THAAD Missile System

Exclusive: Eye on Weapons Systems, North Korean Hackers target US Defense Contractors

North Korean hackers have stepped up their attacks on U.S. defense contractors in an apparent effort to gain intelligence on weapon systems and other assets that might be used against the country in an armed conflict with the United States and its allies, The Security Ledger has learned.

Security experts and defense industry personnel interviewed by The Security Ledger say that probes and attacks by hacking groups known to be associated with the government of the Democratic People’s Republic of Korea (DPRK) have increased markedly as hostilities between that country and the United States have ratcheted up in the last year. The hacking attempts seem to be aimed at gaining access to intellectual property belonging to the companies, including weapons systems deployed on the Korean peninsula.

THAAD Missile System
North Korean hackers have been targeting US defense firms in search of information on weapons systems, according to multiple sources.

“As the situation between the DPRK and the US has become more tense, we’ve definitely seen an increase in number of probe attempts from cyber actors coming out of the DPRK,” an official at an aerospace and defense firm told Security Ledger. The so-called “probes” were targeting the company’s administrative network and included spear phishing attacks via email and other channels. The goal was to compromise computers on the corporate network.

According to the official, the attackers were not able to penetrate a separate and more secure network on which the company stores information on its weapons systems and other sensitive information. He asked that his name and his company’s name not be mentioned because he did not have permission to speak about the matter publicly.

All signs point North

While attribution of cyber attacks is difficult, the official said his employer felt confident that the perpetrators were operating out of North Korea and that the attempted hacks were directed at information the company had on weapons systems it had deployed in South Korea. “We saw that there was some correlation there,” the official said.

Security experts at the firm FireEye have also seen a group of hackers known as the Lazarus Group and believed to be affiliated with North Korea target defense industrial base firms in the U.S., Ben Read, the Manager of Cyber Espionage Intelligence at the firm FireEye told The Security Ledger. Read said that a hacking crew that FireEye has internally designated with the code name “Temp.Hermit,” a part of The Lazarus Group, has carried out a campaign of spear phishing and targeted attacks against defense firms. The attacks began in early August and have increased in recent months.

Read’s account of the campaign of attacks aligns with that of the official at the aerospace and defense firm, though FireEye declined to name the defense industry customers it had seen targeted or the type of information that hackers sought in those attacks, citing client confidentiality agreements.

“We’ve definitely seen that activity,” he said, describing attacks that start with spear phishing and other targeted efforts. “You’ll see people try to get in via weakest links,” he said. “We see stuff sent to (human resources) or general inquiries, rather than sent directly to engineers.” Read said that, because of that, he couldn’t confirm that weapons systems were the eventual target of the forays. “We can’t say for sure what type of information they’re after,” Read said. “These companies do a lot of stuff.” But the targeting was very consistent, he said.

Asked about whether it was aware of the targeted attacks providers of U.S. defense technology coming from North Korea, The U.S. Department of Defense declined to comment. “I will not comment on intelligence matters or specific incidents related to cyber intrusion. However, we continue to work closely with our partners in the international community in identifying, tracking, and countering cyber threats,” wrote Heather Babb a DoD spokesperson in an email statement.

A tactical shift from mayhem to missiles

North Korea is recognized as one of the few countries internationally with potent cyber offensive capabilities alongside the U.S., China, Russia and Iran.

Researchers at Kaspersky Lab have been tracking the outfit known as The Lazarus Group since 2009, according to Juan Guerrero, a principle security researcher at the firm. The group has become more “prolific” during that time, he said. “We’re seeing more malware and different types of campaigns. They’re ramping up in a lot of ways,” Guerrero said. Like FireEye, Kaspersky has observed different groups spin-off from the main Lazarus group, suggesting that the country’s cyber ranks are growing and diversifying. “They’re going after some very different targets,” he said.

