FireEye’s analysis of the North Korean financial hacking group it has dubbed APT38 is an important reminder that the Hermit Kingdom’s cyber skills should not be underestimated.
APT38 is the first specialised cyber unit dedicated to making money for a nation-state government. The associated money laundering operations are run, as Bloomberg has reported, through dodgy gambling activities in at least three countries.
“In some sense, you could say that North Korea might be the biggest threat right now to the majority of global nations,” said FireEye chief executive officer Kevin Mandia in a briefing for journalists at the company’s Cyber Defence Summit in Washington DC this week.
It’s hard to rank North Korea’s cyber capabilities in relation to Russia or China or the Five Eyes nations. Each has their specialities. But he said North Korea is more dangerous because it’s unpredictable.
Some nation-state malware has “guard-rails” to prevent collateral damage. It might have an expiry date, or only activate in specific locations or environments. The “gentlemen hackers” of China try to do as little damage to target systems as possible, preferring to keep them operating for long-term access.
Not so with DPRK.
“North Korea is not only not guard-railing their malware, a backdoor we were analysing had six different checks to see if was being disassembled. And if disassembly was detected, whether it detected it was running in a virtual machine, if a debugger was running … delete the hard drive at the physical level,” Mandia said.
“That’s a policy decision by North Korea to give you the cyber equivalent of this,” he said, holding up the middle finger of each hand in a very well-known gesture.
“Destroy it. Who cares? Scorched earth. Doesn’t matter.”
North Korea is also cybering in every possible way, he said. Cyber espionage, cyber sabotage, cyber crime, cyber disruption, and disinformation operations.
In the last 12 years, North Korea has developed “a broad range of custom tools”, according to Jacqueline O’Leary, a senior analyst on FireEye Intelligence’s Advanced Analysis team.
“They have 26, which is a fair amount of tools for an advanced persistent threat (APT) group,” O’Leary told ZDNet on Thursday.
“They really balance a lot of different evasion and anti-forensic techniques. They’re using wipers, they might be doing some sort of false flag, they have a secure deletion utility. They’re really using multiple techniques at once, which I think is pretty interesting,” she said.
“They kind of want to cover their bases in multiple ways.”
APT38 also tries to cover its tracks. It tries to distract investigators by planting commodity ransomware tools such as Hermes onto target systems, even though it’s not after a ransom.
“After they conducted fraudulent transactions, so after they deployed DYEPACK [a suite of tools to manipulate data in the SWIFT banking transfer system], before they initiated the disk-wiping malware, they would actually deploy Dark Comet, which is a publicly available backdoor that a bunch of different groups use,” O’Leary said.
FireEye believes APT38 did that to deliberately trigger anti-virus software, so that investigators would be distracted by that backdoor, rather than all the custom tools it deployed into the target environment.
Another false-flag distraction was adding poorly translated Russian character strings to its malware NACHOCHEESE.
North Korean hackers have been implicated in attacks on cryptocurrency exchanges, but FireEye does not attribute those attacks to APT38. The toolsets used to attack the exchanges are similar to those used by APT38, but there are differences.
“The one instance that we saw, specific to APT38, was like a cryptocurrency media outlet. That was actually part of their watering hole campaign,” O’Leary said, referring to an attack on a specific group of people by targeting websites where they congregate.
“That was probably targeted because of its proximity to bank. We think that occurred around an initial coin offering (ICO), so there may have been substantial traffic banks of financial institutions to that media outlet.”