
Russian military companies were reportedly attacked by hackers from North Korea

The North Korean hacker group Kimsuky has reportedly conducted several attacks on the Russian military-industrial complex in order to obtain Russia's military and technological secrets.

According to the cybersecurity company Group-IB, attacks by hackers from the Democratic People's Republic of Korea on the Russian defense industry took place in the spring of 2020. North Korean cyber criminals sought to obtain data from aerospace and defense companies, as well as from enterprises that produce artillery equipment.

The Telegram channel SecAtor reported that Rostec was among the companies that were attacked. RT-Inform, a subsidiary of Rostec that deals with information security, did not confirm or deny this information, but noted that the number of cyber attacks on the resources of the state corporation increased from April to September.

"Most of the attacks were poorly prepared and did not pose a significant threat when they were exposed, but this could only be preparation," said RT-Inform.

Experts believe that in this case, hackers from the DPRK will soon launch new, more well-prepared attacks.

Kimsuky, also known as Velvet Chollima and Black Banshee, is engaged in cyber espionage. According to Group-IB, the North Korean hackers previously attacked facilities in South Korea, but then turned to enterprises producing artillery equipment and armored vehicles in Russia, Ukraine, Slovakia and Turkey, using fraudulent mailings.

According to Denis Legezo, a cybersecurity expert at Kaspersky Lab, some fraudulent emails from North Korean groups contain information about vacancies in the aerospace and defense industries. He believes that this indicates the interest of hackers in industrial espionage.

As reported by E Hacking News, in September in Russia there were cases of attacks by the Chinese hacker group Winnti on software developers for banks, as well as on companies in the construction sector. Winnti has previously repeatedly hacked the networks of industrial and high-tech companies from Taiwan and Europe, but the group's activities have not yet been reported in Russia.

United States Issues Alert on North Korean Threat Actors Finding Better Ways to Rob Banks


The Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Treasury Department, the FBI, and U.S. Cyber Command issued a joint warning on August 26th, alerting that North Korean hackers have reopened their campaign of targeting banks across the globe by making fraudulent transactions and ATM cash-outs.

The threat actors have made a systematic effort to attack financial institutions worldwide. They employ bold methods that do not guarantee a 100% success rate. However, these North Korean hackers have manipulated the ways in which some of the largest financial institutions interact with the international banking system. They dupe components of the system into treating the hackers as legitimate users, which allows them to transfer tens of millions of dollars into their accounts.

As these hackers continually intruded into bank transaction records and log files, financial institutions were prompted to release security alerts and necessary upgrades to counter and limit the threat. In their haste to acquire valuable user data for ransom, these hackers have tampered with hundreds of thousands of machines across the globe.

Notably, the attackers have learned from their failures and amended their modus operandi to be more effective in their operations and fraudulent campaigns, as can be seen in the $81 dollar theft from a Bangladeshi bank that they carried out in 2016. Other instances of their most profitable operations include attacking 30 countries in a single incident of fraudulent ATM cash-outs.

The alert came up with an “overview of North Korea’s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.”

These attackers’ “international robbery scheme” poses a “severe operational risk” for individual banks beyond reputational harm and financial losses. A robbery directed at one bank may implicate multiple banks “in both the theft and the flow of illicit funds back to North Korea,” as per the alert.

They “initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors,” the alert states, cautioning that this suggests the hackers “are exploring upstream opportunities in the payments ecosystem.” The alert further warned.

US Army Says North Korea Has Hackers and Electronic Warfare Specialists Working and Operating Abroad


A report published a month ago by the US Army said North Korea has at least 6,000 hackers and electronic warfare specialists working in its ranks, with a large number of them operating abroad in nations such as Belarus, China, India, Malaysia, and Russia.
The report is a tactical manual that the US Army uses to train its troops and military pioneers, and which the Army made public for the first time only last month.

