The Microsoft Threat Intelligence Podcast 1.24.24
Ep 10 | 1.24.24

North Korea Threat Landscape Update


Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Welcome to the "Microsoft Threat Intelligence" podcast. I have two fantastic Microsoft Threat Intelligence analysts, security researchers, APT-focused, Matthew Kennedy and Greg Schloemer. Thank you so much for joining me. How are you guys doing?

Greg Schloemer: Doing great. Thanks for having us, Sherrod. Super excited to be here and talk North Korea.

Matthew Kennedy: Thanks so much for having us. I'm looking forward to chatting a little bit more about this fun world that we research every day of kind of North Korean cyber operations.

Sherrod DeGrippo: Well, as I was telling you guys earlier, DPRK was a special request. We got some listener feedback that they wanted DPRK specialists, specifically you two, and they wanted to hear like what's going on with North Korea, which I'll let you guys dig in. But I've always felt like North Korea was kind of a weird outlier in that larger kind of like that big four category that we think of with China, Russia, Iran. North Korea is weird. So, like, Greg, can you give us some of the breakdowns of like what makes it so strange?

Greg Schloemer: Yeah, well, first of all, I want to say, you know, often in the big four, North Korea doesn't get a ton of love, right? So, I just want to say thank you to those fans we have out there who were asking for us to talk a little bit more because there's a lot of cool stuff going on in North Korea. Yeah, I think there are a lot of things that make North Korea unique. Some of the big things are, you know, they're really persistent. They put a P in APT. They aren't afraid to try new things. They aren't always the most sophisticated but they get the job done. They're really a persistent and continually evolving threat. And they also are sort of this weird mix of APT and cybercrime. A huge part of what the North Koreans are doing these days is revenue generation, cryptocurrency theft. So, often when we think APT, we think strictly, you know, intel collection and espionage, but North Korea really brings in that cybercrime angle as well as a huge part of what they do.

Sherrod DeGrippo: Yeah.

Matthew Kennedy: Yeah, I think I would add to that something that I find really interesting about the North Korean cyber operations eco-space is that they really just have a mantra of kind of being hustlers, like they're scrappy, they're persistent, they're always kind of evolving. And I just think that's really unique sometimes when we think about classically kind of the big four and what sets North Korea apart. It's really, to me, it's a different mantra even about how they approach their cyber operations and the way that they take a fundamentally different view of how cyber operations enables the goals of the regime compared to some of the other big four.

Sherrod DeGrippo: I think that a lot of people that track this stuff kind of -- like let's talk Lazarus for a little bit. People really got hooked on Lazarus. And what do you think it was specifically about that particular group, the campaigns that they did, why did they capture the attention of kind of the industry and people that did APT work? What was special about them?

Matthew Kennedy: That's a great question. Greg, I'm curious to hear your perspective too. I think for me, probably one of the things that's really unique about Lazarus or kind of one of the groups we would call a Diamond Sleet, this kind of primary cluster which we think of kind of the historical Sony Pictures attack in 2014, then you have Wanna Cry in 2017, continuing on until today where we have kind of supply chain compromises. I think what started out as so interesting about that group is they really were one of the first kind of nation states to really kind of cross a line into a very provocative action in kind of what they were doing with Sony Pictures and that Sony Pictures historically had created the movie "The Interview", which the North Korean regime was not a fan of and proceeded to target Sony Pictures in response to their movie. And I think that really captured our attention because the idea of a private American company creating a movie or a satire of a geopolitical situation really elicited a government response towards this private company. And I think from that moment in 2014, something was different about how the North Korean cyber operations would operate over the next decade and even to what we see today. I think that was a key moment when something clicked in people's mind that like something might be different here.

Sherrod DeGrippo: That's really interesting too. And you mentioning 2014, I can't believe it's been basically 10 years since "The Interview" came out, which was Seth Rogen and James Franco just being -- it was very satirical. Like coming from any Western culture, you could watch that movie and see very clearly it's satirical but I guess perhaps in a way that the regime was not super fond of. Greg, why do you think Diamond Sleet or Lazarus captured so much attention from the industry and from security researchers?

