Nork hackers no pantomime villains, but a hugely unpredictable menace

Modest resources, but can launch debilitating attacks

RSA 2015 North Korea's cyber attack on Sony Pictures revealed two uncomfortable truths about cybersecurity: businesses don't have to be an obvious target to get hacked, and their aggressors don't have to be superpowers.

Welcome, ladies and gentleman, to the world of asymmetric warfare on the interwebs, a themes that's likely to feature heavily at this week's RSA Conference in San Francisco.

Despite the US government's insistence, the tech world is less than completely convinced that North Korea was behind last November's Sony megahack, which saw thousands of computers on the entertainment giant's network scribed with wiper malware, as well as the theft and subsequent release of all manner of confidential information, ranging from corporate emails and employee data to unreleased films.

A group of hackers named Guardians of Peace claimed responsibility for the megahack. The FBI quickly concluded that North Korea had sought revenge for the Nork-ribbing comedy The Interview with an attack on Sony Pictures, the studio behind the film.

The (main) alternative theory — backed by most IT security experts up until fairly recently — is that disgruntled ex-employees, possibly in co-operation with hacktivists types, are the most likely culprits1.

"Sloppy" North Korean Sony attackers let their real IP addresses slip on occasion, according to the Feds. The FBI stated that, “... several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hard-coded into the data deletion malware used in this attack".

Infosec pros characterised that particular strain of evidence as flimsy and circumstantial. IP addresses are, after all, easily fake or spoofed.

However, that assessment shifted after it emerged that the NSA has been comprehensively compromising North Korea's internet infrastructure since 2010. The NSA only got on the coat-tails of South Korea's exploitation of its neighbour but (once inside) it's been rooting around ever since.

Politically motivated hacking isn't new, and the Sony hack is sadly far from unprecedented. Anonymous did something similar to the internet security company HBGary Federal, exposing corporate secrets and internal emails, back in 2011.

The Sony hack does however differ from previous assaults as it has become the first to create a diplomatic row, leading directly to the imposition of tougher sanctions against North Korea and an unconfirmed reprisal cyber attack against North Korea's internet on-ramp and flimsy internet infrastructure.

North Korea has had extensive offensive cyber capabilities for years, as covered by Voice of America (here), Al Jazeera (here), and (here). And it has extensive support from China, its primary (if not only) ally on the world stage.

Bill Hagestad, a US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that North Korea currently has more than 6,500 troops. "The PLA [Chinese Peoples Liberation Army] is assisting in training the North Korean military to cyber capability," added Hagestad, a fluent Mandarin speaker who has studied Chinese military doctrine for years and writes under the online handle "Red Dragon Rising".

Reuters reports that North Korea has poured the country's scant resources into creating a cyber warfare cell called Bureau 121, made up of a "handpicked and pampered elite" of computer science majors around 1,800 strong. Their career path through university is sketched out here. A first hand account from a defector can be found in an article by Newsweek here.

North Korean defectors say that 'Bureau 121' hackers operate from Shenyang withing the People's Republic of China, CNN reports.

The FBI in its attribution refers to IP addresses used by North Koreans, not IP addresses within North Korea, an important distinction.

It's commonly thought that North Korea is shut off from the internet or has a “walled garden” intranet only available to the country's elite, but this is not altogether true, as a blog post by Cloudmark explains.

North Korea has an extremely narrow connection to the internet. There is a single ISP, Star JV, which is a joint venture between the national telecom ministry and Thailand’s Loxley Pacific.

Star JV peers with two other networks to connect to the net, China Unicom and Intelsat, and is only allocated a single IP address block, That address block contains 1,024 IPv4 addresses.

This is a very small allocation for a country of 24 million people. For comparison, that is the same number of IP addresses as is allocated to Cloudmark.

The FBI has identified North Korea as the source of the recent compromise of Sony Pictures Entertainment (SPE).

Other researchers remain dubious of this claim, stating that the level of access gained by the attackers indicates that is was an inside job involving disgruntled ex-employees.

One argument used against the involvement of North Korea in the SPE attack is they do not have the bandwidth to receive the large volume of data that was exfiltrated from Sony.

However, the data may well have been exfiltrated to a location outside North Korea. For example, one part of the SPE attack was traced to the Regis Hotel in Bangkok.

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021