By: Terresa Monroe-Hamilton
The North Koreans were involved in a suspected widespread cyberattack last month that hit Turkish banks. The attack was much broader in scope than first thought, and the data theft has hit 17 countries, including the United States and Australia. Other affected countries include the United Kingdom, Germany, Japan, China and Russia. The attackers stole information from critical infrastructure, telecommunications and entertainment organizations, researchers say.
“The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators,” McAfee wrote in a report. The group uses hacking tools that are associated with the cyber espionage group Hidden Cobra — the name that the US government uses to describe North Korea’s state-sponsored hackers.
The campaign is called Operation GhostSecret by the security firm McAfee. North Korean hackers have evolved beyond their traditional focus on military secrets and cyber provocations. They have expanded their net to include sensitive information from a wide range of industries. That information includes critical infrastructure, telecommunications, healthcare, higher education and other data troves. McAfee, which released the report on Wednesday, didn’t name the affected organizations, but said most of the attacks were in the Asia-Pacific region. The hack occurred between March 14 and March 26.
McAfee says that the attack is ongoing and active. It’s also very hard to tell exactly what was taken. Files could have been deleted or stolen, or the attackers could have studied various networks in preparation for future attacks. “They’re in your network. They’re learning about you, understanding how you operate,” said Raj Samani, McAfee’s chief scientist.
The harder North Korea is hit with sanctions, the more dangerous its cyberwarriors become. They are definitely targeting infrastructure systems and stealing money, according to cybersecurity specialists who track the regime’s behavior. The more menacing tactics are amplified by Pyongyang’s improving coding skills and swift mobilization, these people say. Because North Korea is already isolated politically, it is unafraid of repercussions for its actions.
McAfee doesn’t officially identify nation-state cyber units as culprits. But in its report it says it has “high confidence” that Operation GhostSecret is the work of a North Korea-linked hacking operation known as Lazarus, based on similarities in malware and infrastructure. Lazarus was to blame for last year’s WannaCry ransomware attack and the 2014 Sony Pictures hack. North Korea has denied involvement in those attacks, but the evidence pointing to the source of those attacks is solid.
In early March, McAfee identified cyberattacks on Turkish financial institutions and government groups that deployed a “Bankshot” implant, which embedded malicious files in Microsoft Word documents sent to victims as email attachments. Computers were infected if users downloaded the attachment. That was just the first stage of the attack, however. The broader assault grew beyond the Bankshot implant and used other types of malware. McAfee researchers classified the various malware under a single operation because of similarities in coding and capability, as well as the timing of the attacks.
One of the additional tactics was a variant of a wiper tool that had a more than 80% similarity to the one used in the Sony Pictures hack, said Christiaan Beek, McAfee’s senior principal engineer. The updated wiper tool, which can delete files on infected computers, wasn’t a direct copy of the prior version, but rather a new, hybrid variant, McAfee said. Another malware implant, observed broadly in Operation GhostSecret, helped cover the hackers’ digital footprints with encryption, McAfee stated. They are saying that North Korea is carrying out attacks with impunity.
In January, researchers from the US cybersecurity firm Recorded Future said a hacking campaign targeting the South Korean cryptocurrency exchange Coinlink employed the same malware used in the Sony and WannaCry attacks. The attack was attributed to the Lazarus group, which has been conducting operations since at least 2009, when it launched an attack on US and South Korean websites by infecting them with a virus known as MyDoom. For those out there who want to dig into the technical facts, here is a link to McAfee.
The truth of the matter is we have been involved in a world war on the cyber battlefield for some time now. North Korea is increasing its attacks and is not to be trusted in the least. But don’t forget the Chinese, Russians and Iranians are also all attacking the US and each other. Looks like a world war to me.