Foiled North Korean attack shows progress since SolarWinds


With help from Maggie Miller

North Korean hackers were on the verge of causing widespread damage through the software supply chain, but private sector security companies stepped in to stop them. It’s a sign of progress roughly three years after SolarWinds, industry experts say.

HAPPY MONDAY, and welcome to Morning Cybersecurity! You may have heard by now that I received huge news on Saturday: I am now CEO of POLITICO.

My first two moves as commander-in-chief? Commencing prep for the mega party of the century on April 1, 2024 — my one-year anniversary helming the publication — and decreeing that retroactive workplace April Fools’ Day jokes are fair game if the holiday falls on a weekend.

Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Rep. Mikie Sherrill (D-N.J.), and retired Navy Adm. Harry Harris Jr. appear at a Washington Post Live virtual discussion on “U.S. military readiness and innovation in a new international and technological era.” 11 a.m.

CAUGHT IN THE ACT — If it’s news to you that (likely) North Korean hackers nearly mounted a SolarWinds-sized cyberattack, don’t beat yourself up.

Pyongyang’s attempt to slink into the software delivery pipeline of a widely used enterprise communications firm named 3CX hasn’t gotten much attention within the Beltway because private sector security companies largely nipped it in the bud. (I also heard there was some news regarding a former president late last week?)

And while the now-foiled campaign offers some alarming signs that Pyongyang is moving up the hacker hierarchy by replicating Kremlin tradecraft, as I reported Friday (for subscribers, alas!), the incident also shows how far the defensive community has come since 2020, when Russian hackers rode the supply chain’s secretive back alley en route to a nine-month jaunt through some nine federal agencies and 100 private companies.

“I think the only reason we’re not looking at a SolarWinds 2.0 is really the response time of the industry,” said Juan Andres Guerrero-Saade, senior director of SentinelLabs, the research arm of security firm SentinelOne.

“Detecting a supply chain attack is really difficult,” added Adam Meyers, senior vice president of intelligence at CrowdStrike. “The fact that we were able to stop this inside of a few weeks, not several months, is a huge win.”

The details — Pyongyang’s hackers first infiltrated the update mechanism for 3CX’s flagship desktop communication software and turned it into a trojan horse for malware — a deft feat that incident response firm Mandiant is now investigating.

For the public, 3CX’s problems only began to surface on March 22, when a subset of its 600,000 customers received a suspicious-looking update to the 3CX software, which triggered alerts in their endpoint security products.

While customers quickly began to voice concern, the updates carried the legitimate digital signature of a known vendor, 3CX. Because they failed to get much help from the firm itself — whose CEO later acknowledged it was slow to investigate the issue — many customers opted to ignore the red flags, assuming it was a false positive.

Caught red-handed — About one week later, on March 29, the altered 3CX desktop software began to phone home to a GitHub repository and, in turn, a slate of suspicious web domains controlled by the North Koreans.

That seven-day “sleep period” seems designed to throw off defenders, said John Hammond, a senior security researcher at Huntress. But given that 3CX users and their security providers already had a close eye on the 3CX app, the security community quickly zeroed in on the “especially shady” new activity.

“On the 29th, the storm kicks up and it becomes clear it was something absolutely worth discussing and tracking,” said Hammond.
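The sequence described above (a vendor-signed update, roughly a week of silence, then a beacon to a GitHub repository and on to attacker-controlled domains) is exactly the kind of pattern endpoint telemetry can surface once install events are correlated with later network connections from the same binary. The following is an added illustration, not code from the article, from 3CX, or from any of the vendors quoted here: a small Python detector run over constructed telemetry. The process name, signer, expected-host allowlist, the raw.githubusercontent.com destination and the second-stage domain are all assumptions made for the example; the article names none of them.

```python
# Added example (not from the article or any vendor's tooling): flag a
# "sleep, then beacon" pattern in endpoint telemetry. The log format,
# hostnames, process name and signer below are constructed for illustration.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical: the signed desktop app we are watching and the hosts it is
# expected to contact during normal operation.
WATCHED_IMAGE = "VendorDesktopApp.exe"
EXPECTED_HOSTS = {"updates.vendor.example", "licensing.vendor.example"}

# Constructed newline-delimited JSON telemetry: an update install, benign
# traffic, a week of silence, then contact with an unexpected host (the
# article describes a GitHub repository) followed by a second-stage domain.
# One malformed line is included to show the parser tolerates it.
SAMPLE_TELEMETRY = """
{"ts": "2023-03-22T09:00:00", "host": "ws01", "type": "install", "image": "VendorDesktopApp.exe", "signer": "Vendor Inc."}
{"ts": "2023-03-22T09:05:00", "host": "ws01", "type": "netconn", "image": "VendorDesktopApp.exe", "dest": "updates.vendor.example"}
not json at all
{"ts": "2023-03-29T09:00:00", "host": "ws01", "type": "netconn", "image": "VendorDesktopApp.exe", "dest": "raw.githubusercontent.com"}
{"ts": "2023-03-29T09:01:00", "host": "ws01", "type": "netconn", "image": "VendorDesktopApp.exe", "dest": "stage2.c2-domain.invalid"}
{"ts": "2023-03-29T11:00:00", "host": "ws02", "type": "netconn", "image": "VendorDesktopApp.exe", "dest": "raw.githubusercontent.com"}
"""


@dataclass
class Finding:
    host: str
    dest: str
    signer: str
    dwell_days: Optional[float]  # None when no install event was seen for the host
    reason: str


def parse_events(lines) -> list:
    """Parse NDJSON telemetry, skipping blank or malformed lines, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, min_dwell: timedelta = timedelta(days=3)) -> List[Finding]:
    """Return one Finding per (host, destination) where the watched binary
    reached a host outside EXPECTED_HOSTS. A valid signer does not suppress
    the finding; it is recorded so the analyst sees the update looked legitimate."""
    installs = {}  # host -> (install time, signer)
    seen = set()   # (host, dest) pairs already reported
    findings = []
    for ev in parse_events(lines):
        if ev.get("image") != WATCHED_IMAGE:
            continue
        if ev.get("type") == "install":
            installs[ev["host"]] = (ev["ts"], ev.get("signer", "unknown"))
        elif ev.get("type") == "netconn":
            dest = ev.get("dest", "")
            key = (ev["host"], dest)
            if dest in EXPECTED_HOSTS or key in seen:
                continue
            seen.add(key)
            install_ts, signer = installs.get(ev["host"], (None, "unknown"))
            dwell = None
            reason = f"outbound connection to unexpected host {dest}"
            if install_ts is not None:
                delta = ev["ts"] - install_ts
                dwell = round(delta.total_seconds() / 86400, 2)
                if delta >= min_dwell:
                    reason += f" after {dwell:.0f} days of dormancy since a signed update"
            else:
                reason += " with no install event on record"
            findings.append(Finding(ev["host"], dest, signer, dwell, reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_TELEMETRY.splitlines()):
        print(f"{f.host}: {f.reason} (signer={f.signer!r})")
```

Two design choices carry the lesson of the 3CX episode. First, the signer is recorded on every finding but never used to suppress one: a valid vendor signature explains who shipped the binary, not why it is talking to a host the product has no business contacting. Second, the dwell time since the install is reported explicitly, so an analyst who dismissed the original update alert as a false positive can see that the quiet week was the implant waiting, not the product behaving normally. The `min_dwell` threshold is a tuning knob, not a hard rule; a shorter or absent sleep would still produce a finding on the unexpected destination alone.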

“Jig is up” — Within a day, CrowdStrike, SentinelOne and a host of other endpoint security companies had outed the activity, dismantled Pyongyang’s command and control infrastructure, and contacted the U.S. government, said CrowdStrike’s Meyers.

Because it was tracking the same North Korean hackers targeting the energy and financial sectors, said Meyers, CrowdStrike was even able to pin the blame on Pyongyang that same day — a rapid but evidently reliable charge that no one has cast doubt on.

And while the North Koreans could still have a toehold inside some companies that downloaded the malicious software, Meyers argued defenders unraveled the campaign so quickly it’s doubtful Pyongyang will be able to get much out of it — an assessment that other firms and even the U.S. government agree with.

“The National Security Council tasked agencies to provide a rapid assessment of impact across government and critical infrastructure — the agencies assessed the impact was minimal,” a senior Biden administration official told MC via email.

“The jig is up,” said Chester Wisniewski, field CTO for applied research at security firm Sophos. The campaign “is effectively neutered at this point.”

Word of caution — Nobody thinks the industry’s response was flawless, let alone that the supply chain is as secure as it needs to be.

Savvier hackers could have bought more time inside victims’ networks by testing their malware against top security products before deploying it, Wisniewski pointed out. Or the North Koreans could have leveraged their access to 3CX’s update channel to launch wide-reaching ransomware or wiper attacks, as Joe Slowik, a threat intelligence manager at Huntress, observes in a recent essay.

“It’s still very much a kind of terrifying situation,” said SentinelOne’s Guerrero-Saade. “It shows just how many different layers there are to the things that we rely on, to the supply chain in general, and how weak a lot of those are.”

But a win is a win — Still, there’s a prevailing sense that defenders did much better than they would have because this happened in the new era of cybersecurity: that is, post-SolarWinds.

“It’s not our first rodeo anymore,” said Huntress’ Hammond.

NEW YEAR, NEW ATTACKS — Russian cyberattacks aimed at Ukrainian organizations are evolving and increasing as the second year of the invasion drags on, though Ukraine and its allies have adapted to respond to these threats, officials said Friday.

A senior U.S. defense official, speaking anonymously as a condition of a background briefing with reporters, said that “on a daily basis, we see, and have information shared with us, about efforts to continue to compromise various Ukrainian networks,” including the Ministry of Defense and critical infrastructure.

Despite the U.S. sharing “thousands” of indicators of compromise to help Ukrainian defenders root out vulnerabilities and attacks, the official noted that “we haven’t seen really any slowdown, and I don’t think we will see that” of Russian attacks.

These warnings track what Ukraine is reporting publicly. Ukraine’s Computer Emergency Response Team responded to more than 300 cyberattacks and cyber incidents in January and February of this year, with civil infrastructure remaining a key target for Russian hackers, and more than 2,000 cyberattacks were aimed at Ukrainian organizations in 2022.

This does not mean Ukraine is losing the war in cyberspace. While the defense official stressed that Russia is “adapting” its tactics in both the cyber and kinetic warfare spaces, the official said they believed that Russia was not as prepared at the start of the invasion to hit Ukrainian infrastructure with cyberattacks, as was widely feared.

“My belief is that had the Russians had the ability to significantly shut down Ukrainian infrastructure via cyber, they wouldn’t have wasted kinetic munitions on that,” the official said. “As a general common sense military tactic, I don’t believe you would reduce something to rubble if you had the ability to neutralize it in other ways.”

DRIP DRIP OF KREMLIN CONTRACTORS — A Russian company that launched disinformation campaigns on behalf of the Kremlin also helped Moscow monitor and surveil its citizens.

The latest information on 0Day Technologies, published Saturday on the personal blog of Recorded Future analyst Clement Briens, comes just a few days after a consortium of investigative media outlets published a bombshell investigation into another major contractor, Vulkan.

Coming in quick succession, the two investigations — both aided by leaks — shine new light on the web of public and private entities supporting Moscow’s cyber operations, and just how reliant the Kremlin is on private companies.

Quick refresher — 0Day Technologies’ questionable business dealings came to light following a 2019 leak of corporate documents courtesy of Digital Revolution, a Russian hacktivist group.

In May 2022, cybersecurity firm Nisos used those documents to show 0Day Technologies built a botnet to help Russia’s domestic intelligence agency amplify online disinformation.

What’s new — Briens’ new research, which relies on open source methods, indicates that the firm provided digital surveillance capabilities to Russian government agencies, private companies and even an indicted FSB hacking team.

That surveillance work mainly supported SORM, Russia’s notoriously invasive surveillance system, says Briens.

The company, which often hid behind Moscow State University for procurement and recruiting purposes, he concludes, developed “a suite of tools from deep packet inspection to analysis, including social graphs for identifying dissidents and lawful intercept of social media and messaging apps.”

Jen Ellis and Jeff Greene are joining the Institute for Security and Technology as adjunct senior policy advisers. Jason Kitka and Bryson Bort are also joining the think tank as adjunct senior technical advisers.

One of the better April Fools’ Day jokes of the weekend: