North Korea's hackers are re-using old code to build new attacks

One of the world's most notorious cyber warfare operations has been cutting corners - but it hasn't dented their potency.
Written by Danny Palmer, Senior Writer

New analysis of malware campaigns suggests that North Korean hackers have re-used malware and computer infrastructure, leaving a trail which increasingly allows incidents to be traced back to them.

Examination of malware believed to be associated with North Korean cyber operations found that the same code is often re-used in multiple attacks -- increasing the confidence that a string of campaigns over the last decade have been the work of hackers in the country.

The joint research by security firms McAfee and Intezer reveals new connections between attacks believed to be the work of North Korea, a shared networking infrastructure used to help conduct the attacks and work by specific teams within the country's cyber army.

North Korea has been blamed for a number of high-profile cyber attacks in recent years, including the WannaCry ransomware outbreak, cyber bank heists, and cryptocurrency theft attacks.


Examination of the code reveals that a significant percentage of what powers the malware behind these campaigns isn't new -- and some has been used since at least 2009 in Brambul, one of the earliest forms of malware attributed to North Korea.

"They improve all the time, but when you look at the code, it has so much overlap with other attack campaigns: elements of the malware used in WannaCry were already used in past attacks," Christiaan Beek, lead scientist and senior principal engineer at McAfee, told ZDNet.

One element of WannaCry which had previously been deployed was a common server message block (SMB) module which can be traced back to attacks operating since 2009 including campaigns like Joanap and DeltaAlfa.

It means ten-year-old code helped power WannaCry, which shares up to 22 percent of its code with much older attacks, researchers say.


That wasn't the only code re-use researchers found while analysing malware strains -- code for issuing commands is contained within 2009's Brambul as well as 2011's KorDllBot, indicating that code re-use isn't a recent phenomenon for these attackers.

Analysis of the code even found the same snippets of code used in DarkHotel -- a long-term espionage campaign targeting luxury hotels across Asia with the intent of stealing banking credentials and other data.

And it isn't one single section of code that has been repeatedly re-used: different elements have been re-used across different campaigns, but they all point to the same operators.

"It's different pieces of code used across different attacks. There's some crossover with code, but sometimes it isn't the same, but there are pieces which have been used in multiple attacks," Jay Rosenberg, senior security researcher at Intezer, told ZDNet.


Code similarities between North Korean-associated malware families uncovered by researchers.

Image: Intezer

So while North Korean threat groups such as Lazarus have certainly evolved and updated their capabilities over the years, the re-use of code has created a downside: it's easier to trace the attackers.

But the state-sponsored hacking groups' reasons for re-using the code are the same as any other developer -- to save time and resources to ensure the rapid turnaround of builds.

"What could take an experienced developer weeks or even months to create from scratch can be pieced together using existing code within a matter of hours or days. Code reuse is therefore a routine occurrence; it directly saves programmers and hackers alike a lot of time, while guaranteeing the desired operational results," said Rosenberg.

With sanctions against North Korea having pushed the country towards cybercrime and cryptocurrency heists in order to fill its coffers, it could be that those in the cyber division are under additional pressure to get finished builds out -- resulting in repeated use of old code.

"The code re-use in the early stages is limited, but over the years you see the arsenal of tools growing, you see the number of cyber weapons they create growing, but still they refer back to the old code," said Beek.

This might drive a form of efficiency for the developers who need to churn out malicious software, but re-using the same code also opens the door to campaigns becoming less effective, as it enables researchers to more easily identify tradecraft and perpetrators.

"They've been pretty careless leaving entire functions across binaries," said Rosenberg. "Knowing where the code was previously seen enables the incident response team to better remediate the incident and try to immunize themselves from the attackers."

That isn't to say the North Korean groups aren't sophisticated or suddenly aren't a threat -- new campaigns are still emerging from the state -- and those behind the attacks are clearly skilled and are well-resourced, despite occasionally cutting corners.

