North Korean hacking group Covellite abandons US targets

The hacking group specializes in attacks against core energy services.
Written by Charlie Osborne, Contributing Writer

Cyberattackers linked to North Korea appear to have withdrawn from attacks on the US industrial sector.

Researchers from Dragos said last week that the advanced persistent threat (APT) group, called Covellite, has been previously linked to attacks against US, European and East Asian organizations in the civilian energy sector.

While Covellite currently appears to lack an ICS-specific capability, meaning it has not shown the means to disrupt industrial control systems (ICSs) directly, the APT is still able to gather intelligence on intellectual property and internal industrial operations from the corporate networks it compromises.

Researchers first recorded attacks against US targets performed by Covellite in 2017. A targeted phishing campaign was launched at a small number of select US electric companies, in which the fraudulent emails carried remote access tool (RAT) payloads used to conduct reconnaissance and maintain persistence on victim PCs.

However, it now appears that the US has been crossed off the target list, at an interesting moment to do so, as North Korea currently has an interest in patching up its relationship with America.

US President Trump and North Korean leader Kim Jong Un are soon to meet at a summit in Singapore.

The APT is still actively targeting organizations in other countries.

According to Dragos, Covellite's infrastructure and malware arsenal are similar to those of the North Korean Lazarus Group, also known as Hidden Cobra.

Lazarus has been connected to a number of high-profile attacks, such as the 2014 security incident at Sony, alongside the devastating WannaCry ransomware campaign which crippled organizations worldwide in 2017.

North Korea was blamed for WannaCry on the strength of the Lazarus connection, an accusation the country has deemed "absurd."

A technical analysis of the APT has also revealed that Covellite is making use of malware developed from Lazarus toolkits.

Beyond this shared tooling, however, Dragos has not established whether the two groups and their campaigns are operationally connected.

"Given the group's specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry," the researchers say.

State-sponsored threat actors operate from many countries, and with state backing and far greater resources than most independent operations, they have the potential to cause the most damage.


Another hacking group of note which has been linked to North Korea utilizes zero-day vulnerabilities to attack targets based on the country's interests.

Dubbed Reaper by security researchers from FireEye, the APT primarily focuses on South Korea but has also been connected to attacks against Japan, Vietnam, and the Middle East.

Reaper tends to attack government agencies and those in the chemical, military, electronics, aerospace, automotive, healthcare, and manufacturing sectors in order to gather intelligence.
