money from Sony's accounts, or to extort enormous payments. But the data was simply released to embarrass Sony and greatly reduce the value of some products. Sony only helped that by (at least initially) entirely discarding a finished movie. This looks like the work of disgruntled insiders.

On December 21-22 North Korea's very limited connection to the Internet was down. North Korea has only 1024 routable IP addresses, the CIDR block. Those four /8 networks are run by Star Joint Ventures, the state-run Internet provider, and most of them are routed through China Unicom, China's state-owned telecommunications company. It might have been DDoS on North Korea's border routers, or it might simply be that China Unicom disconnected them.

Also see:

February 2016 — An analysis was released by the "Operation Blockbuster group," was led by Novetta and also including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber. They discovered 47 different malware families and matched the malware and MO to Operation Troy in 2009. That used the hacktivist DDOS and data-wiping attack on South Korean banks and media outlets as distraction while quietly exfiltrating South Korean and U.S. military secrets. Another round of this in 2013 was called Operation DarkSeoul. The analysts have named the attackers the Lazarus Group and remain unsure of the size and structure of the group.

2015-2017 — The Lazarus Group used vulnerabilities in bank server systems to steal the banks' credentials in SWIFT, an international banking network. They issued transfer requests to other banks, sending the funds to accounts controlled by the hackers. $101 million was stolen from the Bangladesh central bank, and other thefts began to be reported.

May 2017 — The WannaCry ransomware attack spread worldwide, hitting healthcare and major corporations. It used an exploit developed by the NSA and published by the Shadow Brokers group a month before. Microsoft had issued a patch to the vulnerabilities in Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, presumably after being informed by the NSA, who had seen earlier releases of NSA code by the Shadow Brokers. Microsoft released patches for Windows XP and Windows Server 2003 the day after the attack started spreading.

June 2017 — US-CERT Alert TA17-164A was based on analysis by FBI and the Department of Homeland Security. It describes software called DeltaCharlie, used to manage North Korea's destributed denial-of-service infrastructure. The U.S. Government refers to malicious cyber activity by North Korea as HIDDEN COBRA. The report mentions that earlier commercial analysis referred to the activity as the Lazarus Group and Guardians of Peace.

The report describes HIDDEN COBRA activity taking advantage of rather old systems widely spread across the Internet: unpatched and now unsupported older versions of Windows, unpatched Adobe Flash software, and systems running the antiquated CHARGEN protocol. It also takes advantage of poorly configured DNS and NTP servers as traffic amplifiers.