Greg Schloemer: Yeah, I think, you know, this Sony Pictures incident really like brought North Korean cyber to the main stage. Right? "The Interview" was a popular movie when we think about like garnering attention even beyond the security industry. Much of state-sponsored cyber activity is targeting of the defense industrial base, targeting of government agencies like those are things that honestly the common person doesn't care a lot about but now it's like suddenly there's this popular movie that has been released and we have North Korean hackers carrying out an attack against the well-known company in response to a well-known movie. So, it like opened up the whole world of state-sponsored cyber activity for so many people. And I think that's why Lazarus really caught the world by storm both, you know, regular people who aren't in the cyber industry and also security professionals.

Sherrod DeGrippo: So, that's why they've captured the attention. What have they been up to lately? So, I know we released a blog a little bit ago about Diamond Sleet, I know we've put out bulletins here and there. What's the focus for Diamond Sleet in the past six months or so? What have they been doing?

Greg Schloemer: Maybe this is a great time to talk a little bit about our blog and, you know, some of the most recent stuff. So, back in November, we released the blog on some Diamond Sleet activity. TLDR, Diamond Sleet carried out a software supply chain attack against a company called CyberLink. And so, Diamond Sleet actually added some malicious code to a multimedia application that CyberLink developed. And what's really interesting about this activity is, you know, this wasn't completely unexpected from Diamond Sleet. In 2022, they sort of started this trend of weaponizing open-source software. So, they would take software applications that had, you know, open-source code out there for the public to access and they would add malicious code to that application. PuTTY was one example of a program that they weaponized. And then they would send the malicious PuTTY version to a target and say, "Hey, you know, I need you to connect to this server for me." And then the victim would run the software and get infected. So, this CyberLink incident represented sort of an evolution of everything that worked with the weaponizing open-source software. So, we saw, you know, this is no longer open-source software, this is actually a proprietary application produced by CyberLink. The CyberLink malicious application was actually signed so Diamond Sleet stole a code signing certificate from CyberLink and signed the malware. There was also a lot of like cool anti-reversing things that they added in this CyberLink malware. They were looking for like certain EDR programs. The malware would actually only run on Tuesdays at 11 o'clock. So, it was like they took all the things that went wrong with the activity in 2022 and fixed all those things. And, you know, you think about like CyberLink is used all over the world so it was a perfect opportunity for them to have global reach and spread their malware to users all over the world.

Sherrod DeGrippo: That's amazing that they went back and did like essentially it sounds like quality control on the operation and fixed basically like fixed the issues. They did bug fixes for their whole operation and that's pretty cool. Matthew, you want to expand on that a little bit in terms of the stuff you've seen lately?

Matthew Kennedy: Yeah, definitely. I think one other group that has really caught my attention over the past 18 months or so would be Jade Sleet, that's a group that the US government has also dubbed TraderTraitor. What's significant about this group is they've stolen billions of dollars. And even more recently I think TRM said that in 2023, a third of all stolen crypto was stolen by the North Korean regime. That's over $700 million. And so, this is a fascinating group because they are using a lot of the techniques that they've learned over the past decade and they're using new techniques as well as abusing trust relationships and moving downstream into victim environments to pull off wildly successful crypto jackpotting of a lot of these cryptocurrency exchanges that you've heard that have been breached over the past year. And I think this group is fascinating because, one, just because of the fact that it's working, right, at a certain level to pull off billions of dollars in theft shows that they're doing something right. And so, I think as we have kind of tracked this group more closely as they've continued to be successful, we've seen they're doing a lot of novel things. And the sophistication of this operation and this group has been very high, it's been one of the ones that has really stood out to us as a group that is leveraging cutting-edge TTPs most notably over the past year. We track the CircleCI breach as well as the JumpCloud breach that were both reported by those companies as attributable to Jade Sleet, which they leveraged to move downstream into victim environments. And so, maybe a little bit different definition of what you might think of like a software supply chain attack similar to CyberLink, but unique in the sense that they're abusing that trusted relationship from a supplier to a customer. And so, you know, I think this group is really fascinating because it continues to show that North Korea is evolving in the ways that they're conducting operations and they're proving to be widely successful in how they do it.

