In this case, North Korean hackers targeted Chinese security researchers with Chinese-language lure documents labeled “Securitystatuscheck.zip” and “_signed.pdf,” in the hopes that the researchers would be compelled to click on them. While the documents, which CrowdStrike uncovered in June, contained cybersecurity information from China’s Ministry of Public Security and the National Information Security Standardization Technical Committee, the hacking team was likely sending booby-trapped documents.
Trygve Lie, the former UN Secretary-General, is reputed to have once quipped that a true diplomat can slash his neighbor’s throat without his neighbor noticing.
The North Korean administration appears to have grasped the lesson.
According to CrowdStrike information shared exclusively with The Daily Beast, hackers with suspected ties to the Pyongyang government have been targeting Chinese security researchers in an apparent attempt to steal their hacking techniques and pass them off as their own.
The tactic of targeting security researchers in other countries could be particularly useful for the North Korean government. It could broaden Kim Jong Un’s hacking team’s roadmap to outsmarting other hackers around the world. And these operations, Meyers told The Daily Beast, likely make it possible for the North Koreans to steal exploits or learn new hacking skills they otherwise wouldn’t have.
The North Korean hacking gang responsible, which cybersecurity firm CrowdStrike calls “Stardust Chollima”—and which other researchers label Lazarus Group—in all likelihood sent the lures over email, Adam Meyers, vice president of intelligence at CrowdStrike, told The Daily Beast. CrowdStrike does not have access to those emails or the initial routes to victims, but this campaign appears to imitate earlier North Korean hacking missions that used email and social media to try to distribute malware to security researchers, says Meyers.
“For vulnerability research in particular that would be interesting—it in effect allows you to collect and steal weapons that you can use for other operations. It could also give them insight into new techniques that they’re not aware of and how research is being conducted,” Meyers said. “It also lets you know what the security posture looks like in other countries.”
For North Korea, which runs hacking operations aimed at raising revenue to fund the regime—including its nuclear weapons program—new hacking know-how could make all the difference.
It’s just the latest signal that the North Korean government may be working to obtain new hacking techniques and tools in an effort to run financially motivated hacking operations. But this hacking campaign suggests that instead of doing diligent internal research and innovating on their own, they’re straight up working to crib hacking playbooks from security researchers abroad.
It wouldn’t be the first time. North Korean hackers earlier this year ran an elaborate campaign, complete with a fake security research blog, a fake company, and bogus Twitter personas, to try hacking security researchers and collect intelligence on their latest cybersecurity work, according to an investigation published by Google. In that campaign, the hackers targeted researchers via Twitter, LinkedIn, Telegram, Discord, Keybase, and email, using aliases such as Billy Brown and Guo Zhang, later targeting them with malware capable of stealing files on their computers.
But the hackers don’t appear to have stopped. The campaign in China is likely an extension and continuation of that earlier campaign targeting security researchers, with a focus on neighboring China this time around, according to CrowdStrike. Meyers said the hacking branches of the North Korean government are likely being ordered to find ways to fund regime goals, with a focus on, “how do you make sure you have access to the latest vulnerabilities, the latest exploitation techniques, the latest research that’s going on. There’s constantly innovation in that space [and] this helps the North Korean intelligence services improve their capabilities by stealing this type of information,” he said.
In particular, the North Korean hacking team could be interested in obtaining especially sensitive vulnerabilities called “zero days,” which are software or hardware flaws that companies don’t know about and therefore can’t fix, making them especially powerful if they’re used. The vulnerabilities are known as zero days because the companies, if they ever find someone taking advantage, will have zero days to patch. Chinese hackers are prolific at obtaining zero days, making them a ripe target for any hacking team interested in running off with someone else’s find, Vikram Thakur, a technical director at Symantec, told The Daily Beast.
Chinese security researchers are a prime target, as “the most number of zero days found by any country in the world is probably China,” said Thakur, who is dedicated to tracking North Korean hacking teams. “In my opinion… Lazarus [Group] or North Korea would have been trying to arm themselves with zero days.” China is, indeed, at the top of its game when it comes to zero days, according to FireEye research. Over the last decade, North Korea used three zero days. But China’s used 20—far more than any other country.
“In case of Chinese researchers, I guess that the attackers are interested in vulnerabilities [and, or] exploits for certain products,” Cherepanov said. Either way, this campaign targeting Chinese-language hackers looked particularly determined. One of the best ways to get targets to click on documents laden with malware or spammy links is to instill fear in victims, such as by claiming an urgent task is at hand, by referencing their sensitive information, or by imitating a boss or controlling authority. By referencing Chinese government security authorities, the lures appear to have been very well-tailored for Chinese nationals, and in particular, security experts.
“It’s always hard to know [the] real end goal of attackers,” said Anton Cherepanov, a senior malware researcher at the Slovakia-based cybersecurity firm ESET, who recently found what he thinks is potentially another prong of the broad campaign against security researchers. (Early this month, Cherepanov found that a popular reverse-engineering tool, IDA Pro, which is used almost exclusively by security researchers, had been tampered with.) At least, China had the most prowess in this department last year. As the thinking goes, North Korea might be trying to ride China’s coattails and change that balance. James Sadowski, a senior analyst in strategic analysis at Mandiant Threat Intelligence, told The Daily Beast last week the number of zero days used has only been creeping up since they first published their report. The count now is at 76, according to Sadowski.