Ransomware aimed at South Korea in early 2017 may be work of North Korea, firm says
North Korean hackers may have sent phishing emails to South Korean organizations in late 2016 and early 2017 that carried ransomware, according to private sector intelligence firm Intel 471.
Intel 471 obtained information about several samples related to this peculiar phishing email campaign, which in one case targeted a South Korean political organization earlier this year.
“The sender was fluent in Korean and had a good familiarity with Korean culture,” said Intel 471 CEO Mark Arena, a former chief researcher with FireEye’s intelligence collection group iSight Partners. “The email included a fake Microsoft Word .doc file that when run, dropped ransomware and a likely Chinese originated trojan that could perform distributed denial of service attacks.”
Oddly, although the phishing emails clearly targeted specific South Korean organizations, the ransomware itself was not capable of encrypting the most popular file type in Korea, .hwp (Hanword). It’s not clear why the attackers sent what appears to be a dulled attack.
The sender’s ability to write fluent, highly targeted emails to Korean organizations in addition to their use of a Chinese trojan and a foreign ransomware variant points to likely North Korean involvement, explained Arena, whose firm regularly monitors the dark web and other hidden communications channels for insight into hacking operations.
“Further information we received at the time is that the internal fiscal situation in North Korea had become tight and that North Korean hackers were needing to begin funding themselves and this campaign may be an attempt to do this,” he added.
The samples collected by Intel 471 may represent the first known cases of North Korean hackers using ransomware in the wild. A Symantec spokesperson said the company was unaware of the ransomware-laden emails aimed at South Korean entities late last year.
South Korea’s Computer Emergency Response Team did not respond to a request for comment.
While the hermit kingdom is known to use cybercrime as a means to fund domestic projects, private sector cybersecurity experts have yet to fully attribute a single ransomware incident to North Korea. A sophisticated hacking group linked to the isolated nation, known as the Lazarus Group, was blamed in April for hacking into the Bangladesh Central Bank — but that operation did not include ransomware, based on research conducted by Kaspersky Lab.
Earlier this week, North Korea again found itself in the spotlight earlier for its possible role in a cyberattack when a set of security researchers found similarities between malware used by the Lazarus Group and a now infamous ransomware campaign that disrupted upwards 300,000 computers, globally. In the most recent case, the ransomware attack known as WannaCry leveraged leaked computer code once used by the National Security Agency.
“Based upon the information we currently have as described above and having to make a decision on who we think is responsible, we believe with low confidence that North Korea was behind WannaCry,” said Arena. “We don’t discount the possibility that some of the financially motivated cyber criminals we have identified or others we haven’t as of yet identified are behind WannaCry.”
Preeminent cybersecurity firms, including Symantec, FireEye and Kaspersky, all recognize that computer code in one Lazarus Group tool looks similar to that used in WannaCry, but they did not go so far as to blame North Korea for the global disruption. The New York Times reported Monday, citing unnamed U.S. officials, that the U.S. government was aware of these very same similarities.
While code looks to have been copied from one attack to the next, it remains unclear whether Lazarus Group is in anyway a participant to spreading WannaCry. Researchers disagree on how strong the existing evidence actually is.
Attribution in cyberspace is a notoriously difficult thing to nail down. Nevertheless, evidence that supports the notion that North Korea recently experimented with ransomware is notable and perhaps indicative of other activities.