October 30, 2020 | Insight

U.S. Issues Timely Alert on Another North Korean Hacking Group

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Cyber Command Cyber National Mission Force (CNMF) issued a joint alert on Tuesday about North Korean hacking unit Kimsuky’s cyber operations. Although the alert focuses predominantly on the group’s role in cyber espionage, recent reporting about Kimsuky suggests these hackers may also be conducting cybercrime and financially motivated attacks to prop up the Kim regime amid North Korea’s current economic crisis.

According to the alert, the Kim regime tasked Kimsuky with “global intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.” Kimsuky is most likely a unit within North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB), which oversees North Korea’s cyber operations. Researchers at Korea University found that the RGB has at least five units dedicated to cyber-related operations.

Kimsuky targeted foreign policy and national security experts and think tanks in the United States, South Korea, and Japan as well as South Korean government agencies, the alert explained. The purpose of these attacks was to “gain intelligence on various topics of interest to the North Korean government.”

South Korean cyber security company Issue Makers Lab has also detailed numerous other similarly motivated campaigns by Kimsuky. For instance, in 2019, Kimsuky hackers attempted to infiltrate nuclear research facilities in Belgium and India in order to steal scientific studies regarding thorium-based nuclear energy, which Pyongyang could then use to fuel nuclear reactors.

Although there are no active thorium-based reactors anywhere in the world, North Korean hackers targeted researchers who have studied this emerging scientific topic, because thorium is likely to be a safer and cheaper alternative to plutonium and uranium as a fuel source for nuclear reactors. Kimsuky also attacked defense companies in South Korea, Ukraine, Russia, Slovakia, and Turkey to extract information on armored vehicles and artillery munitions.

Issue Makers Lab also reported that Kimsuky sent spear phishing emails to several pharmaceutical companies researching COVID-19 vaccines. The attacks, which targeted companies based in South Korea, the U.S., and Belgium, occurred between August and October of this year. Coincidentally – or perhaps not – the regime’s State Commission of Science and Technology announced in July that it would join the global race to develop a COVID-19 vaccine. In recent months, both Russian and Chinese hackers have also been reportedly attempting to steal vaccine data.

While the primary motivation for all of these attacks appears to be espionage, North Korea is a unique country in that it generates revenue through state-sponsored cyber activity, said Assistant Attorney General for National Security John Demers. Furthermore, UK-based private cybersecurity firm ClearSky concluded that North Korean hackers simultaneously engage in espionage and financially motivated attacks, because the regime needs both money and intellectual capital for its nuclear weapons and missile programs. North Korean hackers have attacked banks, financial institutions, and virtual currency exchanges across 35 countries. Kimsuky itself has targeted South Korean cryptocurrency exchanges on several occasions.

Kimsuky’s attacks on pharmaceutical companies could be the first step in an effort to generate funds. The unit’s hackers could try to sell the stolen vaccine research to buyers in Russia or China, where there is high demand for this knowledge.

In fact, Pyongyang’s cyber operatives regularly cooperate with partners in Russia and China. Specifically, in September, Intel 741, a private cybersecurity company, reported that Russian cyber-criminal groups allegedly provided North Korea with access to bank computer networks in order for North Korean hackers to deploy viruses and malware. Also, Chinese currency traders helped North Korean hackers launder stolen cryptocurrencies into fiat currency between 2018 and April 2019.

Another way Pyongyang could profit from this hack is through business email compromise (BEC) schemes. Its hackers could extract information on a company’s financial relations with clients, such as contact information and outstanding invoice payments. Hackers would then disguise themselves as the victim company via fake domains and email addresses to demand these payments from clients. ClearSky reported North Korean attempts to conduct these kinds of BEC activities against Israeli and other Middle Eastern defense firms this year.

The hackers could also use ransomware, malicious software that encrypts a user’s computer files and renders the machine unusable until the victim pays a ransom, to make money and create mass disruption, much like North Korea did with its WannaCry ransomware: between February and May 2017, North Korea infected over 230,000 computers worldwide, including those of the National Health Service in the United Kingdom, with ransomware. Throughout the coronavirus pandemic, hackers worldwide have been deploying ransomware against hospitals and other medical research facilities.

Presently, Kim Jong Un is in dire need of revenue to help relieve the unprecedented economic challenges that could lead to regime collapse if left unaddressed. The confluence of factors that led to the current crisis includes a series of typhoons that devastated North Korean agricultural production, COVID-19 border closures that cut off cross-border trade essential to internal markets, and economic sanctions.

Despite these challenges, the Kim regime’s recent military parade showcasing new ballistic missiles and other advanced weapons systems demonstrated that Pyongyang will not stop spending on its military’s development despite its economic woes. Kimsuky and other North Korean hackers therefore are likely to continue their cyber theft operations to help Kim meet his goals.

The latest U.S. government alert will help strengthen cyber defense against incoming North Korean cyberattacks because, as head of U.S. Cyber Command General Paul Nakasone explained, publicly releasing information on malware “makes that malware less effective because defenses can be tuned to detect and defeat it.” However, the alert is not comprehensive. It describes Kimsuky’s distinct tactics, techniques, and procedures based on the group’s activities between 2012 and July of this year. Thus, it may lack important new technical information by neglecting analysis of several important Kimsuky-attributed intrusions of cryptocurrency exchanges, defense companies, nuclear facilities, and now pharmaceutical companies that occurred after the reporting period.

While analysis of cyberattacks requires time, the U.S. government needs to be able to share tactics, techniques, and procedures (TTPs) in a more timely manner so that private sector cybersecurity defenders are not constantly playing catch-up against resourceful state-backed adversaries. The U.S. government needs to respond more swiftly to the emerging threat, lest North Korea continue to have free rein in cyberspace, where it can exploit its asymmetric advantages.

Mathew Ha is a research analyst focused on North Korea at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). Follow Mathew on Twitter @MatJunsuk. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.