North Korea Targeted Cybersecurity Researchers Using a Blend of Hacking and Espionage

This prior incident, attributed to Russia, illustrates how hackers attempted to augment their arsenals of cyberweapons by stealing from a commercial cybersecurity firm. The North Korean action against security researchers shows that they’ve adopted a similar strategy, though with a different tactic.

Back in the fall, the National Security Agency disclosed a list of vulnerabilities – ways that software and networks can be hacked – that were exploited by Chinese state-sponsored hackers. Despite these warnings the vulnerabilities have persisted, and information about how to exploit them could be found on social media and the dark web. This information was clear and detailed enough that my company, CYR3CON, was able to use machine learning to predict the use of these vulnerabilities.

2. The Weaponization of Social Media
Information operations – collecting information and disseminating disinformation – on social media have become abundant in recent years, especially those conducted by Russia. This includes using “social bots” to spread false information. This “pathogenic social media” has been used by national intelligence operatives and ordinary hackers alike.

Traditionally, this type of targeting has been designed to either spread disinformation or entice an executive or high-ranking government employee to click on a malicious link. In contrast, the North Korean operation was aimed at stealing cyberweapons and information about vulnerabilities.

3. The Confluence of Cyber and Information Warfare
Outside of the United States – especially in China and Russia – cyberoperations are considered part of a broader concept of information warfare. The Russians, in particular, have proved very adept at combining information operations and cyberoperations. Information warfare includes using traditional spy tradecraft – operatives with false identities attempting to gain the trust of their targets – to collect and disseminate information.

The attack against cybersecurity researchers could indicate that North Korea is taking cues from these other powers. The low-cost ability of a second-tier authoritarian regime like North Korea to weaponize social media provides it an advantage against the much greater technical capabilities of the U.S.

In addition, the North Koreans appear to have used one of their most valuable cyberweapons in this operation. Google reported that it appeared the hackers used a means of exploiting a zero-day vulnerability – a software flaw that is not widely known – in Google’s Chrome browser in the attack on the cybersecurity researchers. Once such an exploit is used, people are alerted to defend against it and becomes much less effective.

Setting the Stage for Something Bigger?
In cybersecurity, big news items tend to be events like the Sunburst operation by Russian hackers in December – large-scale cyberattacks that cause a great deal of damage. In the Sunburst attack, Russian hackers booby-trapped widely used software, which gave them access to the networks of numerous corporations and government agencies.

These large events are often proceeded by smaller events in which new techniques are experimented with – often without making a large impact. While time will tell if this is true of the North Korean operation, the three current trends – stealing cyberweapons from industry, social media as a weapon, and the blurring of cyber and information warfare – are harbingers of things to come.

Paulo Shakarian is Associate Professor of Computer Science, Arizona State University. This article is published courtesy of The Conversation.