Among them: defense industrial base firms. “We’ve definitely seen them target plenty of defense industrial base companies in South Korea,” Guerrero said. Among the targeted firms have been those dealing in nuclear weapons and aviation. Still, “most of it revolves around South Korea,” Guerrero said, citing the prevalence of phishing documents using Korean language or targeting Hangul, a popular word processing platform used in South Korea.

Kaspersky has labeled one of the spin-off groups “Blue Noroff” and said it uses typical Lazarus Group tools to gain access to target networks, but then appears to be handed off to “different operators” with “different priorities,” he said. “It’s the more financially motivated special subgroup of the Lazarus group as far as we can make out.”

The North Koreans have developed a rich arsenal of tools including worms and spreaders, ransomware and wipers like WannaCry. “There are lots of data exfiltration and espionage,” Guerrero said. “They definitely have the capabilities.”

North Korea’s fast-expanding cyber capabilities

Historically, the DPRK has limited its offensive campaigns to its main rival: South Korea and other perceived enemies of the regime. In recent years, the country’s hacking units have been linked to attacks on South Korean media outlets, banks and government agencies. North Korea is also believed to have carried out the devastating hack of Sony Pictures Entertainment in 2014, purportedly in retaliation for its role in making the movie The Interview, a comedy that imagined a plot to assassinate North Korean leader Kim Jong Un. More recently, North Korea is suspected of involvement in the WannaCry wiper malware attack that paralyzed scores of hospitals operated by the UK National Health Service in May.

In past attacks, North Korean hackers have been bent more on destruction than the kinds of intellectual property transfers typically associated with China. But that is changing. In recent weeks, for example, North Korean hackers are believed to have broken into a shipyard operated by the firm Daewoo and stolen plans for naval technologies including 60 “classified documents including blueprints and technical data for submarines and vessels equipped with Aegis weapon systems” according to a report by The Wall Street Journal.

Security experts who follow the country’s fast evolving cyber capabilities say that North Korean offensive hacking campaigns against defense contractors are not monolithic, but can have many stages. The first objective would be to understand how the weapons systems work.

“Their first modus operandi would be data gathering – figuring out what the threat is and what the capabilities of the system are,” Priscilla Moriuchi the Director of Strategic Threat Development at the firm Recorded Future told The Security Ledger.  Subsequent campaigns might attempt to achieve more subtle aims, such as influencing the performance of the weapons system in the event of a conflict. “They might try to influence the development of the system using a supply chain attack,” Moriuchi said.

Such campaigns have been successful when tried by other nations. For example, the U.S. and Israel delayed progress in Iran’s Uranium enrichment program by infecting programmable logic controllers manufactured by Siemens with the Stuxnet malware and causing vital centrifuges to self destruct. Recorded Future doesn’t have any evidence that North Korea has that kind of capability, but considers it a “next step” for the country.

That may involve the use of agents planted within target companies. “We know they have HUMINT agents in diaspora,” said Moriuchi, referring to “human intelligence.” Well placed North Korean agents in defense firms is South Korea or, or supply chain partners of those firms could be an easier path to infiltrating sensitive weapons programs than external hacking, she said.

In fact, the official at the aerospace and defense firm said his employer and other defense industry firms are very concerned about that very threat. “There’s the risk of them hitting the lower level suppliers,” he said. “The (defense) industry is very aware of that, and so is the government.” He said “actions” are under way to help small suppliers. “Some of these guys that are providing a small part, you may have a company of 15 people, and the IT person as other jobs.” He said his employer has sent technical, incident response staff on site to suppliers on some occasions where there was concern that they may have been targeted. “We’re looking for ways to strengthen everybody,” he said.

The key is to not underestimate the means or motives of North Korea, which is often perceived as a strange, impoverished and isolated nation, experts agree.  “They’re a capable country,” Read said. “They’ve built a (nuclear weapon) and an ICBM. So just because they’re the DPRK doesn’t mean they cant find a use for sensitive technology.” And, while South Korean firms have been North Korea’s traditional targets “nothing is quite beyond these guys,” he said. “It’s not because they’re the most sophisticated. It’s because they are willing to do things other (nation-state hacking groups) are not.”