Tackling North Korean cyberthreats to business
Hackers linked to the Democratic People's Republic of Korea (DPRK) are unique among state-linked cyber actors in that they target foreign governments, public institutions and private companies for both strategic espionage as well as for financially motivated cyberattacks.
Since at least 2018 the DPRK government has also been using fake identities to embed agents posing as IT workers in organizations across a diverse range of countries, including Uzbekistan, Chile, the United Arab Emirates and the United States. The goal of such campaigns is to obtain foreign currency for the DPRK government.
Navigating the legal and technical issues raised by this multi-pronged threat and the DPRK’s ever evolving tactics is tough. CyXcel’s Security Analyst Izzy MacLeod-Riley, Trainee Solicitor Rebecca Jackson and Principal Associate Jack Horlock explore how well-considered interlocking processes and cross-specialty cooperation can limit the damage and risk an organization faces from such threats.
The DPRK has shown itself to be a capable and undeterred actor in both cyber-focused actions (such as the major Lazarus Group campaigns) and in mixed espionage campaigns such as employment schemes.
Based on reports in the media and information from DPRK agents who have defected from these schemes, such campaigns are financially lucrative for Pyongyang and involve 3,000-4,500 agents worldwide.
The UK Office of Financial Sanctions Implementation (OFSI) has warned that "DPRK IT workers may gain privileged access to sensitive or critical company information. There is a realistic possibility (40-50%) that this could result in this information being compromised or misused by other malign DPRK cyber actors."
The OFSI has added that there is a 95-100% chance that UK organizations are being subjected to attempted infiltration by DPRK agents.
While serious, the total number of instances where these agents have successfully infiltrated an organization and then been discovered and/or confirmed as a DPRK agent is low relative to other DPRK threats such as cyber-focused ransomware groups.
Nonetheless, despite its relatively low probability, such an infiltration is a potentially high-impact risk:
- Companies that have suffered such a breach may discover that they have inadvertently engaged with an actor from a sanctioned nation, paid a ransom to such an actor and had their corporate secrets stolen.
- They may now face potentially severe penalties from regulatory bodies due to data protection breaches or sanctions breaches.
- Making matters worse, the threat of re-compromise is serious – the statistics regarding ransomware re-compromise show a strong possibility that a DPRK agent may use stolen credentials to maintain access.
Path to preparedness
In the heat of a live incident, returning to business as usual and limiting the initial damage is often a greater priority for organizations that have been breached by DPRK actors than solving for future risks such as re-compromise.
By considering the risks, and options for mitigation, remediation and recovery before an incident, an organization can mitigate the impact of a DPRK-linked breach.
Tighten pre-employment diligence
A well-considered pre-employment screening process can help identify potential issues and inconsistencies that may indicate an individual is a DPRK agent. This entails looking for well-publicised indicators and tactics used by such actors at the pre-employment stage, and conducting employee due diligence proportionate to the candidate's seniority within the company and the access they will be granted. This can be further enhanced by continuing vigilance during employee onboarding.
Even if an organization is unaware of the DPRK agent’s infiltration at the employment stage, leveraging modern cybersecurity technologies, controls and expertise can reduce the risk a DPRK agent poses to a business.
Limit data access
Reports suggest that many DPRK agents begin to exfiltrate data rapidly after employment because of the risk of exposure. This should generate a lot of noise in systems as they access as much information as possible in as short a time as possible, often leveraging non-standard software or systems to do so.
For example, the use of remote access software and virtual desktops has been an observed method for accessing organizational infrastructure and equipment. Enforcing ‘Acceptable Use’ policies and preventing the running of unauthorized services and programmes on an organization’s system can make it harder for a DPRK infiltrator to operate.
Use permissions structures
The use of permissions structures and access controls as part of a strong information security stance limits the ability of a DPRK threat actor to access sensitive data held by other sections of the business; this matters because reports suggest that DPRK agents tend to work in remote IT positions. These controls not only slow down the lateral movement of threat actors across networks, they can also trigger alerts if the agents request access to systems or data they are not authorised to access.
These permissions should include software approval and installation controls. Research shows DPRK agents install remote desktop access software and sometimes IP KVM or mouse jiggle software to allow them to operate many systems at once.
Modern canary file/token technologies are becoming more available and accessible to companies. Their use can show which areas, accounts and data the DPRK actor is accessing, alerting IT security teams to the infiltrator's actions. They also aid the rapid triage and logging of suspect behaviour, helping to build out evidence for an HR or cyber incident investigation.
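The two signals described in this section, a recent joiner collecting an unusually large number of distinct resources in a short window and any account touching a canary document, can be checked against file-share access logs. The following is an added illustration, not code from the article or from CyXcel; the log format, account names, hire dates, canary path and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). One file-share access event per
# line: "<ISO timestamp> <account> <path>". Hire dates would come from HR.
HIRE_DATES = {"new.contractor": "2024-05-01", "long.timer": "2019-03-12"}
CANARY_PATHS = {"/finance/board_minutes_DRAFT.xlsx"}  # decoy nobody should open
SAMPLE_LOG = (
    [f"2024-05-20T09:{m:02d}:00 new.contractor /eng/repo{m}/design.docx" for m in range(12)]
    + [f"2024-05-20T14:{m:02d}:00 long.timer /eng/repo{m}/design.docx" for m in range(12)]
    + ["2024-05-20T14:30:00 long.timer /finance/board_minutes_DRAFT.xlsx"]
)


def max_distinct_in_window(events, window):
    """Largest number of distinct paths one account touched inside any
    single window. events: list of (datetime, path), sorted by time."""
    best = 0
    for i, (ts, _) in enumerate(events):
        recent = {p for t, p in events[: i + 1] if ts - t <= window}
        best = max(best, len(recent))
    return best


def detect(lines, hire_dates, canaries, new_hire_days=90,
           window=timedelta(hours=1), burst=10):
    """Return {account: sorted alerts}: any canary-file access, plus a recent
    joiner touching >= `burst` distinct resources within `window`."""
    events = defaultdict(list)
    for line in lines:
        ts, user, path = line.split(" ", 2)
        events[user].append((datetime.fromisoformat(ts), path))

    alerts = defaultdict(set)
    for user, evs in events.items():
        evs.sort()
        for _, path in evs:
            if path in canaries:
                alerts[user].add(f"canary:{path}")
        # The burst rule is scoped to recent joiners so that ordinary
        # activity by tenured staff does not flood the alert queue.
        hired = datetime.fromisoformat(hire_dates.get(user, "1970-01-01"))
        if evs[0][0] - hired <= timedelta(days=new_hire_days):
            n = max_distinct_in_window(evs, window)
            if n >= burst:
                hours = int(window.total_seconds() // 3600)
                alerts[user].add(f"burst:{n} distinct paths within {hours}h")
    return {u: sorted(a) for u, a in alerts.items()}
```

In the constructed data the tenured account is not flagged for volume but is flagged for the canary touch, while the new joiner is flagged for the burst alone; in practice the thresholds would be tuned against the organization's own baseline.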
Conduct cross-speciality security investigations
An HR-led investigation into cyber and information security matters can be a fraught and complex exercise. It may require the engagement of employment law specialists and external digital forensic investigators to ensure confidentiality, impartiality and legality.
The retention of logs for the individual being investigated and the systems they may have accessed is paramount in such an investigation. The most critical information will likely be discovered in these logs during analysis, which can be cross-referenced with tactics, techniques and procedures known to be used by DPRK agents.
The timely preservation of logs when an investigation is launched can greatly assist in the accuracy and speed with which an investigation can be conducted, allowing for potentially faster resolution of the matter.
Secure your IT environment
After concluding an investigation and the agent exiting the organization, an often-overlooked step is securing the environment. Although the employee’s own account access may be terminated, shared accounts, keys and credentials should also be cycled. Changing such shared or commonly accessible credentials prevents the DPRK agent from regaining access to the organization’s networks.
Statistics from ransomware cases and systems compromise suggest that 80% of businesses are re-compromised within 12 months of an initial incident, with stolen credentials being a common feature alongside the use of backdoors and exploits left behind from the first incident.
Public data on firms being infiltrated by a DPRK agent and then compromised by DPRK-aligned cyber threat actors (such as the notorious Lazarus Group) is limited. Even so, organizations must prepare for the risk that this secondary compromise may occur slightly later than the common 12 months if a DPRK agent has infiltrated the organization.
Contain data ransom risks
DPRK agents have added a new tactic to their infiltration and espionage campaigns: data ransom. These ransom demands often come via email (with some proof of data held) soon after the DPRK agent has exited the organization. The agent usually demands a cryptocurrency-based ransom payment to not release the data.
Logs from systems and canary files will help clarify more completely what data has been accessed, while technical permission structures and policies will have limited the data available to the DPRK agent in the first place. This clarity can assist organizations in decision-making regarding crisis communications and dialogue with regulatory bodies.
Ensure compliance with sanctions
Organizations will need to carefully consider their responsibilities with respect to international sanctions as well as possible ramifications under money laundering and counter-terrorism legislation. The UK Office of Financial Sanctions Implementation (OFSI) highlights that organizations employing DPRK IT workers – even inadvertently – could be in breach of financial sanctions.
There are civil and criminal consequences for such a breach of sanctions – and the civil consequences carry strict liability. It is not necessary to demonstrate that the person or organization knew of, or had reasonable grounds to suspect, a sanctions breach. Rather, civil liability (a fine) is a question of whether or not, on the balance of probabilities, a breach occurred.
The sanctions landscape is complex; navigating it can be daunting. Organizations should work with expert advisors to verify whether a breach has, or might have, occurred with reference to the relevant sanctions. Stopping a possible breach is of critical importance, together with legal and technical measures to limit harms and exposures.
The issue of disclosure to regulators and to OFSI is an equally important one and can vary depending on the circumstances and the sector in which the affected organization operates.
Build back stronger
An organization will likely wish to return to business as usual and put these events behind them as quickly as possible. However, as discussed above, even after a malicious actor (such as a DPRK agent) has been removed, there may still be work to do such as cycling credentials, and undertaking a full assessment of the digital footprint of the organization to ensure potential means for further compromise are closed.
Additionally, a review of pre-employment screening processes could be useful to ensure that such an agent is not employed again, and to confirm that the actions taken within the investigation were timely, appropriate and proportionate.
By taking pre-emptive steps to halt a DPRK agent, organizations can limit harm and strengthen their overall cyber security posture.
We Can Help
CyXcel’s multi-domain expertise in employment law, regulatory compliance, digital forensics and incident management helps organizations conduct such complex investigations, and enables them to implement appropriate resilience and remediation strategies, with full litigation support.
For more information, or to speak with one of our team about how we can help your business, contact us today.