North Korean supply chain attacks prompt joint warning from Seoul and London

The United Kingdom and South Korea issued a joint advisory warning about software supply chain attacks from North Korean (DPRK) state-linked hackers.

The advisory was published Thursday as the nations' two governments announced a new strategic cyber partnership, pledging to work together “to disrupt and deter DPRK malicious cyber capabilities and activities that contribute to its WMD programs.”

It follows several recent supply chain hacks — where a widely-used service is compromised so that the attacker can subsequently compromise the service’s users — being attributed to North Korean state-linked threat actors.

Back in July, JumpCloud — a business that provides identity and access management tools for enterprise devices —was hacked in an incident ultimately targeting cryptocurrency companies.

In March, a similar incident affecting the enterprise office phone company 3CX was allegedly perpetrated by a North Korean state-sponsored group searching for cryptocurrency.

Three incidents involving cryptocurrency companies in June — a $100 million hack of Atomic Wallet on June 2, as well as two June 22 attacks in which cybercriminals stole $60 million from Alphapo and $37 million from CoinsPaid — were conducted by North Korean government hackers, according to the FBI.

Just earlier this week, Microsoft announced it had uncovered another supply chain attack by North Korean hackers focused on espionage, ultimately attaching a malicious file to a legitimate photo and video editing application installer.

North Korea has consistently denied involvement in cyber-espionage activities and cryptocurrency heists, despite evidence presented by both United Nations researchers and prosecutors in the United States.

“In recent years, supply chain attacks from DPRK state-linked cyber actors have steadily increased in volume and have become more sophisticated,” warned the advisory from Korea’s National Intelligence Service and Britain’s National Cyber Security Centre.

“The malicious actors utilise tactics including zero-day attacks and multiple exploits to attack software supply chain products, used by a number of international organisations,” the agencies stated.

The advisory details another incident in March affecting MagicLine4NX, authentication software widely used in South Korea, which was exploited by North Korea’s Reconnaissance General Bureau for espionage purposes.

These attacks “align and considerably assist with the fulfilment of wider DPRK state priorities,” said the advisory, including “revenue generation and espionage, with the theft of advanced technologies across a range of sectors, including but not limited to defence.”

Paul Chichester, the NCSC’s director of operations, said: “In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations. … We strongly encourage organisations to follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise.”

Indictments and sanctions

Despite Pyongyang’s protestations of innocence, in 2021 the U.S. unsealed an indictment charging three North Korean hackers — allegedly employed by the country’s military intelligence services — with stealing and extorting more than $1.3 billion from financial institutions and cryptocurrency exchanges around the world.

The indictment detailed allegations about their involvement in multiple cyber activities, including the attack on Sony Pictures and the WannaCry ransomware incident.

At the time, the U.S. Assistant Attorney General John Demers said: “North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world's leading 21st century nation-state robbers. Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.”

This May, the U.S. Treasury announced sanctions on four entities that employ thousands of North Korean IT workers who help illicitly finance the regime's missile and weapons of mass destruction programs.

The department said North Korea maintains legions of “highly skilled” IT workers around the globe, primarily in China and Russia, who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.”