Named "North Korean Tactics," the 332-page report contains a 'treasure trove' of data about the Korean People's Army (KPA), such as its military strategies, weaponry, leadership structure, troop types, logistics, and electronic warfare capabilities.

Most of the report deals with conventional military tactics and capabilities, but it also highlights North Korea's clandestine hacking units. "Most EW [electronic warfare] and cyberspace warfare operations take place within the Cyber Warfare Guidance Unit, more commonly known as Bureau 121," the US Army said.

This assessment is consistent with past reports from the intelligence and cybersecurity communities, which have also linked all of North Korea's hackers back to Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency that is a part of the National Defence Commission.

The US Army says Bureau 121 has grown exponentially in recent years, as North Korea has expanded its cyberspace operations. According to the report, Bureau 121 grew from "at least 1,000 elite hackers in 2010" to more than 6,000 members today.

The number is consistent with comparable figures published by the South Korean Defence Ministry, which said that North Korea was operating a cyberwarfare staff of 3,000 in 2013, a number that later doubled to 6,000 by 2015.

However, the US Army currently believes that its 6,000 figure isn't entirely accurate. Army officials state that they have estimates for the internal divisions within Bureau 121, numbers that do not appear to have been released before last month.

They don't have an exact number for the members of the Lazarus Group sub-division, yet this is the group to which North Korean authorities mostly turn "to create social chaos by weaponizing enemy network vulnerabilities and delivering a payload if directed to do so by the regime."

While the US Army report doesn't go into much detail on why the Pyongyang regime lets military hackers travel abroad, previous reports and court documents have covered this, with the Pyongyang regime using its hackers to set up shell companies that serve both as cover when setting up 'foreign-based server infrastructure' and as 'intermediary entities in money laundering operations'.

In any case, while the US Army report acknowledges that North Korean hackers have been engaged in financial cybercrime, Army officials go significantly further and portray the whole North Korean government as a criminal network, with the Kim regime being associated with a wide range of activities that also include drug trading, counterfeiting, and human trafficking, and not simply various kinds of cybercrime.

Discovery of a New Malware Framework and Its Linkages with a North Korean Hacker Group



The discovery of a brand new malware framework and its links to a North Korean hacker group has heightened the panic within the digital world. Kaspersky, the cybersecurity company, has already alerted SOC teams to the discovery.

Referred to as "MATA," the framework has been in use since around April 2018, principally in attacks intended to steal customer databases and distribute ransomware.

The framework gives its controllers the flexibility to target Windows, Linux, and macOS, and comprises several components, including a loader, an orchestrator, and plugins.

Kaspersky linked its use to the North Korean group "Lazarus", which has been engaged for a considerable length of time in 'cyber-espionage' and sabotage and, by means of its Bluenoroff subgroup, attempts to collect illegal funds for its Pyongyang masters.

The group was even blamed for WannaCry, as well as sophisticated attacks on financial institutions, including the notorious $81m raid on Bangladesh Bank. Kaspersky senior researcher Seongsu Park contended that the most recent attacks connected to Lazarus show its willingness to invest serious resources in creating new malware toolsets in the chase for money and data.

“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups,” he added later.

“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected.”

The security vendor encouraged SOC teams to access the most recent threat intelligence feeds, install dedicated security on all Windows, macOS and Linux endpoints, and back up regularly.

The framework seems to have been deployed in a wide variety of scenarios, focusing on e-commerce firms, software developers, and ISPs across Poland, Germany, Turkey, Korea, Japan, and India.

US Intelligence Reveals Malware, Blames North Korea


The FBI (Federal Bureau of Investigation), US Cyber Command, and DHS (Department of Homeland Security) recently discovered a hacking operation that is believed to originate from North Korea. To inform the public, the agencies issued a security statement containing information on the six pieces of malware that the North Korean hackers are currently using.


US Cyber Command's subordinate unit, Cyber National Mission Force (CNMF), published on its official Twitter account that the North Korean hackers are spreading the malware via phishing campaigns. The tweet says, "Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert …. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM."

