By Dr. Wesley McGrew, Senior Cyber Fellow; firstname.lastname@example.org
Yesterday, Adam Weidemann of Google’s Threat Analysis Group published information [ https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ ] about cybersecurity researchers being targeted by a North Korean state-sponsored group. The group targeted the researchers with offers of collaboration and compromised them with previously unseen exploits. Security professionals are attractive targets for advanced threat actors and should take a close look at the security of their own processes and infrastructure.
Vulnerability research is carried out to identify issues with the software code of a program or product that could lead to security issues. Subtle errors in design or programming can lead to a situation where malicious input (e.g., from a user, file, or internet connection) can compromise the confidentiality, integrity, or availability of software. Authentication might be bypassed, data may leak, programs may crash, and in some cases, memory might be corrupted in such a way that the attacker can run their own code within the context of the target program, giving the attacker complete control.
Vulnerabilities are often difficult to identify, requiring specialized skills and a lot of time. The most subtle errors that are the most unlikely to occur from “normal” user input can lead to the most spectacular impact. Vulnerability researchers must be good at reverse engineering and reading code, setting up complex testbeds for automating large numbers of potentially “bad” inputs, and creatively thinking of ways around mitigation techniques employed by hardware, operating systems, and development tools. The results of vulnerability research can be used to develop patches for vulnerabilities or identify areas where defenses can be layered. The same results can also be used to develop code that can attack users and organizations that use the vulnerable product.
State-sponsored groups that operate on the behalf of North Korea engage in espionage and profit-motivated cybercrime. To carry out their missions, they often need control of their targets’ computers and networks. Phishing attacks and other forms of personal manipulation can be used, but these involve interacting with the people that work for the target. A reliable exploit for a vulnerable system at the target can take the uncertainties of dealing with humans out of the equation and provide the threat actor with a foothold on the target network. If it is a “zero-day” exploit—an exploit for a vulnerability that has not been disclosed or patched—then the actor can be even more certain of an operation’s success, and they are less likely to be caught by intrusion detection systems.
In these operations, the North Koreans have adapted the phrase “you have to spend money to make money” and applied it to vulnerability information. They posed as vulnerability researchers themselves and used an exploit for a zero-day vulnerability to target vulnerability researchers that visited the threat actor’s blog. The details of the zero-day vulnerability are not known, but it seems likely to be in the Chrome web browser. It is possible they are using an exploit that they stole in a previous iteration of this kind of attack.
The North Korean operators also solicited known vulnerability researchers with requests to collaborate on projects. The threat actors sent project files for vulnerability research works-in-progress to the targets. The project files were “backdoored” with malicious code that compromised the vulnerability researcher’s computers, potentially enabling the theft of other research and sensitive data. Discussion by victims on Twitter today seems to indicate that the North Koreans had success with both avenues of attack.
I have given a series of presentations at the DEF CON and Black Hat USA conferences on the topic of potential attacks on cybersecurity researchers and practitioners. Security professionals are attractive targets for advanced persistent threat actors for several reasons:
By the nature of security research work, security professionals must often disable or bypass security measures on their own systems for testing and may frequently work with dangerous code of unknown origins. It is very easy for a professional to be overconfident in their ability to identify an attack and protect themselves, and, as a result, take shortcuts in their own security.
Security professionals can take measures to protect themselves, control the flow of sensitive information, and reduce the impact of attacks by advanced persistent threats. Well-funded threat actors can be assumed to have zero-day exploits as well as the time, funding, and capability to have some success with their operations. For the potentially-targeted security service provider or researcher, compartmentalization is the key to reducing the impact of an attack.
Individual projects should have their own virtual or physical computing and networking environments with carefully controlled outside network access. Researchers should have isolated environments for testing that can be quickly and easily destroyed and recreated. Correspondence and public internet research should be conducted on systems isolated from each other (and isolated from the research). Resistance by professionals to using compartmentalization is usually based on the awkwardness of moving data from one compartment to another. Develop policies, procedures, and technical measures that allow for movement in a way that integrates due care, detection, and thoughtfulness in moving potentially-malicious data and programs across domains.
Agencies and organizations that engage cybersecurity services should ask their providers about these measures as well. Frequently, cybersecurity providers do not “practice what they preach”, putting client data and access at risk. Ask your providers how they implement compartmentalization to protect themselves and you in an environment where advanced state-sponsored groups are motivated to act.