In August 2018, the US Department of Justice (DoJ) unsealed the indictment of a North Korean spy, Park Jin Hyok, whom they claim was behind the hack against Sony and the creation and distribution of theWannaCry ransomware. The 170-plus-page document was written by Nathan Shields of the FBI’s LA office and shows the careful sequence of forensic analysis they used to figure out how various attacks were conducted.
Security researchers have given Park’s organization various monikers, including the Lazarus Group, APT37, Lab 110, Group 123, Hidden Cobra, Nickel Academy and Reaper. Some are from themalware elements they created. That is the first thing that you will learn from the indictment: the North Koreans have been at the center of many different campaigns over the past six or so years.
Of course, the North Korean government denies that Park ever existed and that the crimes he is accused of have “nothing to do with us.” Rather than enter into that debate, let’s look at what the FBI found and what lessons CISOs and other IT managers can learn from this remarkable situation.
How the FBI found the Sony hackerYou should read the charging document not from a legal perspective, but rather for what it shows about North Korea’s determination to penetrate our networks. Here’s what the FBI discovered about how Sony was hacked.
The FBI was able to digitally track Park’s movements. He was stationed in a Chinese border city working for Chosun Expo, a North Korean government front company known for its military hacking operations. Before the Sony hacks began, he returned to North Korea.
First, the FBI methodically took apart the various pieces of malware and put together attack timelines on the three Sony breaches and three different WannaCry versions.
The Sony malware contained 10,000 hard-coded host names that showed the hackers had done extensive research from living inside Sony’s network for several months undetected. It also contained code that was designed to attack the specific Unix/linux systems that were used on the Sony network.
Reconnaissance was done in the fall of 2014, before the first attack happened in December . This was just prior to the release of the movie The Interview , which was one of the motivations for the attack.
The attackers used a number of other targeted elements, including spoofed spear phished emails that appeared to come from the Facebook accounts of Sony staffers. These emails were infested with malware attachments. Other emails were sent to AMC Theater personnel. AMC was scheduled to screen the movie on its opening for Christmas. Like Sony, these emails contained malware attachments, but these attempts to penetrate AMC’s network weren’t successful.
The same email and IP addresses that were used to attack Sony were also used to try to attack a British production company that was developing an independent TV series based on another North Korean-related plot line. In his book Dawn of the Code War , John Carlin describes the details about these efforts and also has a more narrative description of the series of attacks on Sony and other efforts by other nation-state cyberterrorists.
During 2016, the same North Korean actors also compromised SWIFT payment networks and stole funds from various banks in SE Asia. The FBI shows that they began targeting these banks in the fall of 2014. The banks were infected with a backdoor that communicated over a custom binary protocol designed to look like TLS traffic. The malware found in both the Asian banks and Sony shared a similar secure delete function that tied them to the North Korean hackers.
US Department of Justice
The complex network that was used by the North Korean hackers to penetrate Sony Pictures
Park and his cronies were busy: Other watering hole attacks were targeted at various Polish banks that were discovered in 2017 and seemed to begin in the fall of 2016. The same email and Facebook accounts and North Korean IP addresses used in these attacks were also part of other campaigns to breach other US corporations, including Lockheed Martin and several South Korean businesses. Some of the malware created by the North Koreans includes Brambul and Destover.
The FBI corroborated its analysis with published work from the Russian research analysts at Group-IB. Their report was released in mid 2017 and also linked many of these hacking attempts together.
Finally, elements of the malware pieces used in the above hacks were also present in WannaCry, along with key tells such as IP and email addresses. WannaCry actually has three different versions, all of which are linked together by common code and shared Bitcoin wallet payments.
North Korea’s far-reaching command and control infrastructureWhat struck me as I read through the indictment was the global reach of the North Korean command and control infrastructure. Servers were scattered in the US, South Africa, Saudi Arabia, Poland and other countries. Email accounts were accessed by multiple VPNs and proxy servers around the world as well, showing a deliberate effort to obscure their origins. Multiple backdoors and Trojans were employed, launched by numerous Gmail accounts and fake Facebook profiles. You can see an illustration of the various accounts that were linked to Park below.
US Department of Justice
Park’s complex network of various email accounts and infrastructure used in the Sony hacks
What makes this all the more incredible is that until relatively recently, the entire country of North Korea had about a thousand available public IP addresses and a very low-bandwidth internet connection. This was one of the reasons why a rogue collection of hackers was able to set up a DDoS attack on their ISP in January 2016 , to retaliate the Sony campaigns.
Key takeaways for CISOs and IT managementHere are 5 lessons for IT security that can be gleaned from the charging document and the various North Korean hacking efforts.