Note: This blog is a part of our MITRE ATT&CK Mapping series in which we map the latest major threat intelligence incidents to the MITRE ATT&CK framework. You can view similar postings such as Mapping MITRE ATT&CK to Compromised RDP Sales, Sandworm’s APT Campaign, or see our previous mapping of North Korean regime-backed programmers here.

Many will remember the June 2018 Singapore Summit between former US President Donald Trump and North Korean Supreme Leader Kim Jong-un, marking the first-ever meeting between these two countries’ leaders. The Summit attracted international attention as it was expected to relieve tensions between the two countries and bring about a mutual agreement. The following months didn’t quite match those expectations, however. Overtime, bilateral agreements to defuse military tensions and provide relief to Pyongyang collapsed, leaving Kim Jong-un for lack of financial resources to fulfill his strategic goals.

In recent years, the Democratic People’s Republic of Korea (DPRK) began carrying out low-risk and low-cost offensive cyber attack operations that yielded highly rewarding income streams. These actions occurred in a legal gray area, as there are no internationally-recognized laws for nation-state cyber crime in place. Several reports have highlighted that North Korean state-sponsored groups have been highly involved in cybercriminal operations to fund strategic goals (i.e. the nuclear arms program). In light of their recent indictment, we decided to publish a mapping of MITRE ATT&CK to the DPRK Financial Crime Indictment.

The US Department of Justice Strikes Again

A recent indictment by the US Department of Justice (DOJ) charged three North Korean criminals involved in a series of destructive operations aimed to extort more than $1.3 billion from financial institutions and companies, in addition to felonies related to cryptocurrency frauds and attacks against the entertainment industry. The charges described more than six years of activity attributed to alleged members of the “Lazarus Group,” an umbrella term to describe the highly-active and sophisticated Advanced Persistent Threat (APT) groups whose motivations aligned with those of Pyongyang.

The indictment describes three North Korean computer programmers’ criminal activities, reportedly belonging to a Pyongyang military intelligence agency called the Reconnaissance General Bureau (“RGB”). One of the defendants was previously charged with felonies related to state-sponsored activities that were unsealed in 2018  (FYI, Digital Shadows (now ReliaQuest) mapped MITRE ATT&CK to that indictment, too). The latest accusations reiterate the same charges with additional evidence and knowledge of how this threat group operates.

Mapping MITRE ATT&CK to the DPRK indictment

Analyzing North Korea’s approach to offensive cybercrime operations is a remarkably insightful exercise. Unlike most other state-sponsored threat groups, Lazarus isn’t focused on cyber-espionage. Instead, the high-profile incidents linked with this threat group are more aligned to cybercriminal groups, as they are primarily involved in financially-motivated campaigns. As such, mapping the MITRE ATT&CK framework to the latest US Department of Justice indictment offers powerful insights into how state-associated financially-motivated malicious actors carry out their operations.

The indictment describes a variety of North Korea-led campaigns. For this blog’s purposes, we’ll focus on the malicious operations targeting banks and financial institutions from 2015 through 2019. According to the indictment, the threat actors attempted to “steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages”. Let’s see in detail how they did that.

Reconnaissance

T1589 – Gather Victim Identity Information

According to the indictment, the defendants would “use the internet to research potential victims with whom they would attempt to communicate.” Obtaining publicly available information on the targets, including personally identifiable information (PII), served the purpose of tailoring the subsequent spear-phishing messages. This practice increases the chances of successful social engineering campaigns, as it allows the attackers to establish a seemingly trustworthy relationship with the victim.

T1598 – Phishing for Information

The defendants would then develop false and fraudulent personas to establish contact with the targets. The attackers would then attempt to send spear-phishing messages aiming to trick targets into divulging further information or credentials. According to the indictment, the defendants would communicate with individuals in various verticals, including “entertainment companies, financial institutions, hundreds of cryptocurrency companies, online casinos, cleared defense contractors, energy utilities, technology companies, and government agencies.”

