Cyber Espionage and Financial Crime: North Korea’s Double Threat
Assaf Dahan: North Korean threat actors are not script kiddies. They are a major cyber force to be reckoned with. And the global reach of their cyber operations should be taken very seriously not just by governments or government affiliated organizations, but it causes many industries and regions the financial motivation of the North Korean threat actors that really sets them apart from other nation state threat actors. And that aspect makes them more relevant to more organizations worldwide. [ Music ]
David Moulton: Welcome to "Threat Vector," the Palo Alto Networks' podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host David Moulton, director of thought leadership. Today I'm speaking with Assaf Dahan, director of threat research at Palo Alto Networks' Cortex team. Assaf is a seasoned cybersecurity expert with over 18 years of experience in both military and civilian domains. Throughout his career Assaf has worn many hats from malware analyst to threat hunter to team leader and director working with top tier security companies and contributing to a variety of international security conferences. His experience spans across malware analysis, reverse engineering, threat hunting, threat intelligence, red teaming, and application security giving him a well rounded perspective on the ever evolving cybersecurity landscape. Currently leading the threat research for Cortex, Assaf's work focuses on providing insights into some of the most sophisticated cyber threats including those coming from state sponsored actors like North Korea. Today we're going to talk about North Korea and hackers and why they've become such a hacking powerhouse, what's driving their attacks, and what we can learn from the latest research conducted by the Cortex team. This is an important topic because North Korea's cyber activities have increasingly targeted critical sectors, raising significant concerns for governments, businesses, and individuals worldwide. Here's our conversation. Assaf Dahan, welcome to "Threat Vector." I'm really excited to have you here today.
Assaf Dahan: Thanks for having me. I'm really happy to be here.
David Moulton: Assaf, your background goes back decades. You've worked on threat hunting and intelligence. And now you're here as Palo Alto Networks' director of threat research and part of our Cortex team. What is it about cybersecurity that keeps you coming back for more?
Assaf Dahan: That's an interesting question, and it's a question that I tried to answer for myself for a better part of my career. But I guess it really boils down to that cat and mouse game. I really like the challenges. It's kind of like playing chess where you constantly have to outsmart your opponent. Right? You have to think a couple steps ahead. And I think that cat and mouse game is what really keeps me sharp, on the edge, keeps me learning all the time, keeps me motivated to develop new skills because with cybersecurity like every day there are new techniques, new exploits, new threat actors, new malware. So you have to constantly keep learning and developing technically and professionally. So I think that's what does it for me on a personal level.
David Moulton: That really resonates. I think that a lot of us are wired for the new and novel and then also doing something that we think is really good in the world. And so I can see how that would bring you back in day after day. Assaf, we're going to get into a conversation about North Korean threat actors and what makes them such a hacking powerhouse. We're also going to take a look at some of the research that you and your team have published on this topic. We've got a lot to get into so let's hop right into our conversation. Today we're going to be talking about some of the research you and your team have done on North Korean threat actors that have shown up consistently in the news. From your research, what makes North Korean hackers such a formidable force on the global cyber landscape?
Assaf Dahan: That's an excellent question, David. So when we talk about major players in global cybersecurity North Korea might not be the first nation that comes to mind. Right? But over the last decade or so they've really earned their spot in what we might call the hall of fame of nation state threat actors. And let me tell you their rise to cyber I guess prominence is a fascinating story. For me at least the pivotal year was 2014 and what became known as the Sony Pictures hack. So to those of you who would maybe not be as familiar, back in 2014 Sony was about to release, "The Interview," a Seth Rogen parody with I guess -- about the assassination of the North Korean leader Kim Jong Un. And, as you might imagine, North Korea wasn't exactly thrilled about this premise and their response was a devastating cyber attack that caused massive financial and reputational damage to Sony Pictures ultimately forcing them to cancel the movie's theatrical release. And this was -- at least for me it was one of North Korea's first true cyber -- how shall I say it? Tour de force. And perhaps a trailer for what's to come. And in the following years we started observing the formation of a more I guess cohesive or coherent cyber warfare strategy. Less vendetta motivated, if you will, but like something more robust and that you can feel that there's a strategy. And a crucial part of this strategy really revolves around financial gain and generating revenue through cyber crime. You have to remember North Korea is a very impoverished country. It has -- it's under a lot of embargoes and sanctions. So, for instance, in 2016 they attempted what could have been possibly one of the largest bank heists in history. And they targeted the Bangladeshi central bank and their goal was to get away with $1 billion. And this is where it gets kind of comical. Their entire operation was nearly successful, but it was ultimately foiled due to a typo that kind of raised flags in the banking system.
