Security researchers from McAfee and Intezer have established that code shared between several cyber attack campaigns is directly linked to North Korea. This leads researchers Christiaan Beek, lead scientist and senior principal engineer in the CTO office at McAfee, and Jay Rosenberg, senior security researcher at Intezer, to believe that most, if not all, of these attacks came directly from North Korea. The researchers found that many of the high-profile cyber attacks of the last ten years, including WannaCry, are linked to the nation-state.
Beek has said that it was no secret that groups associated with North Korea were reusing code and tools, but the new findings show in-depth and far-reaching links, illustrating how far back North Korea's attacks go. Beek and Rosenberg reportedly examined malware samples from previous campaigns known to originate from North Korea. Through analysis of the code, they found several similarities between the samples, including hidden data in the binaries and a shared networking infrastructure. Their findings are illustrated in the graph below: the darker the line, the deeper the connection between the campaigns.
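The graph the researchers describe is a code-reuse similarity graph: each campaign is a node, and an edge is weighted by how much code two samples share. The following is an added example, not the McAfee or Intezer tooling, that shows the idea in miniature. It compares samples by overlapping byte n-grams ("shingles"), a crude stand-in for the normalised function-level comparison real binary-similarity engines perform, and then groups campaigns whose similarity clears a threshold. The sample bytes, the `LOADER` and `PACKER` fragments, and the shingle length `K` are all constructed for this example.

```python
"""Toy code-reuse similarity graph for malware attribution (added example).

Samples are constructed byte strings standing in for code carved out of
binaries; real tooling would compare normalised, disassembled functions.
"""
from itertools import combinations

K = 8  # shingle (byte n-gram) length; assumed value, tune for real corpora

# Constructed fragments that "reused" campaigns share, plus per-sample filler.
LOADER = b"reused_loader_routine_0123456789"   # 32 bytes, pretend network loader
PACKER = b"reused_packer_stub_abcdefghij"      # 29 bytes, pretend packer stub

SAMPLES = {
    "campaign_a": b"A" * 24 + LOADER + PACKER,  # shares loader and packer
    "campaign_b": b"B" * 24 + LOADER + PACKER,  # shares loader and packer
    "campaign_c": b"C" * 24 + LOADER,           # shares only the loader
    "unrelated":  b"D" * 24 + b"x" * 30,        # shares nothing
}


def shingles(code: bytes, k: int = K) -> set:
    """Sliding-window byte n-grams of a sample; the set is what gets compared."""
    return {code[i:i + k] for i in range(len(code) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Share of all shingles that both samples contain (0.0 .. 1.0)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity_graph(samples: dict, threshold: float = 0.0) -> list:
    """Weighted edges (x, y, shared_shingles, jaccard), strongest first.

    Only pairs that share at least one shingle and clear `threshold` get an edge;
    `shared_shingles` is the raw count behind the "darker line" on the graph.
    """
    sets = {name: shingles(code) for name, code in samples.items()}
    edges = []
    for x, y in combinations(sorted(sets), 2):
        shared = len(sets[x] & sets[y])
        score = jaccard(sets[x], sets[y])
        if shared and score >= threshold:
            edges.append((x, y, shared, round(score, 3)))
    return sorted(edges, key=lambda e: e[3], reverse=True)


def clusters(samples: dict, min_score: float) -> list:
    """Connected components of the graph above `min_score`, largest first.

    Campaigns that end up in one component are candidates for a common origin
    and, more practically, for shared detection signatures.
    """
    parent = {name: name for name in samples}

    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n

    for x, y, _, _ in similarity_graph(samples, threshold=min_score):
        parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for x, y, shared, score in similarity_graph(SAMPLES):
        print(f"{x} -- {y}: {shared} shared shingles, jaccard {score}")
    print("clusters at 0.3:", clusters(SAMPLES, 0.3))
    print("clusters at 0.5:", clusters(SAMPLES, 0.5))
```

The threshold matters: at 0.3 all three campaigns that carry the loader collapse into one cluster, while at 0.5 only the two that also share the packer stay linked. On real samples the filler is never as clean as runs of `A` bytes, so production tooling normalises instructions (masking addresses and immediates) before hashing, which is why shared fragments such as the loader here are the kind of evidence the researchers point to rather than raw byte matches.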
With sanctions and only $3 billion (2016 est.) in exports, the hermit state looked to more nefarious means of income. It established cyber warfare units with two primary objectives. Unit 180 targets financial institutions, sells illegal software, and more, to produce revenue for the country. It is important to note that targeting the finance industry is rather unusual for nation-states, as cyberattacks against finance are typically carried out by private actors rather than governments. Unit 121 has a more adversarial goal: to conduct acts of cyber warfare such as stealing intelligence or even meddling in the infrastructure of other countries.
With the knowledge that these campaigns share code, creating countermeasures to their attacks becomes that much easier. Beek and Rosenberg state that knowing the code may not only help with the detection of attacks but even give researchers a head start in finding new malware. Since the beginning of conflict, knowing as much as possible about a threat has always been advantageous. According to Rosenberg, “The more information you have, the better chance you have to remediate or defend.” With the amount of information and data we now have on previous North Korean cyber attacks, we now have new tools to defend ourselves.