T1585 – Establish Accounts

According to the DOJ indictment, the defendants would “register and use email and social media accounts in false and fraudulent names” to establish contact with targeted victims. Persona development is a consistent practice during social engineering campaigns. It consists of developing public information dispersed across multiple platforms (i.e., Linkedin, Twitter, Facebook) to trick the victim into speaking with a seemingly legitimate interlocutor. The attackers made extensive use of fake personas to gain unauthorized access to the victim’s computer, extract contacts of further potential victims, and register accounts subsequently used by the defendants.

T1587.001 – Develop Capabilities: Malware

Before obtaining initial access to the victim, the defendants highly likely developed their own malware to gain unauthorized access to the targeted computers. According to the indictment, such malware would include the Brambul worm and various ransomware strains. Additionally, MITRE ATT&CK states that “as with legitimate development efforts, different skill sets may be required for developing malware […] that may be located in-house, or may need to be contracted out”. However, given the sensitive nature of the offensive operations described in the indictment, it is likely that the RGB developed their own malware capabilities internally.

The DOJ indictment claims that developing and deploying malware supported the defendants in concealing their point of access to the victim bank’s computer network, their lateral movement, and the fraudulent wire transfers. Occasionally, the attackers would also attempt to impair the victim bank’s computers to cloak forensic evidence that could have tied the intrusion to them.

Initial Access

T1566.001 – Phishing: Spearphishing Attachment

The defendants’ intrusions typically started with fraudulent spear-phishing emails designed to trick victims into downloading and executing the previously developed malware. Such emails frequently contained sensitive and personal information about the targeted victim previously gathered to improve the spear-phishing campaigns’ success rate.

Execution

T1204.002 – User Execution: Malicious File

The attackers would then rely on the previously built relationship  to deceive victims into downloading and opening a malicious document attachment. According to the indictments, the defendants would use various file formats to deliver  malicious payloads. In some cases related to cryptocurrency fraud, the defendant would conceal the malicious code in cryptocurrency-related software programs suitably created by the attackers.

Defense Evasion

T1035 – Masquerading

The indictment states that the defendants took significant steps to “avoid detection and attribution of their computer intrusions to themselves, the RGB, and the DPRK.” To avoid the victim’s suspicion, the attackers would manipulate the malicious email attachment’s name and appearance to evade defense and observation. For example, the attackers would occasionally conceal malware within “seemingly legitimate word processing documents or software applications” to avoid being detected by the targeted recipients.

Discovery

T1087 – Account Discovery

Once the attackers gained access to the targeted computer system, they would attempt to move laterally and conduct research to locate and exfiltrate sensitive information. The indictment also affirms that the defendants would try to “access one or more computers that the victim bank used to send or received messages through the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) communication system.” Getting unauthorized access to these computers would then allow the attackers to conduct and authorize fraudulent wire transactions to bank accounts controlled by them.

Taking a Look at the Broader Threat Landscape

The DOJ indictment doesn’t state the total value of the money successfully extracted by the attackers; however, the DOJ clearly says that the defendants attempted to steal over $1.3 billion from worldwide banks. Additionally, this is just the number for the attributed campaigns; it is realistically possible that the unattributed operations could bump those digits higher. To put this number in perspective, just think that the estimated Gross Domestic Product (GDP) of the DPRK is set at $40 billion.

In the previous years, the United Nations and the United States imposed heavy penalties on Pyongyang to deter it from developing a fully-fledged nuclear program. Additionally, the European Union recently imposed their first sanctions against cyber-attacks against North Korea (as well as Russia and China). Consequently, analyzing this indictment sheds light on the wide-ranging cyber operations conducted by North Korea to bypass existing international sanctions.

As long as the DPRK remains isolated from the international community and is hit by economic sanctions, it is likely that it will continue to fund its strategic goals via illicit means—one of them being, of course, cybercrime. Therefore, the latest DOJ indictment represents another crucial document to fully understand the intentions and capabilities of this sophisticated threat actor.

It’s fundamental to keep an eye out for threat actors targeting your industry verticals and/or geographic area. Having an in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization. This practice can help security teams prioritize the most vulnerable areas, thus granting a more robust security posture.

If you’d like to trial getting a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a picture of your network exposure in real time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high priority, actionable alerts as they relate to genuine threats to the business. Get a demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.