North Korean hackers allegedly probing US utilities for weaknesses

Spear phishing emails thought to be affiliated with Pyongyang sent to electricity firms

By John Leyden


Hackers believed to be from North Korea are casing out US electric companies in preparation for a possible cyber attack – so says security firm FireEye.

"FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to US electric companies by known cyber threat actors likely affiliated with the North Korean government," the infosec outfit reported on Tuesday. "This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected."

FireEye has previously detected suspected Nork hackers probing the systems of South Korean utilities. The firm adds that DPRK hackers are yet to display the ability to interfere with industrial control systems, much less cause power outages. All this probing is nonetheless a cause for concern.

In December 2014, the South Korean government claimed that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted by wiper malware. North Korean hackers were the prime suspects in the attack, the impact of which may have been exaggerated for propaganda purposes. "This incident did not demonstrate the ability to disable operations," FireEye said. "Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean government."

Reports of reconnaissance on US utilities follow earlier reports alleging DPRK spies stole a large cache of military documents from South Korea, including a plan to assassinate North Korea's leader, Kim Jong-un.

Documents including wartime contingency plans put together with the US were stolen from South Korea's defence ministry. Information on power plants and military facilities in the south also featured among the stolen data, the BBC reports.

Rhee Cheol-hee, a South Korean lawmaker who sits on its parliamentary defence committee, said 235GB of military documents were swiped from the Defence Integrated Data Centre, adding that 80 per cent of these documents have yet to be identified. The South Korean defence ministry has so far refused to comment on the breach, which reportedly dates back to last September.

Chris Doman, a security researcher at AlienVault, said: "The recent North Korea cyber hack may relate to the reported August 2016 compromise of the South Korean ministry of defence. The group behind those attacks are named Andariel and likely a sub-group of the attackers behind the Sony attacks, WannaCry and SWIFT banks. They are very active and we continue to see new malware samples from them every week."

Suspicions that Pyongyang may have stolen intel from South Korea will do nothing to de-escalate tensions with the US, which are already at a 50-year high following the North's rocket tests. ®
