The North Korean group accused of some of the biggest cyber crimes ever conducted may have harnessed some highly sophisticated technologies, but their ability to break into computer networks worldwide often relied on nothing more than a bogus email.
The US Department of Justice has formally charged a North Korean programmer for his part in some of the largest cyber attacks in recent years, conducted by a group backed by the North Korean government.
The 172-page criminal complaint published by the US Department of Justice provides an unprecedented insight into the workings of one of the most notorious hacking groups on the planet, but also shows how their most successful attacks were at least in part down to a blizzard of fake -- phishing -- emails.
The group's activities allegedly include the devastating attack on Sony Pictures Entertainment in November 2014. The group launched their attack on the company in response to the movie The Interview, a comedy that depicted the assassination of North Korea's leader. The hackers gained access to the company's network, stole confidential data, threatened executives and employees, and rendered thousands of computers inoperable.
The group was also responsible, according to the criminal complaint, for the 2016 theft of $81 million from Bangladesh Bank -- the largest successful cyber theft from a financial institution to date -- and creation of the malware used in the 2017 WannaCry global ransomware attack.
On top of the money stolen, the damage caused by the hacking attacks and malware may have cost billions of dollars, according to US officials. The FBI said the group has targeted, and continues to target, other victims and sectors, including defense contractors, university faculties, technology companies, virtual currency exchanges, and US electric utilities.
The FBI said the group did significant research before launching their attacks, with online reconnaissance including research relating to the victim company, as well as to individual employees of the victim company.
The results of that reconnaissance were then used by the hackers to prepare spear-phishing messages to send by email or social media to persons affiliated with those entities. "In general, the hackers intend their victims to open the spear-phishing messages while using their employers' computer systems, thus breaching the employers' network security," said the complaint.
Some of these phishing emails pretended to be emails from Facebook or Google. In other cases the hackers created email accounts in the names of recruiters or high-profile executives at one company (such as a US defense contractor), and then used the accounts to send bogus recruitment messages to employees of competitor companies. Other phishing attempts simply posed as apparently speculative job applications.
The attack on Sony Pictures, for example, started with hackers doing research on the company in September 2014, and the malware used to attack its computers was customized as the result of a period of "sustained covert reconnaissance" by the hackers within its network before they launched the attack that disabled its computers.
In the months preceding the overt attack on Sony Pictures, multiple social media accounts sent or posted links that would direct victims' computers to a malicious file, as part of the scheme to attack the company's computer networks. However, a separate spear-phishing email referring to a 'flash video', but which actually carried malware, appears to have been how the group gained access to the company's network in September 2014.
"Because of the harmful nature of the attack on [Sony Pictures] in which vast amounts of data were overwritten and computers were rendered unrecoverable, a complete reconstruction of the subjects' activities during the period of the intrusion was not possible through a forensic analysis," the complaint said. Spear-phishing emails were also sent to employees of the movie theatres where The Interview was due to be shown, although these were not successful.
Around the same time that the North Korean hackers were targeting Sony Pictures and other companies, they also began targeting financial institutions. These intrusions were carried out using some of the same accounts for spear-phishing and targeting, and used malware that shared similarities with that used in the attacks on Sony Pictures, the FBI said.
The hackers again started by sending spear-phishing messages to employees of the bank, as well as email or social media addresses associated with that bank. Once a spear-phishing message had been successful and the group had gained access to the bank's computer network, they moved through the bank's network to find the computers used to send or receive messages via the SWIFT banking communication system, and to authorise transfers of money.
In February 2016, Bangladesh Bank was the victim of a cyber-heist that caused a loss of $81m, with an attempted theft that approached $1 billion. However, the targeting of the bank with reconnaissance and spear-phishing emails started in October 2014, more than a year before.
Again, after a number of attempts, the group gained access via phishing emails. The complaint said: "as with the subjects' cyber-attack on [Sony Pictures], the subjects were successful in causing recipients at Bangladesh Bank to download the payload from their spear-phishing emails."
Email phishing wasn't the only way the group tried to get access to computer systems; the complaint alleges that in another campaign the hackers also tried to use a so-called 'watering hole' attack to infect the computers of workers at banks, by infecting the website of the Polish Financial Supervision Authority.
In addition, the North Korean hackers also tried to use spear phishing in their attempts to penetrate US defense contractors, at least one US university, academic researchers, US energy companies, and virtual currency exchanges. The FBI said spear-phishing emails were sent to various employees of defense contractors at various times through 2016 and 2017, and said that although the hackers have continued to target Lockheed Martin with repeated waves of spear phishing, the FBI has no evidence the attempts were successful.
Some emails were made to look like recruiting offers with subject lines such as "Leadership role opportunity?", while others claimed to come from a journalist apparently looking for information on fighter jet software.
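A defender-side triage routine for the pretexts described above (a known executive's or recruiter's name on an outside address, a consumer brand such as Facebook named by a sender on an unrelated domain, recruiting-style subject lines like "Leadership role opportunity?"), written here as an added example rather than anything from the complaint or the article; the company domain, executive names, brand allowlist and the three sample messages are all constructed.

```python
import email
import email.utils
from email import policy

# Constructed allowlists for a hypothetical defended organisation.
INTERNAL_DOMAIN = "example-corp.test"
KNOWN_EXECS = {"jane doe", "john roe"}      # names an attacker might borrow
BRAND_DOMAINS = {"facebook": "facebook.com", "google": "google.com"}
LURE_WORDS = ("opportunity", "role", "recruit", "job", "interview", "resume")

# Constructed sample messages modelled on the pretexts in the complaint.
SAMPLES = {
    "exec_recruiter": (
        "From: Jane Doe <jane.doe.hr@mail.example>\r\n"
        "Reply-To: careers@talent-portal.example\r\n"
        "Subject: Leadership role opportunity?\r\n\r\nPlease see the attached.\r\n"),
    "brand": (
        "From: Facebook Security <noreply@facebook-login.example>\r\n"
        "Subject: Unusual login attempt\r\n\r\nVerify your account here.\r\n"),
    "benign": (
        "From: Jane Doe <jane.doe@example-corp.test>\r\n"
        "Subject: Q3 planning\r\n\r\nSee you at 3pm.\r\n"),
}

def sender_parts(header):
    """Return (display name, address, domain), all lower-cased, from a header."""
    name, addr = email.utils.parseaddr(str(header or ""))
    return name.strip().lower(), addr.lower(), addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the impersonation and lure indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_parts(msg["From"])
    subject = str(msg["Subject"] or "").lower()
    flags = []
    # A known executive's name on an address outside the company domain.
    if name in KNOWN_EXECS and domain != INTERNAL_DOMAIN:
        flags.append("exec-name-on-external-domain")
    # A consumer brand named in the sender but sent from an unrelated domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name + addr and domain != legit and not domain.endswith("." + legit):
            flags.append(f"brand-impersonation:{brand}")
    # Recruiting-style lure in the subject, arriving from outside the company.
    if domain != INTERNAL_DOMAIN and any(w in subject for w in LURE_WORDS):
        flags.append("external-recruiting-lure")
    # Replies steered to a different domain than the apparent sender's.
    _, _, reply_domain = sender_parts(msg["Reply-To"])
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-domain-mismatch")
    return flags
```

These are heuristics for routing messages to a reviewer, not a verdict; a single flag on its own is common in legitimate mail.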
The FBI linked the different campaigns through email and social media accounts that were connected to each other and that were used to send spear-phishing messages. In addition, they identified shared aliases; malware "collector accounts" used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses. While one of the alleged members of the group has been named, the move is largely symbolic, as it is highly unlikely he would ever appear in a US court.
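The linking described above, where intrusions that share accounts, collector accounts, code libraries, proxies or IP addresses are treated as one actor's work, amounts to transitive clustering over shared indicators. The following is an added example of that link analysis, not code or data from the complaint; the campaign names and every indicator value are constructed placeholders.

```python
from collections import defaultdict
from itertools import combinations

# Constructed campaign records: the set of infrastructure indicators observed
# for each intrusion. All values are placeholders, not those in the complaint.
CAMPAIGNS = {
    "sony-2014": {"account:recruiter01@mail.example", "proxy:proxy-a", "lib:loader-v1"},
    "bank-2016": {"account:recruiter01@mail.example", "collector:drop-1", "ip:198.51.100.7"},
    "defense-2017": {"collector:drop-1", "lib:loader-v1", "alias:hr-team"},
    "unrelated-2017": {"account:other@mail.example", "ip:203.0.113.9"},
}

def find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_by_shared_indicators(campaigns):
    """Group campaigns that share an indicator, directly or transitively.

    Returns (clusters, links): clusters is a sorted list of sorted campaign
    groups; links maps each directly connected pair to the indicators it shares.
    """
    parent = {name: name for name in campaigns}
    seen_in = defaultdict(list)            # indicator -> campaigns using it
    for name, indicators in campaigns.items():
        for ind in indicators:
            seen_in[ind].append(name)
    links = defaultdict(set)
    for ind, names in seen_in.items():
        for a, b in combinations(sorted(names), 2):
            parent[find(parent, a)] = find(parent, b)   # union the two groups
            links[(a, b)].add(ind)
    clusters = defaultdict(set)
    for name in campaigns:
        clusters[find(parent, name)].add(name)
    return sorted(sorted(group) for group in clusters.values()), dict(links)
```

The `links` output is what an analyst reviews: each pair of campaigns is tied by the specific indicators they share, so a weak tie (for example a single shared proxy) can be weighed differently from several independent overlaps.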