Report details how North Korean and Russian cybercriminals are cooperating

source: scmagazine.com

Several companies, media outlets and the U.S. government have accused North Korean state-sponsored hackers of purchasing access to pre-hacked servers from criminal groups. But the connections to specific criminal groups have been a little more tenuous.

Now a new meta-analysis of previous reports from Intel 471 establishes a likely connection to TrickBot.

TrickBot, as well as Dridex and TA505, are groupings of attacks linked to different Russian-speaking cybercriminals who sell access to victims’ machines in criminal forums. The North Korean Lazarus Group, which supplements an economy ravaged by sanctions with cybercrime, is known to use a variety of vectors to find initial access.

“I was skeptical about any North Korea / Russian criminal group links before writing this,” said Intel 471 chief executive Mark Arena, who wrote the report. “When open-source reporting is based on one or two instances of TrickBot and Lazarus in the same server, it’s possible that they were two separate attacks.”

Arena read through the various reporting on the overlap between criminal groups and Lazarus, contacted the researchers for information not contained in the reports and solicited additional information from other researchers.

What he found was a very clear chain in the reports showing TrickBot infections leading to malware only used infrequently in Lazarus-type attacks, which appears to have been developed by Lazarus using the group’s fairly distinctive code.

Other public reporting was less conclusive. A purported connection to Dridex appeared to be a researcher conflating different criminal groups. And when Arena contacted a BAE researcher who had given a presentation proposing a connection between TA505 and Lazarus, that researcher said the presentation was only meant to be taken as a theory. However, in speaking with practitioners who hadn’t made their work public, Arena found that other people had independent suspicions of a link between the two that no longer appears to be active.

Arena told SC Media that knowing there is a connection between different actors gives defenders a chance to investigate a potential second problem when the first one is found. He added that if North Korea is likely to purchase access from one actor, it is likely to be willing to purchase from others. The choice of vendors shouldn’t be seen as set in stone.

source: defense.gov (courtesy of Artemus FAN, Chuck Miller)

Today, the Department of Defense announced William (Bill) K. Lietzau as the new Director of the Defense Counterintelligence and Security Agency (DCSA).

“Bill’s leadership experience within the military, government, and industry, combined with his role leading DCSA transformation efforts, make him the ideal candidate to hit the ground running and lead the DCSA,” said Joseph D. Kernan, Under Secretary of Defense for Intelligence and Security. “Bill understands the criticality of the background investigation and security mission, and the necessity to ensure a trusted workforce and protect critical defense information from theft or disclosure.”

Lietzau will replace Charles Phalen Jr., who has been acting director since July 2019. Under Phalen’s leadership, the National Background Investigations Bureau (NBIB) was successfully transferred from the Office of Personnel Management to the DOD on October 1, 2019. This transfer consolidated 95% of the federal vetting enterprise under a single agency in the DOD. Additionally, he was instrumental in leading a workforce that spans the country to reduce the background investigation inventory backlog, improve processing timelines, and achieve a steady-state level of clearances.

“I want to thank Charlie for his dedication and commitment to the DCSA mission, and for his willingness to lead the DCSA workforce through one of the largest organizational transfers in the Executive Branch and positioning the Agency for transformation while maintaining uninterrupted support for all of DOD and its government agency customers,” said Kernan.

DCSA is a strategic asset to the Nation and its allies – ensuring a trusted federal, industrial and affiliated workforce, and enabling industry’s delivery of uncompromised capabilities by leveraging advanced technologies and innovation. The Agency uniquely blends critical technology protection, trusted personnel vetting, counterintelligence, and professional education to advance and preserve America’s strategic edge.