North Korean campaign targeting security researchers (blog.google)
587 points by todsacerdoti on Sept 7, 2023 | 283 comments



I notice that the getsymbol tool on Github has 214 stars, and no banner to indicate that the tool is malicious. There is a recently filed issue with a link to the Google blog post, but that's it.

If anyone from Github is reading this -- I strongly suggest adding a banner or modal dialogue to warn users about the backdoor in this tool, and any other software with a known backdoor (e.g. forks of the project)


This also serves as a reminder that code hosted on GitHub might be malicious and we shouldn't blindly trust it just because the author seems to have similar interests. I've done that multiple times :(


That's true, but in this case the code might be fine and the executables they provide on GitHub bogus. It's tricky to keep in mind that GitHub is not a trusted build source.


And the GitHub Actions… oh man… Insert some tool in your build that comes from another random repository, that uploads an artifact to S3 or similar… GitHub’s architecture entirely is the iMessage of source code.


Could you please expand on your iMessage comparison? I don't understand what you're referencing.


The normal thing is to have integration test PRs and other CI actions (which may require access tokens to APIs, inherently or due to naive design) be defined by the incoming branch, creating a vector for an attacker to get access to privileged resources.

For certain parts of integration and testing jobs that are operating on untrusted code, it'd therefore be desired to not allow incoming PRs to change certain parts of the CI configuration (not only including .github/workflows, which can be protected using branch protection rules, but the testing framework).

It's possible to achieve this by splitting up your workflows and using workflow_run but it's non-obvious and finicky enough that I very rarely see it done.

GitHub could make this easier and propose better patterns than they do in their attempt to address the problem[0], which I think could use a 2023 follow-up.

[0]: https://securitylab.github.com/research/github-actions-preve...

---

In this context, an iMessage message <> a GitHub PR, I guess.


I don’t know if I 100% follow or agree with the comparison of iMessage and GitHub actions. But iMessage has had a number of interesting security vulnerabilities over the years in image parsing and deserialization. One example:

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

Or a story from today:

https://news.ycombinator.com/item?id=37425007

So perhaps the similarity between iMessage and GitHub actions is there are a lot of things that could go wrong. In iMessage it’s a pile of memory unsafe code that was not originally designed to withstand attack. In GitHub actions there is a lot of trust in third parties that could potentially be exploited.


And yet Android had multiple high and critical CVEs reported in the last few days with little coverage:

https://source.android.com/docs/security/bulletin/2023-09-01


This isn't an Android vs Apple article.


It's not an iOS / iMessage article either, but it was brought up here and is the point of this current thread.


Where do CVEs tend to show up app-wise in Android? Is it also messaging or some other system service? With iOS it's almost always either iMessage, WebKit, or iCloud Calendar.


«And you are lynching Negroes»


Coverage is proportional to the number of users :)


> Could you please expand on your iMessage comparison? I don't understand what you're referencing.

https://arstechnica.com/gadgets/2023/09/apple-patches-clickl...

iMessage itself is a dumpster fire that time and again has been proven to be an attack vector.


A lot of useful features are missing from actions/checkout@v3, so people have to either program actions manually, or use ones made by other GitHub users. Actions are build steps, such as opening a firewall before building, preparing a directory, or caching Maven artifacts.

It would be very easy to add a backdoor to one of those build steps.

The comparison with iMessage is that it’s unsafe by design, at the architecture level, because you’re relying on live code made by anonymous people. One day, attack vectors will be found every second day.


It strikes me as the classic NPM disease. Do we really need a reusable action for disabling a firewall, uploading files, etc.? I mean if it comes from GitHub that's fine, but for anything else I would rather verify the solution and copy the code. It works like a low-tech lock file, except changes are always visible inline in Git history, so less chance of lazy programmers missing changes.

I almost laughed when GitHub suggested an Action to me for Makefile based projects. The entire build process in my case consists of "make package"...


> if it comes from GitHub that's fine

No it isn't.

It's become normalized but it isn't fine. Whoever thought it was a good idea to download massive amounts of unaudited code at build time to then run it behind your defensive lines should have thought about that a bit longer. CI/CD is great. GitHub/GitLab are great. But combining the two has substantial risks. More so for languages that have broken package management and namespace issues.


You are of course right. I was thinking more in terms of "how do we save clueless developers (and their users) from themselves". They will probably find more ways to shoot themselves in the foot, but any percentage of prevented vulnerabilities is a positive result. Kind of like people trust Google/Apple with their phones.


I think it's safe to say that you can just about give up on that. The IT landscape is a horrific mess and it doesn't look like there is any change in direction on the horizon that will help to rectify that.

If you trust Google or Apple with your phone then I'm fine with that, it's your phone, your life. But I've found that trusting companies to have their incentives aligned with your own or with what's good for the world in general is a structural mistake that will find you disappointed each and every time given a long enough engagement. You can't trust that which you don't own and can't verify.


As a startup delivering executables to customers, I decently trust most programs running in the company: Gimp, Libreoffice, Docker, IntelliJ… There are only 4 major things that download unchecked stuff and run them:

- IntelliJ plugins,

- Maven,

- NPM,

- GitHub Actions.

JetBrains says it carefully reviews the source code of all versions of all plugins, and Maven has a somewhat decent dependency tree that you can restrict to major actors (Spring-Apache-Google).

Maybe the key to trust would be to have larger pieces of code (such as Spring) with quite a lot of process to check in code, rather than a thousand NPM packages. The parcelization of OSS didn’t do trust any good.


Yes. Remember that not only security researchers but also developers in general are extra juicy targets because of e.g. their AWS credentials that sometimes aren't kept as secure as they need to be. Heck, even if you're doing proper SSO with 2FA the tokens can be stolen and data proxied/exfiltrated.

At best they can be used for coin mining (running up a huge bill), at worst for stealing private customer data (and then selling/ransomwaring it).


> e.g. their AWS credentials that sometimes aren't kept as secure as they need to be

There is some irony in there.


We have pretty high bars for what we allow in terms of outside dependencies, but that doesn’t mean they do. It’s basically a crap shoot if you choose to do open source at all.


And that includes libraries that you blindly pull down from package managers


The source code itself looks relatively clean; there's autoupdate functionality but it looks like it's gated behind a confirmatory dialog box.

It's much more likely that the binary releases and/or autoupdate binaries are backdoored. If someone compiles their own version, and then clicks to accept the autoupdate, they could be infected. The binary is 15+MB in size, which is far more than enough to hide a small backdoor.


It's the auto-update functionality from a now-suspect URL. The repo has since been taken down, but here's the suspect file:

https://github.com/dbgsymbol/getsymbol/blob/cb4bdedc1a85c308...


Found these two forks which are still accessible (and are supposedly up to date with the upstream repo (linked in the comment above) which is not accessible anymore):

https://github.com/bb33bb/getsymbol

https://github.com/clayne/win-getsymbol

here is the same link as in the comment above from one of the forks:

https://github.com/bb33bb/getsymbol/blob/main/GetSymbol/CMai...

the code fetches from `UPDATE_CHECK_URL`, which is hardcoded as:

https://dbgsymbol.com/version

which as of the time of this posting, returns:

"GetSymbol 2.0.3|https://dbgsymbol.com/downloads/2.0.3/GetSymbol.exe"

the GetSymbol.exe file (which is downloadable right now) being presumably the infected file being discussed..!


wow! all mirror repos (I found 5) have since been disabled :-)

you can still see cached bits of the code via github search -> https://github.com/search?q=path%3AGetSymbol%2FCMainDlg.cpp+...

and a tiny bit of the repo's main page in google's cache: http://webcache.googleusercontent.com/search?q=cache%3Ahttps...

and the user's github profile, again from google's cache: https://webcache.googleusercontent.com/search?q=cache:JXXyoV...

the dbgsymbol.com links above still work, obviously.


Github just erasing a repo and forks from existence is scarier than any potential malware that could have been included there. Not the first time they have done this - usually based on copyright accusations, but the reason does not matter - if you must use ShitHub, at least mirror your projects elsewhere folks.


There were also some binary DLLs in the repo (in the x64 directory) which get loaded/executed on first launch and then deleted. I didn’t reverse-engineer to see if there was anything malicious inside of them, but it seemed pretty fishy to me.


Drat, archive.org didn't snag it. Do you happen to have a copy? https://web.archive.org/web/20230000000000*/https://github.c...



Yeah that’s what I’m referring to. IIRC it requires clicking/confirming a dialog to actually run the “update”, although I didn’t look that carefully before it got taken down.


>I notice that the getsymbol tool on Github has 214 stars ...

Analysis of which accounts starred it prior to publicity is probably a worthwhile endeavor. If there's any commonality with other obscure projects, that may be an indicator those accounts could be puppets.
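As an added example (not code from the thread or from any project mentioned in it), a small Python heuristic for the analysis proposed above: take the accounts that starred a repository before it became public knowledge, compare what other obscure repositories they starred, and cluster accounts whose obscure-repo profiles nearly coincide. Account names, repositories, star counts and dates are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from itertools import combinations


def _at(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: made-up accounts and repositories, not data from the thread.
SUSPECT = "example/symtool"          # placeholder for the repository under review
PUBLICITY = _at(2023, 9, 7)          # assumed date the story became public
REPO_STARS = {                       # assumed total star counts per repository
    "example/symtool": 214, "x/obscure-a": 9, "x/obscure-b": 11, "x/obscure-c": 7,
    "big/popular-tool": 50000, "misc/dotfiles": 3, "misc/notes": 2,
}


def _build_events() -> list[tuple[str, str, datetime]]:
    """(repo, login, starred_at) tuples: five look-alike accounts plus organic ones."""
    ev = []
    for i, p in enumerate(["p1", "p2", "p3", "p4", "p5"]):
        for r in ("example/symtool", "x/obscure-a", "x/obscure-b"):
            ev.append((r, p, _at(2023, 8, 20 + i)))
        if p != "p5":                                    # p5 lacks the third shared repo
            ev.append(("x/obscure-c", p, _at(2023, 8, 20 + i)))
    ev += [("example/symtool", "alice", _at(2023, 8, 25)),
           ("big/popular-tool", "alice", _at(2023, 1, 5)),
           ("misc/dotfiles", "alice", _at(2023, 3, 9)),
           ("example/symtool", "bob", _at(2023, 8, 30)),
           ("misc/notes", "bob", _at(2023, 2, 1)),
           ("example/symtool", "carol", _at(2023, 9, 8))]  # after publicity: excluded
    return ev


STAR_EVENTS = _build_events()


def early_stargazers(events, repo: str, cutoff: datetime) -> set[str]:
    """Accounts that starred `repo` before the cutoff date."""
    return {login for r, login, ts in events if r == repo and ts < cutoff}


def obscure_profile(events, logins: set[str], suspect: str, repo_stars: dict,
                    popular_at: int = 1000) -> dict[str, set[str]]:
    """Per account, the other low-star repos it starred. Popular repos carry no
    signal (everyone stars them), so they are dropped from the profile."""
    prof: dict[str, set[str]] = defaultdict(set)
    for r, login, _ in events:
        if login in logins and r != suspect and repo_stars.get(r, 0) < popular_at:
            prof[login].add(r)
    return prof


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def puppet_clusters(events, suspect: str, cutoff: datetime, repo_stars: dict,
                    min_sim: float = 0.8, min_size: int = 3):
    """Union-find over early stargazers whose obscure-repo profiles overlap
    strongly; returns (members, shared_repos) for clusters of min_size or more."""
    logins = early_stargazers(events, suspect, cutoff)
    prof = obscure_profile(events, logins, suspect, repo_stars)
    parent = {l: l for l in logins}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sorted(logins), 2):
        if prof[a] and jaccard(prof[a], prof[b]) >= min_sim:
            parent[find(a)] = find(b)
    groups: dict[str, set[str]] = defaultdict(set)
    for l in logins:
        groups[find(l)].add(l)
    out = []
    for members in groups.values():
        if len(members) >= min_size:
            shared = set.intersection(*(prof[m] for m in members))
            out.append((frozenset(members), frozenset(shared)))
    return sorted(out, key=lambda c: sorted(c[0]))


if __name__ == "__main__":
    for members, shared in puppet_clusters(STAR_EVENTS, SUSPECT, PUBLICITY, REPO_STARS):
        print(sorted(members), "share", sorted(shared))
```

A cluster is only a lead: legitimate niche communities also star the same obscure repos, so the output is a list of accounts to look at, not a verdict.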


Unfortunately that opens up a whole new can of worms. There are already sites that guess how fake amazon reviews are, maybe we need something similar for github.

I hope an analysis like you proposed could yield some insights to patterns or maybe even enough data to do some machine learning on.


But how do I trust the tool that guesses how compromised a repo is?


You post it to HN and claim that it's safe. If you aren't proven wrong in the next 2 hours, it probably is.


It looks like it just got taken offline


Yep. Page Not Found now.

I just had a look at it like 30 minutes ago and it was still there then.

Here are archives of what it looked like

http://web.archive.org/web/20230907185609/https://github.com...

http://web.archive.org/web/20230907193333/https://github.com...

http://web.archive.org/web/20230907193402/https://github.com...


I think it's better to give an obvious warning and archive it. As a reminder to people.


I reported the repository as malware, guess we'll see what happens with it


> Our review of the account named in your report has concluded. We have determined that one or more violations of GitHub’s Terms of Service have occurred and have taken appropriate action in response.


I'm really curious where the 0-day is in the code of the project honestly


This "UpdateCheckThread" code looks pretty funky, [0]. It downloads some stuff from a URL, writes a file to disk, and creates a process to run it.

0: https://github.com/dbgsymbol/getsymbol/blob/cb4bdedc1a85c308...


If the code is wrapped in

   if (updateDlg.DoModal() == IDOK) { … }
then doesn’t that mean it only runs that code if the user clicks “OK” on the update dialog?

(Edit: I think I understand now. It’s not the code, it’s the update URL that’s the problem, because it’s controlled by NK. So if you run this and blindly click “OK”, then it will download an executable that will infect your PC.)

(Edit 2: Or the issue is not in the source at all, but is in the prebuilt binary.)


It could be that the code is fine but the URL is compromised?


The 0-day is in a popular software package. The GitHub repo apparently contains a backdoor ability to execute code from the attacker. If I had to guess, this would be the software update functionality here: https://github.com/dbgsymbol/getsymbol/blob/cb4bdedc1a85c308...


That's just malware. There's no 0-day here.


That’s what Google is calling it, so I’m inclined to believe them.


"In addition to targeting researchers with 0-day exploits, the threat actors also developed a standalone Windows tool that has the stated goal of 'download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.'"

The attackers used a 0-day but getsymbol is not one.


Yep, that’s what I said.


No it isn’t what you said at all. You said Google was calling malware a zero day and you believe them, but they aren’t doing this.


This is what I said:

> The 0-day is in a popular software package.

(I have no idea what this is.)

> The GitHub repo apparently contains a backdoor ability to execute code from the attacker.

(This is what Google says and I think it’s the autoupdater.)

Is this different than what you feel?


Seems to be some DLLs included. Maybe there?

"But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain."

Sounds like most software nowadays to be honest. The blog author does not really point out why this code would be more malicious than "normal" or how the code author is known to be Korean.


Does github have that on any repos? If so, I’ve never stumbled across it.


> If anyone from Github is reading this -- I strongly suggest adding a banner or modal dialogue to warn users about the backdoor in this tool, and any other software with a known backdoor (e.g. forks of the project)

I'd also strongly suggest they add a way to flag projects in a way that is appropriate.


What's the point of the warning? Wouldn't GitHub just remove the offending repo?


Unfortunately, looks like it did.

...which while admirable from one perspective, also effectively destroys the evidence.

I prefer the warning instead.


It also normalizes removing repositories for other reasons.


Content providers have an obligation and responsibility to remove content for a variety of reasons. It's already normalised, as it should be.


It looks like it's no longer on GitHub. Does anyone have a source code mirror? I would love to get a peek at it.


there is an open issue that warns about this


I wonder how legit some of the most popular download sites are: e.g. ffmpeg Windows binaries [1] are hosted from some random person’s site. Sure you can check the checksum etc. but that still doesn’t guarantee any relationship with a specific git commit.

I would just assume that non-gh or official hosted downloads (where reproducible/attested builds are available) are just state actors by default. Am I paranoid? How do Linux/Mac package managers solve this?

[1] https://ffmpeg.org/download.html


Even binaries hosted on an official website can be hacked, if they hack the website and change the checksums. It happened to Linux Mint.

https://www.trendmicro.com/vinfo/fr/security/news/cybercrime....


This is why signing binaries is important.


Why trust Github? The GetSymbol tool has 215 stars there. Looks perfectly legit unless you check the issues.

https://github.com/dbgsymbol/getsymbol


You don't trust Github to not host any malware, and you don't trust Github to not have malicious users.

You trust Github to have reasonably good security, and to not maliciously meddle with user content, so that if you see a repository under github.com/neovim, and you additionally trust the user called neovim, then you can reasonably trust that any repositories under github.com/neovim don't contain malware.


Even when you trust the repo owner, you can't trust their projects. A bad actor could still submit a PR with malicious code and it could be merged just by negligence.


> ffmpeg windows binaries [1] are hosted from some random person’s site

The same thing happens with mpv: https://mpv.io/installation/

The Windows download is provided by "shinchiro" on SourceForge.

The MacOS download is provided by "stolendata", on stolendata.net


Wait until you find out that useful programs like MPV are not developed by giant corporations but by individuals or small teams. Trust something hosted on mpv.io made by the MPV maintainer but freak out when that maintainer delegates release builds for some platforms to someone else he is comfortable linking to. MPV probably also uses many libraries developed by other individuals. A society built on trust is a GOOD thing.


"How do Linux/Mac package managers solve this?"

By building their binaries from source and hosting them on their servers?


Wouldn't help if the source code already has the backdoor in there though. Most people would just download and build a tool off GitHub if it has 200 stars and does what they need.


Github stars are also complete bullshit that can be gamed itself.


It's extremely hard to sneak backdoors in open-source code.

Which is one of the reasons why a lot of people promote that openness.


It's extremely easy to sneak backdoors in open-source code that contains automatic update functionality.


Into a popular repository yes, but into a small tool like that it would most likely be very possible.


Small tool = less code to read through.

If you want to use that suspicious tool, you should at least take a glance at the source code.


In an ideal world that would be the case, but people barely read the README or documentation.


That's on their own fault, and on the alternative closed source scenario nobody would be able to read the source without reverse engineering it first


I did, and on the rare occasion that I need to use a downloaded binary today, still open it in a text editor and scroll through it for a cursory look. Packed -> reject. Bigger than expected -> reject. URLs or other strings, especially obfuscated, not related to expected functionality -> reject. Online AV multiscanners offer a reasonable alternative for those who aren't familiar with this sort of quick-glance RE, although they do have false positives too.
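As an added example (not code from the thread or from any project it discusses), a Python triage routine that mechanizes the quick-glance rules in the comment above: size beyond what the tool should need, windows of near-maximal entropy as a packing or encryption indicator, and embedded URLs whose host is not on an allowlist. The thresholds, the sample buffers and the hostnames are constructed assumptions; the only real host is Microsoft's public symbol server, used as the "expected" reference.

```python
import math
import random
import re
from dataclasses import dataclass, field

# Assumed thresholds for this example (not from the original comment):
PACKED_ENTROPY = 7.2   # bits per byte; compressed or encrypted data approaches 8.0
WINDOW = 4096          # bytes per entropy window
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def windowed_entropy(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each fixed-size slice, so a packed section stands out from code."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def url_host(url: bytes) -> str:
    """Lower-cased host part of a URL found inside the binary."""
    return url.split(b"//", 1)[1].split(b"/", 1)[0].decode(errors="replace").lower()


@dataclass
class Triage:
    size: int
    max_entropy: float
    packed_fraction: float          # share of windows at or above PACKED_ENTROPY
    urls: list[bytes]
    reasons: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "reject" if self.reasons else "inspect further"


def triage(data: bytes, expected_max_size: int, allowed_hosts: set[str]) -> Triage:
    """Apply the three quick-glance rules: size, packing, unexpected URL hosts."""
    ents = windowed_entropy(data)
    packed = sum(1 for e in ents if e >= PACKED_ENTROPY) / max(len(ents), 1)
    urls = URL_RE.findall(data)
    t = Triage(len(data), max(ents, default=0.0), packed, urls)
    if t.size > expected_max_size:
        t.reasons.append(f"size {t.size} exceeds expected maximum {expected_max_size}")
    if packed >= 0.5:
        t.reasons.append(f"{packed:.0%} of windows look packed or encrypted")
    for u in urls:
        host = url_host(u)
        if host not in allowed_hosts:
            t.reasons.append(f"unexpected URL host {host}")
    return t


# Constructed sample inputs, not real binaries: a small low-entropy blob that only
# references an expected symbol-server host, and an oversized high-entropy blob
# carrying a download URL unrelated to the tool's stated purpose.
def sample_clean() -> bytes:
    body = b"MZ" + b"int main(void) { return 0; }\n" * 300
    return body + b"https://msdl.microsoft.com/download/symbols\0"


def sample_suspect() -> bytes:
    rng = random.Random(1337)       # fixed seed keeps the sample deterministic
    body = b"MZ" + rng.randbytes(40000)
    return body + b"\0https://updates.example.invalid/2.0.3/tool.exe\0"


if __name__ == "__main__":
    for name, blob in (("clean", sample_clean()), ("suspect", sample_suspect())):
        t = triage(blob, expected_max_size=20000, allowed_hosts={"msdl.microsoft.com"})
        print(name, t.verdict, t.reasons)
```

A high entropy score also fires on legitimately compressed resources and a clean result proves nothing, so "inspect further" is the best outcome this check can give.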


> Online AV multiscanners offer a reasonable alternative

You're right, (not just) online AV multiscanners are also FUD machines that will happily accept malicious programs but reject anything well crafted and optimized because it doesn't look exactly like the shit MSVC craps out with default settings.


>> By building their binaries from source and hosting them on their servers

> Wouldn't help if the source code already has the backdoor in there though

I'm not sure if you're aware but random tools don't just spawn in official package repositories overnight.

There's a vetting process, for both new packages and new maintainers. Also in established distros, packages don't get accepted to official repositories unless it's a critical and highly demanded one.

So yeah, any software can have vulnerabilities, regardless of OS. But stray tools and dubious actors are pretty much a solved problem in Linux distros. The situation on Windows is laughable in comparison. No need to spread FUD.


The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?


This is a good thing to consider when picking Linux distros. Who are the maintainers, is maintenance done in the open, do they enforce reproducible builds, how is the review process done, what are the requirements for maintainers/packages/releases?

You also have the option of building from source yourself. Some package managers and distros (Gentoo, NixOS, Guix) do this for you.

This is BTW the main reason I wouldn't use derivative distros for anything serious.

Debian's generally trusted in the community - their slow pace comes from risk aversion.


> The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?

Pretty much, packaging is not a brainless process. One of the efforts that specifically targets this is the Reproducible Builds project [0], along with many other security measures set by each distro.

There are also usually multiple testing and updates rolling stages.

The best evidence of how effective these measures are is their actual reputation and record on the ground.

[0] https://reproducible-builds.org/


Package managers are not the only way to get software. People build software off GitHub all the time.


> Package managers are not the only way to get software. People build software off GitHub all the time.

The question asked by parent comment was:

"How do Linux/Mac package managers solve this?"


Reproducible Builds is the search term/buzzword for this area. It is still in its infancy.


If I don't see a github action I'll usually pass on downloading. But what do you mean by "random person's site"? It's ffmpeg.org - is that not a reliable source?


> But what do you mean by "random person's site"? It's ffmpeg.org - is that not a reliable source?

The concern is that FFmpeg does not provide Windows binaries for themselves, they link to someone else who does.

You could argue that those providers are fine since they're implicitly being endorsed by FFmpeg, but it's not super clear whether they're trustworthy people involved in FFmpeg or randos that opened a GitHub issue saying "Hey I'm providing Windows binaries for people if they want them!"


Oh I see I didn't notice the additional links popping up on hover. Oof, that's not great.


they also link to this repository: https://github.com/BtbN/FFmpeg-Builds


I trust random developers more to host software that does not go against my interests than big tech corporations.


Not really shocking or new but kind of interesting. Why would they use 0-days on security researchers? My guess is it's a test with upside. On the one hand if it works on a security researcher, you can go "live" because you got a good one, and on the other hand you estimate that in the long run you'll get 1+x 0-days out of the deal from said researcher.

As a security researcher it also presents an interesting situation. If you're careful enough and can pretend to be dumb enough, you might be able to harvest fresh attack vectors/0day etc. "for free" but the downside is if you overestimate yourself you'll get pwned.


Security researchers generally have more 0-days.


Also being a security researcher doesn't necessarily mean you're any good at securing your own systems. If you can break out of the quarantine area of the things the researchers know not to trust, you'll commonly find their own systems are insecure as hell.


Yes exactly. The fun bit is breaking stuff, securing stuff is soooo boring.

There are different mindsets in this game. You want one type of person to find the holes in your system, and a different type of person to protect it.


> Why would they use 0days on security researchers. My guess is it's a test with upside

Or just be after the accesses the targets have...


This is absolutely because NK doesn't want to pay market rate for 0days.


Yeah, all the other sanctioned countries do a much better job at this.


What is market rate for a 0-day?


check the zerodium pricelist for a general guide: https://zerodium.com/program.html


Protection against going to jail is generally part of such a package.


But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain.

Also known as "automatic updates". Thank you, Big Tech, for indoctrinating the mainstream population into accepting this subservience (or forcing this non-choice on them) --- and now that that subservient and trusting attitude includes security researchers too, it's ironic to see it coming back to bite you.

Some of us knew all along what that attitude was going to lead to, and probably not all of us are security researchers either --- we've just seen all the other negative effects of letting you push stuff to our machines and run it, and put two and two together.


Complete conjecture, but new macOS security update just went up, which includes this tidbit:

> Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

https://support.apple.com/en-us/HT213906

Not a betting man, but I'd guess that's the vulnerability being discussed.


Good thing I'm not a betting man because I'd have lost:

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...


iPad/iPhone OS got an update too, which mention additional Wallet issues, so it might not be related after all:

https://support.apple.com/en-us/HT213905


There was a just announced discovery of a new NSO zero click exploit in the wild. It's probably for that.


Crazy ty


What I wonder is this: these North Koreans clearly have unrestricted internet access (they sort of have to, to find 0-days) and they also clearly at least understand English.

How have they not accidentally stumbled across media that shows them all the things their state media doesn't?


"All of our secret agents are loyal patriots, while all of theirs are brainwashed hostages!"

The reality is that like every other country's intelligence services, they would obviously recruit for patriotism. This question is like asking why US intelligence agents who have access to information about the DPRK beyond the propaganda don't defect to the DPRK's superior healthcare coverage, zero school shootings, and better litter management. They don't value those aspects of DPRK society which seem better, and probably don't necessarily trust that they actually are better in X specific circumstance (pretty valid!). I don't see why it would be any different for DPRK intelligence.


> defect to the DPRK's superior healthcare coverage, zero school shootings, and better litter management.

I can't believe you're glorifying the DPRK without mentioning that they celebrate Tax Abolition Day since eliminating it in 1974.


Is that true? That is pretty funny if so. The DPRK should start running tourism ads in libertarian newspapers.


Yeah — other than the famines, forced labor, summary executions, and mandatory dictator cult it’s probably a great place.


If you're a member of an elite cyber-intelligence military branch who knows, it might not be as bad.

The USA is also great if you earn 200k/y as a software developer.

If you're a teacher, not so much.


Yeah, teachers in USA are forced to be teachers and don't have food on regular basis /s


It's not that it's a great place, it's that an individual who is deep into the indoctrination (from a lifetime of exposure) might not be as aware of the realities of their world vs the outside world, even with Internet access.


You think the North Korean intelligence community is not aware of the content of Western media?

They probably are aware. There are other means of keeping them in line, both carrot (privileges within DPRK) and stick (consequences for them and their loved ones if they step out of line.)


I don't think there are many options here:

- They can't get to X freer country as that's just difficult for all North Koreans

- They likely can't just stop hacking for carrot and/or stick reasons. They are likely closely monitored.

- Maybe some people drink the kool-aid. I'm sure these people are very well compensated.


They are likely closely monitored

Imagine getting a week of solitary confinement for trying to read a Korea Times article.

https://m.koreatimes.co.kr/pages/article.asp?newsIdx=358723


Also pay the writers, I need another season of severance :'(


I think it's mostly the control from the first 2 points you mention. They are often working from China, where the authorities will not help them. "Well compensated" in North Korea terms means not starving and your family has not yet been sent to a forced labor camp. Escaping means your family suffers terribly.


They probably see the crazy shit the western propaganda machine pumps out about them and are reassured. That is not to say NK is absolved of wrongdoing, however.


Honestly true. They are probably patriotic, far from the larger problems, have cognitive dissonance (“I'm not living in a dystopian shithole because that would be hopeless”, etc.). All it takes is one glaring mischaracterization by western media and their beliefs that they are misunderstood by the West are confirmed. They probably even know of many of the bad things that happen but are able to rationalize it.


On the contrary, DPRK has a long history of threatening people's families to keep them in line.

The simplest explanation here is also the most cruel:

https://news.ycombinator.com/item?id=37425542

https://en.wikipedia.org/wiki/Prisons_in_North_Korea

https://en.wikipedia.org/wiki/Hoeryong_concentration_camp


Maybe we went a tad too far with Ukraine propaganda. Five Eyes, if you hear me, maybe turn that down a notch for a while, you’re getting as credible as Colin Powell’s words at the UN Security Council, and kids will remember.


The excellent BBC podcast The Lazarus Heist talks some about the lives of North Korean hackers: https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads

They're closely monitored where they work and often have threats against their family.


This is well worth listening to. Great podcast.


North Americans and Western Europeans are incredibly naive about how authoritarian states work.

All authoritarian states will end up having a caste system hierarchy. The upper caste have it just as good as people in the West and in modern times they will have unfiltered access to the Internet. They have zero reason to revolt because they have everything they need.


They rarely have it just as good as in the West. But being on the top in your society can make you gloss over a lot.


Yep, even a lot of Western political demagoguery is telling people they have it good compared to some unfortunate others, so that the politicians can avoid having to actually make things better.


Solzhenitsyn wrote an autobiographical novel about it: https://en.wikipedia.org/wiki/In_the_First_Circle


To give you some perspective, there exists a Spaniard who joined NK: https://en.m.wikipedia.org/wiki/Alejandro_Cao_de_Ben%C3%B3s


They probably do, but I don't think there is much they can do if they care about their family's well being


They do. But what would they do with that information?

People in the late USSR were in a similar situation. Even without necessarily knowing all the details, the average person, and certainly the intelligentsia and people working in the intelligence services, had a growing awareness of the absurdity of it all, how different the rest of the non-Communist world was, and so on. Something similar is true in China, today. A person in China who wishes to inform themselves about China's history or recent offences against human rights, can at this point, do so, and fairly easily.

But... then what? Can't talk about it. With whom would it be safe? Can't tell others what you've learned. Can't discuss your perspective.

In my view it was not the truth that destroyed e.g. the USSR. It was allowing people to organize independently of state control. That, plus truth, was fatal. Both the Chinese and North Korean ruling parties have learned that lesson. It doesn't actually matter if a significant proportion of the public knows the truth. They can know the truth, alone, in isolation, unable to act on it.


You have people living in the free world believing everything around them is a lie. Finding yourself an interpretational perspective as an observer that would spare you from reconsidering core values comes relatively easy.


The state tightly controls who gets internet access. The agents would be thoroughly vetted, and/or given a life they could not otherwise have and an implicit threat to their family's well being if they were to misbehave. They probably do have some idea of what life is like outside their country, but are either conditioned to look down on it or terrified of trying to escape.


Life is probably not as bad in North Korea as the propaganda leads you to believe. Especially if you remain loyal and are a valuable asset.


You're joking right? North Koreans are literally starving to death.

https://www.cnn.com/2023/03/03/asia/north-korea-hunger-famin...


Those people probably aren't "valuable assets".


That doesn't apply to such hackers


> Life is probably not as bad in North Korea as the propaganda leads you to believe.

If this were the case then it would not be necessary for them to shoot people trying to leave.


The East Germans did that, too


how much of what you think you know about North Korea is verifiably true?

how much of what we think we know about our own governments is verifiably true?


I wonder what the chances are that a security researcher would execute a Windows binary they receive over chat from a rando. This isn't even security 101, just common sense at this point.

If anything, I'm sure it gave researchers a chance to play around with the binary in a secure environment. They wouldn't even need to reverse engineer it, since the source code was made public by the attackers. Good guy black hats!

Speaking of, can someone find the exploit in the linked repository? I'm curious what it does, but can't bother with going through all files. TFA could've linked to it, as well as mention how they determined this project is linked to NK hackers...


More often than you'd think.

Young infosec practitioners are encouraged to get certifications, OSCP, eJPT, etc. A lot of these cert mills require that you pwn known boxes. This gives rise to discord servers where you can "help each other". Some of this help is in the form of binaries or obfuscated source code.

They run it on their pentest job laptop, you know, the one with the SSH keys to their report writing box. They get pwnd, and now DPRK has access to a bunch of US civilian corporate data and weaknesses.

I may have actually witnessed this.


That isn't what they said the threat was; they were sent a document that exploited a 0-day in whatever program reads it.


Ah, I misunderstood, thanks.


> how they determined this project is linked to NK hackers

If they have enough confidence to attribute and not disclose how/why, one can fairly guess they don't want to burn sources or indicators which might still be useful moving forward but likely won't be if disclosed...


> the threat actors sent a malicious file that contained at least one 0-day in a popular software package

i.e. not executables


It became an executable :)


Security 101 is that everyone will fuck up at some point. _Everyone_.

If the security researcher's environment isn't well designed (which absolutely happens, whether it's via budget or inattentiveness,) then the attacker can get to a delicious creamy filling very fast.


I’m not a security researcher but I would definitely do it if they seemed like a decent person who I had been talking to for a while and were running an open source project


I worry about how nonchalantly researchers attribute these campaigns. They never tell you their methodology for their attribution, but it's always the attribution that non-technical people pay the most attention to.

Look at this article for example. The first two words are the attributed actor. Yet there is absolutely no way to prove it. Attribution on the Internet is really, really, really difficult. We don't know how difficult it is because we have no independent method to determine when we're right or wrong. And we would be foolish to think that attribution is never politically motivated.


Citlab partners with various private data brokers to obtain commercial security intelligence, you'll see them referenced within their reports at times.

Based on this, I generally assume that their attribution is accurate. However, if you take a step back and view it objectively, it appears quite hypocritical, given the privacy-invasive origins of this intelligence.


I’m surprised that NK can have such weak computing education at the population level and still find enough high level hackers and cybersecurity people to do these things.


From what I've read from NK experts: they intentionally and intensively create hackers. If you are a child in NK who shows skills in mathematics then you will be monitored and if you are good enough you will be sent to a special mathematics school, where you learn pretty much nothing else. After that you are sent to the one technical university to study computer programming intensively for years. If you pass muster then you will be shipped to China, from where you'll use the better internet access to do anything from steal MMORPG gold, phishing attacks or find zero days. It sounds like a bleak life of 12 hours, constant pressure to deliver and living in cramped dorms. So, a bit like Silicon Valley ;)


A bleak life for sure, but probably still many times better than normal life in NK.


Wealthy/connected North Koreans are educated at many top Western and Chinese schools. Heck, the dictator at the top went to middle/high school in Switzerland.


They are almost certainly pulling on talent pools from one of the neighboring nations.


You can say China, they cannot kill you over the internet... yet.


They probably said "neighbouring nations" because they're also including Russia. (Russia has a few miles of border with North Korea)


I would bet money that nearly all of the imported hackers come from China and not Russia.


> Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation.

dbgsymbol.com is NOT showing up with a warning in Safe Browsing on my Brave browser. (warning, unknown vector)


Safe browsing is there for Google to spy on you easily, not to detect hacks.


Safe Browsing uses a privacy-preserving hash prefix algorithm to match against URLs.[1]

1 - The first 4 bytes of all URL hashes in the blocklist are cached in the browser.

2 - When there is a match, you request from Google the actual URLs on the blocklist.

3 - Client-side, your browser blocks loading the URL.

Google only knows that the site had a hash collision with the first 4 bytes of something in the blocklist.

I, personally, think that's a fair price for otherwise free malware protection. It's also built into Firefox and on by default. [2]

[1] https://developers.google.com/safe-browsing/v4#update-api-v4

[2] https://wiki.mozilla.org/Security/Safe_Browsing
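The three-step lookup described in the comment above, as an added Python model that is not code from the post, from Google or from Mozilla. It assumes a single SHA-256 over the URL string (the real Update API canonicalises the URL and hashes several host/path expressions, and prefixes may be 4 to 32 bytes), and the blocked URL and the "benign-N.example" hosts are constructed sample values. It also goes beyond the comment by showing what happens on a prefix collision: the client fetches the full hashes, decides locally that the page is clean, and the server only ever learned the 4-byte prefix. The `find_prefix_collision` helper is a hypothetical demo routine; it is only feasible because the demo shrinks the prefix to 1 byte.

```python
"""Toy model of the Safe Browsing hash-prefix lookup (constructed example)."""
import hashlib
from itertools import count


def full_hash(url: str) -> bytes:
    """SHA-256 of the URL. Simplification: the real API canonicalises the URL
    and hashes several host/path suffix-prefix expressions of it."""
    return hashlib.sha256(url.encode("utf-8")).digest()


class BlocklistServer:
    """Stands in for Google's side. It holds the full hashes, but in the
    lookup path it only ever receives a short prefix from the client."""

    def __init__(self, blocked_urls, prefix_len: int = 4):
        self.prefix_len = prefix_len
        self._full_hashes = {full_hash(u) for u in blocked_urls}
        self.prefixes_queried = []  # everything the server learns about clients

    def prefix_list(self):
        """Step 1: the prefixes the browser downloads and caches locally."""
        return sorted({h[: self.prefix_len] for h in self._full_hashes})

    def full_hashes_for(self, prefix: bytes):
        """Step 2: only called after a local prefix hit; returns every full
        hash in the blocklist that starts with the prefix."""
        self.prefixes_queried.append(prefix)
        return [h for h in self._full_hashes if h.startswith(prefix)]


class BrowserClient:
    """Stands in for the browser: local prefix cache plus a cache of the
    full-hash answers it has already fetched."""

    def __init__(self, server: BlocklistServer):
        self.server = server
        self.prefix_len = server.prefix_len
        self.local_prefixes = set(server.prefix_list())
        self.full_hash_cache = {}  # prefix -> set of full hashes returned

    def is_blocked(self, url: str) -> bool:
        h = full_hash(url)
        prefix = h[: self.prefix_len]
        if prefix not in self.local_prefixes:
            return False  # common case: decided offline, server sees nothing
        if prefix not in self.full_hash_cache:
            self.full_hash_cache[prefix] = set(self.server.full_hashes_for(prefix))
        # Step 3: the final full-hash comparison happens on the client.
        return h in self.full_hash_cache[prefix]


def find_prefix_collision(prefix: bytes, prefix_len: int) -> str:
    """Hypothetical demo helper: brute-force a clean URL whose hash shares a
    prefix with a blocked one. Cheap for the 1-byte prefix used in the demo;
    a real 4-byte prefix would need on the order of 2**32 attempts."""
    for i in count():
        candidate = f"https://benign-{i}.example/"  # constructed host names
        if full_hash(candidate)[:prefix_len] == prefix:
            return candidate


if __name__ == "__main__":
    blocked = "http://malicious-sample.example/"  # constructed sample entry
    server = BlocklistServer([blocked])
    client = BrowserClient(server)
    print("blocked url  ->", client.is_blocked(blocked))
    print("clean url    ->", client.is_blocked("https://news.ycombinator.com/"))
    print("server saw   ->", server.prefixes_queried)

    # Collision case with a 1-byte prefix so the brute force finishes quickly.
    small = BlocklistServer([blocked], prefix_len=1)
    small_client = BrowserClient(small)
    target = full_hash(blocked)[:1]
    lookalike = find_prefix_collision(target, 1)
    print("colliding url ->", lookalike, "blocked:", small_client.is_blocked(lookalike))
    print("server saw    ->", small.prefixes_queried)
```

Note what the server's `prefixes_queried` list does and does not contain: a visit to a clean page whose prefix is not in the list never reaches the server at all, and a visit that does hit a prefix tells the server only that some URL with that 4-byte prefix was visited, which is the "hash collision" information the comment describes.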


I wonder if TAG publishes data for security researchers targeted by western government backed actors.

Does anyone have any links for that, or do we just autoaccept that FBI/CIA/GCHQ/Mossad do it and it's fine, because they are in our group?


How did they determine the threat is coming from North Korea?


From the article: "The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits."


Got it. Missed that part. Thank you. Looks like a pure assumption. According to CyberProof [1] and CloudFlare [2], the majority of attacks originate from China and the United States. North Korea is not even making it to Top 10. That's why I asked.

[1] https://blog.cyberproof.com/blog/which-countries-are-most-da...

[2] https://blog.cloudflare.com/ddos-attack-trends-for-2021-q4/


North Korea is a nice foil, because then you don't have to cast aspersions onto trading partners.

"Look, see? NK. We even copied some Korean words into the comments."


Isn't NK a small china protectorate anyways?


The NK government-backed hacker groups mostly operate in China.


Some of you may enjoy this[0] podcast on the North Korean Lazarus Group.

[0] https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads


Are we supposed to download this and run on our computers?


The podcast seems to be available on Spotify and similar.


Lifetimes ago as an intelligence officer I spent years tracking DPRK activities and developments.

People shouldn’t underestimate their technical capacities or ability to recruit smart hard working people.


> People shouldn’t underestimate their technical capacities or ability to recruit smart hard working people.

People hear about third-world living conditions and deprivation and say "aww, cute" as though it's sticks and rocks they're launching into the Sea of Japan. They have money...it's all poured into the military.

I don't understand why the media downplays them so heavily.


> third-world living conditions [...]

I know that the phrase has gained an orthogonal meaning since the cold war, but if we use the original one it's funny to call what's arguably the only remaining second-world country "third-world".


I mean if we're going by the original definitions, I think Laos, Vietnam, and Cuba are also still second-world though none of them are bizarrely neo-Stalinist the way North Korea is.


Are they really Stalinists? I would have guessed Maoists, but then again, I wouldn't know the difference.


North Korea is Juche.


North Korea was generally more aligned with the USSR than the PRC. Kim Il Sung and Mao were on the way up at the same time, and were both students of Lenin and Stalin.


>I don't understand why the media downplays them so heavily.

Because in the same way as morale can be a force multiplier, an extreme lack of it can be a force divider. Combine that with their (very likely) inability to sustain even a regional war for more than a few weeks, their antiquated equipment, and their largely unsuccessful domestic military developments, and it's not hard to write them off as largely a non-threat, whether or not this is truly the case.

The major downside is that even if they only manage to sustain for a few weeks, that's plenty of time to level Seoul and inflict damage on cities further south should they decide to make a push against the ROK, and this is what shouldn't be downplayed.


I’d bet they’re prepared to do a ton of damage to South Korea via cyberarms more than traditional weaponry too. Eg cut power to the country for days on end. They’ve clearly got 0days and aren’t afraid to use them.


If 'cyberarms' are as potent as you think they are, then how come Russian cyberarms haven't done much damage to Ukraine?


Since 2014, nations with a strong vested interest in Ukraine not falling threw a lot of resources at strengthening the country's infosec.

Also, during a kinetic conflict where you're invading, it's often more strategically valuable to lie dormant in their networks than it is to scorch them, a la America sitting inside of Iraq's phone networks and just listening.

There's a lot of work being done now to change it [1], but I've heard from multiple cybersecurity grunts in critical infrastructure that they just assume foreign APTs are in their networks. Strategically, why in the world wouldn't they be? There's basically no downside other than burning TTPs. We should damn well expect the NSA to have their fingers in every foreign pot they can reach.

[1] To be fair, there was a lot of work before too. But now people are more scared.


So, you believe their nuclear weapons don't work?


Probably not, with insufficient confidence to assume that is the case


That's a strange assumption when many countries were able to independently verify nuclear tests between 2009 and 2017. The largest of which had a blast yield 4 to 12 times the nuke dropped on Nagasaki.


These tests happened. Most experts suspect that their success rates were far below claimed outcomes. But the important question is can you put the bomb on a weapon, launch it, and detonate it at the target. I think probably not very successfully. I also suspect they’re not stockpiling these things as claimed.

I also don’t think it matters because they would be pretty dumb to use them. I’m of the mindset that they will most likely simply collapse at some point and the nukes will become unmaintained and useless.


> I don't understand why the media downplays them so heavily.

There are a few reasons that interlock.

- The DPRK government is a mob family with sovereign status and nukes. Most folks in western countries don't have a strong sense of what that means - looking through the lens of mostly free nations, it is hard to imagine the realities on the ground, and they fill in the blanks with what they know about bureaucratic states.

- Lots of western folks, but USians in particular, are extremely ignorant and incurious about Asia and Asian cultures. This amplifies the above problems and tends to lead to ridiculous ideas being believable.

- DPRK's propaganda encourages some of this. Their interests are served when people in the west are thinking about their nukes and ignoring the hacking that pays for them. A side order of "we're so mean and crazy we starve our people" helps stoke the mad-man authoritarian archetype.


> why the media downplays them

Perhaps you meant the media for some specific country, but news media in Japan do seem to take North Korea quite seriously, and missile launches frequently end up being the first headline on NHK world news.


> They have money

And much more of it after crypto gained popularity. Darknet Diaries went through investigating some of their hacks. Amounts from one can be more than the entire GDP of a small country. Some crypto is washed through Macanese etc. banks but most is just used to pay for weapons and stuff directly.


They absolutely do not “have” money in a meaningful sense. They are very poor and the past few years have been much harder than decades past.


> I don't understand why the media downplays them so heavily.

And I don't understand why the media upplays them so heavily, as some kind of peer threat capable of meaningful force projection.

(Well, I do understand it, someone needs to keep pounding the drum to keep this country on a forever-war footing.)


Feels like a weird post to make in the comments section of an article in which NK performed an active attack campaign...


Not weird when you consider what is, and what is not a proportionate mitigation of a threat.

When someone gets mugged on your street, you can consider taking precautions. If your response is to roll out half a mile of barbed wire, electric fencing, and landmines all through the perimeter of your property, I would say that is absolutely 'upplaying' the actual level of threat.

Most Americans' understanding of the actual threat posed to the US by NK is ludicrously upplayed. NK is a credible offensive threat to SK, but that's a very limited problem for anyone living in Nashville, Tennessee.


I mean, the response here was a blog post, which doesn't feel particularly upplayed. I also virtually never hear about NK from anyone or fear of NK from anyone day to day, nor do I hear about it particularly often from policy makers. No one is campaigning on fear of NK that I have seen.

Perhaps TN is just a radically different world, I'd frankly believe it, but I haven't seen anything too significant at all. The last time people were really concerned about NK for like... 3 days, I think it was ~2012 or so.


> I mean, the response here was a blog post, which doesn't feel particularly upplayed.

I wasn't criticizing the blog post, I was responding to a comment in this thread that claimed that for some strange reason the danger of NK is systemically underplayed by the media.

I argue that no, the media more typically overplays it, much like it overplays the threat from other non-peer nations. I'm assuming you don't feel like the news is telling you that Iran is a threat either... Which would put you in an informed minority.


Can you give an example of media overplaying NK?


NK seems to be getting disproportionate media attention compared to other dirt poor and authoritarian countries.


>ability to recruit smart hard working people

including non-nationals?


Of course. There are a lot more capable fish in the pond than the ones with the connections to a Western company, plus the capable fish in a Western pond but nobody talking to them because the onus is on the fish. You probably know people who are better programmers than people you work with who don't earn as much as people more socially savvy or placed, and who might want to also pay off a mortgage after 30 years.


Put a gun to someone's head and you'll find that they're capable of just about anything.


Put a gun to someone's head, and they suddenly become less capable. A small amount of stress is good for productivity, but excessive stress destroys cognitive abilities.


Even better, do it to their children, and literally everybody else who is important in their lives.


Probably more carrot than stick. NK hackers who can bring in millions to the state from crypto hacking, ransom etc likely live more comfortably than manual laborers.


Yeah, just look at what engineers here in the States are willing to do for money they don't really need


Both really. In NK the stick awaits all who stop chasing the carrot.


Probably way less comfortably than if they could move to a civilized country though.


But they can't, so it's a moot point.


> technical capacities or ability to recruit smart hard working people

Of course, there are different senses of "recruitment". The best recruits don't even know they have been...

The take-away here is that it's 99% social engineering and 1% a script-kiddy payload drop. Their SE play is based on our innate ability to be recruited, because we want to be. Because we spend our school and college days being conditioned to want to be valued, to feel needed, to look for validation and reward, to make beneficial connections and sell ourselves. Self commodification/reification is the beating heart of capitalism.

They're smart to use that against us, by reaching out to security researchers, who (from personal experience) often feel isolated and/or undervalued.

After all it's just "international collaboration", right?

Without due diligence in checking out new contacts (especially if they contact you to discuss things that they know interest you and then stroke the ego of your specialism) recruitment is easy.

In the end you can't easily know whether that charismatic voice on the phone is really from your government, from Google, from a fellow researcher who wants to "share and collaborate"... and you probably wouldn't know what would constitute a credible proof of identity.

Intelligence agencies could do well to spend a little money on benevolently watching out for commercial, civic, academic or hobbyist researchers who are valuable targets and sending a polite heads-up when the packets start arriving from N Korea.


[flagged]


I can't speak for the general public but my own impression of the country is that its nuclear weapons and isolation make it incredibly dangerous, and the problem is only getting worse as their arsenal increases.

Plus they have pulled off a number of hacks that became mainstream news so I would expect plenty of people to think that North Korea has competent software developers.


What really makes me nervous about the DPRK is just how successful they have been at getting the rest of the world to prop them up. Successful models get imitated.

Intuitively, we'd expect Kim to envy Putin, but at some point it occurred to me that the opposite notion seems to be better at explaining the behavior we've seen lately from Russia. If Putin's agenda were to turn Russia into a nuclear-armed failed state that the rest of the world has no choice but to prop up with aid in perpetuity, it's hard to see what he would be doing differently.


So what IS the threat from North Korea to Americans or anyone not sharing a border with them exactly? They won't launch nukes at anything outside their own borders unless Kim wants his country turned into a smoldering crater. The only real threat anyone should worry about is cyber attacks, which could be an issue if targeted at infrastructure, but not something i stay awake at night worrying about.

I find it interesting that 2 years ago people like you would be moaning about how COVID-19 is being used to "scare" people, and we should ignore US "propaganda" about death rates in the US and worldwide. But now apparently North Korea IS a threat and we should all be scared of Kim starting a nuclear war.

The last couple of years drove a lot of people to conspiracy theory channels, and its effects are starting to show.


We detached this subthread from https://news.ycombinator.com/item?id=37421831.


those things aren't mutually exclusive. North Korea is a malnourished country, evidenced by the pretty stark fact that South Koreans are now so much taller that South Korean women are approaching the height of North Korean men.

It's just that if you pump a quarter of your entire GDP into nukes and hackers you can still be decent at it even if your people are starving.


How does anyone know the average heights in NK?


[flagged]


"Ending the war" requires handing South Korea over to DPRK based on their conditions and they still claim their government has rightful jurisdiction over it.

I mean the war is effectively over. It's been a cold war since the "cease fire" has been adhered to. It's not like they're going to stop trying if we agreed to take down the DMZ. Their entire culture is based around reunification and defeating the evil Americans.


You could equally say ending the war means handing NK over to SK because that's what South Korea's constitution says.

Less flippantly, "ending the war" means reaching a mutual agreement that preserves the two Koreas' current territories: nobody sane is using the term to mean anything else.

(BTW, South Korea did push for officially ending the war multiple times, IIRC. It's just that North Korea remains uninterested. Same for the US - probably because they don't see the deal happening realistically.)


Right, which is why I said it's effectively what we have now (a situation that preserves their current territories). AFAIK, the situation barely affects SK life. It's just that neither side believes the minute they stop pointing weapons at each other's borders the other side won't take advantage, and as far as I know, prior attempts to sit down and end the war officially require the other side to basically give a full surrender. There's also a Chinese interest in keeping DPRK (it was Chinese MiGs American fighter pilots engaged in the actual war and I assume China currently supplies DPRK with arms in a similar role to the US and SK) as a buffer zone, and a source of cheap labor and source for human trafficking in some cases. So both countries have a larger country/acting ally disrupting the politics.


This would cause immediate conflict with China. Imagine China showing up to liberate Mexico from the drug cartels.


This is such a strange take it borders on satire.

Could you elaborate on if you genuinely think this would resolve the issues the DPRK experiences?


> maybe the US should end the korean war

Takes two, not just the UN side, to end the war.


You can't be serious.


[flagged]


It's not that hard to verify given the people who have risked their life to escape the country and spoken openly about the conditions there.


Video evidence snuck out of the country frequently shows obviously malnourished people, even military soldiers, who are supposed to get special privileges and access to food look pale and show obvious signs of malnourishment. That said, they're a model for carbon footprint reduction.


A few years ago during the 2016 Democratic primaries, Bernie Sanders was roundly mocked by mainstream media for saying NK was a top threat due to their disengagement from the international processes.

https://www.youtube.com/watch?v=8M4CoEodUTI


You won’t really find anything interesting from this repo aside from the update functionality that was likely used for downloading the payload. The topic of interest is the payload that TAG obviously can’t disclose because vendors are fixing whatever bug was behind this 0day.

Unsurprisingly, TAG is light on details..


A lot of this is talking about attempts during 2022 which was known about a year ago in the security community when it first came out. It's just more of the same as best I can tell, just because they were caught, doesn't mean they stopped trying.


Evidence for attribution to North Korea?


> The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.

At minimum the payload.


1. DPRK does an actual cybercrime, shellcode/payload eventually gets discovered and disseminated among researchers

2. Script kid acquires said code, makes slight modifications

3. Script kid deploys the malware

4. Cybersec person @ Google is promoted for uncovering major APT operation, big news story

How do you prove that this is sufficiently implausible?


As shown in the Snowden leaks, the United States was in development of exactly this capacity and it's essentially impossible to attribute attacks to nations like this. Anyone who claims to be able to is either ignorant or lying.


Marble Framework, if anyone is interested


i dont think proof is on the table here. you just have to speculate, and make an educated guess.


I agree, but all the incentives are aligned with making sensational attributions:

- Attackers don't want to get identified, so they won't help

- Defenders, or their bosses, don't want to admit they got owned by a "skid"

- Researchers want to pad their resumes with Serious work, not random skid nonsense

- Media wants sensational stories


"SoUrCe?"

This is clearly comment bait. If you've done any type of opsec before you know the legal hurdles.

This is coming from someone (me) who personally saw North Korean IP blocks visit malware research articles via combing the server IP logs and verifying the block.


This seems like a disproportionately mocking tone for the original comment made.


Attributing cybercrime is never a slam dunk unless you have physical evidence: devices, people, etc. /var/log/*/access.conf is not that.

Virtually everything on the wire can be spoofed. Someone in Kansas could own an elaborate network that includes DPRK IPs. And that would be a desirable red herring for any independent criminal.

WikiLeaks taught us that the CIA has tools for spoofing their payloads as Russian, Chinese, Iranian, etc.

It very well could be a DPRK actor, but let's please not kill perfectly valid discussion around attribution.


> It very well could be a DPRK actor, but let's please not kill perfectly valid discussion around attribution.

I'm starting to believe that "killing perfectly valid discussion around attribution" is part of the game itself, after all we have at least two persons in this HN comments thread (the OP, and some other guy above who explicitly said that he worked for intelligence) who have worked directly for or adjacent to (I guess that's how the OP got to see those NK-related IP blocks) Western government agencies that handle this sort of stuff.


Given it's an official Google blog post related to a nation-state threat actor, somebody asking for valid attribution could be a way attackers try to:

1) Derail the conversation 2) Find out ways to further cloak their footprint

IMO if you've worked in the field, you know it's a dumb question meant to invoke something.

"Look! We've succeeded! We've dragged out 'w0z_' and have identified him as a possible (x)!"

Sadly, I am a nobody who happened to see DPRK not tunnel to a VPN.


> somebody asking for valid attribution could be a way attackers try to: 1) Derail the conversation 2) Find out ways to further cloak their footprint

Really? What does it take to sprinkle North Korea over my code? Is having the North Korean equivalent of JIS in strings enough? I mean, how could there possibly be any footprint of anything. Does gcc leak info into the binary that my Debian system does not have in the first place? You need to get these guys when they are bragging to their friends. You can't look at the trails they leave behind ...

A lot of cyber security smells like bullet forensics.


If it matters I didn't mean to direct my comment at you personally (obviously, as I don't know you), but instead it was meant to target the generic security person who says that he/she has gotten in the "vicinity" of such state-sponsored attacks.

Back to the subject at hand, and taking a more general view, trusting a big Pentagon-contractor [1] (and not only) such as Alphabet on the subject of other countries' cyber-attacks against the US (and its Western allies) is just futile.

[1] https://www.reuters.com/technology/pentagon-awards-9-bln-clo...


Are you really that naive? Google doesn't even reveal how their search engine scores the web pages they index, and you want them to tell you the evidence of NK being behind this or how they figured that out? You are free not to trust them if you choose.

It's particularly ironic because in this case social media was used to gain access to the researcher's computer:

> In one case, they carried on a months-long conversation [on X], attempting to collaborate with a security researcher on topics of mutual interest

HN is another perfect place for that to happen. How do we know that pphysch (or me, jryle70) isn't an NK agent trying to get more information about the technique employed in this case?


help me think like a blackhat. what is the end game for this? attempting to see what knowledge researchers have to be able to detect, circumvent, etc what the "bad guys" are up to? attempting to dox, smear the research(er)?


1. Spy on researchers, harvest 0-days before they're published, monetize them (selling 0-days, spreading ransomware, etc),

2. Sell info/research to publish academic research before the victim does,

3. geopolitical leverage,

4. blackmail researchers to get more of the above,

5. use 0-days found by others for global dragnet surveillance, which translates to money and political power,

6. plant (dormant) code in critical infrastructure internationally for geopolitical leverage / future war,

7. inject any code into any repo that the researchers have access to or that the researchers are known to make use of (tools),

8. economic espionage / access to high-tech international IP

Just kind of what the NSA does really with the exception of monetizing on ransomware?


Given the crazy shit the CIA has been documented to get up to, and the fact that the NSA has similar lack of oversight of agents in the field, why do you think that there isn't any monetizing on ransomware going on?


I'm thinking they are hoping to find exploits that the security researcher(s) are working on, and may not be known to others (use a 0-day to steal other 0-days).

I'd presume that a decent security researcher's laptop would have much more valuable things on it, compared to Bob the Waiter's laptop.

Educated guess. Grain of salt, etc...


I don't know - I think primary research on these things might be easier than sifting through all the "exhaust" on someone else's laptop to figure out what they've discovered.


On difficult targets this is unlikely to be the case.


yeah although there might be easy things like correspondence on a bug report embargo


Total speculation, but:

> North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.

In the past, actors would release something, watch it spread, and see what reports back. Sometimes detonation would be limited to certain IP ranges or institution types, but broad deployment would quickly put itself on the radar of security researchers and someone would sound the alarm.

I'm thinking this targeted approach works like doctor-shopping: you find the most paranoid people you can and see if you're able to exploit them. If you pull one over on them, then the unsuspecting won't stand a chance. If they do catch on, you run away, iterate on your approach, and try it against another researcher who doesn't know you're making the rounds doing this.


Super common spear phishing in modern times. Back a few decades-ish, Chinese plants would attend military conferences, or would monitor those from the US who went to said conferences, then would "follow up" with an email talking about how they met and talked about "some program or weapon that person was in the know of" on a superficial level and stroke their ego a bit... then phish them with malware based on that supposed meeting and ego stroking...


I’m pretty sure that ransomware and other tactics that largely end with a significant crypto transfer are their end game. Evidently, they are really good at it - $1.7 billion in 2022.

So anything to slow down the researchers is my guess. Keep the drain open, so to say. Just my two cents.

https://www.cbsnews.com/amp/news/cryptocurrency-hackers-stol...


It states clearly in the article that the goal was to acquire debug symbols for MS, Citrix, and others with the goal of reverse engineering. If you have been following Citrix, their NetScaler product has been the subject of multiple high severity vulnerabilities, and they sit in mission critical networks. From here the most likely move is their most common, ransomware, the proceeds from which they use to fund parts of their military.


That was the stated legitimate purpose of the GetSymbol software by its creators. As far as I understand, this data is freely available and the GetSymbol software makes it easier to download rather than having to go to multiple different websites.

The ultimate purpose of the malware embedded within the GetSymbol software is what is not known.


That was the decoy behind the secondary infection vector, not the motivation.


I'm skeptical given the MS attack involved stealing keys from core dumps.


The speculation I've seen is that they're intending to steal someone's research, weaponize it, and use it against their adversaries.


Do you understand why [foreign government] would want to spy on Raytheon, Lockheed, General Dynamics?


Security researchers often have the most access to stuff at big companies.


I don't know about that. I work in security, as a service to customers, but we have a running gag about "the real security people" who give you a phone call if you accidentally step off the path on your work machine.


I don't work in security anymore, but when I did, access tended to be... loose. Outside of security, there hasn't been a single job (of quite a few) where I didn't have root access.

At one of the hosting companies I worked at -- for example -- I was able to download the root password of every Linux host and the domain password for every Windows host as a proof of concept for a project. Nobody told me to stop, but as a courtesy I did end up telling the manager of the internal SOC that it was possible. He was pretty floored. Apparently they had set up monitoring for single queries of passwords, but since my queries returned more than one result, it wasn't "caught".

So yeah. Lots of access.


Also the research they are doing; I would guess most researchers know of vulnerabilities counterparties would be very interested in weaponizing.


Did anyone manage to snag a copy before it was pulled? I'd like to generate some SIGMA rules against it. Any other detection engineering ideas?


If I ever got a security role I would never list my title on LinkedIn as security.


This is a very curious notation:

> 23.106.215[.]105


bold move, trying this on sec professionals. Might actually be a good thing if it forces them to take their own advice.


[flagged]


Why tf would you post an unsanitized link to a malware executable here?

edit: nice edit to the parent. the original was a github link to the .exe file.


Because we assume our fellow users here are not morons and aren't going to download a file from virustotal.com that says "2 security vendors flagged this file as malicious" and run it and get infected.

You'll note that the github.com link was also published upthread, and is even more malicious.

In linking to the binary, I can download it and run it through radare2/ghidra/idapro and do some static analysis on it for myself.


The link was edited, the original was to the .exe with little commentary and the link was cut off so the filetype wasn't apparent.


Most of us don't run Windows, this is HACKER News not PEBKAC News.


This is doubly concerning: Not only for researchers, but also for the public.

I always imagined the North Koreans to be at a technical level where they would be the ones consuming published exploits more so than imagining their own. This article means that they are advanced enough to focus on suppressing knowledge rather than consuming what is publicly available.


You should certainly update your perception of NK then. They stole more crypto than anyone else in 2022. [1]

1 - https://www.reuters.com/technology/record-breaking-2022-nort...


> You should certainly update your perception of NK then. They stole more crypto than anyone else in 2022.

I never heard of anyone stealing crypto, so you might be right. /s


In the world of (cyber)espionage I can't ever tell what's true and what's exaggeration, but I'm under the impression North Korean hackers have been deemed a serious threat for many years now. In other words, this is not news...


There is an interesting podcast called Lazarus Heist that covers this stuff.


Second this, produced by BBC https://www.bbc.co.uk/programmes/w13xtvg9

Gave a lot of insight and background into North Korean hackers, how they operate, how they live and so on. I was familiar with their operations from before, like the SWIFT hack from being in the infosec field. But I still learned a lot.


DPRK’s top 1% live what amounts to an upper middle class life, and tend to educate their children abroad.

My understanding is that they even have access to an unfiltered Internet supplied by China. The threat of extermination of their families if they step out of line politically seems to keep those people in check.


I would think they are kept in check the same way the upper middle class is kept in check pretty much everywhere in the world. They live a very comfortable life style and have no interest in doing anything that would jeopardize that.


That's a latent function present to varying degrees in every society (who wants to rock the boat if you're having a good ride?), whereas the threat to one's family is more of a manifest function, sociologically speaking.



