Unprecedented Announcement by FBI Implicates North Korea in Destructive Attacks

There is a curse that is purported to translate to an old Chinese Proverb - “May you live in interesting times.” These past few weeks have certainly been that. Today we have an unprecedented announcement from the US Government. For the first time they are directly linking a cyber attack to an action from a foreign government - specifically North Korea. This is distinctly different from the indictment of five PLA officers by the US Department of Justice early this year as neither the Chinese Government nor the PLA were directly accused of destruction. CrowdStrike has been tracking the actor behind these attacks under the cryptonym of Silent Chollima and has deemed them responsible for intrusions dating back to 2006. The vast majority of these attacks have been conducted against South Korea, including intrusions into their government and military systems to steal sensitive information, as well as destructive attacks against their financial and media sectors. The first major destructive attack that we detected from Silent Chollima occurred on July 4, 2009 when large DDoS attacks were launched against over thirty websites in the U.S and South Korea, including those of the White House, Pentagon, and major e-commerce and financial services companies. In the later phase of the attack, Silent Chollima actors deployed a wiper malware on thousands of machines in South Korea that resulted in large scale data deletion and temporary incapacitation of those machines.

 

For the next five years, Silent Chollima actors repeatedly launched similar data destructive attacks against South Korean businesses and government organizations. These attacks had distinct similarities with the malware used against Sony. CrowdStrike has had significant visibility into the activities of this actor and has also seen them target US Military installations in South Korea, specifically searching for keywords related to military planning on the peninsula. This event however is the first time we have observed them launching a data destructive attack against a U.S.-based organization. Another thing that makes this unprecedented is the action that the theater chains and studios are taking to suppress release and stop production of movies about North Korea. This is the first time that I can remember where a victim of a cyber attack has been forced to take an action in the physical world against their will, which sets a very dangerous precedent. You can bet that every other country, criminal group and hacktivist/terrorist organization is watching this incident very carefully and taking notes about how far you can push an organization through a data destructive cyber attack and doxing of stolen information. The fact that we have a cyber action launched by a dictatorial regime and is resulting in the suppression of free-speech in the United States of America is hugely disturbing. The big question now is what the United States and Western society are going to do in response to this outrageous attack on our liberties and way of life? Stay tuned for more information from CrowdStrike about Silent Chollima and advice on how to protect yourself from becoming the next victim of such an attack.