We can confirm that FireEye devices detected and stopped spear-phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack, which might take months to prepare if it went undetected (judging from past experiences with other cyber threat groups). We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea, but these compromises did not lead to a disruption of the power supply.

We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power. Furthermore, we have not uncovered evidence that North Korean-linked actors have access to any such capability at this time.

Nation-states often conduct cyber espionage operations to gather intelligence and prepare for contingencies, especially at times of high tension. FireEye has detected more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions. The few examples of disruptions to energy sector operations being caused by cyber operations required additional technical and operational steps that these North Korean actors do not appear to have taken, nor have shown the ability to take.

In December 2014, the South Korean Government reported that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted with wiper malware, potentially linked to North Korean actors. This incident did not demonstrate the ability to disable operations. Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government, a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims.

Thus far, the suspected North Korean actions are consistent with a desire to demonstrate a deterrent capability rather than a prelude to an unprovoked first strike in cyberspace; however, North Korea-linked actors are bold, have launched multiple cyber attacks designed to demonstrate national strength and resolve, and have little concern for potential discovery and attribution of their operations. They likely remain committed to pursuing targets in the energy sector, especially in South Korea and among the U.S. and its allies, as a means of deterring potential war or sowing disorder during a time of armed conflict.

The number of nation-states developing the capability to disable the operations of power utilities has increased in recent years. For North Korea, even limited compromises of power companies would probably be exaggerated and hailed as a victory by Pyongyang.

North Korea-linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide. Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback.
This is a Security Bloggers Network syndicated blog from the FireEye Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2017/10/north-korean-actors-spear-phish-us-electric-companies.html