NCSC-NIS joint cybersecurity advisory warns of DPRK-linked hackers targeting global software supply chains

The National Intelligence Service (NIS) of the Republic of Korea (ROK) and the U.K. National Cyber Security Centre (NCSC) have jointly identified cyber actors linked to the Democratic People’s Republic of Korea (DPRK) targeting widely used software supply chain products relied on by government organizations, financial institutions, and defense industry companies around the world. These actors have been observed exploiting zero-day vulnerabilities in third-party software to reach specific targets, or to compromise organizations indiscriminately, through their supply chains.

In response, the NIS and NCSC last week released a joint Cybersecurity Advisory (CSA) to strengthen preventive measures and raise public awareness. The CSA details the tactics, techniques, and procedures (TTPs) employed by DPRK state-linked cyber actors in their global supply chain attacks, together with recommended preventive measures to reduce the risk of such incidents. The NCSC and the NIS assess that these supply chain attacks align with, and considerably help fulfill, wider DPRK state priorities, including revenue generation, espionage, and the theft of advanced technologies.

The advisory provides technical details about the malicious activity, case studies of recent attacks emanating from the DPRK, and advice on how organizations can mitigate supply chain compromises. Organizations are urged to put security measures in place to reduce the chance of systems and data being compromised. 

“In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations,” Paul Chichester, NCSC director of operations, said in a media statement last week. “Today, with our partners in the Republic of Korea, we have issued a warning about the growing threat from DPRK state-linked cyber actors carrying out such attacks with increasing sophistication.”

Chichester called upon organizations to “follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise.”

Ahead of the release of the NCSC-NIS advisory, Microsoft Threat Intelligence disclosed that it had uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a developer of multimedia software products.

“This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload,” the research team wrote in a company blog post. “The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.”

Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that Diamond Sleet had previously compromised. More recently, Microsoft has observed Diamond Sleet using trojanized open-source and proprietary software to target organizations in information technology, defense, and media. The CyberLink case is a reminder that a valid code-signing signature and a legitimate download location do not by themselves establish that an installer is trustworthy.

Although the advisory from NCSC and NIS did not explicitly mention the Lazarus Group, it did highlight two supply chain attacks that occurred in March of this year, which researchers have attributed to actors based in North Korea.

“Supply chain attacks are a highly effective means of compromising numerous well-protected, high-profile targets. Several elements of the supply chain have proved susceptible to compromise, including software vendors, managed service providers, and cloud providers,” the NCSC-NIS advisory states. “From here, an actor can indiscriminately target a number of organisations and users, and their attacks can be expanded or shifted to a ransomware attack to demand money or cause a system disruption. It can be hard to detect these attacks as the actors are using legitimate software and hardware.”

It added that, with the level of the threat likely to increase, organizations should put in place security measures to manage the security of the products they depend on and to build resilience against such attacks.

In March this year, attackers chained vulnerabilities in a security authentication product and a network-linked (network separation) system to gain unauthorized access to a target organization’s intranet, the advisory detailed. “It used a software vulnerability of the MagicLine4NX security authentication program for the initial intrusion into an internet-connected computer of the target, and exploited a zero-day vulnerability of the network-linked system to move laterally and gain unauthorised access to information,” it added.

The attack flow shows a chained attack on two supply chain products. The cyber actors compromised the website of a media outlet, injected malicious scripts into an article, and so created a watering hole. The scripts were written to execute only for visitors connecting from certain IP ranges, which kept the attack targeted and reduced its exposure to researchers. When a victim opened the tampered article from an internet-connected computer on which the vulnerable security authentication software was installed, that software executed the malicious code. The victim’s computer then connected to the command and control (C2) server, which the attackers used to take remote control of the infected computer.

The advisory disclosed that, from the compromised internet-connected PC, the attackers exploited a vulnerability in the network-linked system to gain unauthorized access to its internet-side server, and then abused the system’s data synchronization function to push malicious code across to the business-side server. From there, the actors compromised a business PC with malicious code in order to steal information.

“Malicious code installed on the business PC had two C2 servers, the first of which was the business side server of the network-linked system, which acts as a gateway in the middle, while the second C2 is located on the external internet,” according to the advisory. “This malicious code was able to exfiltrate initial beacon data and download and execute encrypted payloads.” 

The malicious code on the business PC then attempted to reach the external C2 server by relaying its initial beacon from the internal server of the network-linked solution to the external server, but the solution’s security policy blocked the attempt. Had it not been blocked, large amounts of information stored on the internal network could have been exfiltrated.

The NCSC-NIS document also noted that in March, SentinelOne and Sophos widely reported that the Desktop App distributed by 3CX had been compromised and contained malware affecting both macOS and Windows. This constituted a significant global supply chain attack, and 3CX later confirmed the incident. In June, the NCSC published a malware analysis report on the macOS malware used in the 3CX supply chain attack, named Smooth Operator.

In April 2023, the NCSC published advice on its website regarding the 3CX Desktop App security issue. “The negative impact was limited because the malicious update was quickly detected by endpoint detection and response solutions. This advisory encourages organisations to follow the advice published by the vendor to uninstall the software if you are running an affected version,” it said.

As supply chain attacks can happen at any scale and at any point, a wide range of measures should be established. The NIS and the NCSC recommend implementing the mitigations relating to the supply chain life cycle, as well as management and technical security measures, to deter supply chain threats.

On the management side, organizations should raise awareness and understanding of supply chain cyber security, and provide regular cybersecurity training so that employees can recognize malicious tactics and attacks and report them. They should identify the threats to their own supply chain, prioritize them, and assess the impact if malicious cyber activity occurs, so as to eliminate blind spots. They should also map the access points to critical data, identify which staff and supplier entities hold access rights to it, and minimize those privileges.

On the technical side, organizations should install security updates promptly so that software, operating systems, and anti-virus products stay current, mitigating threats from known vulnerabilities. They should require two-factor authentication for administrative and operational logins to prevent access by unauthorized users.

The NCSC’s guidance on multi-factor authentication for online services and its Device Security Guidance provide relevant advice. The advisory also recommends monitoring network infrastructure so that the expected traffic from supply chain software applications is trusted while any anomalous traffic from those applications can be detected.
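As an added example (not code from the advisory or from either agency), the Python below turns that monitoring recommendation into a small detection pass over constructed flow-log lines: it trusts the destinations each supply chain application is expected to reach and flags anything else, and it separately flags evenly spaced connections of the kind a beacon to a C2 server produces, matching the advisory’s account of malware on a business PC that beaconed through the network-linked system’s business-side server towards an external host. The log format, hostnames, application names and thresholds are all assumptions.

```python
"""Flag anomalous outbound traffic from supply chain applications.

Added example, not part of the NCSC-NIS advisory. Log lines, hostnames and
application names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed allowlist: for each application, the destinations its
# legitimate update or synchronisation traffic is expected to use.
EXPECTED = {
    "vendor-updater": {"update.vendor.example", "cdn.vendor.example"},
    "netlink-sync": {"netlink-gw.internal.example"},
}

# Constructed flow-log lines: "<ISO time> <src host> <app> <dst host> <bytes>".
# The netlink-sync entries to 203.0.113.45 model a beacon leaving every 10 min.
SAMPLE_LOG = """\
2023-03-02T09:00:00 pc-17 vendor-updater update.vendor.example 4096
2023-03-02T09:00:05 pc-17 vendor-updater cdn.vendor.example 1048576
2023-03-02T09:10:00 pc-17 netlink-sync netlink-gw.internal.example 2048
2023-03-02T09:10:00 pc-17 netlink-sync 203.0.113.45 128
2023-03-02T09:20:00 pc-17 netlink-sync 203.0.113.45 128
2023-03-02T09:30:00 pc-17 netlink-sync 203.0.113.45 128
2023-03-02T09:40:00 pc-17 netlink-sync 203.0.113.45 128
2023-03-02T09:41:30 pc-17 vendor-updater update.vendor.example 512
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, app, dst, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "app": app, "dst": dst, "bytes": int(nbytes),
        })
    return events


def unexpected_destinations(events, expected=EXPECTED):
    """Return sorted (app, dst) pairs where an application reached a
    destination outside its allowlist. Applications with no allowlist
    entry are reported for every destination they contact."""
    hits = set()
    for e in events:
        if e["dst"] not in expected.get(e["app"], set()):
            hits.add((e["app"], e["dst"]))
    return sorted(hits)


def beaconing(events, min_count=4, max_jitter=0.1):
    """Return (src, app, dst, mean_gap_seconds) for flows that look like
    beacons: at least min_count connections whose gaps all lie within
    max_jitter (as a fraction) of the mean gap."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["app"], e["dst"])].append(e["ts"])
    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg:
            findings.append((*flow, avg))
    return findings


def analyse(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "unexpected": unexpected_destinations(events),
        "beacons": beaconing(events),
    }


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind, findings)
```

On the sample data the allowlist check reports the netlink-sync process talking to 203.0.113.45, and the interval check reports the same flow as a 600-second beacon; the two legitimate updater connections are neither unexpected nor frequent enough to be scored. In practice the allowlist would come from the vendor’s published update endpoints and the thresholds would be tuned against a baseline of normal traffic.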

Earlier this month, the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, and the Deputy Director of the Republic of Korea’s National Intelligence Service (NIS), Baek Jong-wook, signed a Memorandum of Understanding (MoU). The deal highlights the areas of collaboration between the two countries, as outlined in the bilateral Cyber Framework signed by President Joe Biden and Republic of Korea President Yoon Suk Yeol in April.
