In crossing the threshold of unmasking an alleged Lazarus Group member last week, the Department of Justice showed the efficacy of combining private digital forensics with the long arm of the law. Yet if history is any guide, experts say outing the alleged hacker will do little to curb North Korea’s behavior. Instead, research believe the group will likely clean up its operational security and continue to evolve.
In the years that Eric Chien, technical director of Symantec’s Security Response, has been tracking the Pyongyang-linked hacking group, “all we’ve seen is an escalation,” he said. “They’ve only gotten more bold and more experienced in their attacks.”
The charges announced Thursday by the Justice Department against North Korean computer programmer Park Jin Hyok showed slip-ups in Park’s operational security, known colloquially as OPSEC. For example, investigators were able to tie email accounts apparently used by Park’s front company in China to spearphishing and reconnaissance conducted ahead of some of Lazarus’s alleged hacking operations.
Hyok’s work was tied to the infamous 2014 hack of Sony Pictures and 2017 WannaCry ransomware incident.
The exposure of the Lazarus-linked email accounts will force the group to set up new infrastructure, according to Chien. “If they’re smart, if they’re reasonable, you would expect that they would basically stop using Hotmail and Gmail accounts,” which could be the subject of search warrants, he added.
Benjamin Read, FireEye’s senior manager for cyber espionage analysis, told CyberScoop that the North Korean hackers have steadily honed their tactics in recent years, and that that evolution will continue. He believes the malicious-activity indicators that appear in the complaint have probably long been ditched by the group.
“If there’s a domain or a hash that gets published [the group] stops using that,” he said. (FireEye tracks a threat group it calls TEMP.Hermit, which largely overlaps with Lazarus.)
Lazarus has a deep bench
The Justice complaint draws extensively on research from Symantec and Mandiant, FireEye’s incident response unit. While private researchers had used digital forensics to tie the group’s attacks to computer infrastructure in East Asia, revealing the true identity of the hackers had proved elusive.
“People have always believed that the actors themselves were both in places like North Korea and also in China,” Chien said. “But sitting where we are, just looking at zeros and ones inside of binary code, we can’t really see that. We can see the attacks originating from certain machines and certain regions, but that doesn’t mean that the people are physically sitting there.”
Security researchers, after all, don’t have the subpoena power of law enforcement, which proved effective in building a case as FBI agent Nathan Shields was able to access online accounts allegedly used by Park from companies like Google.
Collaboration between U.S. law enforcement and heavyweight cybersecurity companies will continue to be crucial to prosecuting criminal hacking cases. But effectively deterring a group as brazen as Lazarus is another story.
Neither Read nor Chien expected the North Korean hackers to tone down their activity in response to the Justice Department complaint. There was no downturn in hacking after the United States blamed North Korea for the destructive attack on Sony Pictures and for the WannaCry ransomware, according to researchers.
In terms of putting a dent in Lazarus’s operations, the charges will do little. It is unlikely that Park will ever see the inside of a U.S. courtroom. And there could be many more hackers like Park in the group: Chien estimated that Lazarus’s ranks are in the “low hundreds” in terms of personnel.
It might take less high-profile acts than criminal charges to frustrate Lazarus. The group does not use the most sophisticated tools on the market, and patching known vulnerabilities could help thwart some of their activity.
“On the technical side, these guys aren’t the most advanced,” Chien said. “We definitely see [nation-state groups] that are head and shoulders above what these guys are doing.”