The Case for N. Korea’s Role in Sony Hack

December 23, 2014 in Security News by News Bot

There are still many unanswered questions about the recent attack on Sony Pictures Entertainment, such as how the attackers broke in, how long they were inside Sony’s network, whether they had inside help, and how the attackers managed to steal terabytes of data without notice. To date, a sizable number of readers remain unconvinced about the one conclusion that many security experts and the U.S. government now agree upon: That North Korea was to blame. This post examines some compelling evidence from past such attacks that has helped inform that conclusion.

An image from HP, captioned "North Korean students training for cyberwar."

An image from HP, captioned “North Korean students training for cyberwar.”

The last time the world saw an attack like the one that slammed SPE was on March 20, 2013, when computer networks running three major South Korean banks and two of the country’s largest television broadcasters were hit with crippling attacks that knocked them offline and left many South Koreans unable to withdraw money from ATMs. The attacks came as American and South Korean military forces were conducting joint exercises in the Korean Peninsula.

That attack relied in part on malware dubbed “Dark Seoul,” which was designed to overwrite the initial sections of an infected computer’s hard drive. The data wiping component used in the attack overwrote information on infected hard drives by repeating the words “hastati” or “principes,” depending on which version of the wiper malware was uploaded to the compromised host.

Both of those terms reference the military classes of ancient Rome: “hastati” were the younger, poorer soldiers typically on the front lines; the “principes” referred to more hardened, seasoned soldiers. According to a detailed white paper from McAfee, the attackers left a calling card a day after the attacks in the form of a web pop-up message claiming that the NewRomanic Cyber Army Team was responsible and had leaked private information from several banks and media companies and destroyed data on a large number of machines.

The message read:

“Hi, Dear Friends, We are very happy to inform you the following news. We, NewRomanic Cyber Army Team, verified our #OPFuckKorea2003. We have now a great deal of personal information in our hands. Those includes; 2.49M of [redacted by Mcafee] member table data, cms_info more than 50M from [redacted]. Much information from [redacted] Bank. We destroyed more than 0.18M of PCs. Many auth Hope you are lucky. 11th, 12th, 13th, 21st, 23rd and 27th HASTATI Detachment. Part of PRINCIPES Elements. p.s For more information, please visit www.dropbox.com login with [email protected]::lqaz@WSX3edc$RFV. Please also visit pastebin.com.”

The McAfee report, and a similarly in-depth report from HP Security, mentions that another group calling itself the Whois Team — which defaced a South Korean network provider during the attack — also took responsibility for the destructive Dark Seoul attacks in 2013. But both companies say they believe the NewRomanic Cyber Army Team and the Whois Team are essentially the same group. As Russian security firm Kaspersky notes, the images used by the WhoisTeam and the warning messages left for Sony are remarkably similar:

The defacement message left by the Whois Team in the 2013 Dark Seoul attacks (left) and the message left for Sony (right).

The defacement message left by the Whois Team in the 2013 Dark Seoul attacks (left) and the message left for Sony (right).

Interestingly, the attacks on Sony also were preceded by the theft of data that was later leaked on Pastebin and via Dropbox. But how long were the attackers in the Sony case inside Sony’s network before they began wiping drives? And how did they move tens of terabytes of data off of Sony’s network without notice? Those questions remain unanswered, but the McAfee paper holds a few possible — even likely — clues.

A LENGTHY CAMPAIGN

McAfee posits that, based on the compile times of the backdoor malware used to upload the drive-wiping malware, the targets in the Dark Seoul attacks were likely compromised by a remote-access Trojan delivered by a spear-phishing campaign at least two months before the data destruction began. More importantly, McAfee concludes that the data-wiping and backdoor malware used in the Dark Seoul attack was but a small component of an elaborate cyber-espionage campaign that started in 2009 and targeted only South Korean assets.

“McAfee Labs has uncovered a sophisticated military spying network targeting South Korea that has been in operation since 2009. Our analysis shows this network is connected to the Dark Seoul incident. Furthermore, we have also determined that a single group has been behind a series of threats targeting South Korea since October 2009. In this case the adversary had designed a sophisticated encrypted network designed to gather intelligence on military networks.

