Anyone Want Some North Korean Cybersecurity Protection?

North Korea needs money. They are not the economic powerhouse they had tried to be. In fact, the Dear Leader admitted in January that the economy was a total failure, despite posters showing the contrary.

Other nation-states may hack primarily for information, but North Korea hacks primarily for money. The North Koreans may be short on economic savvy, but they are among the big players in their hacking abilities. This has been proven numerous times, and nothing proves it more clearly than the U.S. Justice Department issuing charges against three North Korean intelligence officials in February. “Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.” These words from John C. Demers, the head of the Justice Department’s National Security Division, may seem a bit harsh, but they are absolutely on point.

The list of North Korean cyber attacks is too long to go into in any detail here, but they have bilked a Bangladesh bank out of $81 million. They have used cryptocurrency attacks and used the WannaCry ransomware to steal millions of dollars. They have tricked banks into transferring billions of dollars into their accounts, and invented a fake cryptocurrency to get money from hopeful investors. The Justice Department realizes it will never get access to the three men named in the charges, but it wanted North Korea to know that it was being watched.

But North Korea just shrugged these charges off. What choice do they have? They’ve been backed into a corner. Without the money they get through hacking, the sanctions placed upon them would be crippling. In fact, one could say that their economy is heavily dependent on criminal hacking. This is why they are always looking for new ways to use their hacking skills to make money. So, since this is the case, they understand that the more knowledge of cybersecurity they can gather, the better their hacking skills will be and, by extension, the better their economy will be. Then, why not try to steal the secrets from the best cybersecurity firms? After all, knowing such secrets would help them improve their own hacking techniques. But there’s a problem. These companies, as you’d expect, are very hard to hack. But, if there’s a will, there’s a way.

In January, Google’s Threat Analysis Group (TAG) warned cybersecurity researchers that they were being targeted by North Korean state-supported hackers. TAG warned that these hackers had set up fake Twitter profiles to lure cybersecurity researchers into visiting legitimate-looking but infected blogs.

Visiting the blogs would immediately install malware on devices, even if the researcher’s operating system and browser were fully updated, hinting strongly that these North Korean hackers had found some zero-day vulnerability. Another trick they used was to ask researchers if they would like to collaborate on a project. Of course, the people asked did not know the request came from North Korea. But if the victim agreed, the attackers would send them a Visual Studio project complete with hidden malicious code that would result in their ‘partner’s’ computer being compromised.

In addition to Twitter, the criminals set up profiles on LinkedIn, Telegram, Discord, Keybase and regular email. For a complete list of all the accounts involved, see the Threat Analysis Group post.

Recently, TAG updated their earlier post. It seems the North Koreans had found a new angle. They set up a website purporting to be a legitimate cybersecurity firm. The firm, called SecuriElite, promotes itself as “Cutting Edge Offensive Security For More Secure World”. They offer pentests (let us onto your network), assessments (send us any new software you’ve developed), and exploits (we’ll help you hack yourself).

The company is said to exist at this location in Istanbul, which doesn’t add much to their credibility.

No wonder they were quickly blacklisted by Google’s search engine.

This time, the North Koreans were quickly found out and their accounts on Twitter and LinkedIn were removed before they could do any damage. As a campaign, it was a total failure and a waste of the Dear Leader’s money. Heads will roll… literally.

However, North Korea hasn’t given up on the idea of posing as a cybersecurity service. A few days ago, Issue Makers Lab released a tweet claiming that the Korea Internet & Security Agency has put up fake apps on Google Play that are masquerading as cybersecurity apps. They even go so far as to tell potential users to disregard any Google Play Protect warnings. So far, these apps have only targeted South Korea, but it seems only a matter of time before they move westward.

According to a recent report released by the South Korean government, North Korea has increased its hacking force to 6,800 workers. A defector who worked with this group claims that Kim Jong Un has made it clear that hacking is a priority and has made this cyber force part of the regular military establishment. This division has a number of specialized units within it. The article lists three of the primary units as:

Bureau 121 – Destroy the intelligence computer systems of enemies

Unit 91 – Steal the latest defense technology from foreign nations

Unit 180 – Steal foreign and cryptocurrency.

Quite likely, there is now a unit that targets cybersecurity firms. But, as the defector reported, “the most important thing for Kim Jong Un is money.” Other defectors have claimed that potential government hackers are sent to China and Russia for further training. Are we looking at a possible cyber army coalition? I have only two words to say in this regard: SolarWinds. You can figure this one out for yourselves.
