Attacks against software supply chains are increasingly attractive to North Korean intelligence services.
DPRK supply-chain attacks.
Microsoft describes a supply chain attack by the North Korean threat actor Diamond Sleet.
Diamond Sleet (formerly known as “Zinc”) is implicated.
Redmond reported late last week that “Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.”
Pyongyang’s increased attention to supply chains.
Separately, the UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) have issued a joint advisory warning of North Korean hackers’ increased focus on software supply chain compromise. The advisory notes, “The actors have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or indiscriminate organisations via their supply chains. The NCSC and the NIS consider these supply chain attacks to align and considerably help fulfil wider DPRK-state priorities, including revenue generation, espionage and the theft of advanced technologies.”
Supply-chain attacks as an economy of force.
Ken Westin, Field CISO at Panther Labs, commented on the attractiveness of supply-chain attacks to the North Korean services and other threat actors. Such attacks have far wider effects than most of the alternatives, since a single compromised upstream component reaches every downstream consumer. “North Korean APT groups continue to target the software supply chain because it’s proven to be successful repeatedly. Instead of targeting individual systems, they infect software upstream, giving them potential access to a larger number of systems,” Westin wrote in emailed comments. “They continue to increase the level of sophistication in these attacks with strong knowledge of the tooling and techniques of modern DevOps teams. Most organizations are not monitoring their DevOps processes for these types of attacks and lack mechanisms to detect when code may be compromised. I predict more threat groups will follow this approach to infect a larger number of systems downstream as well as improve methods to bypass rudimentary security measures.”