As the saber-rattling between US President Donald Trump and North Korean leader Kim Jong-un continues, reports have surfaced that the DPRK had plans to hack the American power grid, while also successfully targeting the South Korean Ministry of Defense.
The US grid attack was a spear phishing gambit, according to a report from FireEye to private clients that was obtained by NBC News. Emails containing fake invitations to a fundraiser delivered malware in the form of attachments—however, the attack was ultimately unsuccessful and no disruptions were logged.
"Phishing attacks are something that electric companies prepare for and deal with on a regular basis, often in coordination with security experts and industry stakeholders,” Scott Aaronson, a top security official at the Edison Electric Institute (EEI), an industry trade group, said in a media statement. “In this case, the delivery of safe and reliable energy has not been affected, and there has been no operational impact to facilities or to the systems controlling the North American energy grid."
EEI’s cyber-consultant, Robert Lee, told NBC News that "any targeting of infrastructure by a foreign power is a concerning thing," but that North Korea and other adversaries "are far from being able to disrupt the electric grid…. This activity represents initial targeting, and if disruptions are even possible they would be very minor," he said.
Other experts had a different take: “Don't be fooled by people saying we shouldn't worry because the hackers haven't compromised any of our industrial control systems,” Phil Neray, vice president of Industrial Cybersecurity with CyberX, told us. “The easiest way for adversaries to get into our control networks is to deploy password-stealing malware onto the computer of a control systems engineer, and then use their legitimate credentials to directly access the control systems they're after. This immediately bypasses any perimeter protections you might have on the network such as firewalls."
He added that targeting US energy companies with phishing emails isn't new, but this is the first time the tactic has been tied to North Korean actors rather than Russian or Iranian actors.
The rate of attacks from the isolated but cyber-intensive country will likely only increase as American-DPRK relations continue to deteriorate.
"It doesn't seem like a phishing attack deserves too much attention these days—especially one that was unsuccessful in penetrating target networks,” Eddie Habibi, CEO of PAS Global, told Infosecurity via email. “The fact that it was North Korea isn't a big surprise nor that power was in the crosshairs. What is worth noting is that as tensions continue to rise with North Korea, we should expect the intensity of cyber-attacks aimed at US critical infrastructure to rise as well.”
He also stressed that this could be potentially dangerous: “[Critical infrastructure] is ill prepared for the consequences of [attacks] that provide access to the process control networks where you find systems that control volatile processes or ensure worker safety. These systems are often 15 or 20 years old and consequently do not adhere to today's secure by design principles. They are also not visible to security personnel, which makes detecting and reacting sufficiently to compromise difficult at best. Exploiting these systems can lead to loss of production, shareholder value, and even life under certain circumstances."
Meanwhile, a fresh report has surfaced alleging that hackers from North Korea stole a large cache of military documents from South Korea in September last year, including a plan to assassinate Kim Jong-un, wartime contingency plans developed with the US, plans for the South's special forces and information on significant power plants and military facilities.
The South Korean defense ministry has so far refused to comment about the allegation, but the BBC reported that Rhee Cheol-hee, a South Korean lawmaker, verified the heist. He said that in all, 235 GB of data was taken from the country’s Defence Integrated Data Centre.
“The recent North Korea cyber-hack may relate to the reported August 2016 compromise of the South Korean ministry of defense,” Chris Doman, threat engineer at AlienVault, said via email. “The group behind those attacks is Andariel, and likely a sub-group of the attackers behind the Sony attacks, WannaCry and SWIFT banks. They are very active, and I continue to see new malware samples from them every week.”