Blurred Lines of Cyber Threat Attribution: The Evolving Tactics of North Korean Cyber Threat Actors
Seongsu Park, Staff Threat Researcher
APT Research
© 2024 Zscaler, Inc. All rights reserved.
Introduction
Seongsu Park
▪ Zscaler, ThreatLabZ, APT Research Team
▪ Staff Threat Researcher
▪ Formerly, Kaspersky, Global Research and Analysis Team
▪ Mostly tracking North Korea threat actors
APT Research Team
▪ Global threat intelligence team of Zscaler
▪ Tracking and analyzing global cyber threats
▪ Analyzing novel attack techniques
Attribution in Cyber Threat Intelligence
▪ Cyber Threat Intelligence (CTI) is evidence-based knowledge about adversaries' motivations, capabilities, and tactics that enables informed security decisions.
▪ Attribution is the process of identifying the actors responsible for cyber attacks by analyzing technical indicators, tactics, and strategic context.
▪ Attribution requires both technical evidence and analytical judgment to determine who is behind an attack and why they conducted it.
Challenges in accurate cyber threat attribution
▪ False Flags: attackers deliberately plant misleading evidence
▪ Shared Infrastructure: multiple threat actors using the same tools and hosting services
▪ Anonymization Tools: use of VPNs, Tor, and proxies to hide true origin
▪ Code and Tool Reuse: reuse of public malware and tools
Case #1
The Rise …
IoC