Information Warfare: Hackers Versus Bounty Hunters

Archives

:

September 6, 2020: In early August 2020 Israel revealed that it had prevented a hacker attack on one of its defense firms and prevented any damage. Earlier ClearSky, an Internet security firm, reported that the Lazarus Group, a major hacking organization associated with North Korea, had been conducting a major spear phishing (spear fishing) campaign directed at specific individuals in defense firms worldwide including Israel. This may be what alerted Israel to the threat. Using the attack profile provided by ClearSky Israel apparently detected one such Lazarus Group hack into an Israeli firm and disrupted this hacking effort.

This ambitious and worldwide Lazarus campaign has been called Dream Job because it uses social engineering efforts against key people in defense firms to make them believe the Lazarus Group operators are recruiters representing major American defense firms seeking to fill very well-paying jobs that the target is somewhat qualified for. Lazarus Group put an impressive amount of work into this effort, which began in 2019 with gathering considerable current background information on the dozens of individuals targeted for the spearfishing and then updating that information while the victim was being cultivated.

The Dream Job operation employed techniques that have become standard for similar large-scale attacks. The main element is not hacker software but the exploitation of human error. Despite widespread awareness of this approach, similar campaigns enjoy continued success with attacks via the Internet against specific civilian, military, and government individuals using psychology, rather than just technology.

This sort of thing is often carried out in the form of official looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but from someone they recognize. This is known in the trade as "spear fishing" (or "phishing"), which is a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the email recipient's PC to the spear fisher's computer. For the last few years an increasing number of military, government, and contractor personnel have received these official-looking emails with a PDF document attached and asking for prompt attention. Spear fishing still works if the hackers can compile a large amount of personal information on the targets and then use it effectively. The Dream Job effort was well designed because no job was ever actually offered and that gave the Lazarus Group operative a realistic opportunity to break contact without raising suspicions. Apparently, some Internet security analysts did detect the Dream Job attack pattern but not before it was active for nearly six months. The Dream Job campaign apparently began early in 2020 and it is still unclear how many firms got penetrated.

The Dream Job script involved just sending an email to determine if the recipient was interested in the “dream job”. If not, that was the end of it. If there was interest there would be further discussions via email, WhatsApp or even phone calls and eventually documents would be sent, as email attachments. The first documents would be clean (no hidden malware included) so as not to alert any suspicion or detection from attachment screening systems many firms now use. Once the recruiter was seen as a trusted correspondent the attachment with the malware would be sent and this would be the key to penetrating the classified network of the firm the Dream Job applicant worked for. Such recruiting techniques are quite common in high-tech industries and most of the enquiries don’t work out. The Dream Job social engineering plan had already prepared numerous plausible reasons for ultimately rejecting, or ending the recruiting effort for an individual.

ClearSky did not reveal the details of how it detected Dream Job, but this often done by using software to seek specific information from clients that might reveal patterns indicating a possible spearfishing campaign. Being successful at this is one of the reasons so many Internet security companies are in business. These firms also collect a lot of useful information about hacking groups. The Lazarus Group is either a part of the North Korean Cyber War forces or is a China based hacker group that has done a lot of freelance hacking for North Korea, which is mainly interested in obtaining untraceable cash, not tech secrets.

Nevertheless, earlier in 2020 the United States offered a $5 million reward for useful information on North Korean hackers and the North Korea hacking program in general. The North Korean hackers have been concentrating on raising cash for the North Korean ballistic missile and nuclear weapons programs. Their favorite targets are banks and other financial organizations, including those that handle cryptocurrency. It is estimated that the program has taken about $2 billion so far. In the process North Korean hackers take control of PCs and local networks by infecting individual computers and having the infected machine mine new cryptocurrency when idle. Similar intrusion methods are used to encrypt hard drives and demand ransom to regain access to the data. For users without adequate backups they must either pay or remain unable to use their data.

This is not the first time bounties have been offered to catch hackers. In late 2019 the U.S. imposed sanctions on Lazarus Group, Andariel, and Bluenoroff, three known North Korean hacker groups. The problem with catching these hackers is the lack of information on where these groups operate from and who the key personnel are. Thus, the new bounties program. Some individuals are known but these are non-North Koreans who have provided support services for the North Korean. These support individuals were often unable to identify North Korean hackers. To further complicate matters, most of the North Korean hackers operate from locations in China, where the Internet infrastructure is better suited for hacking targets around the world. The North Koreans pay Chinese police for protection and are not bothered by the secret police because the North Koreans supply the Chinese with useful information they have stolen from South Korea, Japan and other Asian and European nations. Sometimes North Korean hackers operate outside of China and information on where and who these hackers are would be very valuable. North Korea is aware of the danger, and the temptation for some of these hackers to flee. Each hacker group is assigned a security team whose main job is to keep the hackers from misbehaving or fleeing.

The U.S. has experience in successfully using rewards to obtain key information on bad actors. The American rewards program has been in operation since 1984, and after 2001 the rewards for key Islamic terrorists got larger and larger. Since the 1980s the program has paid out nearly $150 million to over a hundred informants. These rewards were often accompanied by the relocation of the informant and family to safer locations, sometimes the United States.

The larger rewards created a lot of new problems making the program work. The key problems were getting information about the rewards to potential informers and developing methods for making contact with potential informers, get the information and make arrangements for payment. Methods were developed and most were kept secret for obvious reasons.

While it is difficult to reach known North Korean hackers in China, the U.S. has gained experience in this sort of thing while using the rewards program for known Islamic terrorists in Pakistan, or Afghan areas heavily guarded by the Taliban. More Pakistanis and Afghans began taking advantage of the reward program and living to spend the money because the Americans found ways to overcome the obstacles. That made the Taliban leadership, on both sides of the border, very uneasy. For example, the U.S. has given Pakistan's main intelligence agency; ISI (Inter Service Intelligence agency), tens of millions of dollars for rewards, since September 11, 2001. The money was a reward for the capture or killing of wanted Islamic terrorists. The live ones were turned over to the United States. Pakistan says it captured over 600 of these terrorists, but the actual number is believed to be greater. The U.S. did not look closely at exactly who got the reward money.

By the late 1980s the United States was offering rewards of one to seven million dollars for information leading to the capture of terrorists, and lesser amounts to those who provided evidence against a terrorist or provided good information about a planned terrorist act. By September 11, 2001, five major terrorists had been captured because of this program. Over $6 million was been paid out in over 20 cases. Some 42 percent of the informants requested security protection and another 42 percent sought relocation for themselves and family members to another country or region to avoid retaliation.

Since then, the number of high-value people captured with this program has more than tripled and the amount of money paid out has increased even more. However, one problem with the reward program is that it does not pay attention to the realities of international terrorism. Most major terrorists, like Osama bin Laden, are well protected and hidden. Sure, there are people who know where they are and can get in contact with people around the bad guy. But an operation to nab one of these men requires a getting the message out to those who have the information, and providing informants with a realistic way to call in and then collect.

North Korea hackers and hackers, in general belong to a different culture, or many different cultures. To make a rewards program work, you must adapt to the culture potential informants live in. It is known that North Korea has over a thousand hackers based in China, accompanied by a large contingent of secret police to ensure that none of the hackers defects. So far that security system appears to have worked. Yet even North Korean secret policemen have been corrupted and more of them are taking bribes. So there is an opportunity here for a rewards program to work. Yet if it does it may be a long time, if ever, that the details become public knowledge.