According to US Cyber Command, the malware allows the North Korean hackers to sneak their way into infected systems and steal money. The stolen funds are then transferred back to North Korea, all to avoid the economic sanctions imposed upon it. This is not the first time that news has appeared of the North Korean government using hackers to steal money and cryptocurrency to fund its nuclear and missile programs and avoid economic sanctions. According to the US agencies' reports, the six pieces of malware are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie, and Buffetline. The official websites and Twitter accounts of DHS and US Cyber Command have complete details about the malware.

The US Blames Lazarus Group for the Attack

The Cybersecurity and Infrastructure Security Agency (CISA) claims that the attack was carried out by the North Korean hacker group Lazarus. The group also works under an alias, Hidden Cobra, and is one of the largest and most active hacker groups in North Korea. According to the DOJ (Department of Justice), Lazarus was also involved in the 2014 Sony hack, the 2016 Bangladesh Bank attack, and planning the 2017 WannaCry ransomware outbreak.

A new 'Name and Shame' approach

Previously, the US avoided issuing statements when it faced cyber attacks. Now, however, it has adopted a new name and shame approach to deal with this issue. US Cyber Command publishes details of the malware publicly on its Twitter handle, along with the nation responsible. This didn't happen earlier.

Internet Explorer Targeted by North Korean Hackers: How to Stay Safe?



In a recent cybersecurity incident, hackers from North Korea are attacking Internet Explorer by exploiting a vulnerability that is said to be a zero-day flaw. Microsoft has not yet commented on the issue.



Users should stop using Internet Explorer for a while to stay safe from the hackers, cybersecurity experts suggest. Users who still prefer Microsoft software can download Microsoft's latest Edge browser. The Edge browser is safe from the attack and also offers a better browsing experience than Internet Explorer. Other secure browsers include Google Chrome and Mozilla Firefox.

But if users still want to use the traditional software, cybersecurity experts at Tom's Guide suggest using a limited user account that cannot make software modifications.

Microsoft is not scheduled to release its next security patch until the 11th of February, so it is a long wait before the update is issued.

Microsoft reveals the Flaw-

In an online advisory published on 17th January, Microsoft explained the vulnerability, saying the flaw allows the hacker to corrupt memory and execute arbitrary code. If the attack succeeds, the hacker has the same access to the system as the genuine user.

"Let us imagine a scenario where the hacker hosts a website on the web, which is specially made to exploit the vulnerability via Internet Explorer. In this case, the hacker can lure the user to visit the website by sending him emails," says Microsoft.

Once the hacker has access to admin user rights, the user's system is compromised and the hacker has command over it. He can modify programs, install or delete any existing software or, worse, delete important data.

The hackers are likely to be from North Korea-

One should not ignore this vulnerability because it has ties to hackers from North Korea. The attack on Internet Explorer seems to be similar to the one that affected Mozilla Firefox. Researchers at Qihoo 360 discovered the attack and accused Darkhotel, a group of hackers from North Korea, of carrying out this activity.

ISRO targeted by North Korean Hackers during Chandrayaan-2 Launch


According to fresh reports from various experts, it appears that Chandrayaan-2 (also known as Mission Moon), a famous mission by the Indian Space Research Organisation (ISRO), was attacked by hackers from North Korea. It also appears that the attacks were carried out using malware named Dtrack, which is connected to a group of North Korean hackers run by the government. "The malware was identified by the Financial Institute and Research Centers in 18 Indian states," confirm the reports by Kaspersky, a cybersecurity firm.


It is also said that the same malware was used in hacks on the Kudankulam nuclear plant. The National Cyber Coordination Center, which works to protect the nation from harmful cyber intrusions, recently received critical information about the hack from a US cybersecurity firm. It said that the Kudankulam Nuclear Plant's master domain controllers, alongside ISRO, were attacked by the hackers. Following this incident, Kaspersky's specialists detected the malware and notified the Indian government of the issue before the Chandrayaan-2 landing.

