Posted by on Jun 1, 2018
A few years ago, I somehow got involved in the discussion of a run-of-the-mill malicious spam campaign and ended up speaking to a journalist from the Daily Telegraph. "Is it true that North Korea may be behind this campaign?", the journalist asked me – I had a hard time trying to keep a straight face. Back then the question seemed ridiculous. Now, less than four years later, it is a totally normal thing to ask.
Malware and threats attributed to North Korea featured heavily among proposals for this year's Virus Bulletin conference and we had to turn down a number of high-quality submissions on the subject, still leaving us with several very interesting papers.
Of course, the standard disclaimer applies here: attribution is hard and many vendors, for understandable reasons, don't go further than linking attacks to specific groups and refrain from linking these groups to nation states. In the case of North Korea, this is particularly relevant for two reasons.
The first is that there is a strong suspicion that 'Olympic Destroyer', the malware that attempted to disrupt this year's Winter Olympic Games, was a false flag operation made to look as if it came from North Korea. Olympic Destroyer will be discussed at VB2018 by Cisco Talos researchers Paul Rascagnères and Warren Mercer, who have spent a lot of time researching threats affecting the Korean peninsula, their analysis of 'NavRAT' being the latest example of this.
The second reason is that it has been suggested that North Korea may use digital mercenaries in some of its attacks. If this is indeed the case, attributing attacks to the same mercenary group, even if one somehow were able to do so conclusively, wouldn't mean that the attacks were performed for the same 'customer'.
Moreover, attack groups may consist of many smaller subgroups. This is true in the case of the Lazarus Group (also known as Hidden Cobra), which is often linked with threats like the 2014 Sony Pictures hack and the 2017 WannaCry outbreak. In a VB2018 paper, ESET researchers Peter Kalnai and Michal Poslusny will look at various cells within this group, that may share code but are assumed to otherwise operate independently.
Their presentation will be followed by a paper from AhnLab researcher Minseok "Jacky" Cha, one of the leading experts when it comes to attacks on the Korean peninsula. He will discuss further attacks by the same group that followed the Sony Pictures hack and targeted the Korean peninsula.
A lesser known group that has been active in the same region is 'DOKKAEBI'. Researchers Jaeki Kim, Kyoung-Ju Kwak and Min-Chang Jang from South Korea's Financial Security Institute will present a technical paper at VB2018 with details on this group's activities.
Another company that has focused on threats in the region, and that often isn't shy of attributing attacks to nation states, is Recorded Future. Juan Andres Guerrero-Saade of their Insikt Group, a regular VB speaker, will present what promises to be a very thought-provoking paper on how we should become better at describing threat actors and their activities; I wouldn't be surprised if he mentioned some of the North Korea-linked attacks in his paper. He briefly discussed his forthcoming paper in a recent podcast.
Finally, while North Korea has indeed become a very prominent player in the cyber realm in recent years, it is worth noting that its prominence may be slightly overstated by a publication bias.
It is known that security companies don't always publish every threat they analyse. Apart form time and budget constraints, commercial and ethical considerations also play an important role here. Few, if any, security companies will see North Korea as a potential business partner and it would be hard to argue that any of these attacks are well intended. North Korea is thus almost always 'fair game' for publication.
Still, despite this possible bias, the activities are very real. Recent political developments and the possible Kim-Trump summit later this month (not to be confused with this week's Kim-Trump summit) could of course see some changes to the threat landscape in the region. So far, there have been no signs of such a change, with a US-CERT alert on two pieces of malware by the Lazarus/Hidden Cobra group published only yesterday.
Whatever the developments, VB2018 will be an excellent place to discuss them, if not in the talks (and note that a call for last-minute papers will be published in summer) then during breaks, the social events or late at night in the hotel bar: few conferences attract so many security researchers from all over the world. So remember to register for VB2018 — and don't forget to do so before 1 July, to get an early bird discount.
See you in Montreal!