Pyongyang’s cyber playbook includes DDoS attacks against websites, intrusions into systems to extract data, and potentially destructive computer worm capabilities.
First Published 16th June 2017
"We might be hungry, but we'll see you at Black Hat."
4 min read | Reflare Research Team
The United States Computer Emergency Readiness Team, better known as US-CERT, issued a technical alert this week (TA17-164A) outlining what it claims to have identified as a North Korean hacking team.
The report
The team, named Hidden Cobra, is alleged to have been active since 2009 and to be responsible for several cyber attacks, carried out mostly with exploits against known vulnerable software and with botnets. Popular rumours, which we explicitly do not intend to confirm, even attribute the recent WannaCry ransomware attacks to Hidden Cobra.
The alert includes a large amount of technical information: IP ranges, targeted applications, file fingerprints and detection signatures. This is notably more detailed than what the FBI released in the reports that preceded US sanctions against Russia.
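The practical value of an alert like this lies in the indicators, and the first thing most defenders do with published IP ranges is sweep their own logs for them. The following is an added example written for this article, not code from Reflare or from US-CERT; the indicator list and the web-server log lines are constructed for the demo (RFC 5737 and RFC 3849 documentation addresses) and are not indicators from the actual alert.

```python
"""Match web-server log lines against a list of published IP-range indicators.

Added example: editor-written illustration code, not part of the original
article and not from the US-CERT alert. The CIDR ranges and log lines are
CONSTRUCTED for the demo (documentation address ranges only).
"""
import ipaddress
import re

# Constructed indicator list in the shape a CERT alert typically publishes:
# one CIDR or single address per line, comments allowed.
INDICATOR_TEXT = """
# constructed sample indicators, not from any real alert
198.51.100.0/24
203.0.113.42
2001:db8:abcd::/48
"""

# Constructed combined-format (Apache/nginx) log lines for the demo.
SAMPLE_LOG = """\
198.51.100.17 - - [16/Jun/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.8 - - [16/Jun/2017:10:01:05 +0000] "GET /login HTTP/1.1" 200 220 "-" "curl/7.52"
203.0.113.42 - - [16/Jun/2017:10:02:11 +0000] "POST /upload.php HTTP/1.1" 403 0 "-" "python-requests/2.18"
2001:db8:abcd:1::9 - - [16/Jun/2017:10:03:00 +0000] "GET /admin HTTP/1.1" 404 0 "-" "-"
not a log line at all
"""


def parse_indicators(text: str) -> list:
    """Parse CIDR or single-address indicators into ip_network objects.

    Single addresses become /32 or /128 networks so every entry is matched
    the same way. Blank lines and '#' comments are skipped; malformed
    entries raise rather than being silently dropped, because a typo in a
    blocklist should fail loudly.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


# Leading token of a combined-format log line is the client address.
_CLIENT_RE = re.compile(r"^(\S+)\s")


def match_log(log_text: str, indicators: list) -> list:
    """Return (line_number, client_ip, matched_network) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _CLIENT_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first token is not an IP address; skip the line
        for net in indicators:
            # Version check keeps v4 addresses from being tested against v6 nets.
            if addr.version == net.version and addr in net:
                hits.append((lineno, str(addr), str(net)))
                break
    return hits


if __name__ == "__main__":
    for lineno, ip, net in match_log(SAMPLE_LOG, parse_indicators(INDICATOR_TEXT)):
        print(f"line {lineno}: {ip} matches indicator {net}")
```

Treat hits as triage leads rather than verdicts: IP indicators age quickly, and shared hosting or proxy infrastructure produces false positives, so each match should be confirmed against the alert's file hashes and signatures before anything is blocked or reported.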
Who is US-CERT?
US-CERT is a central agency that coordinates the sharing of threat information and threat responses among US organizations and companies. It also cooperates with similar CERTs in other countries, such as Japan’s JPCERT/CC or Germany’s CERT-Bund. CERTs generally hold no political interests and perform a purely technical role, and the industry’s level of trust in them is high.
Why is US-CERT focused on North Korea?
While major military powers such as the US, Russia or China have well-known cyber attack capabilities, the proportionally large number of attacks attributed to small states such as North Korea and Palestine, or even to non-state actors such as radical ideological movements and terrorist organizations, often causes confusion.
Why is it that smaller actors seemingly play a disproportionally large role in cyber attacks?
The determining factors are cost and leverage. A small actor would be hard pressed to significantly increase its physical military presence. Doubling the strength of an army usually means either doubling the number of conscripts, an extremely unpopular and expensive measure, or drastically increasing the effectiveness of its weaponry, a measure that is equally costly and often technically out of reach.
A state-sponsored hacking team, by contrast, can consist of as few as a dozen members and be well equipped for a fraction of the cost of a single warplane. While the price of previously unknown (zero-day) vulnerabilities on the grey and black markets is steadily increasing, even highly critical exploits in widely deployed systems can still be acquired for single-digit millions of dollars or less.
In other words, for the price of developing a single intercontinental ballistic missile (ICBM), a small actor can today build and fund one of the strongest offensive hacking teams in the world. And while developing an ICBM may draw international sanctions, the secretive nature of cyber operations and the difficulty of attribution mean that consequences for developing, and even using, the new capability are highly unlikely.
Summary
While we cannot confirm US-CERT’s recent report, the information it contains is internally consistent. Relatively small governments and regional actors are developing disproportionately strong cyber capabilities because the return on investment is far better than that of traditional military spending.
We expect this trend to continue for the foreseeable future, in international security matters and beyond.