Comments

Clive Robinson April 22, 2021 11:35 AM

@ ALL,

First off, there is nothing special about North Korea’s cyber capabilities; most other countries, if they have the technical chops or the money to buy exploits from (in)security companies, can have similar.

Heck the US via the NSA set up teams in certain middle east countries to give them similar capabilities that ended up being used to kill a major US Newspaper journalist.

The only thing special is that the Orwellian “four cyber horsemen” list thought up by the US State Dept contains them.

The list being,

1, China
2, Iran
3, North Korea
4, Russia

And have done for so long now, most should realise it is not a threat list but really a political list.

Most Sys/Net Admins who are any good at their job can give you a list of countries that are actual threats to them (as in having already been attacked from them). And let’s just say such lists are fairly lengthy in most cases.

So by all means get up to date on NK’s capabilities but don’t forget all those European nations like France, Germany, Holland, Italy, Sweden, UK who have either been caught at it, outed or actually talked openly about their capabilities. Likewise don’t forget Australia, Canada, Egypt, India, Israel, Pakistan, South Korea, Taiwan, US, and oh so many more. It’s probably easier to make a list of countries either not doing it or having no aspirations to do it, which is very probably about as close as you can get to “none”.

So why the US political list? Well, it’s almost directly out of George Orwell’s 1984, to distract the population from what their own government is up to. Thus any anger the citizens may feel can be directed away and made the fault of a distant nation; it can be manipulated and twisted by propaganda so the anger the citizens should feel against their own government turns instead into praising them for their glorious efforts defending the nation from that foreign nation full of nasty little ugly people portrayed in posters and the like. Or in more modern times manipulated MSM and social media…

If you think maybe not, then ask yourself a question, “Why only one cyber-existential-threat nation at a time?” followed by “Why only one of four that get swapped from time to time?” Read 1984 to get the answers, but “long answer short” the politicians are playing you and they do not want to split the anger they have manipulated as it dissipates what they get from the manipulation.

And we’ve seen it work almost perfectly. What stopped it recently was an unexpected joker, of the complete ineptitude shown over a pathogen that they turned into a pandemic in about six weeks of inaction or toadying to political friends and paymasters…

Even the “Cyber Security Firms” who used to happily play along as that helped open the door to tax money, are shying away from it and for good reason, it was damaging their credibility.

As was shown with previous accusations against NK, by the US, that turned out to be totally wrong, attribution is hard, very hard, and shooting from the hip as US politicians and thus the MSM do is not exactly helpful.

As we’ve seen with SolarWinds the “Cyber-Security-firms” were very cautious, but the US Politico’s jumped in without any evidence at the time with a knee jerk “It wos Russia wot dunit”, you can be reasonably assured if “China” was the favoured political horseman at the time then they would have said “It wos China wot dunit”…

The thing to do is “Get to know ALL your enemies” and their tactics, motivations and likely targets, as a first step. Then when something happens, with extreme caution examine the evidence and try to verify not with ElInt or SigInt or these days OsInt, but where possible HumInt; remain cautious because as we know at least the UK and US have “false flag tools” they use to try and mislead people. Heck the Russians were a little shocked when they apparently misled the US over the Olympics, with the US claiming NK. It was not as though the Russians were even trying to run a false flag operation, they were trying to send a message, but US politics of the time got in the way…

Winter April 22, 2021 1:49 PM

@Clive
“France, Germany, Holland, Italy, Sweden, UK who have either been caught at it, outed or actually talked openly about their capabilities. ”

I do not see these doing lots of damage to US companies or waging massive disinformation campaigns in the USA. Their actions are more like those of Israel, doing some spying but always willing to help if needed.

vas pup April 22, 2021 3:01 PM

Tag – crime

Mexico cartel used explosive drones to attack police
https://www.bbc.com/news/world-latin-america-56814501

“Suspected criminals in Mexico have used
!!!!drones to drop explosives on police, injuring two officers.

Officials think the powerful Jalisco New Generation Cartel (CJNG) is behind Tuesday’s attack in the western state of Michoacán.

In August, two rigged drones were found in the car of suspected CJNG members.

The drones are thought to be the latest weapons in a deadly war between the drugs cartel and the security forces and vigilantes opposed to them.”

Clive Robinson April 22, 2021 3:22 PM

@ Winter,

I do not see these doing lots of damage to US companies

France has admitted doing economic espionage as it’s less expensive than R&D, and Israel has certainly been caught at economic espionage repeatedly.

The Dutch, who have very lax phone tapping legislation, are known to spy not just on their own citizens but many, many EU and other nations’ citizens. Why do you think they keep popping up in EU criminal cases with evidence that would be illegal if collected by any other EU nation. Whilst the UK may have written a chunk of the malware that was used against EncroChat and other CryptoPhones, it needed the Dutch and their lax laws to get it onto people’s phones without the legal oversight or required probable cause of other EU nations. It’s why some of the lawyers are trying to get what should be illegal evidence made inadmissible.

Whilst Sweden is a little more circumspect, like the UK the division of services and thus regulation allows them to spy on all sorts of people and organisations. Whilst I can not say Sweden does economic espionage, I know darn well from experience that the UK does economic espionage along with the assistance of the US.

Germany is an interesting case when it comes to the economic side of spying, yes they have been involved with it via Siemens and other German companies and assisted the US. The problem is the German oversight has issues and limited scope, hence can be walked around.

Italy is an odd one; nobody, including the Italians themselves, appears to know exactly what goes on, nor does it appear they want to either. Thus it’s hard to say what they have got up to in the past and may be still doing now and how arm’s length it is. One thing that is known is the odd attitude to private cyber spying organisations by the Italian authorities who appear to run a “Don’t get caught and we will not need to look” policy.

JonKnowsNothing April 22, 2021 3:27 PM

@vas pup

re: Armed small drones

iirc(badly) In the smaller size drones, some years back (2014) a South African company demonstrated an armed quad copter drone marketed to Local/Regional Law Enforcement agencies. It was new news at the time. (1)

It had 4 outfitted armed delivery systems, each delivery arm had a magazine that refilled the firing platform, each that could be tailored to local needs. Some options were:

  • different colored paint balls so the drones could fire into a group of demonstrators and the paint splatter would mark the participants. It was designed to leave a residue on clothing and skin, so normal washing did not remove the tracer.
  • Tear Gas delivery
  • Munitions (bullets/different calibers)
  • Options for other “thrown” projectiles
  • video online located on the base of the drone

iirc(badly) There had been a miner’s strike and some nasty responses by the mine owners and their law enforcement buddies. Didn’t matter who was in office, the diamonds and gold must come out of the mines and anyone or group who threatened the diamond/gold delivery timetable got the same treatment they got decades ago.

1, It might have been or similar to:
2014: Desert Wolf’s Skunk Riot Control Copter pepper-spray drone

Clive Robinson April 22, 2021 3:40 PM

@ vas pup, ALL,

The drones are thought to be the latest weapons in a deadly war between the drugs cartel and the security forces and vigilantes opposed to them.

It’s a logical progression from using drones for smuggling, and they have considerable experience thus are likely to be more successful than certain terrorists.

The real question as to effectiveness is how the payload is delivered. If it’s “a bomb run” where the drone returns, then it is considerably less likely to be successful than if it’s a fly the drone into the target. We know about relative effects on accuracy from WWII planes where mostly bomb drops were done by eye and hand and had very low accuracy. During Operation Desert Storm it became abundantly clear that there was a lack of air to surface capability, where to make up for inaccuracy bombs had to be four to ten times the weight of current bombs, which considerably limited on-target capabilities. Hence the modern day popularity of Joint Direct Attack Munition (JDAM) Smart Weapons,

https://www.military.com/equipment/joint-direct-attack-munition-jdam

SpaceLifeForm April 22, 2021 5:56 PM

@ Clive, ALL

Yes, Attribution is hard.

If you g(Solarwinds china attack), you will find many articles from early March.

The question is: Both?

Likely.

They have their implants, and may or may not notice another APT already inside.

If I am an APT, and I notice there is another APT already there, I would collect as much evidence as possible and back out. But, maybe they do not back out. Maybe not immediately.

So, it could be that various APT groups are exfiltrating another APT group’s tools, and then doing the RE (Reverse Engineering).

Then, deploy a slightly modified exploit that was built from the exfiltration.

This is why ATTRIBUTION IS VERY HARD.

Clive Robinson April 23, 2021 12:02 AM

@ SpaceLifeForm, ALL,

So, it could be that various APT groups are exfiltrating another APT group’s tools

Remember that US IC “false flag” code that got released supposedly by mistake?

Well that did the same thing. So we’ve known for what, about a decade now, that this is what the US IC does, so it is to be expected that other nations’ ICs do the same.

It’s why I keep talking about ditching SigInt, ElInt and code analysis for attribution and going for HumInt.

The Dutch IC had a nice line on new HumInt methods, that with activating laptop webcams and microphones. But the US do not want HumInt getting in the way of a “good misattribution” so they flapped their gums in public and burned not just that method but several other similar ones in the process[1]. Remember the US on the admission of one of their seniors “Kills by meta-data”; the last thing they want to happen is “inconvenient HumInt” getting in the way of the “workflow”[2]…

[1] When you are aware that people are looking back down the pipe at you, it’s near child’s play to stop all such methods working. I’ve mentioned one of many ways before on this blog that I’ve been doing for years for other reasons (mandated, instrumented choke points for “gap crossing”). The reason the methods worked is most “smart people” have “depth not breadth” and are “goal focused” and like the US SigInt policy are “all attack and no defence” in their thinking until someone tells them… Then the shutters come down very hard and fast and that method is burned till, as happens so frequently in ICTsec, “people forget” and then the method will start working again with some “new kids on the block”, but like elephants the “old guard” allegedly have long memories.

[2] We know from other information that such workflows are highly automated, in part because it keeps humans out of the loop as much as possible. HumInt is “inconvenient” in that it requires humans to go back in the loop, which for some is highly undesirable. Because the big benefit of computers is it’s the new “Only Following Orders”[3] which means “no one is to blame” just like those RoboDebt/Pay systems which have driven people to suicide.

[3] It appears that the EU is increasingly worried about lack of humans in the loop and are starting to legislate against them in various so far minor ways, but then first steps are the most minor of any journey.

Winter April 23, 2021 12:30 AM

@Clive
“France has admitted doing economic espionage as it’s less expensive than R&D, and Israel have certainly been caught at economic espionage repeatedly.”

You forgot the USA spying massively on the Europeans, both political and economic, e.g., on Airbus and chancellor Merkel. And not to forget, ECHELON.

PS. Dutch phone tapping laws are indeed a disgrace.

Clive Robinson April 23, 2021 1:39 AM

@ Winter,

You forgot the USA spying massively on the Europeans, both political and economic

I’ve mentioned it before, I’d give you a link but I could not find it…

It’s also a very touchy subject as it conflicts with the “But we are the good guys” image required to pretend to hold the moral high ground, rather than just admit they “get down and dirty” in the pig-wrestling contest just like everyone else (I tip my hat at the French, not for doing it, but for saying that they do it and importantly why, as it kicks the stool out from under other people’s pretensions).

My father had a very rude comment about those that walk around with their nose in the air; it was almost certainly not original to him but nevertheless apt… But I’ll have to politen it up so it’s fit for work 😉

Let’s just say he said it was an indicator that they had done something messy/filthy down below and were trying to distance themselves from the bad odour/taste emanating from it whilst pretending they had not done such a foul thing, hence their standoffish manner 0:)

Winter April 23, 2021 3:32 AM

@Clive
“It’s also a very touchy subject as it conflicts with the “But we are the good guys” image required to pretend to hold the moral high ground, ”

This is just the whole American Exceptionalism that prevents Americans from learning from other peoples mistakes.

My answer to American Exceptionalism is a quote from Otto von Bismarck

“Only a fool learns from his own mistakes. The wise man learns from the mistakes of others.”

Draw your own conclusion on how I look upon Americans who claim to be Special.

No name April 23, 2021 9:53 AM

Let’s talk about security.

Does anyone have an opinion on the most secure VPN? I’m focused on security.

Second question – what do people here think of Proton services? Mail and VPN. Look at its ownership and location, does anyone see any issue with either? What about their security?

I’m told that Protonmail cannot be used for communicating with many American businesses and that it doesn’t even go through to spam. Is it because it is encrypted? Or is it something else? Is it possibly malicious?

I am not concerned with privacy, just security. But I recognize that there’s no security without privacy.

Thank you all.

Winter April 23, 2021 4:03 PM

@no name
“I am not concerned with privacy, just security. But I recognize that there’s no security without privacy.”

What kind of security? Or, what is your threat model?

A VPN protects data integrity and hides the content, if done well. That is privacy. I have not seen any reports that Proton mail or VPN do not protect the content of the user’s data traffic. But I could have missed them.

Being located in Switzerland gives some protection against overreaching LEOs. A USA or, eg, French search warrant or FBI letter does not impress Swiss authorities much. Foreign affairs and diplomats have to be involved, which increases cost by a very large factor.

If you want to stay anonymous, that is a different question. For anonymity, from a certain target population, you have to do more than just use a VPN.

Anders April 23, 2021 5:11 PM

This sums the government hacking nicely up.

hxxps://pbs.twimg.com/media/EzLmgyYVcAQa8tZ?format=jpg&name=small

Clive Robinson April 23, 2021 5:49 PM

@ no name, ALL,

I am not concerned with privacy, just security. But I recognize that there’s no security without privacy.

There are a few terms that “security” covers, the old “CIA triad” of,

1, Confidentiality – Only users, processes, and systems that are authorised to do so, should be able to do any of the “Create, Read, Update or Delete”(CRUD) options on “data”.

2, Integrity – Data should be maintained in a correct state at all times. No user, process, or system authorised or not, should be able to accidentally, maliciously, or improperly modify it, or modify it without it being detected.

3, Availability – At all allowed times, all users, processes, or systems that are authorized to do so should be able to access correct data.

These days the CIA Triad is seen as not just insufficiently granular, but impossible to achieve in some respects, as well as not really addressing meta-data and meta-meta-data issues, that are often seen as being more to do with traffic analysis.

For instance Confidentiality covers as a minimum,

1, Privacy
2, Secrecy
3, Anonymity

Each of which in turn have subsets of their own, as well as overlapping each other, quite broadly in some cases.

You need to be aware that at a minimum you will always leak some information to an adversary, which is that a transmission can or has happened “from power on the line changing state”, at some point in time, and in some cases at what place.

Thus you need to specify what exactly you wish to secure at each end of the Shannon Channel, from who, and within what limitations.

In practice most VPNs offer very little in terms of security, especially against traffic analysis, and some will actively collect and in some cases sell information to others. Often it is up to the service user, not the provider, to find ways to hide message size, frequency of communications, with whom, and similar meta-data from an adversary.

Nearly all VPN services I’ve looked at in the past “talk a good game” but when you read the fine print, you will often find much that should disturb you, unless you know how to, and are prepared to, make the necessary mitigations.

Anders April 23, 2021 6:27 PM

@No name

If you want at least some security,
you must control your VPN end device.
Do not rent a service, set it up by
your own.

You can trust only yourself.

SpaceLifeForm April 23, 2021 6:28 PM

@ Anders

Spot on. There is always a bogeyman.

Never them.

They never learned the wisdom of Pogo.

This was a paper comic just about 50 years ago, that I saw everyday for some time. It was literally cut from the paper and tacked to the wall in a workarea in the greenhouse where we would do potting work. Never forget.

http://bytesdaily.blogspot.com/2011/04/quote-walt-kelly.html?m=1

[If you scroll down a bit at the link, you will see the spam problem, It’s not just here. Note the timestamps]

SpaceLifeForm April 23, 2021 7:08 PM

@ Anders

Yes, roll your own VPN.

Problem is that most people do not know what that means.

No name April 23, 2021 8:43 PM

@All

Cheers for the advice. That’s really helpful.

I think there’s a lot of opportunity for ISPs and ISVs to provide end users with security that doesn’t require anyone to roll anything? I’ve never been good at that.

It just struck me that it’s now 22 years that I’ve been using the same equipment/services to protect myself when working from home. Something is very wrong with that.

If we don’t make security accessible it never will be.

https://abcnews.go.com/Politics/wireStory/correction-cybersecurity-federal-hack-microsoft-story-77272535

Clive Robinson April 24, 2021 2:22 AM

@ No name, ALL,

An important point from the ABC News article on the long painfully slow Solarwinds issue is,

“The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods.”

(Emphasis mine)

Whilst the same basic failing source “Microsoft” was to blame, and in fact Microsoft itself got more seriously attacked than they have admitted or I suspect even know, the real important point that is getting “brushed over” is,

It was at least two and possibly more sets of independent attackers.

But if everyone really wants to know what the “root cause” of the problem is, –because it infects the entire software industry, not just Microsoft and its near monopoly on OS and Office– it is rather simple,

Baked in convenience that grows unmanageably.

Products these days only sell if these two primary requirements are met,

1, It should be as users currently do.
2, It should require no extra paid for training and certification.

These are the same two reasons why the Boeing 737 MAX disaster happened.

These “customer requirements” always end up creating a mono-culture that has decade old failings so “baked in” that it’s near impossible to get rid of “historic issues” in what is glibly called “backwards compatibility”.

Which amongst many many dangers includes “Fall Back Attacks” where a “Man in the Middle” can, by using “auto negotiation” failings, reduce security from the best there is available to the worst lowest common denominator, which can and has been “no security”, without the user or system owner being aware of it. As such we need to stop this backwards compatibility issue[3].

Having warned about these issues repeatedly over the years including the perils of “single passwords” and by extension “Single Sign On”(SSO)[1] I’m not surprised they have happened (nor do I suspect were many “older hands”).

Which also unfortunately means,

Expect more of these sorts of attack or vulnerabilities.

[1] The root cause of this is a “human failing” that has been known for a very very long time and the reason Bank Card PINs are only four digits long. It really hit me in the mid to late 1990’s when trying to switch OnLine Financial Transactions from “authenticate the communications channel”, which is a very weak security model and easily subverted, to a stronger “authenticate the individual transactions” model that is quite a bit stronger[2].

[2] Neither,

1, Authenticate the communications channel,
2, Authenticate the individual transactions,

Are sufficient these days, you also need to,

3, Authenticate the user environment,

As well.

But importantly all three authentications must be fully orthogonal and independent to each other. Which means “No Single Secrets” and “No Common Methods” at all levels, with importantly no negotiable downgrading for older systems[3].

[3] The implication of no “backwards compatibility” in security is,

1, All systems should be continuously upgradable to the same higher level of security.

A requirement that can only happen if it is,

2, Put in place by regulation enforced by legislation (Mandatory Standards).

Something that is now so long overdue it’s a significant industry wide embarrassment. It’s also something I’ve banged on about for some years now, in that NIST should stop its “crypto competitions” until it has come up with a standard for a “Secure Open Extensible Security Framework” to be built into all products. With regulation requiring it be “built in” before products are placed on the market. Because history tells us that even crypto standards have a relatively short shelf life compared to many common products that have quarter to half century expected service lives (think of very expensive or risky upgrades such as utility meters, medical electronics that get put in you by some form of surgery, or safety systems such as navigation equipment in remote and dangerous places).
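The “auto negotiation” fall back described in the comment above, as an added illustration that is not part of the comment or of this blog: a toy negotiator for a constructed protocol (the option names and strength ranking are placeholders, not real cipher suites) in the naive form, which silently accepts whatever option list survives the wire, beside a hardened form that enforces a floor and verifies an authenticated tag over the list the client actually sent. The shared key and the stripping step are constructed for the demonstration; the tag stands in for the transcript MAC a real handshake derives from its own keys.

```python
import hashlib
import hmac

# Constructed strength ranking for a toy protocol; names are placeholders,
# not real cipher suites or protocol versions.
STRENGTH = {"null": 0, "legacy-weak": 1, "strong": 2, "strongest": 3}


class DowngradeRefused(Exception):
    """Raised when negotiation would settle below the security floor or the
    offered list has been modified in transit."""


def naive_negotiate(client_offer, server_support):
    """Pick the strongest option present in both lists. Trusts the offer as
    received, so anything removed in transit simply disappears from the choice."""
    common = [opt for opt in client_offer if opt in server_support]
    if not common:
        raise ValueError("no common option")
    return max(common, key=STRENGTH.__getitem__)


def tag_offer(offer, key):
    """Bind the offered list to a key shared out of band (constructed stand-in
    for a transcript MAC computed under the handshake's own keys)."""
    return hmac.new(key, "|".join(offer).encode(), hashlib.sha256).hexdigest()


def hardened_negotiate(client_offer, server_support, floor, offer_tag=None, key=None):
    """Same selection, with two mitigations:
    1. if the client attached a tag over the list it actually sent, verify it, so a
       modified list is detected even when the surviving option is above the floor;
    2. refuse any result below `floor`, so a weak option can never be negotiated
       quietly however the lists were arranged."""
    if offer_tag is not None:
        if key is None or not hmac.compare_digest(tag_offer(client_offer, key), offer_tag):
            raise DowngradeRefused("offer list does not match the client's authenticated tag")
    chosen = naive_negotiate(client_offer, server_support)
    if STRENGTH[chosen] < STRENGTH[floor]:
        raise DowngradeRefused(f"{chosen!r} is below the floor {floor!r}")
    return chosen


def strip_to_weakest(offer):
    """Model the in-transit modification the comment describes: every option
    except the weakest is removed before the server sees the list."""
    return [min(offer, key=STRENGTH.__getitem__)]


def demo():
    """Run the honest and the modified exchanges through both negotiators and
    return what each settled on (constructed inputs)."""
    key = b"constructed-shared-key"
    client_offer = ["strongest", "strong", "legacy-weak"]
    server_support = ["strongest", "strong", "legacy-weak", "null"]
    results = {}

    # Honest path: both negotiators agree on the best common option.
    results["honest_naive"] = naive_negotiate(client_offer, server_support)
    results["honest_hardened"] = hardened_negotiate(
        client_offer, server_support, "strong", tag_offer(client_offer, key), key)

    # Whole list stripped to its weakest entry: the naive side accepts it,
    # the floor check refuses even without a tag.
    stripped = strip_to_weakest(client_offer)
    results["stripped_naive"] = naive_negotiate(stripped, server_support)
    try:
        hardened_negotiate(stripped, server_support, "strong")
        results["stripped_floor"] = "accepted"
    except DowngradeRefused:
        results["stripped_floor"] = "refused"

    # Only the top entry removed: the result is still above the floor, so only
    # the authenticated tag reveals that the list was changed.
    partial = ["strong", "legacy-weak"]
    results["partial_naive"] = naive_negotiate(partial, server_support)
    try:
        hardened_negotiate(partial, server_support, "strong", tag_offer(client_offer, key), key)
        results["partial_tagged"] = "accepted"
    except DowngradeRefused:
        results["partial_tagged"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The floor alone is not enough: the partial case shows a negotiation that lands on an acceptable option yet is still not the one the client asked for, which is exactly the gap the authenticated tag closes and the reason the comment insists on no negotiable downgrading for older systems.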

Mr. Peed Off April 25, 2021 3:35 PM

@ no name
“I’m told that Protonmail cannot be used for communicating with many American businesses and that it doesn’t even go through to spam. Is it because it is encrypted? Or is it something else? Is it possibly malicious?”

I have not had any problems with protonmail. Ignore fud. All email is about as secure as a post card.

Weather April 25, 2021 9:21 PM

I kind of hinted at this before, but if you created the exploit, you know what the normal flow is, so after injection or the temp cmd shell closes, don’t call exit; fix the program and give it at least minimal data to keep it functional.
After a process crash a memory snapshot gets taken, plus network traffic; you pretty much blow up the door, and now try to be stealthy after.
But then they aren’t the ones who found the exploit.

name.withheld.for.obvious.reasons April 26, 2021 12:56 PM

26 APR 135 EDT — Site Attack?
Looks like chunked code spread across multiple comments; haven’t completely deconstructed the elements of the comments that appear to be a combined method of payload and code extraction from multiple comments. Don’t know if this is a WordPress based attack on clients, but it looks highly suspicious. More to follow…posting off topic deliberately for obvious reasons.

Weather April 26, 2021 1:36 PM

@name
The base64 comments look like heap spraying, and the strange graphics the crash. Do the base64 comments thrown in IDA have shellcode instructions?

name.withheld.for.obvious.reasons April 26, 2021 7:33 PM

@Moderator – Please indulge, there are apparently some issues with some data being pushed to this blog site. It is the current Friday squid that is in question.

From oldest thread to the last;
Looks like referencing, indirect load of stub data to the next two threads, then a binary graphic data tag at the end (but could mask converted data).

Have yet to dump the totality of the threads in their parts, that’s the next exercise. Doesn’t look like base64, lots of high end byte addresses on the last two comment segments, for example (CC9A CC9B CC9A CC9A). That’s from memory, have to get back to you. Have another high-order activity to attend to for the next three hours.

Yes, does look like shell escape code (terminfo type using termcap?) and there is font manipulation but it’s not clear the context; is it for the shell code or is it ‘escape’ the termcap and then injecting the font code?

Will update
