Jane Wasson, The Azimuth, Oct 5, 2018

Phishing Attack Defense: North Korean Hacker Playbook Reveals Assembly Line

By: Jane Wasson | @Area1Security | Area 1 Security

The United States government recently formally charged a North Korean hacker in the infamous 2014 Sony phishing attack. Although the Sony attack is old news, the criminal complaint provides new insight into the hacker’s phishing campaign assembly line that we can learn from to better defend against attacks. The complaint makes it clear that the hacker has a “playbook,” consisting of phishing methods and tactics that easily bypass cybersecurity defenses. These were used and reused again and again by the hacker, over several years, to successfully attack many victims, including entertainment companies, financial institutions, defense contractors, and others. The playbook enabled this hacker to extract information and steal money, inflicting significant damage on victims.

In football, a playbook can make or break a team. If you can get hold of your opponent’s playbook, you have a huge advantage. Instead of waiting for your opponent’s next move, scrambling to respond and hoping for the best, you can preemptively execute a defense that stops opponents in their tracks.

So what lessons can we learn about phishing attack defense by studying the playbook outlined in the North Korean hacker criminal complaint?

Email authentication can’t protect against phishing attacks.

The hacker established multiple accounts with email service providers, such as Gmail and Hotmail, to send spear-phishing emails to victims and receive exfiltrated data from victims’ systems. Because the email service providers that the hacker used to send their email comply with the latest email authentication standards (DMARC), the hacker’s phishing emails easily passed the victims’ email authentication checks. Email authentication isn’t a reliable way to protect against phishing email: a pass shows only that the message really came from the sending domain, and it’s just as easy for bad guys as it is for good guys to establish and use email accounts that pass authentication checks.

Hackers reuse email accounts across campaigns.

The North Korean hacker used and reused the same email accounts to execute campaigns against multiple organizations and industries, including campaigns against Sony, Bangladesh Bank, Lockheed, and others. By proactively tracking hacker activity and the email accounts that hackers use and reuse to execute attacks, security providers have better insight into malicious sender accounts before phishing campaigns launch and can better protect customers from spear-phishing attacks.

Source: US Criminal Complaint Case MJ18 1479

Hackers use and reuse compromised systems to execute attacks.

The North Korean hacker compromised multiple reputable systems, and then used those systems to execute the attacks. Compromising and using reputable systems to execute attacks helps hackers evade detection by the victim’s security defenses. Security vendors that proactively track hacker activity in the wild can detect the systems the hacker has compromised and reuses for attacks, and can better protect customers from malicious traffic originating from those compromised systems’ IPs or domains.
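As an added illustration of the first three lessons (a DMARC pass on an attacker-registered account, reused sender accounts, reused compromised hosts), and not code from the original post or from Area 1, this Python triage routine records the DMARC result but bases its verdict on a constructed watchlist of tracked sender accounts and compromised hosts; every account, host and header value is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed intel with placeholder values (not from the complaint): sender
# accounts and hosts an analyst has already tied to earlier campaigns.
REUSED_SENDER_ACCOUNTS = {"tracked-actor-account@example.com"}
COMPROMISED_HOSTS = {"compromised-host.example.net"}

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none)\b", re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT.findall(hdr):
            results[mech.lower()] = verdict.lower()
    return results

def triage(raw):
    """Verdict based on tracked infrastructure, never on dmarc=pass alone."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts
                   if p.get_content_type() == "text/plain")
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    reasons = []
    # A DMARC pass only proves the mail left the provider's own servers; an
    # account the attacker registered passes exactly like a legitimate one.
    if sender in REUSED_SENDER_ACCOUNTS:
        reasons.append("sender account reused from tracked campaigns")
    hits = hosts & COMPROMISED_HOSTS
    if hits:
        reasons.append("links to tracked compromised host: " + ", ".join(sorted(hits)))
    return {"sender": sender, "dmarc": auth_results(msg).get("dmarc", "none"),
            "hosts": sorted(hosts), "verdict": "block" if reasons else "allow",
            "reasons": reasons}

# Constructed sample: authenticates cleanly, yet comes from a reused account
# and links to a previously compromised host, so it is blocked.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "HR Department" <tracked-actor-account@example.com>
Subject: Updated benefits form

Please review the updated form: http://compromised-host.example.net/form
"""
```

Swapping the sender and link for untracked values yields "allow" with the same dmarc=pass, which is the point: authentication is recorded as context, never as a reason to let mail through.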

Hackers continually craft new malware but reuse some code.

The malware used by the North Korean hacker, although mostly unique for each campaign, reused some code across malware payloads. By proactively tracking hacker activity and analyzing associated malware payloads, security providers can discover patterns. Those patterns can then be used by security service providers to analyze customer web downloads and email attachments to detect and protect in seconds against the hacker’s newest, previously unseen malware payloads.

As shown above, the security industry can take a lesson from football strategy: threat actors too have a playbook. They figure out the plays that work, those that easily bypass cybersecurity defenses, and use those plays over and over again.

It only takes one click for a phishing campaign to succeed. Effective protection requires that security providers take the offensive: understanding threat actors’ playbooks, proactively discovering their infrastructure, such as compromised websites, malware payloads and email accounts, and tracking their activity before attacks launch. Only then can security defenses be armed to effectively identify and protect users against inbound attacks originating from seemingly reputable websites and senders.

Area 1 Security is the only security provider that continually tracks threat actors and hunts for phishing campaigns and infrastructure in the wild. Our Area 1 Horizon™ anti-phishing service stops the email, web, and network phishing attacks that other security technologies miss. For more information, please visit our website or register for a demo.