Sherrod DeGrippo: That is so interesting because one of the questions that we actually got in from a fellow researcher in another organization, Greg Lesnevich, shout out to Greg, yeah, he's a good friend. So, one of the questions that he actually sent in was, "Give us kind of an idea of what allowed DPRK to become a second tier" -- or excuse me, a first-tier APT actor from that second tier because both of you at this point have said, earlier or a second ago, Greg was like they put the P in persistent and that is just such a like great little bullet point to put beside them. What are some other things that you feel like reflect how these operations have matured from the groups coming out of North Korea?

Greg Schloemer: Yeah, think one thing that really stands out for both of us when we think about, you know, why North Korea has sort of made this jump from second tier to first tier is just that they really adopt this mindset of evolution as opposed to revolution. So, we've seen -- you know, we've talked about Sony Pictures back in 2014. There are elements of what they did in that attack that are still used today. They very much have like a "don't reinvent the wheel" philosophy. Operation Dream Job, you know, targeting of the defense industrial base from Diamond Sleet, that playbook is still used today. There have been drastic improvements since it first came about. But just this ability for all the North Korean groups to figure out what works and make subtle changes over time as opposed to completely reinventing the wheel, I think that is really what has allowed them to mature and level up to where they are today. Matt, do you have anything you'd add to that?

Matthew Kennedy: Yeah, thanks, Greg. I would just echo what you said there and maybe even if we can learn a little bit of a life -- a lesson from North Korean cyber operations is that sometimes the slow faithful progression is more effective in the long term than trying to create a spark or a revolution. And really I think that's what we've seen from North Korean cyber operations going back over a decade, you know, how did they get here to where they're at today? Well, it's from incremental changes. Even as Greg highlighted a little bit earlier about the way that Diamond Sleet started by weaponizing open-source software. They figured out how to make that work. And then what did they do? They leveled up and they said, let's go impact code bases and conduct software supply chain compromises. But that didn't come out of nowhere, that came after years of perfecting how to weaponize open-source software. And so, I think that's really unique in that they are persistent and they are getting better every day rather than trying to create a spark and conduct a revolution in their operations.

Sherrod DeGrippo: That's really interesting. So, something that I've kind of picked up from, you know, talking about this now is it sounds like they've got broad TTPs in terms of how they do like first contact. Because I know they use email. We've seen them where else? You said software supply chain. I think they've used some social media tactics as well. What else have they done that kind of gives them that broad spectrum, you know, sort of jack-of-all-trades on the TTPs?

Greg Schloemer: I think it's really that they do all of those things at the same time, right? It's they don't adopt a philosophy of like, okay, well, you know, phishing is the way we do things. If phishing certain subsets of their victim base works, why change it? If, you know, reaching out to victims on LinkedIn with potential job opportunities works, then why reinvent it? On top of some of those, you know, social engineering techniques, we do see some more CNO-type exploitation activity from a lot of groups. We see exploitation of n-day vulnerabilities that have been publicly disclosed, we see a couple of groups that are actually developing novel zero days. Anything and everything in terms of initial access is on the table for North Korean groups. And I think that's what helps them be successful in their broad targeting scope.

Sherrod DeGrippo: You think they're developing those zero days or they're buying them?

Greg Schloemer: That is a very good question. Matt, any thoughts there?

Matthew Kennedy: Yeah. That's a good question. I think by and large one thing that we have noted is that we haven't seen a ton of evidence of North Korean cyber operators having larger or consistent relationships with the cybercrime eco-space kind of within Eurasia. So, at some level, I do think they are developing these capabilities but I wouldn't put it out of the realm of possibility that they do have connections that could enable them to procure zero days. But I wouldn't say that those relationships exist at scale or would be indicative of a larger connection to the larger cybercrime ecosystem.

Sherrod DeGrippo: Okay. Interesting. Because I know that we typically say like with Russia-based threat actor groups that there's a lot of overlap there between cybercrime and then we see, you know, TTP overlap too, right, like them using off-the-shelf crimeware malware in, you know, various back-and-forth between the two different sides and typically potentially some of the same people doing some of the same tactics whether they're doing it for personal crime reasons or they're doing it in their kind of day job at government work. So, it sounds like DPRK doesn't really have that breadth of that broad scope across the two pillars. I want to ask though, because this is my favorite -- like you know I'm a crime -- I like the crimes. But here is my question, right, this is what we want to really dig in on. Man, they steal a lot of cryptocurrency over there. So, kind of help me and the audience understand like it's state-sponsored but it's state-sponsored with a heavy focus on currency collection. So, can you sort of like walk us through what some of the points of that are? And like what that means in terms of differentiation? What's the goals there? How does that work? Matt, I'll start with you, like what's up with this cryptocurrency situation with North Korea?

