When cybersecurity experts talk about APT groups targeting the U.S. and its allies, they usually end up connecting the activity to one of “The Big Four:” Russia, China, Iran and North Korea. While these countries are far from the only ones conducting clandestine operations in cyberspace today, they’re often pegged as the most sophisticated and thus tend to get much of the attention.
But that doesn’t mean they all operate the same way. From a preference for writing custom malware code to pioneering new strategies, North Korean hacking groups have shown an innovative spirit that allows them to punch above their weight despite crushing sanctions.
At the 2021 RSA Conference, Dmitri Alperovitch, co-founder and former chief technology officer of CrowdStrike, said North Korean hacking groups, many of which operate under the umbrella name Lazarus Group, stand out considerably from their Big Four counterparts in the creativity of their campaign tactics and in the way they eschew popular commercial offensive tools.
“They’re in some ways my favorite actor in cyberspace, because they’re just so incredibly innovative,” said Alperovitch, now executive chairman at the Silverado Policy Accelerator.
In the early 2000s, North Korean intelligence agencies like the Reconnaissance General Bureau “pioneered” the concept of destructive cyberattacks in digital skirmishes with their South Korean neighbors, while the country’s 2014 hack of entertainment giant Sony foretold the coming era of hack-and-leak operations that Russia would pick up just a few years down the line.
Alperovitch said that in recent years, Russian, Chinese and Iranian APTs have increasingly incorporated publicly available commercial offensive tools like Cobalt Strike, or open-source tools like the credential-harvesting utility Mimikatz, into their operations in lieu of writing their own malware. Such tooling is less expensive, and because it is so widely used, it can make the activity harder to attribute back to a specific nation or actor.
“But the North Koreans have really shied away from that; they’re still focused on custom development. You can almost call it ‘Juche’ malware,” Alperovitch said, referencing Pyongyang’s notorious slogan and ideology for self-reliance and production in the face of a hostile world.
Many countries have incorporated offensive cyber operations into their overall geopolitical strategies, but North Korea was among the first nations to turn its government hacking capabilities toward cybercrime. While some countries use their APT groups as a surgical scalpel or a weapon to carry out targeted goals, Pyongyang uses them as an all-purpose sword to pursue a range of interconnected geopolitical and financial objectives.
“We watched them conduct bank heists around the world. They were targeting, at one point, 16 different financial organizations at once,” said Alperovitch's co-presenter Sandra Joyce, executive vice president and head of global intelligence at Mandiant.
A miasma of state-connected and state-adjacent hacking groups is charged with carrying out ransomware attacks, cryptocurrency scams and other moneymaking schemes to help the heavily isolated and cash-strapped country evade economic sanctions and fund the regime. A United Nations report in 2019 estimated that these digital theft and extortion campaigns had transferred more than $2 billion to Pyongyang's coffers.
North Korea is already cut off from most forms of international commerce by U.S. and global economic sanctions, so it has little to lose by engaging in aggressive offensive operations against other nations. Much of its critical infrastructure is already crumbling and its internet is isolated and closed off from the rest of the world, so it often has little to fear in terms of retaliation in cyberspace, outside of China, its pseudo patron state.
"With intensive information and communication technology, and the brave RGB with its [cyber] warriors, we can penetrate any sanctions for the construction of a strong and prosperous nation," said President and dictator Kim Jong Un in 2013 while visiting the Reconnaissance General Bureau headquarters.
The country's innovation can even fool some cybersecurity experts. Earlier this year, Google revealed details of a year-long campaign in which North Korean hackers posed as members of the cybersecurity community to spearphish security researchers. The campaign exploited the professional networking and collaboration that regularly takes place among security researchers around vulnerability research, compromising a number of high-value targets who would otherwise have had their guard up.
The actors set up their own research blog as a front, in some cases recycling the work of other researchers and, in at least one case, faking a successful exploit. They also created multiple personas and sockpuppet accounts on social media sites like Twitter, LinkedIn, Telegram, Keybase and Discord, where they shared posts, promoted the work of others and interacted with researchers over direct messages.