Overview
“Cyber Threat Intelligence (CTI)” is an industry term that has been in use for nearly 20 years. There is a fair amount of argument about what it truly means, what constitutes real CTI, and the value one places on a threat feed. For this article, we suggest that for “intelligence” to be useful, it requires the skilled use of reason and the act of understanding a corpus of informative events. And often enough, effective CTI can simply be a matter of situational awareness coupled with deductive reasoning.
Note: This blog post discusses Advisories from the Cybersecurity & Infrastructure Security Agency (CISA) and ongoing research by third parties into an ongoing threat. This information should be considered preliminary and will be updated as research continues.
On February 9, 2023, CISA released an advisory in conjunction with the Republic of Korea’s National Intelligence Service (NIS), the ROK Defense Security Agency (DSA), and several US agencies. This advisory, along with details provided by the cybersecurity firm Mandiant, described ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
What makes the announcement compelling are the timing and the targets of this increase in activity. We at the Cybrary Threat Intelligence Group (CTIG) and others in the industry have discussed how the falling value of cryptocurrency would force actors such as North Korea to generate revenue by other means, and the corresponding increase in their ransomware campaigns aligns with this theory. Their targets are of interest, as they have selected victims in industries known to pay quickly. Hospitals in particular are known to put the immediate needs of patient care ahead of a drawn-out recovery from a ransomware attack, and therefore make inviting targets. However, it is less common for nation-state actors to pursue these targets. Even LockBit recently apologized for the targeting of a children’s hospital.
Adaptive Larceny
When seeing frequent reports of North Korean missile tests, one may give thought to how a country with such extensive economic sanctions and low economic output can afford to create, maintain, and test nuclear weapons and delivery systems. Of course, most of the sanctions came after they began testing weapons in 2006, but it was not until 2017 that their testing activity brought about harsh restrictions in trade for their largest exports. This timeline corresponds with their increasing activity directed at stealing funds from around the world through digital incursions.
By most calculations, the government of North Korea is estimated to fund upwards of one-third of its weapons program with money stolen through various cyber attacks. Last year was their most fruitful: indications are that the DPRK purloined nearly $2 billion, mostly by stealing from banks and cryptocurrency exchanges. Among these was the spectacular theft of $100 million from the Horizon Bridge crypto exchange, of which they likely realized $60 million after laundering the money.
Threat Analysis
North Korean threat activity reached its most notable point with WannaCry in late 2017. What else was notable about that year? Bitcoin first broke $10,000 in valuation. Between 2017 and 2021, estimates are that North Korea was able to steal over one billion dollars in virtual assets. As mentioned before, 2022 was a banner year, with another billion USD added to that total. But the value of Bitcoin and all cryptocurrencies has cratered since a high of $61k in October of 2021, with the present value resting at $23k.
Hence the recent advisory from the US and South Korean governments. As North Korea realizes less “juice for the squeeze” in stealing virtual currency, they will be forced to turn more attention to other forms of income, especially in light of their recent food shortages owing to reduced agricultural production.
As an example of using current events to conduct one's own CTI, the logical conclusion is to focus one's attention on the ransomware Tactics, Techniques, and Procedures (TTPs) used by a variety of North Korean state and state-sponsored groups, which is already a crowded market. However, this does not go far enough.
One tactic used by these same actors that has gone somewhat unnoticed is their ability to steal intellectual property. Since last year, North Korea has focused not only on stealing intellectual property and intelligence from their South Korean neighbors, but also on defrauding companies around the world by posing as legitimate South Korean IT workers, offering cheap outsourced labor while infiltrating large organizations.
Summary
In short, there’s never a good time to discount an adversarial group. If one were charged with the security of an enterprise, or any business with an e-commerce aspect, now would be the time to pay more attention to the methods and kinds of threats posed by these actors in particular. However, North Korea is not the only sponsor to realign its goals in response to the decreasing return on investment from crypto-stealing; they just happen to be the most prolific. While the ransomware game has become increasingly difficult as a result of the focus by western governments and security agencies, it continues to be a massive drain on resources, and it continues to evolve. Threat actors have begun to model their organizations after terror cells, breaking away from centrally controlled structures. Shopping for the actual malware has become easier, and the technical barrier to entry has fallen.
As the evolution of ransomware continues, CTIG will keep you informed. Follow us on social media to stay up to date on the latest CTIG news!