DPRK, TrickBot, and Russian Cyber Threat Actors
Multiple sources have reported on possible links between DPRK threat actors and Trickbot, which is operated by Russian actors. Moreover, evidence indicates that DPRK actors are working with Russian state-sponsored actors for financial gain. This activity runs parallel to increasing cooperation in the military, political, and economic domains. The DPRK is increasingly viewing itself as a sophisticated actor in the Indo-Pacific region unconstrained by international norms.
TrickBot
TrickBot, discovered in 2016, began as a banking trojan and morphed into a Malware-as-a-Service (MaaS) product operated by Russian-speaking threat actors. The TrickBot operators are active in the cyber underground and offer their services to other actors with proven reputations. Accordingly, TrickBot campaigns have been observed in conjunction with Emotet, Ryuk, BokBot, and other malware families distributed by FIN6 and TA505. TrickBot uses a hard-coded parameter known as a gtag, which is likely a campaign identifier. This gtag can be observed in the HTTP traffic associated with a TrickBot infection.
DPRK Threat Actors and TrickBot
NTT Security has observed TrickBot delivering the PowerBrace backdoor, which is attributed to the Lazarus Group. Further, SentinelLabs has observed TrickBot utilizing its Anchor module to drop DPRK-linked tools for data exfiltration and financial gain. Earlier this year, the French information security firm LEXFO published a report indicating that DPRK threat actors used Hermes ransomware, which shares most of its code with Ryuk. These infections are typically initiated through phishing emails containing malicious links, which download TrickBot. Next, TrickBot is used to drop the secondary infections of DPRK-linked tooling, such as PowerRatankba, PowerBrace, and Hermes.
DPRK and Russia Threat Actor Links
Multi-sourced reporting indicates possible overlap between DPRK and Russian threat actor campaigns. Financial organizations have been infected with TA505-linked GraceWire malware and DPRK-linked PowerBrace. Thus, it is likely that coordination between the two state-sponsored groups exists. Moreover, DHS reporting has indicated that DPRK threat actors are working with TA505 for initial access development. In summary, DPRK cyber threat actors have been observed coordinating with TrickBot operators and TA505 in campaigns targeting the financial services industry.
Financial Motivations
The DPRK increased its cyber-crime activities in 2016 and 2017 as United Nations Security Council (UNSC) sanctions became more targeted. The DPRK has targeted banks in South East Asia, Eastern Europe, and Latin America while also targeting cryptocurrency exchanges. To this end, the DPRK has sought the help of outside experts, resulting in the indictment of a cryptocurrency subject matter expert for attempting to collude with the North Koreans. These financially motivated cyber-crime activities align with the offline activities of the infamous Bureau 39, which exists to procure illicit cash for the regime.
DPRK Actions in the Region
When Kim Jong Un took power in late 2011, many analysts debated whether he would be a reforming actor or pursue the status quo. KJU then commenced wide scale purges culminating in the execution of his uncle and the assassination of his elder brother on foreign soil. The DPRK then initiated a flurry of weapons tests in 2017 before engaging with the Trump Administration seeking security guarantees, sanctions relief, and a formal peace treaty. Meanwhile, the ROK government has pursued a policy fixated on inter-Korean cooperation. Further, in recent years, the DPRK has sought to increase cooperation with its largest neighbors, the PRC and Russia.
In 2015, Russia indicated that it wanted to conduct joint military drills with the DPRK. And, following the flurry of weapons testing in 2017 and joint US-Japan-ROK military drills, Russia and the PRC conducted military drills near the Korean Peninsula. Late last year, Russia, Iran, and the PRC held naval drills in the Gulf of Oman following increased tensions between the US and Iran. And later this month, the PRC will participate in the Caucus 2020 joint exercises with Russia and other states.
An Kwang Il, the top DPRK envoy in Indonesia, attended the ASEAN Regional Forum (ARF) last week. While the DPRK has used this forum in the past to highlight security concerns, An instead touched on regional issues concerning Hong Kong and the South China Sea. This indicates the DPRK’s growing confidence in the region aligned with the PRC. This was further demonstrated by KJU’s letter to Xi Jin Ping whereby KJU vowed to support joint efforts to defend socialism with the PRC.
Conclusion
The United States, under President Trump, has pursued a foreign policy strategy of confronting adversarial states in the Indo-Pacific. Consequently, these states have increased their cooperation economically, militarily, politically, and in cyberspace. DPRK-linked cyber threat actors have been observed working with Russian cyber threat actors, who only work with mature actors. This reflects the sophistication of DPRK cyber threat groups in recent years, and likely indicates that DPRK actors will increasingly target organizations for financial gain. Thus, organizations in the financial services industry should include DPRK-linked actors into their threat models, as these campaigns are likely to increase in both numbers and impact.