So if you want to talk about a billion dollar spelling mistake, right. So they did manage to get away I think with $80 million I think, and the bank was able to retrieve it at some point. But in later years we've seen this trend of like going directly after banks and conducting bank heists in other parts of the world quite -- as part of their strategy. Some of them were more successful. Some were not as successful. But we've seen this direct pitting or targeting of banks. [ Music ] Now we talked about the financial motivation, and this is the next one if you -- I think it was 2017 was the infamous WannaCry ransomware attack. And I think everyone in cybersecurity today still remembers what happened with WannaCry. It was pretty unprecedented with over 200,000 computers infected across more than I guess 150 countries. Now this wasn't just another cyber attack. It was a demonstration of North Korea's growing cyber capabilities and their ability to cause global widespread destruction. In many ways I think for a lot of people, self included, this attack was really the wake up call that the infosec industry really needed both in terms of how we deal with ransomware, because it helped to shape or reshape a lot of the security strategy around ransomware, also the issue of military grade exploits falling into the wrong hands with -- such as in the case of the leaked NSA EternalBlue exploits. And I think it really put a spotlight on the cyber readiness or lack thereof, if you will, of organizations and how they must need to address cyber disasters in terms of cyber disaster recovery plans and so on. So that single attack was really impactful and helped to transform the cybersecurity industry. 
Now if we fast forward just a couple of years, and I'm going to bring this to a rest soon, but if we fast forward a couple of years the North Koreans gradually started shifting from bank heists to -- and really jumped the crypto bandwagon, if you will, focusing most of their cyber crime activity on stealing cryptocurrency. So in 2023 alone North Korean hackers were estimated to have stolen more than $600 million just in cryptocurrency. I've recently read that the UN is currently investigating cyber theft operations linked to North Korea amounting to $3 billion only in the last year. So again we're seeing a lot of emphasis and focus on the financial sector.
David Moulton: Why have the North Koreans shifted so heavily into these kinds of tactics and techniques?
Assaf Dahan: You know, I've been looking at North Korean threat actors for a long time now and they as far as their North Korean I guess cyber warfare evolution over the last decade we're seeing something that is really remarkable. They've gone from pretty basic novice level hackers to probably some of the most sophisticated cyber operators out there. But the mind bending part about all of it is that this is happening in a country where most people don't even have internet access. We're talking about 1% of the population that has internet access. Even that is quite censored. And the reason behind this giant leap is deeply anchored in their asymmetric warfare strategy, if you will. So North Korea being North Korea doesn't have anywhere near the same technological or military power as I guess as countries like the U.S. or the U.K. So how do they level the playing field? Okay. So and they choose to do it through cyber warfare. And why? Well, because it's the perfect solution for a country with limited resources. Think about it for a second. To run cyber operations all you really need are computers, internet access, and some training. Pretty basic stuff. Right? So and fortunately for North Korea they've got allies who are experts in this game. Consider China, Russia, Iran that can really provide them with the relevant know how. Now another aspect to consider about this strategy is how cost effective it is. So if you think about building -- if you want to build yourself a navy or an air force, right, that costs billions of dollars. But creating a cyber army, that's relatively, you know, pocket money. It's cheap in comparison to traditional weapons. And I guess lastly what makes this so lucrative for North Korea and also other countries, by the way, is that in this day and age there are very little ramifications or accountability.
Look what happened after WannaCry or after they, you know, robbed a bank or did other operations, broke into defense companies or tried to instigate, I don't know, all sorts of hostilities. Did you see any armies marching into North Korea? Did you see anyone firing ballistic missiles at them? No. Because for them, and for many other threat actors, it really creates this perfect gray zone where they can operate clandestinely, where you know attribution is very difficult to really pinpoint and to prove a connection of a certain country to a cyber attack. So they know that there will be -- there are little consequences, if any. And I mean again nobody's going to invade North Korea because they hacked a company. Basically I think this is why it is -- the cyber or the asymmetric warfare strategy's so lucrative for them.
David Moulton: So we talked about some of the primary drivers of North Korean activity. It seems like it's been mostly about -- around financial gain. But are there other motivations? Espionage. Maybe political activity or just general disruption. What are the driving factors?
