In Depth Analysis of ‘MBR Killer’

The Evolution of ‘MBR Killer’

Introduction

Information technology, cybersecurity and upper management can gain vital intelligence on threat actors by analyzing past cyberattacks, along with the socio-political and economic implications of cyberwarfare by state and non-state actors. Since 2009, the Democratic People’s Republic of Korea (DPRK) has deployed several families of malicious code to gain unauthorized access to networks at United States government facilities and corporations across the country. Because stealing currency to fund its nuclear and ballistic missile programs remains a primary objective for the DPRK, the state of the country’s prospective denuclearization bears directly on its offensive cyber operations, and examining that relationship helps managers at both government and corporate entities assess the country’s cyber capabilities.

President Trump has met with North Korea’s Supreme Leader, Kim Jong-un, on three separate occasions during his presidency, attempting to reach a diplomatic solution on denuclearization. The first two summits (in Singapore and Vietnam) were considered positive steps toward denuclearization even though neither country agreed to any specific measures. The most recent meeting, at the border between North Korea and South Korea, produced no new security policy but was widely viewed as a positive event; Moon Jae-in, South Korea’s President, called it a potential end to the prospect of military hostility between the two Koreas. The two leaders met in the demilitarized zone (DMZ), a location that provided security for both sides, reaffirmed their commitment to denuclearization talks, and President Trump became the first sitting President of the United States to set foot on North Korean soil. Members of President Trump’s administration have suggested that a fourth summit could take place at the White House later this year.

Critics suggest that while denuclearization talks remain a worthwhile national security and foreign policy measure, the absence of new agreements leaves North Korea free to continue the offensive cyber operations that generate stolen currency for its nuclear ambitions. Although the DPRK signaled a commitment to denuclearization by abandoning a nuclear facility east of Pyongyang in 2017, the regime has continued to launch missiles and to run cyber operations throughout its talks with the United States. Intelligence on these operations suggests to managers that the regime may not be fully committed to denuclearization, since it has not reduced the volume of cyberattacks launched against networks around the globe. In practice, the DPRK and its hacking organizations represent a greater threat to business operations than the country’s conventional military forces.

Over the last decade, the DPRK has conducted numerous cyberattacks on state and non-state actors around the world. The regime has launched thousands of attacks to deny service, collect confidential information and transfer millions in stolen currency to accounts at financial institutions in various countries (most often in the Philippines and Hong Kong). Although North Korea has compromised networks with existing malware families, the regime’s direction of two hacking organizations lets it develop new malicious code aimed at stealing currency to fund its nuclear and ballistic missile programs; those organizations are also at the forefront of creating and deploying malware that is difficult to mitigate, which blurs the line between zero-day exploitation and advanced persistent threat (APT) operations.

Managerial Return on Investment (ROI)

From a managerial perspective, there are six key takeaways cybersecurity professionals can obtain by examining the DPRK’s cyberattacks: (1) the types of cyberattacks launched by the regime, (2) the role of computer networks inside the DPRK, (3) how the regime treats offensive cyber operations as military strategy, (4) the specific methods the DPRK uses to collect stolen currency for its nuclear program, (5) how to mitigate its common threat agents, and (6) how new malicious code affects network security. Managers should treat the DPRK as a threat actor capable of a variety of attacks, including distributed denial of service (DDoS) attacks and multiple versions of ransomware and malware. Computer networks within the DPRK are managed jointly by a single internet service provider (ISP) and the government in the capital. Only around four million people hold government authorization to use computers with internet access, which is usually reserved for government employees and military personnel; it is illegal for other citizens to own a computer or access the internet. All cyberattacks are approved by Bureau 121, a military division that focuses on offensive cyber operations and assists the government in making the final decision to launch particular attacks. The analysis below describes the ransomware and malware used to compromise networks and their capabilities. Managers, together with IT and cybersecurity staff, should familiarize themselves with the mitigation strategies that have succeeded against current DPRK threat agents, while keeping in mind that future innovation could change the strategies needed to counter the regime’s new developments.

Impacts within an Organization

Upper management should view the DPRK’s cyberattacks as a significant threat to government and corporate networks. The regime has a variety of ways to compromise networks, including DDoS, malware and ransomware attacks. A sound strategy for management is to gather intelligence and conduct research on the threat agents developed by the DPRK, and by other state and non-state actors, both as a preventive measure and as input for mitigation strategies and security policy development. Because many of the DPRK’s latest threat agents are complex, cybersecurity professionals should aim to identify DPRK intrusions as early as possible in order to mitigate the malicious code effectively. It is good practice to update intelligence and research on the DPRK continuously, since the regime keeps looking for technical ways to improve threat agents that have already proven successful for it.

Management Issues and Considerations

A best practice for management and cybersecurity professionals is to train and educate staff to recognize social engineering attempts that could affect company networks. Another is to research open sources continuously, since strategies for common threat agents launched in other territories can reveal ways to prevent or mitigate those threats. There are currently thousands of sources on the internet describing the DPRK’s cyberattacks and best practices for removing them and patching networks. One of the most significant decisions management and cybersecurity professionals must make concerns the first step of a mitigation strategy: either isolate the threat agent by removing affected systems from the network, or use decoy systems such as honeypots to collect more data for a forensic analysis and report to upper management.

Although the DPRK has developed into a state actor capable of launching a variety of cyberattacks, it remains the least wired nation in the world. The country’s internet has two outbound links, one crossing the Yalu River into China and one into eastern Russia (Johnson, 2019). Internet traffic remains low throughout the country, as only about four million people have limited access to the internet. Even though there are only a few live networks in the DPRK, the country has become one of the strongest state actors in offensive cyber operations because of its commitment to developing students (at Kim Il Sung University and Kim Chaek University of Technology) into hackers for its cyber organizations in Pyongyang. United States intelligence estimates there are between 3,000 and 6,000 trained hackers operating from three separate locations in Pyongyang. Because there are so few active networks in the country, the government can shut down the internet at any time, which makes the DPRK a difficult target for counter-operations by other state actors. From a managerial perspective, the DPRK appears well positioned to attack business networks efficiently while preventing others from compromising its own.

Even though the DPRK has few networks within its borders, the country’s offensive cyber operations have become more dangerous than its nuclear program. According to United States reports, the regime’s cyber capabilities far outweigh its ability to launch nuclear weapons on a large scale. From a managerial perspective, it is more important to examine the DPRK’s use of complex ransomware than its other threat agents, as ransomware poses the greatest risk of disrupting business operations. According to Crowdstrike and the Asian Institute for Policy Studies, the regime’s ransomware attacks are state-sponsored fundraisers for the government. Crowdstrike expects the DPRK to keep attacking its adversaries, including Japan, South Korea and the United States. The firm also highlights the vulnerability of the United States, whose businesses, government operations and critical infrastructure depend heavily on computer networks, which makes it a primary target for DPRK cyberattacks. These attacks continue despite diplomatic talks with other state actors. The Asian Institute for Policy Studies report adds that the DPRK also frequently launches DDoS attacks and conducts espionage. The regime’s cyber operations are relatively inexpensive and carry little risk of pressure from international organizations.

Bureau 121, the division within North Korea’s government that coordinates offensive cyber operations with the military, is also responsible for recruiting prospective hackers for the country’s two main hacking groups, APT38 and Lazarus (APT38 is generally described by researchers as the financially focused unit within the broader Lazarus Group). These organizations form a communications triad: Bureau 121 connects cyber strategy with military strategy, Lazarus develops malicious code and frequently attacks cryptocurrency organizations, and APT38 also creates new threat agents and specializes in attacks against financial institutions. Cybersecurity professionals assert that the DPRK poses a significant threat to banks, governments and businesses, which could lose millions of dollars to the regime’s operations; the attacks may also put pressure on individual technology users around the world and damage economies in less developed countries. Bureau 121 sends different tasking to each hacking group at any given time. North Korea uses its cyber resources to develop new threat agents, including multiple versions of malware and ransomware. The usual division of labor is for one group to develop new malicious code with specific qualities while the other searches open sources for existing scripts it can extend to make them harder to mitigate. For large operations, like the 2017 WannaCry ransomware attack, Bureau 121 tasks both organizations with the same objective and they work together to carry out the operation.

While the DPRK has engaged in many acts of cyberterrorism, the country’s main objective remains to fund its nuclear and ballistic missile programs through cyberattacks, and cybersecurity experts suggest that the DPRK may increase the number of attacks against the United States. Because the DPRK and the United States have not reached an agreement on relief from economic sanctions, the former has no incentive to decrease or halt its cyber operations. After the summit in February, the DPRK offered to dismantle an additional nuclear facility in exchange for the United States lifting sanctions; this did not happen, as the United States wanted comprehensive dismantling of all nuclear facilities in the country. President Obama imposed new sanctions against the DPRK in 2016, which strained the regime’s economy and made it more interested in denuclearization talks. Since that policy took effect, the DPRK has stepped up its offensive cyber operations, launching one of the most widespread ransomware attacks in 2017 and numerous malware attacks on financial institutions between 2016 and 2019. The DPRK has not offered to reduce cybercrime and cyberterrorism in exchange for lifting sanctions, which could be leveraged in diplomatic exchanges with the United States. A report by the United Nations Panel of Experts for the North Korea Sanctions Committee asserted that the regime collected $571 million in stolen currency between 2017 and 2018, which indicates its intent to continue cyber operations while talking with the United States about denuclearization. During this period the DPRK launched attacks that affected hundreds of thousands of computers and networks, broke into healthcare systems, disrupted business operations and ranked among the greatest threats to critical infrastructure within the United States and around the world.

After reviewing the most notable attacks conducted by the DPRK, it is safe to assert that the regime has one of the most effective offensive cyber programs among countries with similar or greater resources such as China, Russia and Iran. The regime’s most frequently analyzed attacks include the 2009 DDoS attack on the United States and South Korea, the 2014 hack of Sony Pictures Entertainment, the 2017 WannaCry ransomware attack on Windows PCs, and a series of attacks on the financial sector in many territories that produced innovative malware that remains difficult to mitigate. Even though the country has few computer networks of its own, its hacking capabilities let it target territories with a far greater dependency on computer networks.

One of the DPRK’s first instances of cyberterrorism occurred in 2009, when a distributed denial of service (DDoS) attack widely attributed to the regime hit US government websites beginning on the Fourth of July weekend. The attack affected 27 government agencies in the United States and South Korea and took down commercial websites as well. Forensic analysis by the United States found that the operators, attributed to Pyongyang, controlled around 65,000 compromised computers and used them to flood government and commercial websites with traffic that caused them to slow down or stop functioning properly. Affected sites in the United States included the Pentagon, the Treasury Department, the Secret Service, the White House, the Federal Trade Commission and the Transportation Department. From a managerial perspective, security policies that prepare organizations for DDoS attacks help cybersecurity professionals with both preventive measures and sound mitigation strategies.

Managers should also prepare for attacks similar to the 2014 hack of Sony Pictures Entertainment, in which the DPRK showed that it can target networks within private organizations at any time, with no regulation preventing it from launching malware attacks in other countries. The FBI, with support from the Department of Homeland Security, assisted Sony with its forensic examination and mitigation, identifying the hackers’ point of intrusion, the leaked company documents and the stored data that had been destroyed. The DPRK launched the attack after its government sent a letter to the United Nations requesting a ban on the Sony comedy “The Interview”, which depicts United States operatives assassinating the country’s Supreme Leader, Kim Jong-un. The attack caused more than $35 million in damage to Sony and exposed much of its confidential information to competing studios. It is important for cybersecurity staff and management to include strategies for handling this type of destructive malware and data-theft attack in order to preserve the integrity of company information.

In 2017, the DPRK launched the most widespread ransomware attack to date with WannaCry. The ransomware exploited a vulnerability in Windows SMBv1 (patched by Microsoft in MS17-010 two months earlier) and infected more than 300,000 PCs within about four days before a researcher registered the kill-switch domain embedded in the code. The regime collected far less money than the scale suggests (the ransom wallets received well under a million dollars in bitcoin), but the disruption to hospitals, manufacturers and government networks was severe, so cybersecurity professionals should work with upper management on strategies that reduce or prevent the number of infected machines. Such an attack poses a significant risk to private sector entities, government networks and critical infrastructure. WannaCry spread quickly because, in addition to encrypting files, it carried EternalBlue, a leaked NSA exploit for the SMB vulnerability, which let it move to every unpatched computer it could reach. Forensic analysis indicates that the initial spread did not rely on bypassing authentication or on email phishing; the code scanned for reachable SMB service on TCP port 445 and exploited it directly, so one infected host could compromise every unpatched host on the same network or exposed to the internet. A sound strategy for management is to keep Windows hosts patched, disable SMBv1, and block TCP port 445 at the perimeter and between user segments so that a single infected host cannot reach the rest of the network.
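The worm behaviour described above has a simple network signature: one host opening SMB connections to many distinct neighbours within seconds. The following is an added example, not code from the article or any vendor, of that detection run over constructed flow records; the log format, the 60-second window and the threshold of 10 distinct targets are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Added example (not from the article): flag internal hosts whose tcp/445
fan-out looks like an SMB worm such as WannaCry.  The log format, window
and threshold below are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall / flow records: "<ISO time> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 -> 10.0.1.20:445
2017-05-12T10:00:02 10.0.1.15 -> 10.0.1.21:445
2017-05-12T10:00:02 10.0.1.15 -> 10.0.1.22:445
2017-05-12T10:00:03 10.0.1.15 -> 10.0.1.23:445
2017-05-12T10:00:03 10.0.1.15 -> 10.0.1.24:445
2017-05-12T10:00:04 10.0.1.15 -> 10.0.1.25:445
2017-05-12T10:00:05 10.0.1.15 -> 10.0.1.26:445
2017-05-12T10:00:05 10.0.1.15 -> 10.0.1.27:445
2017-05-12T10:00:06 10.0.1.15 -> 10.0.1.28:445
2017-05-12T10:00:06 10.0.1.15 -> 10.0.1.29:445
2017-05-12T10:00:07 10.0.1.15 -> 10.0.1.30:445
2017-05-12T10:00:10 10.0.1.40 -> 10.0.1.5:445
2017-05-12T10:00:11 10.0.1.40 -> 10.0.1.5:445
2017-05-12T10:05:00 10.0.1.40 -> 10.0.1.6:445
2017-05-12T10:00:12 10.0.1.50 -> 10.0.1.20:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port), or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout_alerts(log_text, window_seconds=60, threshold=10):
    """Map each source to its peak number of distinct tcp/445 destinations
    inside any sliding window; return only sources at or above threshold.
    A worm touches many distinct hosts quickly, while a normal client talks
    to a few file servers repeatedly, so the distinct-destination count is
    the discriminator rather than the raw connection count."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # records may arrive out of order
        peak, left = 0, 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in evs[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, count in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} distinct SMB targets within 60s")
```

In the constructed sample only 10.0.1.15 trips the alert; 10.0.1.40 reaches two targets but five minutes apart, and 10.0.1.50 is talking HTTPS, not SMB. The same logic applies to any source of per-connection records (firewall logs, NetFlow, Zeek conn.log) once the parser is adapted.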

While the DPRK’s development of weapons of mass destruction has slowed over the years, the government has become increasingly interested in widespread attacks on financial infrastructure in many territories around the world. According to FireEye, a cybersecurity research firm, the DPRK paused its nuclear development for much of 2018 but continued its hacking operations in order to obtain currency. FireEye reports that the regime illegally collected hundreds of millions of dollars through cyberattacks from 2014 to 2018, using complex malware, much of it developed in Pyongyang, that affected networks in at least 11 countries. The DPRK remains an active global threat to any company, government or critical infrastructure in any location. FireEye notes that the Department of Homeland Security (DHS) and Department of Defense (DoD) have identified the DPRK as one of the most dangerous state actors from a cyber perspective, alongside Iran, Russia and China. DHS contributed to the report and identified that the DPRK has increased attacks on ATM systems in various countries, including smaller territories in Central and South America, Asia and Africa, affecting networks in 23 different countries.

One of the DPRK’s most frequently discussed tools today was built on source code that became publicly available in 2016. Buhtrap, the name researchers gave both to a criminal group thought to operate from inside Russia and Ukraine and to its malware toolkit (from the Russian word “buhgalter”, meaning “accountant”), appeared in 2014 and targeted Russian financial institutions. The toolkit was used to steal about $25.1 million in 13 successful attacks on Russian banks between 2015 and 2016. Russian financial institutions then improved their ability to identify and mitigate Buhtrap, and in 2016 the toolkit’s source code was posted openly on the internet rather than on the dark web. A DPRK hacking organization obtained the source and set out to extend the malware so that it would be harder to mitigate. The leaked code mixed raw assembly language, PHP, C and C++; although assembly is an unusual choice for this kind of malware, the new developers kept it, building on Buhtrap’s original four files and, according to the available reporting, adding 14 new modules. The resulting malware is tracked as “MBR Killer” for its ability to overwrite the master boot record, mask its communications and currency transfers, and launch a component (kill_os.exe) that the reporting describes as uninstalling the malware and removing its traces from log files and other timestamped artifacts in the operating system.

“MBR Killer” is one of the DPRK’s most frequently used malware families, and much of the available intelligence on it comes from the attacks on Redbanc (the interbank network that connects Chile’s ATMs) and Bank of Chile. In the Redbanc case the DPRK used social engineering: a Redbanc employee was invited to a fake job interview over Skype and sent a malicious download, which gave the attackers the employee’s Redbanc credentials. With that foothold they could see bank accounts and the funds available in them. At Bank of Chile the same malware was used to disable thousands of workstations while the attackers fraudulently wired about $10 million from the bank’s accounts.
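Because the payload’s signature effect is an overwritten master boot record, a cheap host-level control is to baseline the first sector of each disk and re-check it on a schedule or from a response playbook. The block below is an added example written for this page, not code from the article or from any vendor; the sample sector is constructed in code, and reading a real sector (the first 512 bytes of /dev/sda on Linux, or the physical drive device on Windows) requires administrator rights and is left to the caller.

```python
"""Added example (not from the article or any vendor): a boot-sector
integrity check of the kind that catches an MBR-wiping payload.  The sector
below is constructed; on a real host read the first 512 bytes of the disk
(e.g. /dev/sda on Linux or \\.\PhysicalDrive0 on Windows) with admin rights."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def build_sample_mbr():
    """Constructed MBR: dummy boot code, one bootable NTFS (type 0x07)
    partition starting at LBA 2048, three empty entries, valid signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PART_TABLE_OFFSET - 3)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Decode the signature and non-empty partition entries; hash the sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions,
            "sha256": hashlib.sha256(sector).hexdigest()}


def check_mbr(sector, baseline_sha256):
    """Compare a freshly read sector with a baseline hash recorded while the
    host was known-good.  Any finding means the disk will not boot cleanly
    or something has rewritten the sector since the baseline was taken."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing (sector zeroed or overwritten)")
    if not info["partitions"]:
        findings.append("partition table empty")
    if info["sha256"] != baseline_sha256:
        findings.append("sector hash differs from baseline")
    return {"ok": not findings, "findings": findings, **info}


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]        # record this on a clean host
    print(check_mbr(good, baseline)["ok"])      # True
    print(check_mbr(b"\x00" * SECTOR_SIZE, baseline)["findings"])
```

The hash comparison is what matters operationally: a wiper that leaves the 0x55AA bytes intact while zeroing the partition table or boot code still shows up as a baseline mismatch, and an unexpected change to the stored baseline itself (for example after a legitimate bootloader update) is a change-control event worth recording.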

Upper management and cybersecurity professionals have a greater chance of mitigating both version 1 (“Buhtrap”) and version 2 (“MBR Killer”) of the malware if they follow a three-step process: isolation, identification and implementation. The United States Computer Emergency Readiness Team (US-CERT) recommends an 11-step process for mitigating malware like “Buhtrap” and “MBR Killer”. In short: isolate the threat agent as soon as it is detected; conduct a forensic analysis to learn the malware’s capabilities and how future infection can be prevented; and implement the measures that remove the threat agent and monitor the network to confirm it does not return. Ultimately, all of this data must be compiled into an informative report for upper management, who will use it to improve security policies and make networks at government and corporate entities more secure.

Comparison with Related Technologies

A third version of the malware could automate the 14 new modules within “MBR Killer” and change the paradigm of the ideal cyberattack into one that is a zero-day attack and an advanced persistent threat (APT) at the same time. Both version 1 and version 2 currently need a command from an operator in Pyongyang to run any of their executables; if that decision logic moved into the malware itself, with conditional statements that trigger the transfer, the wipe and the self-removal after a set period, the malware could operate without a live operator. Such automation would create “ticking time bomb” scenarios in which attackers wire currency and collect stored data while leaving little for forensic examination. This puts pressure on cybersecurity professionals and upper management to identify threat agents as early as possible and to apply a comprehensive mitigation strategy to remove them.

It remains a vital component of cybersecurity strategy and policy that organizations deploy technologies that support network security, such as firewalls, intrusion detection and prevention systems, anti-virus software, virtual private networks (VPNs) and encryption. These are the most important technical components of network security at any company. While many threat agents can be isolated by removing the point of entry from the network, the latest DPRK malware can uninstall itself and remove its traces on command from a single operator in Pyongyang, which makes forensic analysis and effective mitigation significantly more difficult.

Concerns for Management and Potential Applicability

To better prepare an organization for intrusion by DPRK threat agents, it is good practice to identify in advance the mitigation strategies that can defend networks against the DPRK’s common attacks, before the attackers gain unauthorized access. Management should also provide IT and cybersecurity professionals with the technical resources needed to identify threat agents early, so that DPRK operators cannot remain unnoticed on the network while transferring stolen currency, exfiltrating stored data or observing communications applications. A key part of defending networks while keeping security policies applicable is for management to design IT and cybersecurity strategies that assign specific roles and responsibilities, giving staff the authority to implement their sections of the security policy and thereby strengthening the organization’s ability to defend against DPRK attacks.

Advantages and Disadvantages

The following nine security practices should be adopted by upper management and cybersecurity professionals to protect networks at financial institutions: do not click suspicious links; browse the web securely; beware of downloading malicious code while browsing; protect mobile devices; create strong passwords; lock computer terminals when appropriate; keep anti-virus software updated; stay alert to social engineering; and educate staff on the security policy and on company data. These are sound, proven practices that can strengthen any policy after a threat agent has been mitigated and traffic is being monitored for its possible return. In addition, Gartner’s top seven security and risk trends for 2019 highlight further components that can become best practices in security policy development: inform stakeholders and upper management of vulnerability data and risk assessments; improve threat detection and response; prioritize data security effectively; use biometrics for authentication where possible; consider engaging an outside cybersecurity firm to assist with policy formation; ensure the policy contains measures to strengthen cloud security; and adopt a continuous adaptive risk and trust assessment (CARTA) strategy so that cybersecurity staff are always identifying areas where network security can be improved.

These components bear directly on the three essential takeaways from collecting intelligence on DPRK threat agents and forming effective security policy: (1) upper management should treat the DPRK’s offensive cyber operations as threats that can exploit company vulnerabilities through malware, ransomware and DDoS; (2) early detection and prevention make mitigation of DPRK attacks more efficient; and (3) as much intelligence as possible should be collected on threat agents during mitigation in order to prepare for future attacks with the same or a modified version of the malware. From a management perspective, the advantage of analyzing the DPRK and its threat agents is that it gives organizations the material for effective cybersecurity policies and mitigation strategies: identifying threat agents, collecting intelligence, conducting forensic analysis, and choosing the best measures for removing malicious code and restoring network security. The most significant disadvantage is the DPRK’s continued innovation in malware, which directly increases the time and resources cybersecurity professionals need to defend networks against intrusion.

Conclusion

The DPRK has the reputation of a state actor that conducts cyberattacks as part of an offensive cyber strategy that funds its nuclear program. The regime uses a variety of attacks that can affect government, corporate and personal networks, and it has the potential to affect telecommunications networks around the world. Open sources contain a wealth of information on past and present DPRK threat agents, which serves as an ongoing resource for management, IT and cybersecurity professionals. The regime’s cyber capabilities far exceed its conventional military strength. The country frequently develops challenging malicious code through the communications triad of Bureau 121, APT38 and Lazarus. Because the DPRK is the least wired country in the world, with very few networks inside its borders, other state actors find it difficult to launch cyberattacks against it. It is accurate to assert that the DPRK’s offensive cyber operations are a more significant threat to governments and businesses than its nuclear program. From a managerial perspective, the DPRK appears to have capabilities comparable to those of more populous state actors such as China, Iran and Russia.
