Reports of malware campaigns invariably focus on two critical conclusions: attribution and who was the intended target of the attack. It is challenging to draw swift conclusions on the former, due to the use of false flags designed to divert attention from the true source of the attack.
Those swift conclusions are modified as more information becomes available, and it is much later before we achieve transparency on the campaign. Whilst this is a challenge it doesn’t of course prevent considerable discussion and publication of theories.
A recent publication from McAfee and Intezer details significant research into malware campaigns that are suspected of originating in North Korea. The analysis looked into possible connections. The following graphic is a high-level overview of these connections between specific malware families or hacking tools. Thicker lines denote more frequent connections.
This graphic demonstrates clear links. Certain connections may be significant, while other campaigns or tools have less in common.
Connecting the dots
The research shows that the reuse of code goes back as far as 2009. The WannaCry ransomware/pseudo-ransomware family from 2017 has code samples observed in Mydoom in 2009. Other examples include connections between Operation Troy and Dark Hotel, as well as other malware campaigns.
Not all examples focused on campaigns attributed to the Lazarus group. Code appearing in the NavRAT and Gold Dragon malware families, as well as a campaign targeting the South Korean gambling industry, were attributed to Group 123. This research shows that these three campaigns are much closer to one another than we previously thought.
What does this mean?
We can see that 2009 was a significant year in terms of capability for the adversary/advesaries, with so much of the original code reappearing in later campaigns. It is imperative that cooperative work such as this combined analysis continues so that we understand the evolution of these adversaries.
The security community needs to avoid the traditional approach of quickly determining attribution based on initial indicators. We must focus on a more scientific approach to understand where attacks originate. The security industry is quick to create elaborate names to label specific threat actor groups, which implies these groups are working independently to fulfil their strategic objectives.
This research from Intezer and McAfee suggests such independence may not be accurate; the elaborate groups appear to be more collaborative than we thought. We often talk about the security industry to work closer together and whilst initiatives such as No More Ransom, Cyber Threat Alliance, and others are a tremendous start what is clear is that more is needed to combat adversaries that are innovating and investing on further destructive attacks.