North Korea Is Ransomware's New Kid on the Block

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

North Korea is officially in the ransomware business, according to a joint alert warning from the US and South Korean governments. What's lacking from the warning, however, is a sense of the scale and trajectory of DPRK's activities.

The joint alert expands upon a July 2022 alert that warned North Korean state-sponsored cyber actors were using Maui ransomware to target healthcare organisations. Cybersecurity firm Mandiant calls the group in question Andariel, and the US government says it is one of the hacking groups controlled by North Korea's Reconnaissance General Bureau.

The alert's title states that the ransomware attacks are used to "fund DPRK malicious cyber activities". We think that description is a bit weird. Surely there is a broader purpose than just… more cyber operations?

The US government has previously stated North Korea uses cyber activities to "generate revenue for its weapons of mass destruction and ballistic missile programs" and Anne Neuberger, Deputy National Security Advisor for Cyber, even estimated that about 30% of its funds for "missile and other malicious programs" come from cyber attacks.

The alert notes that the group uses a variety of both homegrown and publicly available ransomware tools:

Actors have used privately developed ransomware, such as Maui and H0lyGh0st. Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group.

One concern we've had is that North Korean groups might pivot into ransomware in a big way if cryptocurrency thefts cease being lucrative. These groups have carried out some spectacular cryptocurrency hacks and blockchain analysis firm Chainalysis found they'd stolen USD$1.7bn (yes, that's a b) last year. (Although we're not quite sure how much of that stolen crypto they actually managed to turn into hard currency, but that's another topic.)

Experts we spoke to at specialist ransomware incident response firms aren't convinced this is a huge problem yet, with the caveat that their companies aren't in the attribution business. These companies focus on the specific ransomware incident and the strain of ransomware rather than on the groups behind the incidents.

"We’re more interested in whether we can decrypt it than who created it," Brett Callow, threat analyst at Emsisoft, told Seriously Risky Business. And in the case of Andariel, the promiscuous use of a variety of ransomware tools make it difficult for incident response companies to group activity into a single bucket.

Still, Bill Siegel, CEO of Coveware, told Seriously Risky Business that most ransomware attributed to states is "likely just the person working for the nation state moonlighting as a side hustle".

"It's still very hard to earn the volume of money via individual ransomware attacks (a few hundred thousand $ per attack) that nation states can earn from a single theft from a cryptocurrency venue (a few hundred million $ per attack)," Siegel pointed out.

Our concern about the potential impacts of state-backed ransomware is two-fold. A state-backed group could be both more capable than the average ransomware affiliate and also harder to deter.

Over the last year or so ransomware responses from the US and partner governments have expanded into a portfolio approach using a variety of different tools. These include sanctions, monetary rewards, indictments, disruption operations, arrests where possible, and even applying diplomatic pressure on countries that harbour ransomware criminals.

At one point, prior to the invasion of Ukraine, it at least seemed possible that the Russian government might be encouraged to take action against ransomware groups operating in the country. The links between the government and the crooks definitely exist, but it also seems that they are loose enough that criminals would be handed over on a platter — if the price was right.

That door is now closed with Russia, and it doesn't seem at all likely that diplomatic pressure will work against North Korean operators. Indictments and rewards are also unlikely to be effective, so governments need to bolster or strengthen the options that will work.

Sam Cousins, a sanctions and ransomware expert at anti-financial crime organisation ACAMS, told this newsletter that US sanctions are already disrupting the payment systems that North Korean groups use to move and launder victim funds. Cousins said that US designations against SUEX, Chatex, Tornado Cash and the Hydra darknet market were "part of a decisive effort to disrupt the ransomware payment ecosystem" and that these actions have "certainly impacted North Korean entities".

However, North Korean groups are finding alternatives. After the Blender cryptocurrency mixer was sanctioned in May last year these groups moved funds via Tornado Cash until it was sanctioned in August. They then migrated to Sinbad, a relatively new mixer.

Although this feels a bit like whack-a-mole, mixers are more effective when more people are using them and constant churn in the space will reduce user numbers. It also seems that it may be possible to respond more rapidly when new mixers arise.

For example, blockchain analysis company Elliptic thinks Sinbad is a reincarnation of Blender, a mixer that was sanctioned by the US in May of last year. Some transactions link Sinbad to Blender-associated wallets, and in several ways, the mixer operates identically to Blender. There is scope here for smart analysis that results in more rapid sanctions action.

So it is a positive development that in the last week countries other than the US are starting to use the sanction hammer.

Last week the South Korean government issued its first cyber-related sanctions against North Korean individuals and groups that raise funds for the DPRK's nuclear and missile programs.

