According to the UK’s National Cyber Security Centre (NCSC), North Korea is using sophisticated techniques to target global organisations through software supply chain attacks.
In a joint advisory, the NCSC detailed the tactics DPRK state-linked cyber actors used, emphasising the growing threat and complexity of such attacks.
Supply chain attacks, a method where malicious actors compromise elements of the software distribution process, have become a favoured tool for DPRK cyber actors. These attacks, often involving zero-day vulnerabilities and exploits in third-party software, allow the actors to access specific targets or indiscriminate organisations through their supply chains.
The NCSC said these attacks are aligned with broader DPRK-state priorities, including revenue generation, espionage and the theft of advanced technologies.
The advisory comes on the heels of a new Strategic Cyber Partnership announced between the UK and the Republic of Korea, underscoring their commitment to collaboratively addressing common cyber threats.
Paul Chichester, NCSC Director of Operations, stated: “In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations.”
In recent years, supply chain attacks orchestrated by DPRK state-linked cyber actors have steadily increased in volume and sophistication.
These actors employ zero-day attacks and multiple exploits to target software supply chain products used by various international organisations. The NCSC and NIS highlight that these attacks significantly contribute to broader DPRK state priorities, including revenue generation, espionage and the theft of advanced technologies across sectors, including defence.
The targets of supply chain attacks can span multiple well-protected and high-profile organisations, making them an effective means of compromise. Elements vulnerable to compromise include software vendors, managed service providers and cloud providers.
Once compromised, cyber actors can launch attacks, potentially deploying ransomware or causing system disruptions. The use of legitimate software and hardware makes these attacks challenging to detect.
The advisory provides technical details about the malicious activity, presenting case studies of recent attacks from the DPRK. It also offers advice on mitigating supply chain compromises, emphasising the importance of establishing effective control and oversight of supply chains.
The advisory outlines the techniques DPRK state-linked cyber actors employed in recent supply chain attacks, shedding light on their attack flow and modus operandi. One example detailed in the advisory occurred in March 2023, where cyber actors used software vulnerabilities in security authentication and network-linked systems to gain unauthorised access to the intranet of a target organisation.
The attack involved compromising a media outlet’s website and deploying malicious scripts into an article to create a watering hole.
Victims who opened the infected article with vulnerable security authentication software enabled the execution of malicious code, connecting to a command and control server for remote control. The actors then exploited a network-linked system vulnerability to spread malicious code to the business side server, compromising it and stealing information.
The highly sophisticated attack used undisclosed vulnerabilities and legitimate functions for intrusion, demonstrating the actors’ adaptability and strategic planning. The compromise of one supply chain led to the infection of another, highlighting the interconnected and cascading nature of these attacks.