Even as Kim Jong Un became the first North Korean leader to step into South Korea, his generals continue to oversee teams of increasingly advanced hackers who are actively targeting the financial, health, and entertainment industries in the US and more than a dozen other countries. The so-called GhostSecret data reconnaissance campaign, exposed Tuesday by security firm McAfee, remains ongoing.
Last month, McAfee reported finding Bankshot, a remote-access trojan attributed to Hidden Cobra—a so-called advanced persistent threat group tied to North Korea—infecting Turkish banks. In this week’s report, the security firm said the same malware was infecting organizations all over the world. McAfee researchers also found never-before-seen malware that was infecting the same organizations. One tool included many of the capabilities of Bankshot, including its ability to compromise computers that connect to the SWIFT banking network and permanently wipe data from infected computers. The tool also had digital fingerprints found in Destover, the name given to malware that was used in the Sony Pictures intrusion.
Server seizure, listening malware
Coinciding with the McAfee discovery, according to a ThaiCERT advisory published Wednesday, Thai officials seized a server at Thammasat University in Bangkok that was being used to communicate with computers infected in the GhostSecret campaign. The server used the same IP address range that was used in the Sony Pictures hack. Thai officials are currently analyzing the server.
McAfee also found another previously unseen piece of malware dubbed Proxysvc. It appears to be part of a covert network of implants that listens on port 443, the port normally used for TLS, to gather data and install additional types of malware. It came to light when undisclosed sources found it on March 22 at an unnamed organization in the United States. McAfee has since found it infecting organizations in 11 countries. In all, GhostSecret has been found targeting 17 countries or regions, including the US, Thailand, China, and Hong Kong.
“This analysis by the McAfee Advanced Threat Research team has found previously undiscovered components that we attribute to Hidden Cobra, which continues to target organizations around the world,” McAfee researchers Ryan Sherstobitoff and Asheer Malhotra wrote in Tuesday’s post. “The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools.”
It’s not particularly surprising that North Korea, or any other nation, would continue to spy on countries even as it makes public overtures for peace.
“It would be highly unusual for any country to cease intelligence gathering operations in the midst of some of the most important talks in their history,” Sergio Caltagirone, director of threat intelligence at security firm Dragos, told Ars. Previously, he was a senior threat intelligence analyst at the US National Security Agency. “In fact, we would expect espionage activity to grow during periods of negotiation.”