In addition to more countries issuing sanctions, countries are starting to coordinate sanctions. Last week the US and UK announced sanctions of seven individuals from the Trickbot cybercrime gang. This was a dual first — the first UK cyber sanctions and the first coordinated sanction announcement with the US.

Cousins told this newsletter he thought coordinated action would "strengthen the impact".

Although US sanctions are the "most impactful", he said, "...due to the extent of the US financial system and US commerce, there is general consensus that sanctions are most effective and robust when they are coordinated and implemented on a multilateral basis".

There are a lot of countries we'd like to see join in on coordinated sanctions including Australia, Canada, Germany and other bigger economies. At a practical level, when it comes to asset freezes this would increase the number of jurisdictions where cybercriminals' assets are at risk.

Another benefit is that sanctions also discourage victims from paying ransoms, too, or at least make them think twice. We do not support outlawing payments entirely and The Record's coverage of the US and UK Trickbot sanctions does a good job outlining the tradeoffs involved. The official position is that paying ransoms to the named individuals is prohibited, but unofficially there is no intention to punish businesses that think they must pay to survive.

It's hard to know how much of a threat North Korea's ransomware activities will eventually morph into, and what the effectiveness of current counter-ransomware approaches will be in suppressing its rise. For now, at least, the activity is on the margins. Let's just hope it stays there.

For Now, Biden’s Privacy Talk Is All Tip and No Iceberg

President Biden's remarks on privacy protections in this year's State of the Union address received bipartisan support but it isn't clear if all the talk will translate into action.

There's a range of possibilities here from no action at all to passage of the American Data Privacy and Protection Act (ADPPA). We are fans of this legislation, although if you just listened to Biden's speech you wouldn't necessarily think this push is about improving privacy, so much as bashing Big Tech while protecting kids. Per Biden's address:

We must finally hold social media companies accountable for the experiment they are running on our children for profit.

And it’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.

Brandon Pugh, Cybersecurity and Emerging Threats Director at the R Street Institute, told Seriously Risky Business he believes lawmakers' recent interest in increased privacy protections is deeper than just Big Tech spite. Pugh said there are "multiple reasons" many members of Congress support a comprehensive data privacy and security law.

"These include providing uniform protections and rights for consumers, consistency for industry, requiring industry to follow baseline standards, increasing America's competitiveness, and strengthening cybersecurity and national security," he continued.

Although not all these motivations are shared by all members of Congress, Pugh pointed to the ADPPA's release from committee in a 53-2 vote as evidence of strong bipartisan support.

There may also be an increasing recognition in Congress that lax data privacy laws are a national security threat, especially when it comes to competition with China. Pugh pointed to a House of Representatives subcommittee hearing early this month where both Pugh and Samm Sacks, Cyber Policy Fellow at New America testified about the need for a comprehensive federal privacy law (ie the ADPPA).

Sacks' written testimony states "Chinese leadership has embarked on an ambitious national data strategy with the goal of acquiring, controlling, and extracting value from large volumes of data". That kind of holistic national strategy won't be countered by banning or forcing the sale of TikTok. Sacks expands on this in her conclusion:

Bans on Chinese software applications are not an effective way to secure Americans’ data. Even if TikTok were American-owned, for example, it and its competitors could still legally sell data openly to data brokers that could transmit it to China’s security services. As a result, American data is shockingly exposed and will remain that way so long as restrictions on data flows only focus on specific companies from countries deemed adversaries.

We've long argued it's time for big changes here, so let's hope this is it.

USA Fights Inflation

Last week we covered the Chinese spy balloon and noted that several previous balloons had apparently transited the US without being detected. The US commander of NORAD said the US military "did not detect these threats" and described the lack of visibility as a "domain awareness gap".

We speculated that defence contractors would be lining up to close this gap, but in news that will no doubt sadden the growth team at Lockheed Martin, the USA was able to tune up its existing detections to identify balloon-like objects. A US official told the Washington Post that adjustments to filters on various sensors closed the gap:

The official, speaking on the condition of anonymity because of the sensitivity of the issue, said that sensory equipment absorbs a lot of raw data, and filters are used so humans and machines can make sense of what is collected. But that process always runs the risk of leaving out something important, the official said.

“We basically opened the filters,” the official added, much like a car buyer unchecking boxes on a website to broaden the parameters of what can be searched.

When you look, you find, and this has led to a string of objects being found and shot down. At time of writing, the US military has now downed three additional objects over the US and Canada since our last edition. It's not clear exactly what these craft were but given the sheer number of balloons launched every year they probably aren't of any intelligence significance (and certainly not alien spacecraft) but were downed because of the potential threat they posed to civilian air traffic.

The US government also announced sanctions for six Chinese firms involved in supporting China's balloon reconnaissance program.

