Most North Koreans do not spend much of their lives in front of a computer. But some of the few who do were apparently targeted last year with a remarkable arsenal of hacking techniques, in an espionage spree that some researchers suspect was carried out by South Korea.
Google's Threat Analysis Group announced today that an undisclosed group of hackers used no fewer than five zero-day vulnerabilities, previously unknown and unpatched bugs in software, to target North Koreans and professionals working on North Korean issues in 2019. The group exploited bugs in Internet Explorer, Chrome, and Windows, delivering them through phishing emails that carried malicious attachments or links to malicious websites, as well as through so-called watering-hole attacks, in which legitimate websites are compromised so that visitors are infected through their browser when they load the page.
Google declined to comment on who might be responsible for the attacks, but Russian security firm Kaspersky tells WIRED that it has linked Google's findings to DarkHotel, a group that has historically targeted North Koreans and is suspected of working on behalf of the South Korean government.
"It is really impressive. It shows a certain level of operational polish."
South Korea spying on a northern adversary that frequently threatens to launch missiles across the border is not unexpected. But the use of five zero-days in a single espionage campaign within one year reflects a surprising level of sophistication and resources. "It's rare that so many zero-day exploits by the same actor are found in a relatively short amount of time," wrote Google TAG researcher Toni Gidwani in the company's blog post. "Most of the targets we observed were from North Korea or were people who worked on North Korean issues." In a follow-up email, Google clarified that a subset of the victims were not merely of North Korean origin but located inside the country; in other words, these targets were not the North Korean defectors whom the North Korean regime itself frequently targets.
Within a few hours of Google linking the zero-day vulnerabilities to attacks against North Koreans, Kaspersky was able to match two of them, one in Windows and one in Internet Explorer, to attacks it had specifically tied to DarkHotel. The security firm had previously seen those bugs exploited to install known DarkHotel malware on its customers' computers. (Those DarkHotel-linked attacks occurred before Microsoft fixed the bugs, says Kaspersky researcher Costin Raiu, suggesting that DarkHotel is not simply reusing another group's vulnerabilities.) "Since Google has attributed all five zero-days to a single group, it is very likely that all of them are related to DarkHotel," says Raiu.
Raiu points out that DarkHotel has long hacked North Korean and Chinese victims, with a focus on espionage. "They are interested in information, such as getting documents, emails, and pretty much all of the data from these targets," he says. Raiu declined to speculate about which country's government might be behind the group. It is generally believed, however, that DarkHotel works on behalf of the South Korean government, and the Council on Foreign Relations names DarkHotel's alleged state sponsor as the Republic of Korea.
DarkHotel's hackers are believed to have been active since at least 2007, but Kaspersky gave the group its name in 2014, when it discovered that the group was compromising hotel Wi-Fi networks to target specific hotel guests based on their room number. Over the past three years, according to Raiu, Kaspersky has found DarkHotel using three further zero-day vulnerabilities, in addition to the five now linked to the group on the basis of the Google blog post. "They are probably one of the most imaginative actors in the world when it comes to zero-days," says Raiu. "They seem to do all of these things internally, without using code from other sources. That says a lot about their technical skills. They are very good."