N Korea expanding cyber-attack capabilities, intention appears disruption

North Korea appears to be planning major international cyber-attacks, with espionage group APT37 (Reaper) seen to be expanding its scope and sophistication with new zero-day vulnerabilities and wiper malware, according to a new report from FireEye.


FireEye previously published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by this suspected North Korean cyber espionage group, which it says it assesses with high confidence to be working on behalf of the North Korean government, and which it says is aligned with the activity publicly reported as Scarcruft and Group123.

Key points of the report, as noted by FireEye, are as follows:

  • “Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
  • “Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber-espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
  • “Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
  • “Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
  • “Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.”

Fraser Kyne, EMEA CTO at Bromium emailed SC Media UK to comment: “When you consider that 25 percent of UK councils have been breached in the last five years, this report should raise the alarm for any organisations unprepared for such attacks. But it would be foolish to think that North Korea is the only nation state engaged in such behaviour. Whether it's a sophisticated zero day attack, or a more simplistic phishing attempt, this report shows that the threat from nation state attacks is very real.


“We have already seen these attacks can have a huge impact on everyday life – just look at all the hospital appointments that had to be cancelled last year following WannaCry. Yet all this disruption and chaos can often be no more than a distraction designed to divert attention from the actor's real intention. This helps hackers to siphon sensitive data while SOC (Security Operations Centre) teams are busy putting out fires.

“This type of activity can have serious long-term implications to national security. A determined actor can easily bypass current cyber-defences which are woefully ill-equipped to deal with these attacks. Government and businesses alike are still relying on somehow predicting when lightning is going to strike, and detecting hackers before they can cause disruption – which is impossible and has been proven to fail. Whether it's a nation state hacker or a bored teenager, the fact is hackers can easily slip through the net undetected. It's time to accept this and to start changing our approach to focus on protection. Virtualisation is a game-changer. By isolating all applications within virtual machines, malware is rendered useless – hackers have nowhere to go, nothing to steal, and organisations can go about business as usual.”

An article in the US newspaper The Washington Post on the report quotes John Hultquist, director of intelligence analysis for FireEye, saying that: “Our concern is that this could be used for a disruptive attack rather than a classic espionage mission, which we already know that the North Koreans are regularly carrying out.”


As Raj Samani, chief scientist at McAfee, pointed out at last week's SC Congress, ransomware is increasingly being used as a distraction, causing disruption rather than really seeking direct financial reward, while the attackers perpetrate some other crime elsewhere.