This all makes sense. Although we still think the intelligence value of a single reconnaissance balloon is not huge, allowing China to run a worldwide balloon surveillance program uncontested would be pretty stupid.

We think there is a broader lesson here about re-examining assumptions. Ironically, both the US and the PRC — from opposing perspectives — were operating on the faulty assumption that balloon surveillance wasn't a problem.

Three Reasons to be Cheerful this Week:

1. Hack-to-trade Russian convicted: Vladislav Klyushin, owner of the Moscow-based M-13 cybersecurity firm, was convicted of hacking two US firms to steal earnings information about publicly traded companies before it was released. This information was used to trade stocks and earned Klyushin and his co-conspirators USD$90m over about two years. One of his co-defendants, Ivan Yermakov, has previously been indicted twice — for interference in the 2016 US election and for his role in hacking various anti-doping organisations. Klyushin was arrested in Switzerland, but Yermakov and three other co-conspirators remain at large.
2. Google to give away 100,000 security keys: Google has announced that it will give away 100,000 Titan security keys globally to high-risk individuals throughout 2023 at no cost.
3. Surveillance software victims can sue the Kingdom of Bahrain: The UK High Court has ruled that two activists who were allegedly targeted by FinSpy surveillance software can sue the Bahraini government, which is thought to be behind the infections.

Sponsor Section

Seriously Risky Business is supported by the Hewlett Foundation's Cyber Initiative and  corporate sponsor Proofpoint.

Okta and Passwordless Authentication

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.

Shorts

Show Me The Money

Blockchain analytics company Chainalysis has examined the cryptocurrency wallets associated with the Trickbot sanctions mentioned above. There are a couple of interesting findings.

The Trickbot administrator, Stern, has received payments linked to several different ransomware variants including Conti, Ryuk, Karakurt and Diavol. Chainalysis also finds that "strains related to Trickbot" have extorted at least USD$724m worth of cryptocurrency over their lifetimes.

Section 702 Renewal

Section 702, sometimes described by US officials as the "crown jewel" of US surveillance programs, will expire at the end of the year unless Congress renews it. Section 702 is the part of the US's Foreign Intelligence Surveillance Act which allows US intelligence agencies to compel service providers to help conduct targeted surveillance of foreigners outside the US.

On one level, Section 702 is just smartly taking advantage of the US companies straddling the globe when it comes to the internet and telecommunications generally. Being able to compel assistance from US telecommunications and internet giants is a huge enabler for US intelligence that other countries don't and can't have. It's a strategic advantage.

It's also, however, an opportunity for surveillance abuses and a recently declassified compliance assessment report found that "notwithstanding a focused and concerted effort by FBI personnel to comply with the requirements of Section 702, misunderstandings regarding FBI’s systems and FBI’s querying procedures caused a large number of query errors".

Both Lawfare and Wired have articles examining the Section 702 renewal from different perspectives and both agree that the FBI's access to the data is problematic. The Lawfare article's title says it all: If Congress Wants to Protect Section 702, It Needs to Rein in the FBI.

Mental Health for Sale

If there is any doubt that the US's data privacy regulation is lax, a new report describes how it is possible to buy mental health data from data brokers. These brokers claim that all sorts of data is available and can even be linked to names and email addresses and provided with minimal vetting of the purchaser.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq examine the Russian and Western ideas of how to use cyber operations in war. How do they differ and which way is beter?

From Risky Biz News:

Dragos year in review: ICS security firm Dragos has published its year-in-review report. Loads to unpack, but the company says it tracked 2,170 vulnerabilities impacting ICS/OT equipment last year and that ransomware attacks against critical infrastructure sectors continued to increase. [Some of the report's findings are summarised in Cyberscoop]

Russia wants to absolve patriotic hackers from any criminal liability: The Russian government is exploring the possibility of absolving Russian patriotic hackers from criminal liability for attacks carried out "in the interests of the Russian Federation."

The head of the State Duma Committee on Information Policy, Alexander Khinshtein, told reporters at a press conference on Friday the exemption would be granted to individuals located abroad and within Russia's borders alike. (more on Risky Biz News)

SIM swapper sextortion: Amir Hossein Golshan, a 24-year-old from Los Angeles, used SIM swapping to hijack the Instagram accounts of social media influencers. According to court documents, Golshan extorted the hacked victims for money but also for sexually explicit content, such as striptease videos. Authorities say they discovered a Coinbase account in Golshan's name that held $423,575 in funds but also a bank account that received $23,790 in Zelle payments referencing Instagram account names and verification procedures. The FBI says that in some cases, Golshan also tried to extort some of the victims into going on real-world dates. [Read the original report in Motherboard]