McAfee Report Points to Cyber Collusion Between China, North Korea

A report by McAfee released today suggests organized cybercriminal organizations operating out of China and North Korea may be colluding more.

“Operation Oceansalt Attacks South Korea, U.S., and Canada with Source Code from Chinese Hacker Group,” details how a hacker fluent in Korean recently leveraged a Seasalt malware variant identified 10 years ago to launch five attack “waves” that compromised enterprise systems within South Korea (the primary target), the United States and Canada across multiple vertical industries. Seasalt’s development was attributed to Comment Crew, one of the first entities to be identified as an organized team of cybercriminals operating out of China.

Oceansalt makes it possible to send system data to a control server and execute commands on infected machines. McAfee as yet has not determined the ultimate purpose the actions might serve, but it has determined the initial attack vector involved spear-phishing using two malicious Microsoft Excel documents. McAfee also surmises the attackers have knowledge of South Korean public infrastructure projects and related financials.

A second round of malicious documents, this time in Microsoft Word, carried the same metadata and author as the Excel documents. The content was related to the financials of the Inter-Korean Cooperation Fund. The malicious activity first appeared May 31 in South Korea. Further telemetry indicates organizations outside of Korea have fallen victim to this attack as recently as Aug. 14, including organizations in the investment, banking and agricultural sectors in Canada and the United States.

Raj Samani, chief scientist for McAfee, says the existence of Oceansalt doesn’t mean that Comment Crew has re-emerged after several years of being dormant. Rather, it’s probable an individual or group of hackers who are fluent in Korean has appropriated a technique originally developed in China. That’s not enough to prove there is any collusion at the nation-state level, but it does show cybercriminals operating in that area of the globe have found some way to gain access to a technique that originated in China. To McAfee’s knowledge, the original Seasalt code has never been made public, he says.

Malware aimed at critical infrastructure such as power plants is especially troubling because the goal usually is not to steal intellectual property. Rather, in the event of war, one of the primary goals is to cripple the enemy’s infrastructure as a precursor to any potential invasion.

Of course, Oceansalt could be yet another “false flag” operation designed to make it appear that any attack using this code is emanating from North Korea. Samani says Oceansalt is significant because it indicates cyberattackers who speak flawless Korean might have access to vast trove of malware developed in China. Of course, North Koreans and Chinese citizens travel across their respective borders frequently, so there’s more than a good chance one or more cybercriminals is fluent in both Korean and Chinese.

Regardless of the ultimate source, however, Samani says cybersecurity professionals should view Oceansalt as another example of how organized cyberattackers have become when it comes to sharing intellectual property. In fact, he says the hope is that once IT and business realize how much bad actors are collaborating, they will become even more motivated to share cybersecurity intelligence among themselves and appropriate government agencies.

Michael Vizard

Avatar photo

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 766 posts and counting.See all posts by mike-vizard

Secure Coding Practices