"The hack was organized using very simple and basic techniques like phishing emails, an unedited browser, and poor security that resulted in allowing the hackers to easily invade the devices," says Yash Kadakia, founder of Security Brigade, a cybersecurity firm in Mumbai, in an interview. He further adds that a similar server was used to send spam to senior nuclear experts at the nuclear plant in Kudankulam, and that the hackers also aimed to target other experts at ISRO later.

About Dtrack Malware-

Created by North Korean hackers, the Dtrack malware gives the hackers full control, allowing them to obtain data from the device. The malware can abuse devices with weak privacy and passwords. Once it gets onto a device, it can obtain critical information such as catalogs, IDs, user history, and IP addresses. "A high number of DTrack attacks were discovered. The hack was carried out by Lazarus, which has become a major concern for big corporations," said Konstantin Zykov, a researcher at Kaspersky Cybersecurity, at an event in Delhi.

US issues warning against malware 'Electricfish' linked with North Korea








The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint security warning about a new malware called "Electricfish," which is allegedly linked to a state-sponsored North Korean cyberattack group.

The investigators uncovered the malware while they were tracking the activities of Hidden Cobra, a group believed to be sponsored by the North Korean government.

The warning released by the US Computer Emergency Readiness Team on Thursday says that the malware is a 32-bit Windows executable program. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.

"The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session."

"The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network," read the warning.


The whole list of Indicators of Compromise (IOC) for Electricfish can be downloaded here

Russian Hacking Trouble for the Cyber World



According to data analysis by computer security company CrowdStrike, Russian hacking teams give the victim only 19 minutes to respond to an attack. The next fastest group were the North Koreans, who took two hours to jump to the next server to spread the attack. Third on the list come Chinese attackers, who on average give the victim four hours to foil the attack.

The measured time is coined as "dubbed time" and is the time an attacker takes to jump from one network to another to spread the attack. Introducing the concept, CrowdStrike wrote in its report that it “shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker before sensitive data can be stolen or destroyed.”

According to the author, Pete Singer, the new analysis is eye-opening, "These stats are driven by a whole variety of factors, among them the skills and capability, the relative risk each is making in their likelihood of getting caught and the consequences. No matter how you look at it, an average of 18 minutes is quite amazing given the scale."

Russian hackers have attacked many defense and military establishments throughout Europe and NATO since last year. Russian hackers were also alleged to have attacked the PyeongChang Winter Olympic Games in 2018.

Chris Krebs, DHS Cybersecurity and Infrastructure Security Agency Director, told defenseone.com recently, “We are doubling down on election security in advance of the 2020 election. Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”

According to research from Arizona State University, the likelihood of a known vulnerability being exploited depended greatly on the country of the attacker. For instance, the researchers looked at Dark Web chat rooms where attackers were discussing vulnerabilities in the National Database. If the hackers discussing the bug were Chinese, the chance of the vulnerability in question being exploited was nine percent, but if the conversation was between Russians, the probability of exploitation was forty percent.

Infamous North Korean Hacking Group Steals $571 Million in Cryptocurrency


The North Korean hacking group Lazarus has managed once more to embezzle more than a billion dollars in cryptocurrency. The group has purportedly carried out such thefts since January 2017, amassing an enormous $571 million from the attacks. This is according to an article published on Friday by The Next Web as well as the upcoming annual report from the cybersecurity vendor Group-IB.

Claims made by some South Korean officials in February state that North Korean hackers likely stole millions of dollars' worth of cryptocurrency in 2017.

Since the beginning of last year, the biggest share among hacking outfits has come from Lazarus, which stole $571 million in cryptocurrency. Its largest haul, $534 million, came from a single attack carried out in January 2018.