Assaf Dahan: So in short all of the above. So North Korean cyber warfare program is like a Swiss army knife with four key tools, if you will. Let me break it down for you. So first, as we've mentioned, they're after revenue generation. You have to remember North Korea's under crushing international sanctions and therefore they've practically turned hacking into a national fundraising program through crypto heists and banking system breaches. We're talking billions of dollars here, not just pocket money. The second tool in their toolbox or Swiss army knife is their digital sledgehammer. Namely sabotage. So when they want to send a clear message they'll, I don't know, shut down an infrastructure or wipe computers like they did, I don't know, with Sony or WannaCry and other attacks. That's their way of showing that they can hurt you without firing a single bullet or a missile. Thirdly they're running what I call their digital spy ring. Instead of, you know, what we imagine as agents in trench coats, they're using malware to steal military and economic secrets. And they're getting actually pretty good at it. And finally they're also playing the influence game. We see them meddling again and again in elections and the foreign politics and spreading a lot of propaganda mostly through social media. [ Music ]
David Moulton: Assaf, your team at Cortex has conducted some really in depth research on North Korean cyber activities. Can you share some of the key findings from those investigations?
Assaf Dahan: Yes. Definitely. So let me tell you about some pretty alarming discoveries we've made in recent months about North Korean cyber operations. So what's really fascinating and frankly quite concerning is how they're infiltrating global organizations, particularly tech companies, but also financial institutions and the defense industry. And here's how they're doing it. They've developed this sophisticated spear phishing campaign that looks more like a long con than a typical hack. Picture this. North Korean hackers are creating elaborate fake profiles on LinkedIn posing as job recruiters or head hunters. Right? Now they start off by building rapport and their relationship with their targets offering really attractive and lucrative job opportunities. And once they've established trust, and of course who among us doesn't -- isn't a little bit interested in hearing about a better job opportunity, right? We're all humans at the end of the day. So once they've done that they make their move in one of two ways. So the first approach is they'll send what looks like a harmless technical assessment and/or stuff for I guess most tech interviews. But here's the kicker. It will actually -- it will actually be a malware in disguise. And the second approach they'll convince the target to download what appears to be a regular conferencing app for the interview for the purpose of the interview such as Zoom, let's say, except, well, surprise, surprise, it will be a Trojanized version which is loaded with malware. Once they're in these hackers can do pretty much anything they want. We're seeing them conduct espionage, steal cryptocurrency, and even swipe credit card information from employees. And what makes it so worrisome is the scale. We're not talking about just a few isolated incidents here and there. These operations have a global reach. They're targeting some of the most sensitive and important industries in western countries.
And I think this is a bit of a reminder to all of us how some of the biggest threats may come through our most routine professional activities such as, I don't know, like job hunting, if you will.
David Moulton: Assaf, were there any surprises or new developments that you uncovered in this research that set North Korean operations apart from say previous years?
Assaf Dahan: So what troubles me personally even more than their social engineering campaigns that we're seeing is that they found a way to attack software developers worldwide without sending a single phishing email. And they do so by poisoning software supply chains, particularly Python packages. And here's the deal. We discovered that North Korean hackers abused the PyPI or PyPI repository which is basically, I don't know, like a giant software supermarket that millions of Python developers use daily. North Korean hackers managed to slip malicious code into this global repository by poisoning certain packages, specifically those who aim to target Mac and Linux users. And the evidence suggests that they were mainly after cryptocurrency mining, but that's probably just the tip of the iceberg because if you really think about it unlike targeted spear phishing attacks which really attack specific individuals here they're going after poisoning the water supply, if you will. So anyone who downloads these compromised Python packages could be affected. And when you compromise a developer's machine or endpoint you're potentially getting access to every system that developer touches or the companies they work for. And this is why it's extremely challenging to remediate because you have the whole I guess subject of supply chain attacks or how to trust open source code or third party code and that alone is a major risk and remediating it can be an extremely challenging task to solve.
David Moulton: Let's change gears a little bit. In your research were there any sectors or industries that you saw that were really frequently targeted by North Korean cyber attacks? I know you mentioned technology or the tech sector, but are there others that really stood out?
Assaf Dahan: Yes. I think what makes North Korean threat actors I guess so menacing on the -- in the global I guess aspect is that they have multiple groups and subgroups that with -- each group has its own unique set of tools, infrastructure, and also targeting. So while certain groups would go after financial gain and let's say crypto, some groups would go after banks, some groups would go -- would target IT companies. Some groups would go after governmental organizations or military or defense. So you have a really broad type of targeting here and I think going back to what I said at the beginning why it should be relevant to most organizations is exactly the financial targeting because it can come from ransomware. It can come from crypto mining or crypto theft. It could be stealing of IP. It could be just gaining access to an unauthorized access to a certain organization network. So the targeting is very broad. We do see a lot of their efforts going after western and namely U.S. and European companies. And yes. We see the tech industry being extremely targeted.
