In its ongoing cat-and-mouse game with state-sponsored hackers from North Korea looking to steal state secrets, conduct corporate espionage and find backdoors into the nation’s critical infrastructure, the U.S. government has a new strategy: publicly outing these hackers on public forums. The U.S. Cyber Command, a unit of the U.S. Department of Defense that works alongside the National Security Agency in guarding against foreign cyberspace threats, is now posting malware samples from North Korean hackers on an information-sharing platform known as VirusTotal.
Tactics of the North Korean hackers
According to the U.S. Cyber Command, North Korean hackers are constantly adapting their tactics. On one hand, these cyber actors are engaged in corporate espionage attacks, such as those that involve remote access, backdoors and other forms of malware designed to infiltrate a computer network and then exfiltrate data to another server within North Korea. On the other hand, North Korean hackers are engaged in smash-and-grab bank heist-style operations, in which the end goal is “fund generation” for the North Korean state. In one infamous attack, a group of North Korean hackers known as APT38 launched a malware attack against the SWIFT interbank messaging system.
As the U.S. Cyber Command points out, both of these types of attacks are dangerous in their own way. The corporate espionage attacks, for example, represent a theft of U.S. intellectual property, and are clearly designed to bolster the North Korean economy and military. The bank heist operations are also of significant concern because all of the funds acquired in this manner can be used to fund even more nefarious programs, such as weapons of mass destruction programs. According to a recent UN report, for example, the North Korean regime has stolen more than $2 billion, much of which has been diverted to fund weapons programs for different military units.
Malware samples posted by the US Cyber Command
To illustrate both of these tactics used by North Korean hackers, the U.S. Cyber Command uploaded a total of 7 new malware samples so that “white hat” hackers will have a much better idea of what North Korean malware looks like in the wild, and be better prepared to defend against it. According to the U.S. Cyber Command, all of the malware samples are “custom, complicated and well written.” These include Remote Access Trojans (RATs), as well as backdoors that steal credentials and capture keystrokes.
One malware sample, for example, is known as “Electric Fish” and is designed to help hackers tunnel into computer networks in order to exfiltrate data. According to the U.S. Cyber Command, Electric Fish has been deployed as part of different financial heist schemes of the North Korean state. By examining Electric Fish, security researchers will be better able to understand how the malware from the North Korean hackers works, and with it the tactics and strategies of the different groups of North Korean hackers.
The conventional wisdom is that all North Korean hackers are working directly for the North Korean government on the same sorts of hacking projects. But the reality is that different groups deploy different tactics for different purposes. The group APT38, for example, appears to be primarily focused on financial heists and corporate espionage. Other groups of North Korean hackers focus on intelligence-gathering operations and diplomatic espionage. And still other groups of North Korean hackers, such as the infamous Lazarus group, have been linked to cyber attacks such as the 2016 hack of Sony Enterprises and the WannaCry ransomware attacks.
Growing sophistication of North Korean hackers
When posting the new malware samples from the North Korean hackers, the U.S. Cyber Command also alluded to the fact that these hacking groups are becoming more sophisticated in their tactics. In the case of financial heists, for example, North Korean hackers are becoming much more patient once they infiltrate a network, probing it for weaknesses and learning all of the techniques used to monitor it – meaning they might be lurking for weeks or even months before using all of this reconnaissance to pull off a major heist. In the case of corporate espionage attacks, the North Korean hackers are finding new ways to obfuscate their tracks, even going to certain lengths to make it appear as if other groups of hackers might be responsible for the malware attacks.
The role of transparency in thwarting future cyber attacks
The big question, of course, is whether publicly exposing malware will actually help prevent future cyber attacks against U.S. assets. The Cyber Command obviously thinks it will, and has even created a public Twitter account in order to tweet out every time a new malware sample has been posted to a platform such as VirusTotal.
Certainly, transparency has a role to play in helping to stop future hacking attempts. So much of the world of cybersecurity is shrouded in secrecy, and any attempt to bring these efforts into the open will help to diminish their effectiveness in the future.
Where transparency has an especially important role to play is the coordination of the U.S. Cyber Command and the private sector. Cybersecurity firms working hand-in-hand with the Department of Defense and the Department of Homeland Security can go a long way. In order to stop North Korean hackers from carrying out their nefarious objectives, “white hat” hackers at corporations and government entities need to combine their forces and reduce any duplication of efforts. For example, consider the Electric Fish malware sample. By posting a sample of this online, the U.S. Cyber Command has given a huge boost to private sector corporations, many of which are pushed to the limit in terms of resources that they can allocate to fighting hackers. It is, in essence, a free bug bounty program brought to you by the U.S. Cyber Command.
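As an added example (not from the article, Cyber Command or VirusTotal), here is how a defender might put published samples to use: hash local files against a watchlist of the published sample hashes, and query a hash on VirusTotal's API v3. The watchlist entries are placeholders, since the article gives no hashes; the VirusTotal call assumes the v3 `files/{hash}` endpoint with an `x-apikey` header and needs a real key and network access.

```python
import hashlib
import json
import os
import tempfile
import urllib.request

# Placeholder watchlist: in practice, fill this with the SHA-256 hashes published
# for the samples (the article names the samples but gives no hashes).
PUBLISHED_SAMPLE_HASHES = {
    "0" * 64: "PLACEHOLDER Electric Fish sample",
}

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def match_directory(root, watchlist=PUBLISHED_SAMPLE_HASHES):
    """Return {path: label} for every file under root whose SHA-256 is on the watchlist."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            label = watchlist.get(sha256_of_file(path))
            if label is not None:
                hits[path] = label
    return hits

def virustotal_verdict(sha256, api_key):
    """Look up a hash on VirusTotal (API v3, network call; assumed endpoint) and return engine counts."""
    req = urllib.request.Request(
        "https://www.virustotal.com/api/v3/files/" + sha256,
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        stats = json.load(resp)["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": stats.get("malicious", 0), "undetected": stats.get("undetected", 0)}

def demo():
    """Offline check: a constructed file whose hash we put on the watchlist must be found."""
    root = tempfile.mkdtemp()
    sample = os.path.join(root, "constructed.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed sample bytes, not real malware")
    digest = hashlib.sha256(b"constructed sample bytes, not real malware").hexdigest()
    return match_directory(root, {digest: "constructed sample"}) == {sample: "constructed sample"}
```

Hash matching only catches byte-identical copies of the published samples; repacked or recompiled variants need behavioural or signature-based detection on top of this.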
The U.S. government has been at the forefront of changing the strategic thinking around modern cybersecurity. Once viewed as a “defense only” unit, the U.S. Cyber Command and other U.S. government entities are showing that a variety of proactive and offensively minded strategies are available as well. Posting malware samples to a publicly available platform is yet one more weapon in the arsenal of the U.S. Cyber Command.