SAN FRANCISCO >> North Korean hackers who have targeted American and European businesses for 18 months kept up their attacks last week even as President Donald Trump was meeting with North Korea’s leader in Hanoi.
The attacks, which include efforts to hack into banks, utilities and oil and gas companies, began in 2017, according to researchers at the cybersecurity company McAfee, a time when tensions between North Korea and the United States were flaring. But even though both sides have toned down their fiery threats and begun nuclear disarmament talks, the attacks persist.
In 2017, Trump mocked Kim Jong Un as “rocket man” in a speech at the United Nations, while North Korea tested missiles capable of delivering a nuclear warhead to the United States. The attacks began soon after that. Though the two sides failed to reach an agreement last week, Trump struck a conciliatory tone toward his North Korean counterpart.
The revelation of North Korea’s most recent hacking activity adds new details to the tensions surrounding the summit last week, which ended abruptly without any deals. After their first meeting, 15 months earlier, North Korea had agreed to stop test-firing its missiles.
“For 15 months, they haven’t tested weapons because of this negotiation, but over those same 15 months they have not stopped their cyberactivity,” said Victor Cha, Korea chairman at the Center for Strategic and International Studies in Washington.
With the help of an unnamed foreign law enforcement agency, the McAfee researchers gained access to one of the main computer servers used by the North Korean hackers to stage their attacks.
The McAfee researchers said they watched, in real time, as the North Koreans attacked the computer networks of more than 100 companies in the United States and around the world. Last month, they expanded their targets to companies in Turkey, operating from a block of internet addresses traced to Namibia, one of the few countries that maintains friendly relations with Pyongyang.
“They are very, very, very active. It’s been nonstop,” said Raj Samani, McAfee’s chief scientist. “We’ve seen them hit in excess of 100 victims.”
The exact motive of the attacks was not clear. They were well-researched and highly focused and, in many cases, aimed at engineers and executives who had broad access to their companies’ computer networks and intellectual property.
McAfee, which is based in Santa Clara, California, would not name the targets of the attacks and said it would be alerting victims and government authorities Monday. But the firm did provide a map of North Korean hackers’ targets.
The vast majority were in the United States, with the most frequent marks in Houston, an oil and gas hub, and New York, a finance hub. Other major targets included London; Madrid; Tokyo; Tel Aviv, Israel; Rome; Bangkok; Taipei, Taiwan; Seoul, South Korea; and Hong Kong. Russia and China, two countries that have maintained cordial relations with North Korea, were relatively untouched.
North Korea, like the United States and many other countries, has long been accused of using hackers to further its national interests. In 2014, apparently in retaliation for a movie that mocked Kim, North Korean hackers hit Sony Pictures Entertainment. They destroyed Sony’s computer servers, paralyzed the studio’s operations and eventually leaked embarrassing emails from executives, in what would become a playbook for the Russian attacks and leaks of emails before the 2016 elections.
North Korean hackers have been tied to attacks on banks all around the world for financial gain — a rarity among government-affiliated hackers but not surprising for a country ravaged by economic sanctions. The “WannaCry” attack, which paralyzed more than 150 organizations around the globe in 2017, was also traced to North Korea.
Cha, of the Center for Strategic and International Studies, said cyberattacks remained the “third leg” of North Korea’s overall military strategy. “They’re never going to compete with the United States and South Korea soldier to soldier, tank for tank,” he said. “So they have moved to an asymmetric strategy of nuclear weapons, ballistic missiles, and the third leg is cyber, that we really didn’t become aware of until Sony.”
Since the Sony attack, McAfee’s researchers said North Korea’s hackers had significantly improved their capabilities: They are much better at hiding their tracks and researching their targets. And in many of the attacks McAfee witnessed, North Korean hackers had done their homework.
They scoured the Microsoft-owned business site LinkedIn, for example, to find the profiles of industry job recruiters. They sent emails that appeared to come from those recruiters’ accounts, often in perfect English, promoting job opportunities.
When a target clicked on an attachment or link in the email, the hackers gained access to the target’s computer.
“The campaign was clearly really well prepared,” said Christiaan Beek, McAfee’s senior principal engineer and lead scientist. “It was very well researched and very targeted. They knew the individuals they were going for, and they drafted emails in such a way that their targets clicked on them.”
The tools they used to implant malware in the recent attacks, which McAfee’s researchers called “Rising Sun” because of a reference in the code, were also starkly improved.
Though the implants shared code with previous North Korean attacks, McAfee’s researchers said the hackers added new functions to lift data off infected machines. They also went to great lengths to delete their digital movements and encrypt their traffic.
Beek and Samani said their team at McAfee was able to follow the hackers’ movements only because of their access to the North Koreans’ server. “The more code we saw, the more links we could see to more and more attacks,” Beek said.
Considering other recent North Korean hacking campaigns that McAfee’s researchers have tracked — notably against the 2018 Winter Olympics and a separate spate of attacks on banks last year — Beek said North Korea showed no signs of slowing this activity.
Security experts said the attacks would have to be addressed at some point if the two countries should continue talks.
“Their very aggressive cyberactivity will have to be addressed in future discussions,” Cha said. “They are extremely active and, it’s clear to me at least, they’ve stopped missile testing because of the ongoing negotiations, but they’re not stopping in cyber.”