According to the prominent cybersecurity firm Group-IB, the hacking outfits are accustomed to using techniques ranging from spear phishing to social engineering and malware deployment to compromise cryptocurrency exchange networks.

"After the local network is successfully compromised, the hackers browse the local network to find work stations and servers used working with private cryptocurrency wallets," says the summary of an annual report prepared by the unit detailing the situation of hi-tech cybercrime trends across the globe. It also indicates that $882 million in cryptocurrency was stolen from exchanges in total from 2017 to 2018.

Massive phishing groups, the report stated, are exploiting users' fear of missing out on a major opportunity, baiting them into investing their resources in fake projects on knockoff websites.

Group-IB additionally states that the number of attacks targeting crypto exchanges is likely to rise further, with hackers who target more conventional financial institutions, such as banks, being attracted to the space in search of large gains.

More worryingly, these thefts are predicted to increase over time, as more and more aggressive hacking groups are likely to move towards cryptocurrency.

South Korean Newspaper Reports North Korean Hackers Behind Attacks on Cryptocurrency Exchanges

Chosun Ilbo, a major South Korean newspaper, reported on Saturday that according to a South Korean spy agency, North Korean hackers were behind the theft of about $6.99 million (7.6 billion won) worth of cryptocurrencies this year, which now amount to almost $82.7 million (90 billion won).

The report said that these attacks included the theft of cryptocurrencies from accounts at exchanges Yapizon (now called Youbit), and Coinis, in April and September.

According to the newspaper's report, the leak of the personal information of about 36,000 accounts from Bithumb, a major cryptocurrency exchange, in June was also connected with North Korean hackers, as discovered by the country’s National Intelligence Service (NIS).

Again citing NIS, Chosun Ilbo also reported that these hackers had demanded around $5.5 million (6 billion won) in return for deleting the stolen information.

These hackers were also responsible for another attack on about 10 other exchanges in October, which was stopped by the Korea Internet Security Agency (KISA), as per the report.

The newspaper also reported that according to NIS, the malware used in the emails to hack the exchanges was made with a method similar to the one used in hacking Sony Pictures in 2014 and the Central Bank of Bangladesh in 2016, and that the email IDs used in the attacks were also North Korean.

South Korea hit by cyber attack.




Yesterday South Korea was hit by a massive cyber attack. The attack disrupted the functioning of three banks and two TV channels. The banks were hit such that no financial transactions could be made.

The TV channels were affected by having their computers locked, which prevented them from editing or functioning at full efficiency. The attack points towards North Korea, which only days ago said it would attack South Korea.

The attacks originated from China, but this might simply be because IP addresses from North Korea are not allowed in South Korean cyberspace, so the hackers could have used compromised computers in China to bypass that restriction and also to hide their real location.

Unlike other "disruption" attacks which rely on DDoS, this was done using a malware called "DarkSeoul" which "locked" the systems.

This sort of attack is more dangerous because when you block a DDoS attack the servers get back to "normal" with minimum effort, but a virus attack takes much longer to recover from, and even then you can't really be sure that the computers are fully clean.

This recent attack shows that a strong "physical" army is not needed to bring down another country. A few experienced hackers can do the work of a massive army.

30 North Korean hackers steal millions of dollars from online gaming sites

North Korea stands accused by its southern rival of operating an elaborate hacking network that allegedly broke into online sites hosted in South Korea and stole prize points worth almost £3.7m ($6m). South Korean police claim $6m was stolen after 30 hackers from the North infiltrated online game servers in Seoul. North Korea has denied allegations by South Korea that it engaged in a computer hacking scheme to steal millions of dollars from online gaming sites.

South Korean police recently arrested five suspects they say were recruited to work in China alongside more than 30 hackers from North Korea. The hackers allegedly broke into gaming sites and stole gaming points worth around $6 million. The North has been accused several times in recent years of mounting cyber attacks on the South. Pyongyang has denied all the allegations.