We have confirmed cases of Trojans operating through these networks in 2009, 2010, 2011, and 2013. This network was designed to camouflage all communications between the infected systems and the control servers via the Microsoft Cryptography API using RSA 128-bit encryption. Everything extracted from these military networks would be transmitted over this encrypted network once the malware identified interesting information. What makes this case particularly interesting is the use of automated reconnaissance tools to identify what specific military information internal systems contained before the attackers tried to grab any of the files.”

The espionage malware was looking for files that contained specific terms that might indicate they harbored information about U.S. and Korean military cooperation, including “U.S. Army” and “Operation Key Resolve,” an annual military exercise held by U.S. forces and the South Korean military.

A missile launched by North Korea on July 4, 2009.

A missile launched by North Korea on July 4, 2009.

The Dark Seoul attacks were hardly an isolated incident. In 2011, the same  Korean bank that was attacked in the 2013 incident was also hit with denial-of-service attacks and destructive malware. On July 4, 2009, a wave of denial-of-service attacks washed over more than two dozen Korean and U.S. Government Web sites, including the White House and the Pentagon. July 4 is Independence Day in the United States, but it also happened to be the very day that North Korea launched seven short-range missiles into the Sea of Japan in a show of military might. By the time the third wave of that attack subsided on July 9, the assailants had pushed malware to tens of thousands of zombie computers used in the assault that wiped all data from the machines.

The co-founder of CrowdStrike, a security firm that focuses heavily on identifying attribution and actors behind major cybercrime attacks, said his firm has a “very high degree of confidence that the FBI is correct in” attributing the attack against Sony Pictures to North Korean hackers, and that CrowdStrike came to this conclusion independently long before the FBI came out with its announcement last week.

“We have a high-confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and U.S. government and  military institutions,” said  Dmitri Alperovitch, chief technology officer and co-founder at CrowdStrike.

“These events are all connected, through both the infrastructure overlap and the malware analysis, and they are connected to the Sony attack,” Alperovitch said. “We haven’t seen the skeptics produce any evidence that it wasn’t North Korea, because there is pretty good technical attribution here. I want to know how many other hacking groups are so interested in things like Key Resolve.”

A Chollima statue in North Korea.

A Chollima statue in North Korea.

Security firms like HP refer to the North Korean hacking team as the “Hastati” group, but CrowdStrike calls them by a different nickname: “Silent Chollima.” A Chollima is a mythical winged horse which originates from the Chinese classics.

“North Korea is one of the few countries that doesn’t have a real animal as a national animal,” Alperovitch said. “Which, I think, tells you a lot about the country itself.”

The “silent” part of the moniker is a reference to the stubborn fact that little is known about the hackers themselves. Unlike hacker groups in other countries where it is common to find miscreants with multiple profiles on social networks and hacker forums that can be used to build a more complete profile of the attackers — the North Koreans heavily restrict the use of Internet communications, even for their cyber warriors.

“First of all, they don’t have a ton of Internet infrastructure in North Korea, and they don’t have forums and social media which typically helps you identity, for example, whether an attack is from Russians or the Chinese,” Alperovitch said. “In general, the North Korean regime is one of the hardest intelligence targets for the intelligence and cyber attribution communities.”

On Monday, the folks at Dyn Research — a company that tracks Internet connectivity issues around the globe — said its sensors noted that North Korea inexplicably went offline on Monday, Dec. 22, at around 16:15 UTC (01:15 UTC Tuesday in the North Korean capital of Pyongyang). But the researchers stopped short of attributing a reason behind the outage.

“Who caused this, and how?,” wrote Jim Cowie, chief scientist at Dyn. “A long pattern of up-and-down connectivity, followed by a total outage, seems consistent with a fragile network under external attack. But it’s also consistent with more common causes, such as power problems.”

Interestingly, this pattern of downtime also was witnessed directly following the above-described 2013 attacks that targeted South Korean banks and media firms. According to Jason Lancaster, a security researcher at HP, the entire North Korean Internet space suffered a similar outage around the same time as the 2013 offensive against South Korea.

“When they came back online, one of those four [North Korean Internet address blocks] was routing through an Intelsat satellite connection,” Lancaster said. “What caused the 2013 outage? They never was determined the cause. The speculation was that they were under attack, but there was never any proof of that happening.”

Additional reading:

US-CERT analysis of the computer worm used in the attack on Sony.

