North Korea is the most destructive cyber threat right now: FireEye

DPRK hackers are cybering every way they can, and according to FireEye their destructiveness and unpredictability makes them dangerous.

Destructive and unpredictable, North Korean hackers pose the biggest threat

FireEye's analysis of the North Korean financial hacking group it has dubbed APT38 is an important reminder that the Hermit Kingdom's cyber skills should not be underestimated.

As The New York Times reported a year ago: "North Korea's army of more than 6,000 hackers is undeniably persistent, and undeniably improving."

APT38 is the first specialised cyber unit dedicated to making money for a nation-state government. The associated money laundering operations are run, as Bloomberg has reported, through dodgy gambling activities in at least three countries.

"In some sense, you could say that North Korea might be the biggest threat right now to the majority of global nations," said FireEye chief executive officer Kevin Mandia in a briefing for journalists at the company's Cyber Defence Summit in Washington DC this week.

It's hard to rank North Korea's cyber capabilities in relation to Russia or China or the Five Eyes nations. Each has their specialities. But he said North Korea is more dangerous because it's unpredictable.

Some nation-state malware has "guard-rails" to prevent collateral damage. It might have an expiry date, or only activate in specific locations or environments. The "gentlemen hackers" of China try to do as little damage to target systems as possible, preferring to keep them operating for long-term access.

See: America the 'indispensable nation' for cybersecurity: Madeleine Albright

Not so with DPRK.

"North Korea is not only not guard-railing their malware, a backdoor we were analysing had six different checks to see if was being disassembled. And if disassembly was detected, whether it detected it was running in a virtual machine, if a debugger was running ... delete the hard drive at the physical level," Mandia said.

"That's a policy decision by North Korea to give you the cyber equivalent of this," he said, holding up the middle finger of each hand in a very well-known gesture.

"Destroy it. Who cares? Scorched earth. Doesn't matter."

North Korea is also cybering in every possible way, he said. Cyber espionage, cyber sabotage, cyber crime, cyber disruption, and disinformation operations.

In the last 12 years, North Korea has developed "a broad range of custom tools", according to Jacqueline O'Leary, a senior analyst on FireEye Intelligence's Advanced Analysis team.

"They have 26, which is a fair amount of tools for an advanced persistent threat (APT) group," O'Leary told ZDNet on Thursday.

"They really balance a lot of different evasion and anti-forensic techniques. They're using wipers, they might be doing some sort of false flag, they have a secure deletion utility. They're really using multiple techniques at once, which I think is pretty interesting," she said.

"They kind of want to cover their bases in multiple ways."

APT38 also tries to cover its tracks. It tries to distract investigators by planting commodity ransomware tools such as Hermes onto target systems, even though it's not after a ransom.

"After they conducted fraudulent transactions, so after they deployed DYEPACK [a suite of tools to manipulate data in the SWIFT banking transfer system], before they initiated the disk-wiping malware, they would actually deploy Dark Comet, which is a publicly available backdoor that a bunch of different groups use," O'Leary said.

Read: UK and Australia blame Russian GRU for quartet of cyber attacks

FireEye believes APT38 did that to deliberately trigger anti-virus software, so that investigators would be distracted by that backdoor, rather than all the custom tools it deployed into the target environment.

Another false-flag distraction was adding poorly translated Russian character strings to its malware NACHOCHEESE.

North Korean hackers have been implicated in attacks on cryptocurrency exchanges, but FireEye does not attribute those attacks to APT38. The toolsets used to attack the exchanges are similar to those used by APT38, but there are differences.

"The one instance that we saw, specific to APT38, was like a cryptocurrency media outlet. That was actually part of their watering hole campaign," O'Leary said, referring to an attack on a specific group of people by targeting websites where they congregate.

"That was probably targeted because of its proximity to bank. We think that occurred around an initial coin offering (ICO), so there may have been substantial traffic banks of financial institutions to that media outlet."

FireEye's research is detailed in the company's report APT38: Un-Usual Suspects [PDF], released on Wednesday.

Disclosure: Stilgherrian traveled to Washington DC as a guest of FireEye

Related Coverage

North Korea claims hacker responsible for WannaCry outbreak does not exist

The country insists the indictment of the hacker is nothing more than a smear campaign.

How US authorities tracked down the North Korean hacker behind WannaCry

US authorities put together four years worth of malware samples, domain names, email and social media accounts to track down one of the Lazarus Group hackers.

North Korea is likely underwriting cyberattacks by mining Monero (TechRepublic)

AlienVault threat engineer Chris Doman explains a new report on malware that mines Monero coins, then sends them to a North Korean university in Pyongyang.

Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic)

Deterring hackers is almost impossible when the rewards are so great and the risks are so low. Can anything stop them?

America the 'indispensable nation' for cybersecurity: Madeleine Albright

The US should take the lead in setting international cyber norms, says Albright, but can't go it alone. International institutions like the United Nations will need to be streamlined.