North Korea sent spear phishing emails to U.S. electric companies

Published 18 October 2017

Cybersecurity firm FireEye says it can confirm that the company’s devices detected and stopped spear phishing emails sent on 22 September 2017 to U.S. electric companies by “known cyber threat actors likely affiliated with the North Korean government.” The activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyberattack that might take months to prepare if it went undetected (judging from past experiences with other cyber threat groups).

FireEye says it has previously detected groups it suspects are affiliated with the North Korean government compromising electric utilities in South Korea, but these compromises did not lead to a disruption of the power supply.

“We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power,” FireEye said. “Furthermore, we have not uncovered evidence that North Korean linked actors have access to any such capability at this time.”

Nation-states often conduct cyber espionage operations to gather intelligence and prepare for contingencies, especially at times of high tension. FireEye has detected more than twenty cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions. The few examples of disruptions to energy sector operations being caused by cyber operations required additional technical and operational steps that these North Korean actors do not appear to have taken nor have shown the ability to take.

In December 2014, the South Korean Government reported that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted with wiper malware, potentially linked to North Korean actors. This incident did not demonstrate the ability to disable operations. Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government, a technique FireEye assesses North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims.

FireEye notes that thus far, the suspected North Korean actions are consistent with a desire to demonstrate a deterrent capability rather than a prelude to an unprovoked first strike in cyberspace; however, “North Korea linked actors are bold, have launched multiple cyberattacks designed to demonstrate national strength and resolve, and have little concern for potential discovery and attribution of their operations. They likely remain committed to pursuing targets in the energy sector, especially in South Korea and among the U.S. and its allies, as a means of deterring potential war or sowing disorder during a time of armed conflict.”

The number of nation-states developing the capability to disable the operations of power utilities has increased in recent years. For North Korea, even limited compromises of power companies would probably be exaggerated and hailed as a victory by Pyongyang.

“North Korea linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide. Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback,” FireEye concludes.