Mitigating the North Korean Cybersecurity Threat
Cybersecurity firm Kaspersky recently published an analysis that detailed how a North Korean threat actor, which it called the BlueNoroff group, is stealing cryptocurrency by bypassing the “Mark of the Web” flag security feature within the Windows operating system.
Kaspersky’s advisory is only the latest in a string of cybersecurity research pointing to North Korean cyberattack aggression. In the fall and winter of 2022, the Menlo Labs research team published an analysis of attacks that used exploit templates to deliver malware, such as FormBook, Snake Keylogger and SmokeLoader. Identical indicators of compromise (IoCs) led the researchers to conclude the threat actor was tied to the North Korean threat actor Lazarus Group.
Additionally, ReversingLabs malware researcher Joseph Edwards examined ZetaNile, a set of open source software Trojans reportedly used by Lazarus to attack Japanese cryptocurrency firms and U.S. energy companies.
“It is evident that this group has a robust track record and continues to reinvent its techniques to carry out attacks on its targets,” Edwards wrote.
The U.S. and Republic of Korea (ROK) governments are actively taking steps to mitigate the North Korean cybersecurity threat. In May 2022, during a U.S. and ROK summit between president Joe Biden and president Yoon Suk-yeol, the two leaders recommitted to creating a joint cybersecurity working group that would try to mitigate North Korean digital attacks, especially financial-related crimes. Following that meeting, the Center for a New American Security published its analysis of the North Korean cybersecurity threat.
That report detailed the think tank’s recommendations, laying out suggestions for joint state-sponsored attack deterrence. The analysis found that, to deter attacks that targeted the U.S.’s and the ROK’s social, financial and cyberinfrastructure, the two countries should:
- Establish a research agenda for the U.S.-ROK cybersecurity working group to identify exploitable vulnerabilities in state-sponsored cybercrime strategy, with an initial focus on North Korea.
- Identify specific representatives from relevant U.S. and ROK government agencies to participate in the joint cybersecurity working group. This will improve routine information sharing and joint investigations.
- Consider the joint cybersecurity working group as a U.S.-ROK partnership to protect against any state-sponsored cyber-enabled financial crime operations.
- Issue joint advisory guidance document on potential cybersecurity and financial risks related to social engineering hacks. This will build trust and rapport with the private sector while attempting to stymie cyber-enabled financial crime tactics.
- Organize an external advisory team of leading U.S. and ROK nongovernment researchers and private sector analysts who work on issues pertaining to the agenda of the joint working group and can offer outside assistance and advice.
While the Center for a New American Security’s report focused on mitigating North Korean threat actors, it also noted that both nations need to pay attention to other state-sponsored threat actors, specifically China and Russia. Although the current focus of the U.S.–ROK joint cybersecurity working group is on North Korea–sponsored cyber-enabled financial crime efforts, Washington and Seoul should consider future research that includes cybersecurity threats from other state-sponsored actors, the report stated.