IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

How NSA Hacked North Korean Hackers

The U.S. government's attribution of the Sony Pictures Entertainment hack attack to North Korea stems, in part, from the U.S. National Security Agency having infected a significant number of North Korean PCs with malware, which the intelligence agency has been using to monitor the country's hacking force.

So says The New York Times, which bases its report, in part, on interviews with unnamed former U.S. and foreign officials, as well as a newly leaked NSA document. The document, published Jan. 17 by German newsmagazine Der Spiegel - and obtained via former NSA contractor Edward Snowden - details how the NSA worked with South Korea - and other allies - to infiltrate North Korea. The agency reportedly infiltrated at least some of these computers by first exploiting systems in China and Malaysia that help manage and administer North Korea's connection to the Internet.

According to the Times report, the hacked computers have given the NSA an "early warning radar" against attacks launched by the Pyongyang-based government of North Korea. Related intelligence gathered by the NSA also reportedly helped convince President Obama that North Korea was behind the Sony Pictures hack.

North Korea's Reconnaissance General Bureau intelligence service, as well as its Bureau 121 hacking unit, control the vast majority of the country's 6,000-strong hacking force, some of which operates from China, according to news reports.

Fourth Party Collection

Some of the evidence of the NSA's ability to monitor North Korean systems comes from a leaked NSA document, which appears to be a transcript of an internal NSA question-and-answer discussion that's marked "top secret" and is restricted to the U.S. and its Five Eyes spying program partners: Australia, Canada, New Zealand and the United Kingdom. The document refers to the NSA's practice of "fourth party collection," which involves hacking into someone else's hack, according to a Der Spiegel report.

The document relays an episode that involves North Korea: "We found a few instances where there were NK [North Korea] officials with SK [South Korea] implants [malware] on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data," the document reads.

Der Spiegel reports that this practice, which is employed by the NSA's Tailored Access Operations team, has been used extensively to undermine many hack attacks emanating from Russia and China and has allowed the NSA to obtain the source code for some Chinese malware tools.

But some attacks against U.S. systems did succeed, and one leaked NSA document says that as of several years ago, 30,000 separate attacks had been detected against U.S. Defense Department systems, 1,600 systems had been hacked, and related "damage assessment and network repair" costs had exceeded $100 million.

The NSA document also discloses that South Korea in recent years has begun attempting to hack into some U.S. government systems.

The FBI has previously said that its attribution of the Sony Pictures hack was based in part on intelligence shared by the NSA, although that attribution did not single out the North Korean government, thus leaving open the possibility that pro-Pyongyang hackers or even mercenaries may have also been involved.

The Role of Botnets

On the attribution front, meanwhile, documents newly published by Der Spiegel - and leaked by Snowden - have detailed an NSA program, code-named "Defiantwarrior," which involves the NSA using infected nodes - or zombies - in a botnet. When such nodes are traced to U.S. computers, the FBI reportedly uses the information to help shut down those parts of the botnet. But when nodes are discovered on computers in countries outside the Five Eyes program, the NSA - according to the leaked documents - may use these to launch attacks against targets. While such attacks might be traced back to the botnet node, this practice reportedly helps the agency launch attacks that are difficult - if not impossible - to attribute back to the NSA.

Did NSA Keep Quiet?

The report that the NSA had hacked into many of the systems employed by the North Korean military, and was monitoring them, has prompted information security experts to question whether the agency knew about the Sony Pictures hack and failed to stop it.

"If the NSA were secretly spying so comprehensively on the networks used by North Korea's hackers, how come they didn't warn Sony Pictures?" asks independent security expert Graham Cluley in a blog post.

If the NSA did detect signs of the Sony hack planning, reconnaissance and actual attack unfolding, however, then it might have declined to warn the television and movie studio to avoid compromising that monitoring ability, says Europol cybersecurity adviser Alan Woodward, who's a visiting computing professor at the University of Surrey in England. Similar questions have been raised in the past, for example, over the World War II bombing of Coventry, England, by the Germans, and why - if the British had cracked the Nazis' secret Enigma codes - the U.K. government didn't evacuate the city.

Another outstanding question is the extent to which the leadership of North Korea suspected - or knew - that their computer systems may have been infiltrated by foreign intelligence services. "Presumably, the cat is now out of the bag," Cluley says. "These news stories may take some of the heat off the [United] States from some of those in the IT security world who were skeptical about the claims of North Korean involvement, but it also tips off North Korea that it may want to be a little more careful about its own computer security."

Szymon Mantey's curator insight, January 19, 2015 2:28 PM

A guide on how easy it is to get hacked by Asians who steal our personal data while the NSA is unable to do anything about it...!

Who Disrupted Internet in North Korea?

Companies that monitor Internet traffic say the Internet went dark in North Korea on Dec. 22, days after President Obama pledged there would be a "proportionate response" to the cyber-attack on Sony Pictures Entertainment that the FBI blames on the North Koreans.

"I haven't seen such a steady beat of routing instability and outages in KP before," Doug Madory, director of Internet analysis at Dyn Research, tells the website North Korea Tech, referring to North Korea's Internet domain abbreviation. "Usually there are isolated blips, not continuous connectivity problems. I wouldn't be surprised if they are absorbing some sort of attack presently."

North Korea lost connectivity around 11 a.m. EST, according to CloudFlare, a provider of performance and security services for websites. Twelve hours later, the Associated Press reported the service had been restored.

Small Internet Footprint

CloudFlare chief executive Matthew Prince says if North Korea was victimized by a DDoS attack, it wasn't necessarily conducted by the United States or another nation state. Prince estimates that the capacity of North Korea's Internet is no greater than tens of gigabits per second. "Given the largest DDoS attacks are an order of magnitude larger than that," he says, "it is conceivable that an attack saturated the connection and knocked the site offline."

Prince says groups much smaller than a nation-state - even an individual - could pull off such a DDoS attack, pointing out that a British teenager pleaded guilty a few weeks ago to launching an attack generating 300 Gbps against Spamhaus, an organization that tracks e-mail spammers.

"That, again, is likely at least an order of magnitude larger than the total capacity of North Korea's link to the public Internet," he says. "In other words, if it turns out it was an attack, I'd be far more surprised if it was a government launching the attack than I would if it was a kid in a Guy Fawkes mask." The Guy Fawkes mask is a symbol used by the hacktivist group Anonymous.

Who's Responsible?

Dan Holden, director of security research at Arbor Networks, told Bloomberg News that it was unlikely the U.S. was behind the outage. "If the U.S. government was going to do something, it would not be so blatant and it would be way worse," he said. "This could just be someone in the U.S. who is ticked off because they're unable to see the movie," he said, referring to "The Interview," the film that Sony yanked after receiving threats from hackers.

State Department spokeswoman Marie Harf wouldn't comment on whether the United States was behind a cyber-attack on North Korea. "We aren't going to discuss publicly operational details about the possible response options," she said at a Dec. 22 briefing, adding that "as we implement our responses, some will be seen, some may not be seen."

The impact of an Internet outage in North Korea would be negligible because so few individuals and businesses in North Korea have access to the Internet. "It might cause short-term pain for the elites that have access to Internet, but it's not going to have a long-term effect," says Adam Segal, director of the program on digital and cyberspace policy at the Council on Foreign Relations, a think tank.

According to the New York Times, North Korea does very little commercial or government business over the Internet, officially registering only 1,024 Internet protocol addresses, though the actual number may be somewhat higher. The United States, by comparison, has billions of addresses.

Other Possible Causes

CloudFlare's Prince offered three other potential causes for the outage, including the North Korean government removing itself from the Internet. "We've seen this before when other countries with low levels of connectivity and governments with high degrees of power over telecommunications have terminated Internet access," Prince says, citing Syria as an example.

North Korea's Internet service provider, China Unicom, might have terminated service. "Since North Korea relies on a single provider upstream of the country, if China Unicom terminated access, it would effectively eliminate North Korea's Internet access," he says.

Prince also says that North Korea might have fallen victim to an "unfortunately timed" hardware failure or cable cut. "It's unlikely that North Korea has an up-to-date Cisco support contract, and a critical resource may have failed for innocuous reasons."

Sony Hackers Threaten Movie Theaters

The U.S. Department of Homeland Security says it has no evidence to suggest that a "terror" threat made by hackers against movie theaters and theatergoers - in relation to the release of the forthcoming Sony Pictures Entertainment comedy "The Interview" - is credible.

While DHS confirms that it's aware of the threat, the agency says in a statement that "at this time there is no credible intelligence to indicate an active plot against movie theaters within the United States."

The response from DHS follows the release of a message from a group that calls itself the Guardians of Peace. "Remember the 11th of September 2001," the group warns. "We will clearly show it to you at the very time and places 'The Interview' be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. ... We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you'd better leave.)"

The warning was contained in a message posted Dec. 16 to the FriendPaste and Pastebin text-sharing websites, by "G.O.P.," following the group's damaging Nov. 24 wiper malware attack against Sony Pictures Entertainment, as well as its ongoing anti-Sony public relations campaign, which to date has seen the group reportedly release tens of gigabytes of stolen Sony data.

In response to G.O.P.'s threat, Sony Pictures has told theaters that it will allow them to decide whether they want to show the film. On Dec. 16, Carmike Cinemas - the fourth-largest U.S. exhibitor, by number of screens - said it won't show the film, The Wall Street Journal reports.

The Interview, which is due to have its U.S. release on Christmas Day, stars James Franco and Seth Rogen - who also co-directed - as a tabloid TV reporting team who land an interview with North Korean dictator Kim Jong-un in Pyongyang, but who get approached by the CIA to instead assassinate him.

In response to G.O.P.'s threat against theaters and movie-goers, some Hollywood luminaries have responded by publicly pledging to see the film.

Congress will hold a public hearing on North Korea's hacking powers next week

In the wake of the Sony Pictures hack, Washington is showing a new focus on the threat posed by North Korea. The House Foreign Affairs Committee has called for a public briefing on Tuesday that will examine the country's hacking capabilities, with testimony from the Departments of State, Treasury and Homeland Security. The briefing will focus on steps the US is taking to curtail or protect against the country's apparent capabilities. "There can be no doubt that the Kim regime means America harm," Chairman Ed Royce (R-CA) said in a statement, "and as we saw last month, Pyongyang can deliver on its threats."

President Obama has already ordered new sanctions against North Korea in direct response to the attack, but has also hinted at further measures yet to come, calling the sanctions the "first aspect" of the government's response. Others in Congress are also calling for new defensive measures, resurrecting the controversial CISPA cybersecurity bill. Given the newfound interest in digital defense, supporters see this as the bill's best chance to get through Congress. On Wednesday, FBI director James Comey reiterated his confidence that the nation was responsible, saying, "we know who hacked Sony. It was the North Koreans."

Sony: N. Korea Warns of 'Consequences'

North Korea has denied the Obama administration's allegations that it launched the hack attack against Sony Pictures Entertainment and demanded that a joint investigation with the U.S. into the incident be launched. The secretive communist regime, based in Pyongyang, also promised there would be "grave consequences" if the United States failed to agree to the joint probe.

The North Korean demands follow the FBI on Dec. 19 reporting that its analysis of the Sony hack attack - based on the tools, infrastructure and techniques used - found that the attack had been launched by Pyongyang. But multiple information security experts have questioned that attribution and called on the bureau to publish detailed evidence to sustain those claims.

Some commentators have characterized the hack attack against Sony Pictures as an act of "cyberwar," although President Barack Obama has strongly dismissed such assertions. "I don't think it was an act of war," Obama told CNN in an interview that was taped Dec. 19. "I think it was an act of cyber vandalism that was very costly, very expensive. We take it very seriously. We will respond proportionately, as I said."

Obama suggested, for example, that North Korea might be added again to the State Department list of countries that sponsor terrorism. The country was first added to that list in 1987 after two of its agents blew up a South Korean airliner in mid-air, killing all 151 people aboard. In 2008, the country was removed from that list by the administration of former President George W. Bush, as part of denuclearization talks.

Sen. John McCain, R-Ariz., the incoming chairman of the Senate Armed Services Committee, has sought to define the Sony hack in stronger terms than Obama. "The president does not understand that this is the manifestation of a new form of warfare," McCain told CNN. "When you destroy economies and are able to impose censorship on the world ... it's more than vandalism, it's a new form of warfare." McCain says he plans to hold hearings on the hack-attack against Sony in the first two weeks after Congress reconvenes on Jan. 3, 2015.

Hack Tied To Film?

Following the FBI publishing its hack-attack attribution, President Obama promised in a Dec. 19 press conference that the U.S. would react "proportionately" to North Korea's actions. "They caused a lot of damage, and we will respond," he said. The hack attack appeared to have been sparked by Sony Pictures comedy "The Interview" - previously due for a Dec. 25 release - about a pair of tabloid TV reporters traveling to Pyongyang to interview dictator Kim Jong-un, who are approached by the CIA to kill him instead.

North Korea has responded to Obama's allegations by not only demanding the joint investigation, but with its National Defense Commission - led by Kim Jong-un - warning that the country's 1.1 million-strong army stands ready to fight the United States. "Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the 'symmetric counteraction' declared by Obama," the commission said in a statement provided to the state-sponsored Korean Central News Agency.

In recent days, the secretive communist regime has also threatened to increase its nuclear capabilities in response to an ongoing United Nations inquiry, which has recommended referring the country's leadership - including Kim Jong-un - to the International Criminal Court, to be tried for crimes against humanity.

Pyongyang previously demanded a joint investigation into the sinking of the South Korean navy ship Cheonan in 2010, in which 46 crew members died. South Korea rejected that request and assembled a team of international experts, who concluded that the ship had been sunk by a North Korean submarine's surprise torpedo attack.

Obama Criticizes Sony

Obama also said it had been a "mistake" for Sony to announce that it would cancel "The Interview" in response to threats from a group calling itself the "Guardians of Peace," which quickly claimed credit for the hack attack, which appeared to have begun as an extortion attempt with no connection to the film. After threatening Sony employees, the group subsequently issued a "terror" threat to all movie theaters and theatergoers that showed "The Interview." But "G.O.P." claimed it would cease leaking stolen Sony data if the entertainment firm canceled the film, which centered on a pair of tabloid TV reporters traveling to Pyongyang to interview Kim Jong-un, who are approached by the CIA to kill him instead.

In a statement uploaded Dec. 18 to text-sharing website Pastebin, meanwhile, G.O.P. revised its demand that "The Interview" never be released, saying "you have suffered through enough threats" and that the studio was now free to release the film, so long as it removed the Kim Jong-un death scene. "September 11 may happen again if you don't comply with the rules," it said.

Sony Pictures CEO Comments

In response to Obama's comments - and sustained criticism from numerous other politicians, entertainers and commentators - Sony Pictures chief executive Michael Lynton told CNN Dec. 19 that the studio had "not caved" to hackers. Rather, he said Sony was forced to shelve the movie, at least temporarily, when theaters said they would not show it. Reversing previous statements made by Sony officials, Lynton said Sony is now exploring other distribution options, including potentially releasing the film via Google's YouTube.

"We would still like the public to see this movie, absolutely," Lynton said. "There are a number of options open to us. And we have considered those, and are considering them." Sony has also hired a celebrity spin doctor to help it try to recover from the hack attack and negative publicity sparked by the contents of executives' leaked Outlook e-mail spools. Many industry watchers think that corporate parent Sony will sell Sony Pictures Entertainment - formerly known as Columbia Pictures and bought by Sony in 1989 - to rid itself of the ongoing public relations saga.

US-CERT Details Sony Wiper Malware

More information has now come to light on the malware that was used to attack Sony, via the U.S. Computer Emergency Response Team issuing an advisory Dec. 19 about a server message block worm that was recently used to target "a major entertainment company."

"This tool contains five components - a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool," the alert warns. The worm spreads by brute-force guessing passwords for Windows SMB shares, and "phones home" to a command-and-control server every five minutes. The malware includes file-transfer capabilities, as well as the ability to overwrite a system's master boot record, which can make the system inoperable once rebooted.
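As an added detection example (not US-CERT's code or anything from the page), the two behaviours the advisory describes can be hunted for in endpoint telemetry: bursts of failed network logons against SMB hosts, and outbound connections from one host to one destination at a near-constant five-minute cadence. The event tuples below are a constructed simplification of a real log schema, and the thresholds are assumptions to tune per environment.

```python
"""Hunting heuristics for the two behaviours US-CERT describes: SMB
password brute-forcing and a fixed five-minute C2 beacon.  Added example,
not US-CERT's or the page's code; the event format is a constructed
simplification, not any real SIEM schema."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real telemetry). Two kinds:
#   ("conn", ts, src_host, dst_ip, dst_port)      outbound connection
#   ("logon_fail", ts, src_host, dst_host, user)  failed network logon (SMB)
EVENTS = (
    [("conn", 1000 + 300 * i, "ws-17", "203.0.113.9", 8080) for i in range(6)]
    + [("conn", 1000 + 17 * i, "ws-17", "198.51.100.5", 443) for i in range(3)]
    + [("conn", 1234 + 97 * i, "ws-42", "198.51.100.5", 443) for i in range(6)]
    + [("logon_fail", 2000 + i, "ws-17", "fs-01", "administrator") for i in range(40)]
    + [("logon_fail", 2500, "ws-42", "fs-01", "jsmith")]
)


def periodic_beacons(events, period=300, tolerance=0.05, min_count=5):
    """Return (src, dst) pairs whose connection inter-arrival times cluster
    tightly around `period` seconds.  Real beacons often add jitter, so the
    tolerance is a knob rather than a constant."""
    by_pair = defaultdict(list)
    for _kind, ts, src, dst, _port in (e for e in events if e[0] == "conn"):
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        slack = period * tolerance
        if abs(mean(gaps) - period) <= slack and pstdev(gaps) <= slack:
            hits.append(pair)
    return sorted(hits)


def smb_bruteforce(events, window=600, threshold=20):
    """Flag (src, dst) pairs with at least `threshold` failed network logons
    inside any sliding window of `window` seconds."""
    by_pair = defaultdict(list)
    for _kind, ts, src, dst, _user in (e for e in events if e[0] == "logon_fail"):
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append(pair)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("beacons:", periodic_beacons(EVENTS))
    print("brute force:", smb_bruteforce(EVENTS))
```

Only ws-17's traffic to 203.0.113.9 fires the beacon check; its short-lived HTTPS connections and ws-42's irregular ones do not.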

Destover: Destructive malware has links to attacks on South Korea

Backdoor.Destover, the destructive malware that was the subject of an FBI Flash Warning this week, shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.  

Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution. Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.

Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013. However, there is no hard evidence as yet to link the attacks, and a copycat operation can't be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same, commercially available drivers. However, in this instance it appears highly unlikely that the same group was behind both attacks; instead, it would appear that the Destover attacks copied techniques from Shamoon.

Destover in action

Destover is a particularly damaging form of malware that is capable of completely wiping an infected computer. It was the subject of an FBI Flash Warning earlier this week after at least one variant of it was understood to have been used in a high profile attack.

There are several malicious files associated with the FBI Destover report:

  • diskpartmg16.exe
  • net_ver.dat
  • igfxtrayex.exe
  • iissvr.exe

Diskpartmg16.exe is the first file that is created on an infected computer and, when executed, it creates the files net_ver.dat and igfxtrayex.exe.

When “diskpartmg16.exe” is run, it connects to a number of specific IP addresses within a set IP range, as well as computer names in the format “USSDIX[Machine Name]”. This indicates that this variant of Destover was not intended to be indiscriminate and the malware had instead been configured to only attack computers belonging to one particular organization.

The destructive payload of Destover is carried by igfxtrayex.exe. In certain instances, when run, it will:

  • Delete all files on fixed and remote drives
  • Modify the partition table
  • Install an additional module (iissvr.exe)
  • Connect to a number of IP addresses on ports 8080 and 8000.

Iissvr.exe, meanwhile, is a backdoor which listens on port 80. Once an attacker communicates with the compromised computer, this file displays a message, which reads:
“We’ve already warned you, and this is just a beginning.

We continue till our request be met.

We’ve obtained all your internal data including your secrets and top secrets.

If you don’t obey us, we’ll release data shown below to the world.

Determine what will you do till November the 24th, 11:00 PM(GMT).

Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.

Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.

And even if you just try to seek out who we are, all of your data will be released at once.”
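An added example (not Symantec's or the page's code) that correlates the Destover execution chain described above across constructed per-host endpoint events. It scores the parent-child dropping behaviour and the port usage the report lists rather than a bare file name, since names such as igfxtrayex.exe mimic legitimate software; the event schema is an assumption.

```python
"""Correlates the Destover execution chain described above across per-host
endpoint events.  Added example, not Symantec's or the page's code; the
event schema is a constructed simplification."""
from collections import defaultdict

# Stage -> files the report says that stage creates.
DROPS = {"diskpartmg16.exe": {"net_ver.dat", "igfxtrayex.exe"},
         "igfxtrayex.exe": {"iissvr.exe"}}
C2_PORTS = {8080, 8000}     # outbound ports used by igfxtrayex.exe
BACKDOOR_PORT = 80          # port iissvr.exe listens on

# Constructed sample events (not real telemetry):
#   ("file_create", host, process, path)
#   ("listen", host, process, port)
#   ("connect", host, process, dst_port)
EVENTS = [
    ("file_create", "h1", "diskpartmg16.exe", r"C:\Windows\Temp\net_ver.dat"),
    ("file_create", "h1", "diskpartmg16.exe", r"C:\Windows\Temp\igfxtrayex.exe"),
    ("file_create", "h1", "igfxtrayex.exe", r"C:\Windows\Temp\iissvr.exe"),
    ("connect", "h1", "igfxtrayex.exe", 8080),
    ("connect", "h1", "igfxtrayex.exe", 8000),
    ("listen", "h1", "iissvr.exe", 80),
    # h2: a look-alike process name on its own is not the chain.
    ("connect", "h2", "igfxtrayex.exe", 443),
    ("listen", "h2", "httpd.exe", 80),
]


def destover_indicators(events):
    """Return {host: sorted list of matched stage descriptions}.  Only
    behaviour pairs (which process did what) count, so a coincidental
    file name does not fire by itself."""
    found = defaultdict(set)
    for ev in events:
        kind, host, proc = ev[0], ev[1], ev[2].lower()
        if kind == "file_create":
            name = ev[3].rsplit("\\", 1)[-1].lower()
            if name in DROPS.get(proc, ()):
                found[host].add(f"{proc} drops {name}")
        elif kind == "connect" and proc == "igfxtrayex.exe" and ev[3] in C2_PORTS:
            found[host].add(f"igfxtrayex.exe connects to port {ev[3]}")
        elif kind == "listen" and proc == "iissvr.exe" and ev[3] == BACKDOOR_PORT:
            found[host].add("iissvr.exe listens on port 80")
    return {h: sorted(s) for h, s in found.items()}


def triage(events, min_stages=3):
    """Hosts whose matches span at least `min_stages` distinct indicators,
    i.e. the dropper chain rather than one stray name or port."""
    return sorted(h for h, s in destover_indicators(events).items()
                  if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in destover_indicators(EVENTS).items():
        print(host, stages)
    print("hosts to isolate:", triage(EVENTS))
```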

Via Paulo Félix