North Korea hacking group is expanding operations, researchers say

The actions of this group are not something to be ignored warns FireEye

[Image: North Korea statue, Pyongyang. Photo: stephan (CC BY-SA 2.0)]

A group of hackers from North Korea (DPRK), recently connected to the usage of an Adobe Flash zero-day vulnerability (CVE-2018-4878), has expanded its operations in both scope and sophistication, FireEye says.

With a toolset that includes zero-day vulnerabilities and destructive malware, and a lack of concern about breaking norms and exacerbating heightened tensions in Northeast Asia, the group should be taken seriously.

"We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests," FireEye explained in a new brief on the group, dubbed APT37 (Reaper).

Their high confidence comes from a number of data points, including personal information inadvertently disclosed by one of the developers behind a number of Reaper's malicious payloads. In addition, the development cycle is consistent with someone operating in the DPRK's time zone, and all of the group's targets align with DPRK objectives.

FireEye also said Reaper is aligned with the actions of a group previously reported by Kaspersky under the name ScarCruft, and the actions of Group123, which were detailed earlier this year by researchers working for Cisco's Talos group.

Old dogs learning new tricks:

Likely active since 2012, Reaper is an intelligence gathering operation that has mostly focused on targeting public and private sector organizations in South Korea.

However, in 2017, the group expanded operations to include targets in Japan, Vietnam, and the Middle East. They also expanded their verticals to chemicals, electronics, aerospace, healthcare, automotive, and manufacturing. This is in addition to existing target interests in the government and defense industrial base, as well as media and NGOs.

Recent attacks include one from 2017, where Reaper targeted a Middle Eastern company after it entered into a joint venture with the DPRK to provide telecom service to the country. That same year, other targets included individuals involved with international affairs and those working with the Olympics.

"A research fellow, advisory member, and journalist associated with different North Korean human rights issues and strategic organizations were targeted by APT37. An entity in Japan associated with the United Nations missions on sanctions and human rights was also targeted," FireEye's report notes.

Reaper uses a number of methods to pull off its attacks. Social engineering and phishing operations are not generic, but instead tailored to their targets for maximum impact. The group also compromises legitimate websites to host customized malware, which is later tied into its targeted, socially engineered attacks.

The malware itself is routinely developed to target flaws in Hangul Word Processor (HWP) due to its popularity in South Korea, but Reaper also works to quickly develop and weaponize exploits for Flash after they become public knowledge, and even possesses zero-day vulnerabilities of its own.

Recent Attacks:

During the opening ceremony of the Winter Olympics this year, the event's network was infected with malware designed to wreak havoc. However, there is no indication in FireEye's brief that Reaper was connected to the incident.

Writing about the Olympic attacks, researchers working with Cisco's Talos group said the samples identified, "are not from adversaries looking for information from the games but instead they are aimed to disrupt the games. The samples analyzed appear to perform only destructive functionality."

Reaper uses destructive malware, but it also seeks workable intelligence, so while the group could have been behind the Olympic attacks, there just isn't enough evidence one way or the other.

However, the recent string of attacks using a zero-day vulnerability in Adobe Flash is the work of Reaper. The group embedded malicious SWF files inside documents.
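For defenders, the practical takeaway from that delivery method is that a document should never carry a Flash object at all. The following is an added example, not code from the article or from FireEye, of a small triage scanner that looks for SWF headers (the `FWS`, `CWS` and `ZWS` signatures, followed by a version byte and a little-endian file length) inside zip-based document packages such as OOXML, and inside the raw bytes of any other file type. The sample document it builds is constructed for the example and contains only an inert fake SWF header.

```python
import io
import zipfile

# Every SWF begins with one of three 3-byte signatures:
# FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_offsets(data: bytes) -> list:
    """Return byte offsets in `data` at which an SWF header appears.

    The header is magic(3) + version(1) + uint32 little-endian length of the
    whole file. Requiring a plausible declared length (at least the 8-byte
    header) filters out the three letters merely appearing in text.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            if idx + 8 <= len(data):
                declared_len = int.from_bytes(data[idx + 4:idx + 8], "little")
                if declared_len >= 8:
                    hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_document(data: bytes) -> list:
    """Scan a document blob for embedded SWF objects.

    Zip containers (OOXML .docx/.xlsx/.pptx, ODF) are opened and every member
    is scanned by name; anything else (OLE compound files, PDFs, plain blobs)
    is scanned as raw bytes under the pseudo-name "<raw>".
    Returns a list of (location, offset) tuples; an empty list means clean.
    """
    findings = []
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    for off in find_swf_offsets(zf.read(name)):
                        findings.append((name, off))
            return findings
        except zipfile.BadZipFile:
            pass  # "PK" prefix but not a real zip: fall back to a raw scan
    for off in find_swf_offsets(data):
        findings.append(("<raw>", off))
    return findings


def build_sample_docx_with_swf() -> bytes:
    """Constructed sample: a minimal zip shaped like an OOXML package whose
    embedded object stream holds a fake, inert CWS header after 16 bytes of
    padding. Member names are assumptions for illustration only."""
    fake_swf = b"CWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for location, offset in scan_document(build_sample_docx_with_swf()):
        print(f"embedded SWF header in {location} at offset {offset}")
```

Running the module on its own constructed sample reports the embedded object stream and the offset of the header inside it; on a mail gateway or in a sandbox pipeline, any non-empty result from `scan_document` is a reason to quarantine the file for analysis, since benign business documents have no need to carry Flash content.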

A likely threat in the future:

"North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms," FireEye's brief concludes.

"Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity. We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor."