TaoSecurity Blog: What Does ‘Responsibility’ Mean for Attribution?

McAfee report on Dark Seoul attacks (PDF)

HP Security: Profiling an Enigma – The Mystery of North Korea’s Cyber Threat Landscape (PDF)

RHSA-2014:2031-1: Important: kernel security update

December 22, 2014 in RedHat Security Advisories by News Bot

Red Hat Enterprise Linux: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. CVE-2014-9322

RHSA-2014:2030-1: Important: kernel security update

December 22, 2014 in RedHat Security Advisories by News Bot

Red Hat Enterprise Linux: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. CVE-2014-9322

RHSA-2014:2029-1: Important: kernel security update

December 22, 2014 in RedHat Security Advisories by News Bot

Red Hat Enterprise Linux: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.9 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. CVE-2014-9322

RHSA-2014:2028-1: Important: kernel security update

December 22, 2014 in RedHat Security Advisories by News Bot

Red Hat Enterprise Linux: Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. CVE-2014-9322

Alleged Counterfeiter “Willy Clock” Arrested

December 22, 2014 in Security News by News Bot

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

Counterfeit $100s and $50s from "Willy Clock," allegedly the online alias of a Texas man living in Uganda.

Counterfeit $100s and $50s from “Willy Clock,” allegedly the online alias of a Texas man living in Uganda.

U.S. prosecutors say 27-year-old Ryan Andrew Gustafson – a.k.a. “Jack Farrel” and “Willy Clock” — is a U.S. citizen currently residing in Kampala, Uganda. Gustafson was arrested on Dec. 16 by Ugandan authorities and charged with conspiracy, counterfeiting, and unlawful possession of ammunition.

The defendant and his alleged accomplices are suspected of passing approximately $270,000 in fake U.S. currency in Uganda. In total, Ugandan authorities say they seized some $1.8 million in funny money from Gustafson’s operation.

The U.S. Secret Service, which investigates currency counterfeiting, said the investigation began in December 2013 when agents were alerted to the passing of counterfeit notes at retail stores and businesses in the Pittsburgh area. A press release from the Justice Department outlines the rest of the investigation:

“Agents determined that an individual identified as J.G. had passed these notes and was renting a postal box at The UPS Store on Pittsburgh’s South Side.  On Feb 19, 2014, law enforcement learned that J.G. received three packages addressed from Beyond Computers, located in Kampala, Uganda.  Agents executing a search warrant on the packages found $7,000 in counterfeit $100, $50 and $20 FRNs located in two hidden compartments within the packaging envelopes.  A fingerprint on a document inside one of the packages was identified as belonging to Ryan Andrew Gustafson.”

Jack Farrel's Facebook page. The U.S. Secret Service alleges that Farrel is Gustafson, a.k.a. counterfeiter "Willy Clock."

Jack Farrel’s Facebook page. The U.S. Secret Service alleges that Farrel is Gustafson, a.k.a. counterfeiter “Willy Clock.”

“The Secret Service subsequently worked with Ugandan authorities to identify the source of the counterfeit [cash].  Their efforts led to A.B., who admitted to sending the packages, explaining that an American named “Jack Farrel,” and another person, provided him the counterfeit notes to ship.  Based on information provided by A.B., the Secret Service used facial recognition to identify Jack Farrel as Ryan Andrew Gustafson.”

The government says Gustafson sold the bills through the Tor Carding Forum, a cybercrime shop that is unreachable from the regular Internet. Rather, visiting the Tor Carding Forum requires the visitor to route his communications through Tor, a free software-based service that helps users maintain anonymity by obfuscating their true location online.

Willy Clock’s phony currency wasn’t only available via Tor. By the middle of 2014, ads for his funny money were showing up on regular, Internet-based cybercrime forums. One reseller of Willy Clock’s notes even set up his own sales thread on Reddit.

Once again, it appears that sloppy operational security contributed to an arrest of an alleged bad guy. According to the government’s complaint (PDF), the email address that Gustafson provided on his U.S. passport application was the same one he allegedly used to maintain a Facebook account under the Jack Farrel alias. Investigators found that Gustafson also used the same Internet address to access his real Facebook page and the Farrel account. Another Facebook page tied to the Jack Farrel identity says the accused was in Uganda as a project associate at the U.N. refugee shelter program.