Matthew Kennedy: Yeah. That's a great question. I think one of the things is kind of how we touched on earlier that kind of early on North Korea learned that they could utilize cyber operations to accomplish strategic goals of the regime. And one unique goal that they have is that revenue generation, right? And as sanctions have been levied against the regime, the need to generate revenue has become an increasing priority. And so, what they have found is that they can also use their cyber operations to meet that goal. And we see this going back to 2016 with the Bangladesh Bank Heist where they had stolen almost a billion dollars, one flag prevented it from going through that ultimately only led to a theft of $81 million. But they quickly learned in 2016 that, oh, we can also generate significant revenue using cybercrime but under the goal of supporting the state. And so, I think again, they have leveraged that understanding of how to target financial entities and how to abuse trust in the financial system for their benefit. And I think particularly with the emergence of cryptocurrencies, that has only increased as I think of a lot of these crypto companies, probably do not have the level of processes or security that an international bank may have. And so, it's proven for them to be a fertile ground for targets that they could compromise. And it's worked really, really well. I also think one thing that's unique about the way that they're stealing cryptocurrency is kind of the way that the whole model operates in the sense that if you look within kind of the Eurasian kind of cybercrime eco-space, you tend to have access brokers and there's hand-offs, and there's this personal relationship, and you really have this like map of just like relationships all over the place because it really in some sense, it doesn't cluster in the same way that we think of APT. But I think what's different about the North Korean state is that really the whole operation from stealing the money and then to kind of cashing out the revenue, all happens in-house. And so, that doesn't mean that they don't use people outside of the country to enable what they need, when they need it, but by and large, it's different in that it tends to be managed fully in-house. And that makes it different than what we see from other cyber-criminal gangs traditionally that Microsoft might follow.

Sherrod DeGrippo: So, they've amassed like I've read in the Microsoft Digital Defense report that with Harmony Bridge, Jade Sleet stole almost a billion dollars of cryptocurrency. It's the volumes of money is insane. So, there has to be some aspect of once they get that amount of cryptocurrency, what's next? And, Matt, kind of give us that understanding because this isn't something that we normally talk of in these volumes, especially with a nation-sponsored actor.

Matthew Kennedy: Yeah, for sure. I think one thing historically when you think about a bank robbery, you may think of someone walking out with cold hard cash that they can then use. What's a little bit different in cryptocurrency theft that the North Koreans have accomplished is that once they've stolen it and they've gotten it to their wallets, that's the first part of the puzzle. The second part of the puzzle is how do you launder that money and eventually get to cash out to where you can turn cryptocurrency into local fiat that they can use to support the regime. And so, I think from our perspective, we tend to see a lot of government partners across the globe really trying to develop relationships within the financial industry that are helping to prevent the money laundering and the fraud that enables the cash-out. And so, that's a key piece in the deterrence of these operations is really, one, if on our end we can stop the compromises from happening in the first place, that's ideal but even if that wasn't successful, can you stop the cash-out? And really that's the key piece of the money laundering that gets back into even whole different lanes of thinking around accounting around following the money and using that skill set but on the blockchain to follow how it is that they're laundering money so that you may be able to complicate or disrupt their ability to cash out.

Sherrod DeGrippo: Interesting. So, I want to ask you both how much work have you put into becoming blockchain and cryptocurrency experts in your day job. Greg, how much are you working on that blockchain?

Greg Schloemer: Yeah. I'm going, to be honest, I probably should do it more. And I say that because, you know, revenue generation and crypto theft has really become a priority for almost every group we track like it's pretty rare these days to see a group that is not in some way supporting the revenue generation front. Yeah, I definitely could do some more learning and understanding of blockchain technology. Like Matt said, you know, our job is to try to stop the intrusion in the first place. And so, I do take some pride in feeling like we do a pretty good job of staying on top of the latest TTPs and malware that they're using to break into these financial entities in the first place.

