North Korean hackers have staged an audacious attack targeting cybersecurity researchers, many of whom work to counter hackers from places like North Korea, Russia, China and Iran. The attack involved sophisticated efforts to deceive specific people, which raises the level of social engineering, or phishing attacks, and enters the realm of spy tradecraft.
The attack, reported by Google researchers, centered on fake social media accounts on platforms including Twitter. The fake personas, posing as ethical hackers, contacted security researchers with offers to collaborate on research. The social media accounts included content about cybersecurity and faked videos purporting to show new cybersecurity vulnerabilities.
The hackers enticed the researchers to click links to shared code projects – repositories of software related to cybersecurity research – that contained malicious code designed to give the hackers access to the researchers’ computers. Several cybersecurity researchers reported that they fell victim to the attack.
From phishing to espionage
The lowest level of social engineering hack is a typical phishing attack: impersonal messages sent to many people in the hopes that someone will be duped into clicking on a malicious link. Phishing attacks have generally been on the rise since early 2020 – a side effect of the pandemic-driven work-from-home environment in which people are sometimes less vigilant. This is also why ransomware has become prevalent.
The next level of sophistication is spear-phishing. Here people are targeted with messages that include information that is specific to them or their organizations, which increases the likelihood that someone will click a malicious link.
The North Korean operation is at a higher level than spear-phishing because it targeted people who are security-minded by the nature of their occupation. This required the hackers to create convincing social media accounts complete with content about cybersecurity, including videos, that could fool cybersecurity researchers.
The North Korean operation highlights three important trends: stealing cyberweapons from industry, social media as a weapon, and the blurring of cyber and information warfare.
1. Theft of cyberweapons from industry
Before the North Korean operation, the theft of cyberweapons made headlines at the end of 2020. In particular, December’s FireEye breach resulted in the theft of tools used by ethical hackers. These tools were used to crack the security of corporate clients to show the clients their vulnerabilities.
This prior incident, attributed to Russia, illustrates how hackers attempted to augment their arsenals of cyberweapons by stealing from a commercial cybersecurity firm. The North Korean action against security researchers shows that they’ve adopted a similar strategy, though with a different tactic.
Back in the fall, the National Security Agency disclosed a list of vulnerabilities – ways that software and networks can be hacked – that were exploited by Chinese state-sponsored hackers. Despite these warnings the vulnerabilities have persisted, and information about how to exploit them could be found on social media and the dark web. This information was clear and detailed enough that my company, CYR3CON, was able to use machine learning to predict the use of these vulnerabilities.
2. The weaponization of social media
Information operations – collecting information and disseminating disinformation – on social media have become abundant in recent years, especially those conducted by Russia. This includes using “social bots” to spread false information. This “pathogenic social media” has been used by national intelligence operatives and ordinary hackers alike.
Traditionally, this type of targeting has been designed to either spread disinformation or entice an executive or high-ranking government employee to click on a malicious link. In contrast, the North Korean operation was aimed at stealing cyberweapons and information about vulnerabilities.
3. The confluence of cyber and information warfare
Outside of the United States – especially in China and Russia – cyberoperations are considered part of a broader concept of information warfare. The Russians, in particular, have proved very adept at combining information operations and cyberoperations. Information warfare includes using traditional spy tradecraft – operatives with false identities attempting to gain the trust of their targets – to collect and disseminate information.
The attack against cybersecurity researchers could indicate that North Korea is taking cues from these other powers. The low-cost ability of a second-tier authoritarian regime like North Korea to weaponize social media provides it an advantage against the much greater technical capabilities of the U.S.
In addition, the North Koreans appear to have used one of their most valuable cyberweapons in this operation. Google reported that it appeared the hackers used a means of exploiting a zero-day vulnerability – a software flaw that is not widely known – in Google’s Chrome browser in the attack on the cybersecurity researchers. Once such an exploit is used, people are alerted to defend against it and becomes much less effective.
Setting the stage for something bigger?
In cybersecurity, big news items tend to be events like the Sunburst operation by Russian hackers in December – large-scale cyberattacks that cause a great deal of damage. In the Sunburst attack, Russian hackers booby-trapped widely used software, which gave them access to the networks of numerous corporations and government agencies.
These large events are often proceeded by smaller events in which new techniques are experimented with – often without making a large impact. While time will tell if this is true of the North Korean operation, the three current trends – stealing cyberweapons from industry, social media as a weapon, and the blurring of cyber and information warfare – are harbingers of things to come.