North Korean cyber crime activities have been known to target various sectors of the United States, these sectors includes financial institutions, Automobile dealers, Healthcare providers and other businesses. Their tactics have been dynamic, their cyber program pose a calculated and agile espionage attempt on U.S based businesses and critical infrastructure sector entities. This articles sheds light on common strategies used to breach U.S based business and available mitigation method as recommended by the Cybersecurity & Infrastructure Security Agency.
PHISHING ATTACKS
North Korean cyber threat actors use deceptive email that appear legitimate to deceive employees into providing sensitive information or clicking a malicious link. These emails may appear to be from legitimate sources such as a trusted vendor, banks or government agencies. They also use Spear Phishing technique which is a customized phishing email that target specific individuals within an organization.often with information gathered from social media or other sources to increase the appearance of legitimacy.
SOCIAL ENGINEERING
North Korean scammers may use social engineering techniques like pretexting, tailgating and other forms of social engineering attacks to manipulate individuals and C-suite executive into revealing confidential information. This can involve building a relationship of trust or exploiting psychological vulnerabilities. Fake job offers is also a form of social engineering attack. Posting fake job listings or reaching out to individuals with false job offers to extract personal information or initiate scams.
MALWARE DISTRIBUTION
Malicious software payload can be used to compromise computer systems and steal sensitive information. North Korean scammers usually make use of infected attachments or using malware ingested websites. North Korean scammers use various techniques including email links, to distribute malware. This malicious software can take many forms such as ransomware, spyware, or Trojan. Once activated, these programs can compromise systems, steal sensitive data, or provide unauthorized access to attackers.
CRYPTOJACKING
North Korean hackers might infiltrate an organization network to deploy cryptocurrency mining scripts without authorization. This process consumes computing resources, slowing down systems and increasing operational costs for the targeted business.
BUSINESS EMAIL COMPROMISE (BEC)
BEC involves impersonating C-suite executives or employees within an organization to deceive employees into transferring funds or providing sensitive information. This often occurs through email requests that appear legitimate instructing employees to take urgent actions like wire transfer. Most times bank coordinates are replaced and funds belonging to the organization is sent to the attackers account.
RANSOMWARE ATTACKS
North Korean cyber criminals deploy ransomware through various means encrypting a company's data and demanding payments, usually in cryptocurrency, in exchange for decryption keys. This type of attack can disrupt business operations and cause significant financial losses and reputational damage. Whist not unique to any specific region, ransomware attacks involve encrypting a victim's data and demanding payment for its release.North Korea has been linked to the WannaCry ransomware attack, among others to attack U.S based businesses.
SUPPLY CHAIN ATTACKS
North Korean threat actor usually target third-party supplier or vendors connected to an organization's network to gain access to their systems. Once compromised, the attackers exploit these connections to infiltrate the primary target, causing potential data breaches or system compromises.
CREDENTIAL THEFT
North Korean threat actors employ various methods to steal login credentials, including using keyloggers, phishing attacks, or exploiting vulnerabilities in software to gain unauthorized access to a company's system and sensitive information.
DDoS ATTACKS
Distributed Denial of Service attacks overwhelm an organizations servers or network resources with a flood of incoming traffic, rendering systems inaccessible. North Korean cyber criminals may use DDoS attack to disrupt services, causing financial losses and damaging an organization's reputation.
CREATING FAKE WEBSITE
North Korean Scammers might create counterfeit websites resembling legitimate businesses, banks or government agencies. These websites are designed to deceive users into entering personal or financial information, which is then captured by the attackers for fraudulent purposes.
IMPERSONATING GOVERNMENT AGENCIES
North Korean Scammers pose as legitimate representatives from government agencies or regulatory bodies, sending intimidating messages to coerce businesses into providing sensitive information or making payments under the false pretence of compliance or legal action.
FAKE INVESTMENT OF FINANCIAL OPPORTUNITIES
There has been instances where North Korean scammers promote fraudulent investment schemes promising high returns or exclusive financial opportunities. These schemes aim to entice businesses into investing money or sharing sensitive financial information, leading to financial losses or identity theft.
FAKE INVOICES OR PAYMENT REQUEST
North Korean Scammers might send fraudulent invoices or payment requests appearing to be from legitimate vendors, contractors or authorities. These requests often contain altered bank account details, aiming to trick employees into transferring funds to the scammer's accounts.
AVAILABLE MITIGATION METHODS RECOMMENDED BY CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY ( CISA)
To strengthen operational resilience against this threat, CISA advises organizations to implement the actionable mitigations that CISA and our partners in the U.S. government and around the world release. As a starting point, organizations should:
- Prioritize mitigation of known exploited vulnerabilities.
- Implement the Cyber Performance Goals, which are a baseline set of broadly applicable cybersecurity practices with known risk-reduction value.
- Urgently report potential malicious activity to CISA or the FBI:
- The easiest way is to go to CISA.gov and click the “report a cyber issue” button right up top.
- You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
- Contact your local FBI field office or IC3.gov.
- Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review advisories on North Korean state-sponsored cyber threats outlined in the table below. CISA particularly recommends reviewing the following advisories:
- #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities. Specific mitigations include implementing the following Cyber Performance Goals:
- 2.K Strong and Agile Encryption
- 2.E Separating User and Privileged Accounts
- 2.L Secure Sensitive Data
- 2.F Network Segmentation
- 2.T Log Collection
- Protecting Against Malicious Use of Remote Monitoring and Management Software, which outlines steps to help organizations harden networks against malicious use of remote monitoring and management software.
- Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
- #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities. Specific mitigations include implementing the following Cyber Performance Goals:
- Sign up for CISA’s free Vulnerability Scanning service to receive alerts when the service identifies vulnerabilities known to be exploited by North Korean state-sponsored cyber actors.
- Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.