Matthew Kennedy: Yeah, I think from my perspective, I'm almost too close to tracking the thefts to be able to trust the cryptocurrency ecosystem. So, I tend to stay away, maybe I've just been burned too many times tracking these thefts.

Sherrod DeGrippo: You know, over the past couple of years, with ransomware coming up, and then, you know, North Korea being so focused on cryptocurrency, I've learned more about it than I really ever wanted to, and something that I remember very vividly was a couple of years ago watching some -- I can't remember the exact group but it was North Korean actor going after the exchanges themselves. So, going after cryptocurrency exchanges, wallet holders, and forums basically with the intent of getting even closer to the bigger money. And I was researching these exchanges and I'm like, wow, this seems really -- these exchanges themselves seem quite shady. And now, going a couple of years later, we've seen two arrests of exchange and broker CEOs. So, it's pretty interesting to see how those two things kind of interact with each other. But I definitely learned a majority of -- maybe all of what I know about cryptocurrency and blockchain because of what threat actors are doing with it. So, let's talk a little bit about like from the perspective of a defender, you have got stuff you want to protect. It sounds like the DPRK loves some software supply chain. What are the kinds of things that organizations should be considering when thinking about how to defend themselves from this particular group of actors?

Greg Schloemer: Yeah, that's a really good question, Sherrod. And, you know, unfortunately, this is a really, really challenging problem to solve. It sort of challenges a lot of the assumptions we've made about trust for the entire history of computing. Just because a software application comes from a trusted publisher and is signed, you know, that's no longer enough for us to trust the integrity and the security of that application. So, increasingly, you know, we're seeing North Korean threat actors abuse that trust more and more in software supply chain attacks. And targeting of IT service providers to move downstream and compromise their customers. And so, you know, for us, at Microsoft, we've really, really been leaning forward on mitigation of this activity. So, following the 3CX supply chain compromise last year, you know, we've sort of set out as a team to be much more aggressive in finding and responding to the supply chain attacks. So, as soon as we can uncover the activity, we're proactively deploying protections for our customers to stop that activity in its tracks as quickly as possible. And that's just because, you know, a software supply chain attack of a legitimate application can truly affect the entire world, right? You're no longer depending on a phishing email that you have to persuade a target to go and open and interact with, you're actually abusing the fact that your target inherently trusts something. And so, yeah, we're really just trying to be aggressive in how we can protect customers from those threats. Not only in, you know, product protections but also in just getting our context, you know, like the blog from November with the CyberLink activity. The more we can provide awareness and context around this type of activity from North Korean actors, ultimately the better-prepared defenders we'll be to respond to these threats.

Sherrod DeGrippo: Matt, anything you want to add to that? Any tips you want to add for organizations that need to worry about this?

Matthew Kennedy: Yeah. I would just echo what Greg said in that this is a really difficult problem to solve. Being a former defender, I know that a lot of the solutions that are crafted in theory are very, very difficult to implement practically. And so, I think it's all the things though. It's log monitoring. It's endpoint solutions. It's doing all of the things today in the cybersecurity suite of tools and processes and capabilities that we have available to us as defenders. And I don't think it's necessarily one thing that helps us solve this problem. I think it's a holistic security program that helps us to be able to respond when these incidents of trust are broken from a supplier to a customer and there's downstream actions. And so, I think it just echoes the need for resilient cybersecurity defenses.

Sherrod DeGrippo: Got it. Let me kind of switch gears a little bit to what you really like working on. And kind of I want to ask Greg and, Matt, I'll ask you too, why do you do North Korea? Like why would you pick that?

Greg Schloemer: Yeah. So, when I first joined the team, I actually worked China for about a year. And I had an opportunity to switch over to North Korea and took it with quite a bit of excitement about, you know, what the threat landscape brings. I think the thing that I really enjoy frankly is that a lot of people don't care about North Korea and they sort of aren't looking, they're sleeping on North Korea, right? We always say like don't sleep on North Korea. A lot of people are sleeping on North Korea. And as a result, there is a lot of opportunity for North Korean security researchers to find really cool stuff, right? When China does something new, the entire security industry is looking. But, you know, we're one of a few teams in the industry who is hyper-focused on North Korea. So, when they do something new and novel, I have an opportunity to be one of the first people in the world to find that and to understand it and to tell the world about it, which is really cool.

