Hackers believed to be from North Korea are casing out US electric companies in preparation for a possible cyber attack – so says security firm FireEye.
"FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to US electric companies by known cyber threat actors likely affiliated with the North Korean government," the infosec outfit reported on Tuesday. "This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected."
FireEye has previously detected suspected Nork hackers probing the systems of South Korean utilities. The firm adds that DPRK hackers are yet to display ability to interfere with industrial control systems much less cause power outages. All this probing is nonetheless a cause for concern.
In December 2014, the South Korean government claimed that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted by wiper malware. North Korean hackers were the prime suspects in the attack, the impact of which may have been exaggerated for propaganda purposes. "This incident did not demonstrate the ability to disable operations," FireEye said. "Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean government."
Reports of reconnaissance on US utilities follow earlier reports alleging DPRK spies stole a large cache of military documents from South Korea, including a plan to assassinate North Korea's leader, Kim Jong-un.
Documents including wartime contingency plans put together with the US were stolen from South Korea's defence ministry. Information on power plants and military facilities in the south also featured among the stolen data, the BBC reports.
Rhee Cheol-hee, a South Korean lawmaker who sis on its parliamentary defence committee, said 235GB of military documents were swiped from the Defence Integrated Data Centre, adding that 80 per cent of these documents have yet to be identified. The South Korean defence ministry has so far refused to comment on the breach, which reportedly dates back to last September.
Chris Doman, a security researcher at AlienVault, said: "The recent North Korea cyber hack may relate to the reported August 2016 compromise of the South Korean ministry of defence. The group behind those attacks are named Andariel and likely a sub-group of the attackers behind the Sony attacks, WannaCry and SWIFT banks. They are very active and we continue to see new malware samples from them every week."
Suspicions that Pyongyang may have stolen intel from South Korea will do nothing to de-escalate tensions with the US, which are already at a 50-year high following the North's rocket tests. ®