Nork hackers no pantomime villains, but a hugely unpredictable menace

Modest resources, but can launch debilitating attacks

RSA 2015 North Korea's cyber attack on Sony Pictures revealed two uncomfortable truths about cybersecurity: businesses don't have to be an obvious target to get hacked, and their aggressors don't have to be superpowers.

Welcome, ladies and gentleman, to the world of asymmetric warfare on the interwebs, a themes that's likely to feature heavily at this week's RSA Conference in San Francisco.

Despite the US government's insistence, the tech world is less than completely convinced that North Korea was behind last November's Sony megahack, which saw thousands of computers on the entertainment giant's network scribed with wiper malware, as well as the theft and subsequent release of all manner of confidential information, ranging from corporate emails and employee data to unreleased films.

A group of hackers named Guardians of Peace claimed responsibility for the megahack. The FBI quickly concluded that North Korea had sought revenge for the Nork-ribbing comedy The Interview with an attack on Sony Pictures, the studio behind the film.

The (main) alternative theory — backed by most IT security experts up until fairly recently — is that disgruntled ex-employees, possibly in co-operation with hacktivists types, are the most likely culprits1.

"Sloppy" North Korean Sony attackers let their real IP addresses slip on occasion, according to the Feds. The FBI stated that, “... several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hard-coded into the data deletion malware used in this attack".

Infosec pros characterised that particular strain of evidence as flimsy and circumstantial. IP addresses are, after all, easily fake or spoofed.

However, that assessment shifted after it emerged that the NSA has been comprehensively compromising North Korea's internet infrastructure since 2010. The NSA only got on the coat-tails of South Korea's exploitation of its neighbour but (once inside) it's been rooting around ever since.

Politically motivated hacking isn't new, and the Sony hack is sadly far from unprecedented. Anonymous did something similar to the internet security company HBGary Federal, exposing corporate secrets and internal emails, back in 2011.

The Sony hack does however differ from previous assaults as it has become the first to create a diplomatic row, leading directly to the imposition of tougher sanctions against North Korea and an unconfirmed reprisal cyber attack against North Korea's internet on-ramp and flimsy internet infrastructure.

North Korea has had extensive offensive cyber capabilities for years, as covered by Voice of America (here), Al Jazeera (here), and (here). And it has extensive support from China, its primary (if not only) ally on the world stage.

Bill Hagestad, a US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that North Korea currently has more than 6,500 troops. "The PLA [Chinese Peoples Liberation Army] is assisting in training the North Korean military to cyber capability," added Hagestad, a fluent Mandarin speaker who has studied Chinese military doctrine for years and writes under the online handle "Red Dragon Rising".

Reuters reports that North Korea has poured the country's scant resources into creating a cyber warfare cell called Bureau 121, made up of a "handpicked and pampered elite" of computer science majors around 1,800 strong. Their career path through university is sketched out here. A first hand account from a defector can be found in an article by Newsweek here.

North Korean defectors say that 'Bureau 121' hackers operate from Shenyang withing the People's Republic of China, CNN reports.

The FBI in its attribution refers to IP addresses used by North Koreans, not IP addresses within North Korea, an important distinction.

It's commonly thought that North Korea is shut off from the internet or has a “walled garden” intranet only available to the country's elite, but this is not altogether true, as a blog post by Cloudmark explains.

North Korea has an extremely narrow connection to the internet. There is a single ISP, Star JV, which is a joint venture between the national telecom ministry and Thailand’s Loxley Pacific.

Star JV peers with two other networks to connect to the net, China Unicom and Intelsat, and is only allocated a single IP address block, That address block contains 1,024 IPv4 addresses.

This is a very small allocation for a country of 24 million people. For comparison, that is the same number of IP addresses as is allocated to Cloudmark.

The FBI has identified North Korea as the source of the recent compromise of Sony Pictures Entertainment (SPE).

Other researchers remain dubious of this claim, stating that the level of access gained by the attackers indicates that is was an inside job involving disgruntled ex-employees.

One argument used against the involvement of North Korea in the SPE attack is they do not have the bandwidth to receive the large volume of data that was exfiltrated from Sony.

However, the data may well have been exfiltrated to a location outside North Korea. For example, one part of the SPE attack was traced to the Regis Hotel in Bangkok.

Keep Reading

Biting the hand that feeds IT © 1998–2021