Aditya Madanapalle, Oct 25, 2017 08:00:41 IST
Very few instances of malicious cyber activity are traced back to North Korea, although cyber offensive groups believed to be associated with the country have carried out a series of high-profile attacks. A hacking group known as Lazarus is believed to be currently targeting financial institutions in the Asia Pacific region in an effort to steal cash for the impoverished country.
A report by the threat intelligence firm Recorded Future indicates that North Korea is not using local resources to carry out its cyber operations. Instead, analysis of the data indicates that North Korea is basing its cyber operations in countries around the world, including India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. About a fifth of all the activity recorded during the period of the study originated from India.
Based on the analysis, Recorded Future says North Korea clearly has a physical and virtual presence in India, and supports this claim with evidence of an increasingly close diplomatic and trade relationship between India and North Korea. The analysis suggests that students from North Korea are enrolled in at least seven universities across the country, and may even be working with research institutions and government departments. The presence in India is in addition to the cyber attack group's strong physical presence in China. Recorded Future suggests that Western engagements and partnerships with the listed countries, including India, can help work around the lack of cooperation from China or Russia.
According to a New York Times article that traces the rise of strong North Korean cyber offensive operations, while the weapons tests invite strict sanctions from world governments, there is hardly any pushback or retaliation for the cyber strikes. Although the cyber capabilities of North Korea were initially dismissed, they are proving to be quite effective. It is not the technological sophistication of the attacks per se, but rather how cheaply North Korea is able to achieve its cyber objectives. Recorded Future notes that less than one percent of North Korean cyber activity was protected or obfuscated in any way. Another factor in the effectiveness of North Korean hacker groups is the lack of interconnectivity and cyber infrastructure within the country, which keeps North Korea itself mostly isolated from cyber attacks.
Kaspersky Lab, while tracking the activities of the Lazarus group, uncovered a number of compromised servers being used as the group's command and control infrastructure. The compromised servers were found to be located in Indonesia, India, Bangladesh, Malaysia, Vietnam, South Korea, Taiwan, and Thailand, among other countries. The malware infecting the compromised servers is known as Manuscrypt, which compromises servers through a Microsoft Internet Information Services (IIS) vulnerability that was fixed in June 2017. Kaspersky also tracked the countries with the largest number of servers that still have this vulnerability; topping the list are China (with 7,848) and India (1,524).
Lazarus is a threat actor associated with a series of high-profile but relatively low-tech cybersecurity incidents. In late 2014, the Lazarus group also apparently executed an attack on Sony Pictures, which was then believed to be the worst attack of its kind on a company on US soil.
Lazarus is also believed to be behind the WannaCry ransomware attack, which took down critical services in 100 countries, including India. The malware would infect computers and demand a payment before users could regain access to their systems and data. The ransomware was pinging a randomly generated unregistered domain, which a 22-year-old security researcher registered, accidentally stopping the spread of the malware in its tracks. Over 300,000 computers were infected before the malware was stopped. According to researchers from Symantec, Lazarus was responsible for the WannaCry attack. Symantec does not associate cyber attacks with countries as a matter of practice, but it did not deny the common belief among cybersecurity firms that Lazarus is a group associated with North Korea.
According to Russian cybersecurity firm Group-IB, North Korean hackers were responsible for the $81 million heist from the Bangladesh central bank's account at the US Federal Reserve. Kaspersky also compiled evidence that the hacking group had connections to North Korea: a server used to control the infected computers was directly traced to an IP address in North Korea. The Lazarus group, also known as the Dark Seoul Gang, is believed to be responsible for the attack, and is in turn controlled by Bureau 121, a division of the Reconnaissance General Bureau, an intelligence agency in North Korea. The attackers attempted to siphon out $951 million but made a mistake in the payment request.