Big attacks a smokescreen for “low-level” North Korea cybercrime that the world is ignoring

North Korean hackers’ use of gaming hacks has become one of numerous strategies they have successfully used to stay under the radar of international law-enforcement authorities, according to a threat-intelligence researcher who warns the world has long underestimated the rogue state’s use of criminal activities to raise money.

“We believe they focus on gaming because it’s a low attention, relatively not-prosecuted area and the ROI is significant,” Priscilla Moriuchi, director of strategic threat development with threat-intelligence firm Recorded Future told CSO Australia after her presentation at the recent Australian Information Security Association (AISA) National Cybersecurity Conference.

“There’s a lot of low-level activity that researchers largely don’t pay attention to – gaming hacks, or ATM fraud, and so on,” she continued. “From a volume and financial-return perspective, it’s the most valuable thing for North Korea but it’s the thing that the world is paying the least attention to.”

Recorded Future’s threat researchers have kept a watching brief on the activities of North Korean hackers, who have proven adaptable and flexible in engaging in activities such as reverse-engineering games, reselling fraudulent games, attacking Steam accounts, stealing people’s in-app purchases and reselling them, reselling users’ credentials, planting point-of-sale malware.

But it was North Korea’s high level of cybercriminal activity – collectively known as ‘Hidden Cobra’ – that caught many researchers unawares.

The country’s high-profile hacks, such as its 2014 compromise of Sony Pictures Entertainment – lauded as “righteous” but denied by the country’s government at the same time – established the country’s cybercriminal enterprises as a force to be reckoned with.

That hack sent shivers through the global business community, with many urgently reviewing their own security arrangements. Sony competitor 21st Century Fox, for one, undertook a broad and significant review of its information security that resulted in more than 10 security-focused initiatives being implemented across the business.

“It was harder prior to that terrible event to gain as much focus [on cybersecurity] as there has been,” Christopher Johnson, the studio’s APAC executive director of IT, said during a recent CSO webinar, “but it became a catalyst for all studios to make significant investments – and for the maturity that came along with that. It has shifted, significantly, the way we approach [security].”

In April the US government warned that Hidden Cobra had refined and redeployed two malware families – compounding a growing volume of information about high-level attacks that have been traced to North Korean hackers who are also thought responsible for orchestrating the globally devastating WannaCry attack.

The new business as usual

North Korea’s boldest attacks may have established a new geopolitik – the government continues to steadfastly defend itself against the allegations that it calls a “smear” – but behind the scenes Moriuchi says the country’s hackers have been working overtime figuring out new ways to extract money to keep cash rolling into the internal pariah.

That has included the high-profile 2016 hack of the international SWIFT transaction-clearance network in an exploit that, investigators say, siphoned $US81m ($A112m) out of the Federal Reserve Bank of New York to an account in the Philippines.

Such brazen theft was an eye-opener for investigators, Moriuchi said: “people never thought a country would actually do that,” she explained. “It always seemed like SWIFT and the banks were protecting against criminals doing that, but they didn’t realise that a country would go to that extent.”

“It just opened up the optics on what was really driving North Korea’s cyber operations for years before then, that we had just never realised.”

Exercises in stealing real-world money had paled in comparison to North Korea’s efforts to leverage cybercurrencies to build up its cash reserves, however.

With crypto malware potentially dating back to 2015, North Korean hackers were quick to recognise the advantages that an anonymous, globally redeemable currency could have in bypassing conventional blocks on currency transfer.

That period was “the cutting edge of cryptocurrency for normal people,” she said, “but North Korea were already there and exploiting it. They’re interested in the money, but they also care a lot about the anonymity.”

The cybercriminals also care, increasingly, about targeting corporations and members of their supply chains that might become conduits for theft.

This posed ominous warnings for small businesses and non-government entities that may have thought they were off the radar for nation-state hackers’ seemingly high-end ambitions.

But with business acquisitions often leaving network-security blind spots and subcontractors regularly enabling outside access to business partners’ networks, Moriuchi said, “if that company is not their end goal, it’s just enabling access.”

Verizon’s 2018 Data Breach Investigations Report noted that nation-state or state-affiliated actors were involved in 12 percent of 2216 analysed data breaches.

“When you put it all together, they are really exploiting the full range of the Internet,” Moriuchi said. “They have been a criminal state for a few decades anyway, and the Internet is just another natural extension of that criminality. They’re creating a blueprint for how rogue regimes can deisolate themselves from global financial controls.”