US Government agencies this week published a very full dossier on the specific hacks and attacks they believe bear the fingerprints of the DPR Korea (North Korea).
Specifically, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) say at least seven malware variants can be traced to the Communist country’s state agencies:

- Hoplight – proxy applications that mask traffic between the malware and the remote operators
- Bistromath – performs simple XOR network encoding and is capable of many features, including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard and screen
- Slickshoes – a Themida-packed dropper that decodes and drops a file, “C:\Windows\Web\taskenc.exe”, which is a Themida-packed beaconing implant
- Hotcroissant – performs custom XOR network encoding and is capable of many features, including conducting system surveys, file upload/download, process and command execution, and performing screen captures
- Artfulpie – performs downloading and in-memory loading and execution of a DLL from a hardcoded URL
- Buffetline – the sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration
- Crowdedflounder – a Themida-packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory
Note that these are only the incidents which the general American public is made aware of, and, as Telecoms.com notes in its write-up of the data, the US is also far from being the only target; “In November, New Zealand’s National Cyber Security Centre (NCSC) suggested that 38% of the incidents it had to respond to were most likely state-sponsored. These are only a small proportion of the total cyber incidents, though the NCSC is tasked with tackling the most serious.”
It’s also important to know that the Five Eyes intelligence alliance of Australia, Canada, New Zealand, the United Kingdom and the United States has attributed the WannaCry incident to North Korea and NotPetya to Russia in recent years.
However, the magazine does also caution that, “State-sponsored cyber incidents are most certainly on the rise, but the worrying element of this trend is that no-one genuinely knows.
“The likelihood of being able to attribute these incidents back to a particular regime with absolute certainty, and free from political bias, is incredibly low.”