North Korean hackers allegedly probing US utilities for weaknesses

Spear phishing emails thought to be affiliated with Pyongyang sent to electricity firms

By John Leyden

Posted in Security, 11th October 2017 17:01 GMT

Hackers believed to be from North Korea are casing out US electric companies in preparation for a possible cyber attack – so says security firm FireEye.

"FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to US electric companies by known cyber threat actors likely affiliated with the North Korean government," the infosec outfit reported on Tuesday. "This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected."

FireEye has previously detected suspected Nork hackers probing the systems of South Korean utilities. The firm adds that DPRK hackers have yet to display the ability to interfere with industrial control systems, much less cause power outages. All this probing is nonetheless a cause for concern.

In December 2014, the South Korean government claimed that nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP) were targeted by wiper malware. North Korean hackers were the prime suspects in the attack, the impact of which may have been exaggerated for propaganda purposes. "This incident did not demonstrate the ability to disable operations," FireEye said. "Instead, sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean government."

Reports of reconnaissance on US utilities follow earlier reports alleging DPRK spies stole a large cache of military documents from South Korea, including a plan to assassinate North Korea's leader, Kim Jong-un.

Documents including wartime contingency plans put together with the US were stolen from South Korea's defence ministry. Information on power plants and military facilities in the south also featured among the stolen data, the BBC reports.

Rhee Cheol-hee, a South Korean lawmaker who sits on its parliamentary defence committee, said 235GB of military documents were swiped from the Defence Integrated Data Centre, adding that 80 per cent of these documents have yet to be identified. The South Korean defence ministry has so far refused to comment on the breach, which reportedly dates back to last September.

Chris Doman, a security researcher at AlienVault, said: "The recent North Korea cyber hack may relate to the reported August 2016 compromise of the South Korean ministry of defence. The group behind those attacks are named Andariel and likely a sub-group of the attackers behind the Sony attacks, WannaCry and SWIFT banks. They are very active and we continue to see new malware samples from them every week."

Suspicions that Pyongyang may have stolen intel from South Korea will do nothing to de-escalate tensions with the US, which are already at a 50-year high following the North's rocket tests. ®