Sherrod DeGrippo: Okay. So, the last question about North Korea. What do you think we're going to see there coming out of their future campaigns? What the actors are going to be doing? Greg, I'll start with you, what do you think is on the horizon for them?

Greg Schloemer: Yeah, I think the big thing looking forward for North Korea will be just continuing to abuse these chains of trust. Over the last few months, we've seen several more actors getting on the supply chain compromise train. I don't see any sign of that stopping any time soon. They're going to continue stealing code signing certs. They're going to, you know, continue leveraging signed code as a means of infiltrating some of the security measures that we've had in place for years. We talked a little bit about, you know, compromising IT service providers, moving downstream. That's something that we've seen be particularly effective for some of our groups, especially Ruby Sleet. And as we've talked about, you know, this idea of evolving and sharing what works, I think this will be another sort of shared TTP, shared playbook that we'll see demonstrated across numerous North Korean actors. Matt, anything you'd add to that?

Matthew Kennedy: I don't think so. I think you crushed it. That was a great answer.

Sherrod DeGrippo: That was a great answer, Greg. Matt, also a great answer. Very good. Always good to defer to a fellow expert. All right. So, let's say they tell you, the big boss comes down and is like, "Hey, you can't do North Korea anymore." You do any other thing you want, including crime, what do you pick?

Greg Schloemer: I would actually like to go to the cybercrime side.

Sherrod DeGrippo: Yeah.

Greg Schloemer: The guys and gals working over there are crushing it. And I just love -- they're all brilliant. I love the way they do their work. I love the way they think. And I think the threat landscape is just so interesting and so different than what we often see in APT space.

Sherrod DeGrippo: All right. Matt, what got you on North Korea?

Matthew Kennedy: Yeah, that's a funny story. I don't think I've told the story too many times but when I was early on in my career, the first ever group that I was tracking was the group that we call Emerald Sleet or kind of THALLIUM Kimsuky. And the first APT email that I ever mitigated was -- it had a link in the email to compromised infrastructure and I was so excited because I blocked this email and I'm digging on the email that I just mitigated, and I look and the next stage domain is actually to an alpaca farm that was compromised that happened to be a mile from the home that I grew up in. And from that moment, I was just like, okay, this is just meant to be, this hits too close to home. And so, you know, years ago, that little alpaca farm kind of was the first hook into the North Korea cyber actor tracking and I kind of never let it go. And since then, I just loved the ride to kind of continue tracking all that they're doing. And as Greg said, they do a lot of really, really novel things. They don't inherently maybe get the attention that other regions may get and I think that's part of a superpower for them. And I love following their activity and trying to mitigate their activity when we're able to.

Sherrod DeGrippo: So, the same question for you. Let's say, it's taken off the table, where do you go?

Matthew Kennedy: Ooh, that's tough. You know, I have so many colleagues that are doing amazing work in finding just really novel, really exciting work. I think one area that I'm really interested in is particularly China and I think the kind of China activity is a strategic challenge in scale. There is so much activity that it is really challenging to prioritize to choose what to focus on and what to pour your resources into. And I think that problem kind of is really interesting to me.

Sherrod DeGrippo: Got it. So, I'm really glad that you guys were able to come on the podcast and tell us about North Korea. And I hope, you know, we can continue to have regular updates on what's going on with North Korea, you know, as we continue doing the podcasts. I'm really hoping that we can get that done. We have a lot of incredible people at Microsoft that work on all these different things but I really hope that I can have both of you back to tell us more P in persistent coming out of DPRK.

Matthew Kennedy: We would love that.

Greg Schloemer: Awesome. Thanks so much for having us. It's been a lot of fun.

Sherrod DeGrippo: Thanks for coming on. Thanks for listening to the "Microsoft Threat Intelligence" podcast. We'd love to hear from you, email us with your ideas at Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out for more and subscribe on your favorite podcast app.