David Moulton: Are there things that these organizations, you know, that are in the high risk sectors or in the geographical area that you described can do to protect against some of these attacks?
Assaf Dahan: I guess that's the million dollar question. That's what everyone wants to know. So let me give you some practical run down of defending against North Korean cyber attacks. So let's start with the good news. The good news is there's a lot that we can do here. The first rule of defense, at least in my defense doctrine, is know thy enemy. And that's why we, you know, Palo Alto and the Cortex threat research team, we keep publishing really detailed research on the North Korean threat actor tactics, techniques, malware, and so on. When you understand, when you profoundly understand, how these hackers operate you can anticipate their moves much better and defend against them. But in a more -- in a broader way I guess a key insight here is that North Korean hackers often go for the low hanging fruit. While they're capable of really I guess sophisticated attacks like zero days and whatnot, they typically start with simpler approaches. Think, I don't know, unpatched servers, basic social engineering, and common or known vulnerabilities. They're more likely to try the doorknob than pick the lock if that makes sense. So what does this I guess -- what does it practically mean for an organization? What can an organization do? First I guess you want to layer your security. Don't rely on any single solution. I would really put extra emphasis on social engineering training. So also enforce identity management solutions. Enforce MFA. Adhere to strong password policies. And of course this cannot be stressed enough. Keep your systems patched and updated and harden your internet facing systems. I know that a lot of these things sound like the basics, but it's really about that. Like I truly believe that good basic security practices and IT hygiene can actually reduce most of the attack vectors. So in many cases you don't need fancy tools to stop them from penetrating your organization. You just need to be I guess thorough or good with the basics. [ Music ]
David Moulton: You know, something you said earlier that I thought was interesting and I want to come back to it was that the North Koreans had demonstrated some offensive cyber capabilities that could be used for more destructive purposes. Are there any potential scenarios that concern you the most when you're considering their offensive capabilities?
Assaf Dahan: There are two things. One is a sequel of WannaCry. Let's say there will be another worm like ransomware, like a rampant worm like ransomware, that can cause unthinkable damage on a global scale. And a second thing would be the targeting of critical infrastructure because when push comes to shove I think that North Korea would not hesitate to at least attempt or try to bring down critical infrastructure of its political or military opponents.
David Moulton: Assaf, given the complexities and the severity of all the threats that you've described, how important is global collaboration and threat intelligence sharing in combating North Korean cyber operations?
Assaf Dahan: I think that is always important regardless of the threat or the origin of the threat. I think as an industry and as a community working together, collaborating, really brings a better result. There are a lot of initiatives that exist within the cybersecurity or the infosec community. Some of them are led by governments. Some of them are completely civilian. And as threat intelligence or threat researchers we are part of a lot of these initiatives and knowledge sharing helps us as a community stay ahead of the threat, I guess, and really improve our detection and mitigation capabilities.
David Moulton: Assaf, with your background on both the offensive and defensive sides of cybersecurity, what do you think the key human factors are that make defending against North Korean hackers so challenging?
Assaf Dahan: Well, I guess if we're talking about human factor I always say -- and based on my experience that the human factor or the human link is the weakest link in the chain of cybersecurity. You can have the best products out there, but it only takes a certain individual to click on a link, open an attachment, reveal to a caller the password for their Okta you know because these things happen all the time. So the human factor here when it comes to social engineering is crucial because the technology that we have today, especially I can speak about Palo Alto's, but in general we see it across other vendors as well, the technology is great. We are able to detect and prevent a lot of the stuff that we're seeing. But the one thing that is still very challenging is the human aspect of cybersecurity attacks. And that usually has to do with social engineering. And the only thing to I guess fight it is by raising awareness, doing a lot of social engineering trainings, and also maybe with the introduction of, you know, new technologies such as LLMs which can also worsen some aspects of social engineering because they can come off as very convincing, but on the flip side you can use LLMs and gen AI technology for defensive purposes as well. So it's going to be interesting, but if I had to put my money on this it's really combating social engineering attacks. The rest the technology is quite good at detecting and preventing.
David Moulton: Assaf, thanks for a great conversation today. I really appreciate you diving into some of the insights on the North Korean threat actors that you and your team have been researching and publishing on and unpacking some of the forces behind their cyber activities.
Assaf Dahan: Thank you so much, David. I had a great pleasure. I had a blast. Thanks for having me. [ Music ]
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen to your podcasts and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help us understand what you want to hear about. And if you want to reach out to me directly at the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer Michael Heller, our content and production teams which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then stay secure, stay vigilant. Goodbye for now.