North Korean Hackers Hide in Plain Sight

On the evening of the 25th January 2021, Google’s Threat Analysis Group published details of attributed by them to “a government-backed entity based in North Korea”.

Google described the attack as using a “novel social engineering method”. Social engineering usually describes attacks that target the human factors of computer security, such as by using phishing emails or phone call impersonation. Whilst highly-competent security experts may consider themselves at reduced risk to such attacks, the successful use of these techniques against eminent security researchers shows how competent and manipulative the attackers responsible are.

Alejandro Caceres, who was targeted by this attack, the attacker was vetted by a friend and was able to use a novel software vulnerability (known as a zero-day) to engage his interest. Upon finding out the attack was attributed to North Korean hackers, he wrote : “I'm mad I fell for it now.”

Kim Crawley, an information security writer, commented in the wake of Google’s blog post that , stating: “We must have humility.”

Google also documented a technically sophisticated attack whereby a researcher was compromised simply by following a link from Twitter to a malicious blog, despite the fact that the "victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions". Google stated they were “unable to confirm the mechanism of compromise” but welcomed further information and noted that vulnerabilities of their browser are “eligible for reward payout” under Chrome's Vulnerability Reward Program.

Ironically, in recent years, North Korea has made some academic contributions in computer science. One example can be found in a paper in November 2020. In a from 2017, the academic authors used North Korean star-co.net.kp email addresses whilst an author associated with PGItech Corp in Pyongyang used an email address served by Alibaba, a Chinese internet company. In the published version, the academic authors instead used Gmail and Outlook email addresses whilst the author affiliated with PGItech Corp continued to use the same Alibaba email address.

North Korea’s small internet footprint can deceive some cybersecurity researchers into underestimating it as a threat. Recorded Future reported that networks increased 300% from 2017 to 2019, but overall usage remains small. This may seem at odds to the reports that the DPRK as part of groups like Bureau 121, but great effort is taken to obfuscate hacking activity by North Korea.

Group-IB reported in 2017 that the infamous Lazarus hacker group to North Korea internet space through three layers of complex obfuscation. The group is considered an Advanced Persistent Threat and is attributed with attempting to steal $1bn from the Central Bank of Bangladesh in 2016 and the attack on Sony Pictures in 2014.

Other than technical obfuscation, research from HP in 2015 claims can be traced to a North Korean operated hotel in Shenyang, China. This corroborates , a computer science professor who defected from North Korea. Kim further stated that: "Bureau 121 began its large-scale operation in China in 2005. It was established in the late 90s."

North Korea has long obfuscated its malicious online activity through both technical measures and outposts. As the regime has increasingly had to turn cybercrime to obtain foreign currency, its online activity has become increasingly homogeneous with the broader internet. North Korean computer scientists are able to use Western webmail services like Outlook and Gmail whilst their hackers are able to manipulate and exploit eminent security researchers on social networks like Twitter. Needless to say, cyber security organisations and researchers will need to keep abreast of this increasing homogeneity to continue to monitor cyber security threats from North Korea.