North Korean Destructive Malware Is Back, Says DHS Report
Malware not seen since the 2014 attack on Sony has returned, raising the possibility of future destructive attacks.
American intelligence analysts have discovered a destructive strain of North Korean malware not seen since the 2014 attack on Sony that crippled the company’s computer systems, according to Department of Homeland Security documents obtained by Foreign Policy.
On Dec. 17, 2017, “advanced persistent threat actors” deployed “newly discovered destructive malware that shares a number of similarities to the destructive malware” used in the Sony attack, according to a restricted report issued late last year. “This is the first known instance since 2014 that North Korea-tied destructive malware has been seen,” says the report, marked “For Official Use Only.”
The report does not state whether the malware, called “SMASHINGCOCONUT,” was deployed by North Korean hackers, but argues that the technical similarities “make it very likely” that it was developed by Pyongyang.
Though the report states the malware can be linked back to North Korea, attributing specific attacks can be difficult. In February, U.S. intelligence officials concluded that a seeming North Korean cyberattack directed at the Winter Olympics in South Korea was really a Russian false flag operation, according to the Washington Post.
If North Korea was behind the SMASHINGCOCONUT attack, the malware marks a shift for Pyongyang’s hackers, who in recent years have focused on attacking financial institutions and bitcoin exchanges in an apparent attempt to procure hard currency as the regime faces strict sanctions, says Eric Chien, an analyst with security firm Symantec and a longtime observer of state-backed hackers.
When North Korean hackers attacked Sony in 2014 in apparent retaliation for a film depicting the assassination of leader Kim Jong Un, its operatives used a so-called wiper to delete large amounts of data from the company’s computer systems. Since then, they have mostly shelved that tool.
“What’s interesting to see here is that they are coming back with a wiper,” Chien says.
If in fact North Korean hackers once more have a wiper in their arsenal, it may be an indicator that they are preparing for future attacks in which they delete data, as in the Sony attack. “When they have a political motivation to do it, they will do it,” Chien says.
DHS alerted the public to the wiper last month in a report that dubbed the malware “Sharpknot.” The department would not comment on the reports obtained by FP.
A DHS official speaking on condition of anonymity says that the department has issued technical alerts “over the last year to assist network defenders in understanding the types of malware” used by North Korean hackers and to urge network administrators “to remove them from their systems so that they cannot continue to have access to our infrastructure.”
In a separate report from a month earlier, DHS says hackers linked to North Korea targeted American utility companies with a flurry of spear-phishing emails — messages containing malicious software.
Between Sept. 13 and Sept. 22, American utilities received emails with subject lines such as “This Dallas Pets Alive!” and “invitation to you and your partner” that contained malicious software allowing hackers to spy on infected computers and control them remotely, according to a November 2017 report obtained by FP.
That software — called svchost — was similar to tools used in previous attacks attributed to North Korea.
Svchost functions as a “basic backdoor typically used for espionage” and allows a hacker to run programs remotely, download new programs, and carry out reconnaissance on the infected machine, says Blake Darche, the chief security officer of cybersecurity firm Area 1 Security, who obtained a copy of the file and analyzed the malware.
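As an added illustration of how a network defender might act on the indicators the DHS report provides (this is example code written for this page, not code from the article, DHS, or Area 1 Security): a small Python scanner that flags mail-log entries whose subject line matches the two lures quoted above. The pipe-separated log format and the sample lines are constructed for the example. A subject match alone raises an alert, since the November report found that several lure messages carried no malicious attachment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Lure subject lines quoted from the DHS report in the article above.
PHISHING_SUBJECTS = (
    "This Dallas Pets Alive!",
    "invitation to you and your partner",
)

# Constructed log format (an assumption for this example):
#   <timestamp> | <sender> | <recipient> | <subject> | <attachment or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<sender>\S+) \| (?P<recipient>\S+) \| "
    r"(?P<subject>.*?) \| (?P<attachment>.*)$"
)


def _normalize(subject: str) -> str:
    """Lower-case and collapse whitespace so trivial variants still match."""
    return " ".join(subject.lower().split())


@dataclass
class Alert:
    ts: str
    sender: str
    recipient: str
    subject: str
    attachment: str  # "-" when the message carried no attachment

    @property
    def has_payload(self) -> bool:
        return self.attachment != "-"


def scan_mail_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per log entry whose subject is a known lure.

    A subject match alone is enough to alert: the DHS report noted that
    several lure messages carried no malicious attachment at all.
    """
    wanted = {_normalize(s) for s in PHISHING_SUBJECTS}
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not fit the expected format
        if _normalize(m["subject"]) in wanted:
            alerts.append(Alert(m["ts"], m["sender"], m["recipient"],
                                m["subject"], m["attachment"]))
    return alerts


# Constructed sample log lines (not real traffic); the timestamps fall in the
# Sept. 13-22, 2017 window the article describes.
SAMPLE_LOG = [
    "2017-09-13T08:12:04Z | alerts@example.invalid | ops@utility.example | This Dallas Pets Alive! | Dallas_Pets_Alive.doc",
    "2017-09-14T09:30:11Z | hr@utility.example | all@utility.example | Q3 safety training schedule | -",
    "2017-09-20T17:45:59Z | events@example.invalid | cfo@utility.example | Invitation to You and Your Partner | -",
    "malformed line without separators",
]

if __name__ == "__main__":
    for a in scan_mail_log(SAMPLE_LOG):
        tag = "with attachment" if a.has_payload else "no attachment"
        print(f"{a.ts} {a.recipient} <- {a.sender}: {a.subject!r} ({tag})")
```

Running the block prints two alerts: one for the message that carried a document and one for the variant with different capitalization and no attachment, while the unrelated message and the malformed line are ignored.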
Previous reports have documented that Pyongyang’s operatives have gained access to the corporate network of at least one American energy company, and security experts describe the hacking logged by the Department of Homeland Security as emblematic of North Korea’s operations in cyberspace. “The activity is aggressive, continuous, and is stealing the type of information that could be useful for later attacks,” says Rob Lee, the founder of Dragos, Inc., an industrial cybersecurity firm.
The evidence compiled by DHS does not indicate North Korean hackers are on the verge of cutting power to swathes of the United States. “We shouldn’t be thinking of ‘lights out’ type scenarios with what we’re seeing,” Lee says.
There is no indication in the documents obtained by FP that North Korea has targeted American utilities with the destructive malware.
North Korea isn’t alone in going after the American electrical grid. Last month, the Trump administration accused Russia of penetrating American electrical utilities.
In recent years, North Korean hackers have been tied to attacks on South Korean bitcoin exchanges and a brazen attack on Bangladesh’s central bank that initially made off with $81 million. North Korean hackers have also attacked South Korean banks and television stations.
In December, the U.S. government blamed Pyongyang for WannaCry, a global ransomware outbreak that infected more than 200,000 computers and demanded a ransom payment in exchange for the contents of an infected computer to be decrypted.
Several of the spear-phishing emails documented by DHS did not contain any malicious software, and the November report notes that this “could be the result of unintentional omissions on the sender’s part, and further symptomatic of the unsophisticated nature of this campaign.”
The malware described in the pair of DHS reports does not represent anything particularly advanced, and Jake Williams, a former National Security Agency hacker and the founder of Rendition Infosec, calls it “pretty average.”
But the porous nature of computer networks and the North’s willingness to carry out brazen attacks with apparent disregard for the consequences allow Pyongyang to punch far above its weight. “Many utilities are equally bad at security, and DPRK doesn’t mind causing damage with cyber attacks as evidenced by Sony and South Korean banks,” Williams says.
That said, the report shouldn’t be cause for panic.
“The fact that DPRK is apparently changing their targeting to include utilities is concerning, but they are pretty bad at hacking,” says Williams, “so at least that’s comforting.”
Elias Groll is a staff writer at Foreign Policy covering cyberspace. @EliasGroll