Nork hackers no pantomime villains, but a hugely unpredictable menace
Modest resources, but can launch debilitating attacks
RSA 2015 North Korea's cyber attack on Sony Pictures revealed two uncomfortable truths about cybersecurity: businesses don't have to be an obvious target to get hacked, and their aggressors don't have to be superpowers.
Welcome, ladies and gentlemen, to the world of asymmetric warfare on the interwebs, a theme that's likely to feature heavily at this week's RSA Conference in San Francisco.
Despite the US government's insistence, the tech world is less than completely convinced that North Korea was behind last November's Sony megahack, which saw thousands of computers on the entertainment giant's network wiped by destructive malware, as well as the theft and subsequent release of all manner of confidential information, ranging from corporate emails and employee data to unreleased films.
A group of hackers named Guardians of Peace claimed responsibility for the megahack. The FBI quickly concluded that North Korea had sought revenge for the Nork-ribbing comedy The Interview with an attack on Sony Pictures, the studio behind the film.
The (main) alternative theory — backed by most IT security experts up until fairly recently — is that disgruntled ex-employees, possibly in co-operation with hacktivist types, are the most likely culprits [1].
"Sloppy" North Korean Sony attackers let their real IP addresses slip on occasion, according to the Feds. The FBI stated that "... several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hard-coded into the data deletion malware used in this attack".
Infosec pros characterised that particular strain of evidence as flimsy and circumstantial. IP addresses are, after all, easily faked or spoofed.
However, that assessment shifted after it emerged that the NSA has been comprehensively compromising North Korea's internet infrastructure since 2010. The NSA only got on the coat-tails of South Korea's exploitation of its neighbour but (once inside) it's been rooting around ever since.
Politically motivated hacking isn't new, and the Sony hack is sadly far from unprecedented. Anonymous did something similar to the internet security company HBGary Federal, exposing corporate secrets and internal emails, back in 2011.
The Sony hack does however differ from previous assaults as it has become the first to create a diplomatic row, leading directly to the imposition of tougher sanctions against North Korea and an unconfirmed reprisal cyber attack against North Korea's internet on-ramp and flimsy internet infrastructure.
North Korea has had extensive offensive cyber capabilities for years, as covered by Voice of America (here), Al Jazeera (here), and news.com (here). And it has extensive support from China, its primary (if not only) ally on the world stage.
Bill Hagestad, a US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that North Korea currently has more than 6,500 troops. "The PLA [Chinese People's Liberation Army] is assisting in training the North Korean military to cyber capability," added Hagestad, a fluent Mandarin speaker who has studied Chinese military doctrine for years and writes under the online handle "Red Dragon Rising".
Reuters reports that North Korea has poured the country's scant resources into creating a cyber warfare cell called Bureau 121, made up of a "handpicked and pampered elite" of computer science majors around 1,800 strong. Their career path through university is sketched out here. A first hand account from a defector can be found in an article by Newsweek here.
North Korean defectors say that 'Bureau 121' hackers operate from Shenyang within the People's Republic of China, CNN reports.
The FBI in its attribution refers to IP addresses used by North Koreans, not IP addresses within North Korea, an important distinction.
It's commonly thought that North Korea is shut off from the internet or has a “walled garden” intranet only available to the country's elite, but this is not altogether true, as a blog post by Cloudmark explains.
North Korea has an extremely narrow connection to the internet. There is a single ISP, Star JV, which is a joint venture between the national telecom ministry and Thailand’s Loxley Pacific.
Star JV peers with two other networks to connect to the net, China Unicom and Intelsat, and is only allocated a single IP address block, 184.108.40.206/22. That address block contains 1,024 IPv4 addresses.
This is a very small allocation for a country of 24 million people. For comparison, that is the same number of IP addresses as is allocated to Cloudmark.
The FBI has identified North Korea as the source of the recent compromise of Sony Pictures Entertainment (SPE).
Other researchers remain dubious of this claim, stating that the level of access gained by the attackers indicates that it was an inside job involving disgruntled ex-employees.
One argument used against the involvement of North Korea in the SPE attack is they do not have the bandwidth to receive the large volume of data that was exfiltrated from Sony.
However, the data may well have been exfiltrated to a location outside North Korea. For example, one part of the SPE attack was traced to the Regis Hotel in Bangkok.
Nation state V US company
"We routinely see attacks of 10-20Gbps against our commercial clients, with those of 100Gbps no longer uncommon,” said Ofer Gayer, a security researcher at DDoS mitigation firm Incapsula. “Even if North Korea had ten times its publicly reported bandwidth, bringing down its connection to the net would not be difficult from a resource or technical standpoint.”
Attribution of the Sony Pictures hack to North Korea may have taken the general public by surprise, but security intelligence firms have been tracking the mendacious activities of the North Koreans for some time.
For example, South Korean banking and TV station networks were hit by wiper malware in March 2013 during the so-called Dark Seoul attacks.
China-based adversaries continued to proliferate in the targeted intrusion space alongside Russia, but North Korea is also active and Iran is an emerging player, according to security intelligence firm CrowdStrike.
Adam Meyers, CrowdStrike's VP of intelligence, told El Reg that while Russian attacks employed sophisticated trade-craft, Chinese attacks were of a far greater volume. "Chinese attacks are like a giant vacuum cleaner" for confidential data, according to Meyers. The security intelligence expert added that slinging computer wiper malware is a standard modus operandi for North Korean cyber operations.
CrowdStrike is confident that North Korea attacked Sony Pictures, an attack it said was motivated because The Interview's fictional depiction of the assassination of its supreme leader Kim Jong-un was "perceived as an act of war" by the DPRK.
Meyers told El Reg that the firm had a "medium-to-high degree of confidence" that North Korea was behind the Sony Pictures hack, partly because the firm is able to see one or two layers deep into North Korea's cyber attack infrastructure, most of which is physically located in China.
A separate assessment of the cyber threat from North Korea, based on open source intelligence gathered and analysed by HP’s malware researchers is available here (PDF).
The Sony hack is significant because it "marked the first public cyber attack launched by a nation-state against a US company intended to cause physical and reputational damage that would render the business inoperable," according to HP.
That North Korea seems capable of launching a debilitating attack like the one thrown against Sony, using modest resources and over what amounts to an affront to national honour and pride, leads corporate security towards a scary and still uncharted domain.
Lessons from the Sony Pictures hack are due to feature prominently in three sessions (featuring Agiliance, Cyber Ark Software and a round-table discussion, respectively) at the RSA Conference in San Francisco this week.
Attacks by the "unstable and unpredictable" nation state of North Korea are in some ways scarier than Chinese cyber-espionage, which, although massively damaging economically, is predictable and causes less havoc and destruction, Gib Sorebo (chief cybersecurity technologist) of science and technology firm Leidos argues in a blog post on lessons from the Sony Pictures hack.
Security response firm Mandiant, which was called in to help Sony Pictures in the aftermath of the breach, said that "neither [Sony] nor other companies could have been fully prepared".
"Sony was not an attack on our critical infrastructure," Sorebo writes in a blog post. "While Sony will suffer, neither our infrastructure nor our economy will feel any noticeable impact. What the attack does demonstrate is the lengths that a rogue state or terrorist group will go to achieve a seemingly limited aim, to stop the release of a movie."
[1] Other theories that the Sony Pictures hack was the work of independent North Korean nationals, or that the Russians might have had a hand in the assault, have also been raised. Initial doubts about the official line that the NORKS were behind the Sony Pictures hack are neatly summarised in a blog post by infosec veteran Graham Cluley, published last December in the immediate aftermath of the assault.