Note: This blog is a part of our MITRE ATT&CK Mapping series in which we map the latest major threat intelligence incidents to the MITRE ATT&CK framework. You can view similar postings such as Mapping MITRE ATT&CK to Compromised RDP Sales, Sandworm’s APT Campaign, or see our previous mapping of North Korean regime-backed programmers here.
Many will remember the June 2018 Singapore Summit between former US President Donald Trump and North Korean Supreme Leader Kim Jong-un, the first-ever meeting between the two countries’ leaders. The Summit attracted international attention because it was expected to relieve tensions between the two countries and produce a mutual agreement. The following months didn’t quite match those expectations, however. Over time, bilateral agreements to defuse military tensions and provide relief to Pyongyang collapsed, leaving Kim Jong-un without the financial resources to fulfill his strategic goals.
In recent years, the Democratic People’s Republic of Korea (DPRK) began carrying out low-risk, low-cost offensive cyber operations that yielded highly rewarding income streams. These actions occurred in a legal gray area, as there are no internationally recognized laws covering nation-state cyber crime. Several reports have highlighted that North Korean state-sponsored groups have been heavily involved in cybercriminal operations to fund strategic goals (i.e., the nuclear arms program). In light of their recent indictment, we decided to publish a mapping of MITRE ATT&CK to the DPRK Financial Crime Indictment.
A recent indictment by the US Department of Justice (DOJ) charged three North Korean criminals involved in a series of destructive operations aimed at extorting more than $1.3 billion from financial institutions and companies, in addition to felonies related to cryptocurrency fraud and attacks against the entertainment industry. The charges describe more than six years of activity attributed to alleged members of the “Lazarus Group,” an umbrella term for the highly active and sophisticated Advanced Persistent Threat (APT) groups whose motivations align with those of Pyongyang.
The indictment describes three North Korean computer programmers’ criminal activities, reportedly belonging to a Pyongyang military intelligence agency called the Reconnaissance General Bureau (“RGB”). One of the defendants was previously charged with felonies related to state-sponsored activities that were unsealed in 2018 (FYI, Digital Shadows (now ReliaQuest) mapped MITRE ATT&CK to that indictment, too). The latest accusations reiterate the same charges with additional evidence and knowledge of how this threat group operates.
Analyzing North Korea’s approach to offensive cybercrime operations is a remarkably insightful exercise. Unlike most other state-sponsored threat groups, Lazarus isn’t focused on cyber-espionage. Instead, the high-profile incidents linked with this threat group are more aligned to cybercriminal groups, as they are primarily involved in financially-motivated campaigns. As such, mapping the MITRE ATT&CK framework to the latest US Department of Justice indictment offers powerful insights into how state-associated financially-motivated malicious actors carry out their operations.
The indictment describes a variety of North Korea-led campaigns. For this blog’s purposes, we’ll focus on the malicious operations targeting banks and financial institutions from 2015 through 2019. According to the indictment, the threat actors attempted to “steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages”. Let’s see in detail how they did that.
T1589 – Gather Victim Identity Information
According to the indictment, the defendants would “use the internet to research potential victims with whom they would attempt to communicate.” Obtaining publicly available information on the targets, including personally identifiable information (PII), served the purpose of tailoring the subsequent spear-phishing messages. This practice increases the chances of successful social engineering campaigns, as it allows the attackers to establish a seemingly trustworthy relationship with the victim.
T1598 – Phishing for Information
The defendants would then develop false and fraudulent personas to establish contact with the targets. The attackers would then attempt to send spear-phishing messages aiming to trick targets into divulging further information or credentials. According to the indictment, the defendants would communicate with individuals in various verticals, including “entertainment companies, financial institutions, hundreds of cryptocurrency companies, online casinos, cleared defense contractors, energy utilities, technology companies, and government agencies.”
T1585 – Establish Accounts
According to the DOJ indictment, the defendants would “register and use email and social media accounts in false and fraudulent names” to establish contact with targeted victims. Persona development is a consistent practice during social engineering campaigns. It consists of building up public information dispersed across multiple platforms (e.g., LinkedIn, Twitter, Facebook) to trick the victim into speaking with a seemingly legitimate interlocutor. The attackers made extensive use of fake personas to gain unauthorized access to the victim’s computer, extract contacts of further potential victims, and register accounts subsequently used by the defendants.
T1587.001 – Develop Capabilities: Malware
Before obtaining initial access to the victim, the defendants highly likely developed their own malware to gain unauthorized access to the targeted computers. According to the indictment, such malware would include the Brambul worm and various ransomware strains. Additionally, MITRE ATT&CK states that “as with legitimate development efforts, different skill sets may be required for developing malware […] that may be located in-house, or may need to be contracted out”. However, given the sensitive nature of the offensive operations described in the indictment, it is likely that the RGB developed their own malware capabilities internally.
The DOJ indictment claims that developing and deploying malware supported the defendants in concealing their point of access to the victim bank’s computer network, their lateral movement, and the fraudulent wire transfers. Occasionally, the attackers would also attempt to impair the victim bank’s computers to cloak forensic evidence that could have tied the intrusion to them.
T1566.001 – Phishing: Spearphishing Attachment
The defendants’ intrusions typically started with fraudulent spear-phishing emails designed to trick victims into downloading and executing the previously developed malware. Such emails frequently contained sensitive and personal information about the targeted victim previously gathered to improve the spear-phishing campaigns’ success rate.
T1204.002 – User Execution: Malicious File
The attackers would then rely on the previously built relationship to deceive victims into downloading and opening a malicious document attachment. According to the indictment, the defendants would use various file formats to deliver malicious payloads. In some cases related to cryptocurrency fraud, the defendants would conceal the malicious code in cryptocurrency-related software programs purpose-built by the attackers.
T1036 – Masquerading
The indictment states that the defendants took significant steps to “avoid detection and attribution of their computer intrusions to themselves, the RGB, and the DPRK.” To avoid the victim’s suspicion, the attackers would manipulate the malicious email attachment’s name and appearance to evade defense and observation. For example, the attackers would occasionally conceal malware within “seemingly legitimate word processing documents or software applications” to avoid being detected by the targeted recipients.
T1087 – Account Discovery
Once the attackers gained access to the targeted computer system, they would attempt to move laterally and conduct research to locate and exfiltrate sensitive information. The indictment also affirms that the defendants would try to “access one or more computers that the victim bank used to send or received messages through the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) communication system.” Getting unauthorized access to these computers would then allow the attackers to conduct and authorize fraudulent wire transactions to bank accounts controlled by them.
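The technique list above is the kind of mapping analysts typically load into the ATT&CK Navigator for gap analysis. The script below is an added example (not code from the original post or from ReliaQuest): it turns the post's mapping into a Navigator-style layer, validates technique IDs, and expands sub-techniques to their parents so coverage can be counted per tactic. Tactic assignments are taken from ATT&CK Enterprise and are not stated by the post itself; the minimal set of layer fields used is an assumption.

```python
import json
import re
from collections import OrderedDict

# Techniques named in the indictment mapping above, in the order the post
# presents them. Tactic names follow ATT&CK Enterprise (assumption: current
# matrix; the post does not state tactics). Comments are constructed summaries.
INDICTMENT_MAPPING = [
    ("T1589", "reconnaissance", "Researched victims online before spear-phishing"),
    ("T1598", "reconnaissance", "Phishing for information via fake personas"),
    ("T1585", "resource-development", "Fake email and social media accounts"),
    ("T1587.001", "resource-development", "Custom malware incl. Brambul worm"),
    ("T1566.001", "initial-access", "Spear-phishing emails with malicious attachments"),
    ("T1204.002", "execution", "Victim opens malicious document"),
    ("T1036", "defense-evasion", "Malware disguised as documents/applications"),
    ("T1087", "discovery", "Locate SWIFT-connected hosts and accounts"),
]

# Enterprise technique IDs: T + four digits, optional .NNN sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def build_navigator_layer(mapping, name):
    """Return an ATT&CK Navigator-style layer as a dict (minimal fields assumed).

    A sub-technique also adds its parent technique to the layer, so the parent
    cell stays highlighted when the matrix is viewed with sub-techniques collapsed.
    """
    techniques = OrderedDict()
    for tid, tactic, comment in mapping:
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed ATT&CK technique id: {tid}")
        parent = tid.split(".")[0]
        if parent != tid and parent not in techniques:
            techniques[parent] = {"techniqueID": parent, "tactic": tactic,
                                  "score": 1, "comment": f"parent of {tid}"}
        techniques[tid] = {"techniqueID": tid, "tactic": tactic,
                           "score": 1, "comment": comment}
    return {"name": name, "versions": {"layer": "4.5"},
            "domain": "enterprise-attack", "techniques": list(techniques.values())}


def tactic_counts(layer):
    """Count highlighted techniques per tactic, useful for a quick gap analysis."""
    counts = {}
    for t in layer["techniques"]:
        counts[t["tactic"]] = counts.get(t["tactic"], 0) + 1
    return counts


if __name__ == "__main__":
    layer = build_navigator_layer(INDICTMENT_MAPPING, "DPRK financial crime indictment")
    print(json.dumps(layer, indent=2))
```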
The DOJ indictment doesn’t state the total value of the money successfully extracted by the attackers; however, the DOJ clearly says that the defendants attempted to steal over $1.3 billion from banks worldwide. Additionally, this figure covers only the attributed campaigns; it is realistically possible that unattributed operations would push it higher. To put the number in perspective, consider that the estimated Gross Domestic Product (GDP) of the DPRK is around $40 billion.
In previous years, the United Nations and the United States imposed heavy penalties on Pyongyang to deter it from developing a fully fledged nuclear program. Additionally, the European Union recently imposed its first sanctions in response to cyber attacks, targeting North Korea (as well as Russia and China). Consequently, analyzing this indictment sheds light on the wide-ranging cyber operations North Korea conducts to bypass existing international sanctions.
As long as the DPRK remains isolated from the international community and is hit by economic sanctions, it is likely that it will continue to fund its strategic goals via illicit means—one of them being, of course, cybercrime. Therefore, the latest DOJ indictment represents another crucial document to fully understand the intentions and capabilities of this sophisticated threat actor.
It’s fundamental to keep an eye out for threat actors targeting your industry verticals and/or geographic area. Having an in-house or outsourced Cyber Threat Intelligence (CTI) team can quickly identify trends and listings relevant to your organization. This practice can help security teams prioritize the most vulnerable areas, thus granting a more robust security posture.
If you’d like to try getting a clear picture of your attack surface, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) aggregates data from billions of sources across the open, deep, and dark web, giving you a picture of your network exposure in real time. Unlike other threat intelligence providers, Digital Shadows (now ReliaQuest) focuses on high-priority, actionable alerts as they relate to genuine threats to the business. Request a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.