My reflection on CNBC News (North Korea’s rising ambition seen in bid to breach global banks) and written down comments below:
The overall situation looks extreme today no matter political or commercial. From commercial area, enterprise try to monopolize on market. From country to country, conflicts of interest in natural resources. My personal feeling was that the ownership of the non develop areas better belongs to natural instead of country. For sure that not only limit to Antarctica! Above description not intend to divert (side-track) your attention. Since the terms benefits or interest change the whole world. Yes, human being go for survival, money is the key factor. And such away create the criminal activities and conflict of interest.
Electronic age made the overall situation more complex
Electronic age made the overall situation more complex especially banking industry. The evidence was told that that even though Mira DDOS, IOT Botnet and Zombie types of cyber attacks not causes banking industries lost the money in their drawer. However the insider threats especially trojan and malware which lets the finanical institution lost huge amount of money (For instance Bangladesh heist). Furthermore cyber espionage infiltrate activities most likely relies on malware and Trojan. The best example can quotes is the Stuxnet malware. The goal of Stuxnet intend to disturb the operations of nuclear facilities in Iraq.
From technical point of view, malware belongs to monitor (surveillance) and control of tool. The huge group of survillaince program must utilize malware as a infection media. Sounds like the APT (advanced persistent threat) is the descendants of the malware.
The term kill chain was originally used as a military concept related to the structure of an attack; … Since then, the “cyber kill chain” has been adopted by data security organizations to define stages of cyber-attacks (see below picture diagram)
Regarding to the definition of APT show on wikipedia . An APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time. From criminal activities point of view, hacker most likely will collect the credential, personal details and database in the long run. For the criminal case like steal the money in electronic payment system, it is rare on APT type of attack.
Does APT equal to criminal activities in commercial world?
Observation – FBI stated that SONY INTRUSION and banking environment insider threats (banking malware) are the conspiracy of the North Korea government.
Why do we believe the perpetrator is North Korea?
The official statements from the FBI and US-CERT found the malware and disclose their md5 hashes for reference.
Dropper = d1c27ee7ce18675974edf42d4eea25c6
wiper = 760c35a80d758f032d02cf4db12d3e55
Web server = e1864a55d5ccb76af4bf7a0ae16279ba
Backdoor = e904bf93403c0fb08b9683a9e858c73e
Since the attack target of this malware exactly Microsoft windows platform. Base on definition of fair proof, I select and highlight Microsoft information details for reference.
This threat can give a malicious hacker access and control of your PC. They can then perform a number of actions, including downloading other malware. But as usual Microsoft’s not intend to provides the suspicious source IP address list.
Remark: Per Norse Corp information, the malware was signed with a compromised Sony certificate.
The cyber defense solution provider found more details of this malware on Sep 2013. The malware activities looks came from Jilin Province Network and Liaoning Province Network. The security expert believed that the command & control may came from North Korea. Since Jilin and Liaoning provides the Internet services to North Korea. This malware so called Kimsuki malware.
Transformation – file type format convert weaponized File format
Vulnerabilities in the old OLE2-based HWP file format
What is an HWP file?
HWP documents are document files specialized in the Korean language and OLE2–based document format similar to Microsoft’s 97-2003 Microsoft document. The file format created by the South Korean company Hancom. HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government.
Design weakness of HWP files:
Para text is a data record type that stores the content of each paragraph in body text. When parsing a para text tag within an .hwpx file, a logic error in hwpapp.dll results in a type confusion scenario. When paired with an appropriate heap spray, this vulnerability can affect code execution.
Remark: In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’s heap and fill the bytes in these blocks with the right values.
2013 – Kimsuki malware design objective(OLE2-based HWP file format + APT) : Targets Critical Infrastructures and Industrial Control Systems (ICS)
2016 – Onion Dog, APT Focused On the Energy and Transportation Industries in Korean-language Countries
OnionDog malware is transmitted by taking advantage of the vulnerability of the popular office software Hangul in Korean-language countries, and it attacked network-isolated targets through a USB Worm. OnionDog APT targets Critical Infrastructures and Industrial Control Systems (ICS)
Since North Korea ruler as a dictator control their country. Developing nuclear bomb, test the missile looks show his power to the world. From psychological point of view, it is easy to understand his goal to enagaged APT attack. Since the dictator would like to emulate his imaginary enemy (USA) to destroy the nuclear power energy facilities from his enemy. However I remain to reserve my opinion that he is the lord behind the seen to engage the banking malware attack in foreign country except south Korea?
Reference to Korea CSIS report:
- 2011 – Denial-of-service(DDoS)attacks on websites, the first major cyber-attack attributed to North Korea was on April 12, 2011, which paralyzed online banking and credit card services of Nonghyup Agricultural Bank for its 30 million customers.
- 2013 – Advanced persistent threat campaigns, and employment of less sophisticated but sufficiently effective malware such as the Jokra wiper tool observed on March 20, 2013. South Korean media reports that North Korea has started to target smartphones as well.
For more detail, please refer to below url for reference.