In August 2018, the US Department of Justice (DoJ) unsealed the indictment of a North Korean spy, Park Jin Hyok, whom they claim was behind the hack against Sony and the creation and distribution of the WannaCry ransomware. The 170-plus-page document was written by Nathan Shields of the FBI’s LA office and shows the careful sequence of forensic analysis they used to figure out how various attacks were conducted.
Security researchers have given Park’s organization various monikers, including the Lazarus Group, APT37, Lab 110, Group 123, Hidden Cobra, Nickel Academy and Reaper. Some are from the malware elements they created. That is the first thing that you will learn from the indictment: the North Koreans have been at the center of many different campaigns over the past six or so years.
Of course, the North Korean government denies that Park ever existed and that the crimes he is accused of have “nothing to do with us.” Rather than enter into that debate, let’s look at what the FBI found and what lessons CISOs and other IT managers can learn from this remarkable situation.
How the FBI found the Sony hacker
You should read the charging document not from a legal perspective, but rather for what it shows about North Korea’s determination to penetrate our networks. Here’s what the FBI discovered about how Sony was hacked.
The FBI was able to digitally track Park’s movements. He was stationed in a Chinese border city working for Chosun Expo, a North Korean government front company known for its military hacking operations. Before the Sony hacks began, he returned to North Korea.
First, the FBI methodically took apart the various pieces of malware and put together attack timelines on the three Sony breaches and three different WannaCry versions.
The Sony malware contained 10,000 hard-coded host names that showed the hackers had done extensive research from living inside Sony’s network for several months undetected. It also contained code that was designed to attack the specific Unix/Linux systems that were used on the Sony network.
Reconnaissance was done in the fall of 2014, before the first attack happened in December. This was just prior to the release of the movie The Interview, which was one of the motivations for the attack.
The attackers used a number of other targeted elements, including spoofed spear phished emails that appeared to come from the Facebook accounts of Sony staffers. These emails were infested with malware attachments. Other emails were sent to AMC Theater personnel. AMC was scheduled to screen the movie on its opening for Christmas. Like Sony, these emails contained malware attachments, but these attempts to penetrate AMC’s network weren’t successful.
The same email and IP addresses that were used to attack Sony were also used to try to attack a British production company that was developing an independent TV series based on another North Korean-related plot line. In his book Dawn of the Code War, John Carlin describes the details about these efforts and also has a more narrative description of the series of attacks on Sony and other efforts by other nation-state cyberterrorists.
During 2016, the same North Korean actors also compromised SWIFT payment networks and stole funds from various banks in SE Asia. The FBI shows that they began targeting these banks in the fall of 2014. The banks were infected with a backdoor that communicated over a custom binary protocol designed to look like TLS traffic. The malware found in both the Asian banks and Sony shared a similar secure delete function that tied them to the North Korean hackers.
US Department of Justice
The complex network that was used by the North Korean hackers to penetrate Sony Pictures
Park and his cronies were busy: Other watering hole attacks were targeted at various Polish banks that were discovered in 2017 and seemed to begin in the fall of 2016. The same email and Facebook accounts and North Korean IP addresses used in these attacks were also part of other campaigns to breach other US corporations, including Lockheed Martin and several South Korean businesses. Some of the malware created by the North Koreans includes Brambul and Destover.
The FBI corroborated its analysis with published work from the Russian research analysts at Group-IB. Their report was released in mid 2017 and also linked many of these hacking attempts together.
Finally, elements of the malware pieces used in the above hacks were also present in WannaCry, along with key tells such as IP and email addresses. WannaCry actually has three different versions, all of which are linked together by common code and shared Bitcoin wallet payments.
North Korea’s far-reaching command and control infrastructure
What struck me as I read through the indictment was the global reach of the North Korean command and control infrastructure. Servers were scattered in the US, South Africa, Saudi Arabia, Poland and other countries. Email accounts were accessed by multiple VPNs and proxy servers around the world as well, showing a deliberate effort to obscure their origins. Multiple backdoors and Trojans were employed, launched by numerous Gmail accounts and fake Facebook profiles. You can see an illustration of the various accounts that were linked to Park below.
US Department of Justice
Park’s complex network of various email accounts and infrastructure used in the Sony hacks
What makes this all the more incredible is that until relatively recently, the entire country of North Korea had about a thousand available public IP addresses and a very low-bandwidth internet connection. This was one of the reasons why a rogue collection of hackers was able to set up a DDoS attack on their ISP in January 2016, to retaliate the Sony campaigns.
Key takeaways for CISOs and IT management
Here are 5 lessons for IT security that can be gleaned from the charging document and the various North Korean hacking efforts.
1. Phishing awareness training is essential
The reason AMC didn’t fall for the spoofed emails is that they had more training, and better defenses. Awareness training needs to happen on a continuous, year-round basis. The hackers are getting better at crafting their phishing emails to look more genuine, and use insider information, corporate logos and templates, and almost-similar domain names and email addresses to fool recipients.
Various vendors offer awareness training programs, including Wombat Security, KnowBe4, MediaPro.com and the SANS Institute. The goal of such programs should be assessment, education, reinforcement, and measurement in a continuous cycle. Also, think about how you can offer incentives to your users to make the training less onerous and thereby more effective.
2. Evaluate your intrusion detection system
Enterprises need better early warning intrusion detection mechanisms. The North Koreans lived for many months inside the Sony and other networks, learning what servers to hit and which employee accounts to mimic. If your intrusion detection system (IDS) can’t detect intruders, it is time to look for other solutions.
Each target acquired by the hackers was carefully picked and researched to improve the realism and the chances of their phished emails and watering holes ensnaring victims. Other than the AMC theater company, they were incredibly successful at penetrating other corporate networks and spending months looking around inside to find the right targets.
3. Beef up network segmentation
To complement your IDS, you also need to beef up your network segmentation. Sony’s network wasn’t well partitioned, which made it easier for hackers to move laterally across it. Separate data into the appropriate places where it makes sense.
4. Audit access controls
It is time to audit your access controls. Examine which employees have administrative rights and understand if these are too generous in terms of permissions.
5. Perform red team exercises
Look at having red team exercises to find weak spots. The full report contains details that red teams can use to help determine whether your network would be vulnerable to the same tactics that the Sony hackers used. Ideally, perform your red team exercises after you’ve addressed the other points above.