US, China talk cyber espionage, the North Korea problem


In this April 6, 2017, photo, Secretary of State Rex Tillerson, left, walks with Chinese president Xi Jinping at the Palm Beach International Airport in West Palm Beach, Fla. Lambasted for his low-key diplomacy, Tillerson is emerging from the shadows with his leading public role in shaping and explaining the Trump administration's missile strikes in Syria. He now takes on an even higher-profile mission, heading to Moscow this week under the twin clouds of Russia’s alleged U.S. election meddling and its possible support for a Syrian chemical weapons attack. (AP Photo/Lynne Sladky)

President Donald Trump met with Chinese President Xi Jinping on April 6 and 7 in Mar-a-Lago, Florida, with a host of tricky issues on the agenda.

Secretary of State Rex Tillerson, in a closed briefing with reporters in Florida on Friday, said President Trump “raised serious concerns about the impact of China’s industrial, agricultural, technology and cyber policies on U.S. jobs and exports.”

In announcing a new “U.S.-China Comprehensive Dialogue,” Tillerson said, “it will have four pillars: The diplomatic and security dialogue; the comprehensive economic dialogue; the law enforcement and cybersecurity dialogue; and the social and cultural issues dialogue.”

The conceptual grouping of cybersecurity with law enforcement, rather than with diplomatic and national security, is significant within the context of the talks. The grouping reflects the fact that U.S.-China cyber tensions revolve primarily around China’s commercial and industrial cyber espionage and intellectual property theft, rather than nation-state cyberwar.

After the 2013 release of the U.S. IP Commission Report, which alleged Chinese state hackers were involved in stealing $300 billion worth of U.S. intellectual property annually, the Obama administration began to publicly criticize Chinese cyber espionage against U.S. organizations, while trying to formalize agreements to cease activities.

In May 2014, the U.S. charged five Chinese military hackers for cyber espionage, marking the first time criminal charges had been leveled against nation-state hackers. The following year, the U.S. and China agreed to an anti-hacking pact.

The latest round of U.S.-China talks occurred amid new allegations of ongoing Chinese cyber espionage against commercial and government websites in the U.S., U.K. and Japan.

Cybersecurity company Fidelis published a report on Thursday – the day Xi arrived in Florida – that claimed, in February, malware had been planted on the “Events” page of the U.S. National Foreign Trade Council, a lobbying group. Fidelis wrote in a blog post:

The malware we observed has been used exclusively by Chinese nation-state threat actors in our observation and according to previously published research. Based on our observations, we estimate that it is highly probable that this activity – which we’re calling ‘Operation TradeSecret’ – targeted key private-sector players involved in lobbying efforts around United States’ foreign trade policy.

APT 10, the alleged Chinese threat actor behind Operation TradeSecret, was also accused last week of carrying out Operation Cloud Hopper, which PwC and BAE Systems described as “what is thought to be one of the largest ever sustained global cyber espionage campaigns.”

But continuing concerns about China’s cyber espionage likely fell lower on the agenda than the topic of China’s defiant neighbor North Korea, whose actions have grown increasingly erratic and brazen in recent months.

Much of the attention lately has been on North Korea’s continuing missile tests and the strange circumstances surrounding the death of North Korean leader Kim Jong Un’s estranged half-brother, Kim Jong Nam, who was poisoned with VX nerve agent at Kuala Lumpur International Airport in February.

While the contours of China’s relationship with North Korea were shaped decades ago, relations between the countries are reportedly strained right now. A Beijing-based writer for The Economist noted just before the U.S.-China meeting, “Xi is widely thought to be furious at Kim” for the assassination of Kim’s brother, who was living in the Chinese special administrative region of Macau and under Chinese protection when he was murdered.

North Korea Shifting Cyber Operations

Despite the more prevalent media coverage of missile tests and assassination intrigue, North Korea’s cyber army – estimated by Cho Hyun Chun, chief of South Korea’s Defense Security Command, to number about 6,800 in 2016 – remains quietly active, according to recent reports by cybersecurity companies Kaspersky Lab and Symantec. The companies independently reported that North Korea appears to be shifting its cyber operations, which have historically focused on espionage and sabotage, toward financially motivated theft.

Perhaps spurred by growing economic strain – from U.N. sanctions and China’s recent embargo on imported North Korean coal – the hermit kingdom has allegedly ramped up its hacking for financial profit.

North Korea’s cybercriminal activity is not altogether new. Yu Dong Yeol, director of the Korea Institute of Liberal Democracy in Seoul, told a security conference in July 2016 that North Korea generates over $860 million in annual revenue from cybercrime, including online gambling, fraud and blackmail.

But financially motivated hacks are occurring more frequently, cybersecurity experts warn. Symantec said over 100 organizations in 31 countries had been targeted by North Korea since October 2016.

The Lazarus Group Never Died

Many of North Korea’s cyber operations are believed to be carried out by a threat actor dubbed Lazarus Group, which has been known to be active since at least 2009. From 2009 to 2011, the group conducted a prolonged cyber espionage campaign – interspersed with periodic cyberattacks against South Korea’s government – called Operation Troy, according to a 2013 McAfee report.

In February 2016, a consortium of cybersecurity companies led by Novetta (and including AlienVault, Kaspersky, Symantec and ThreatConnect) published research entitled, Operation Blockbuster. The investigation aimed to identify the threat actor behind the 2014 Sony Pictures Entertainment hack, which the FBI has attributed to North Korea. (After the Sony hack, a group calling itself Guardians of Peace claimed credit, but security researchers believe Guardians of Peace and Lazarus Group are the same threat actor.)

Operation Blockbuster identified Lazarus Group as the culprit of the Sony hack and analyzed 45 distinct families of malware employed by the group over several years. The analysis included malware used in 2009’s distributed denial of service (DDoS) attacks on South Korea and subsequent cyber campaigns, including Ten Days of Rain and March 2013’s infamous Dark Seoul cyberattack.

According to recent reports by Symantec and Kaspersky, Lazarus Group appears to be spearheading recent cyberattacks motivated by financial profit. Kaspersky said its research shows the group’s four primary target categories are financial institutions, casinos, financial technology companies and crypto-currency businesses.

Hacking for Profit

Perhaps the most infamous financial cyber heist to date was conducted on the Central Bank of Bangladesh in February 2016, in which a threat actor stole $81 million through the interbank financial messaging system SWIFT (Society for Worldwide Interbank Financial Telecommunication).

Kaspersky and Symantec have independently reported on emerging forensic evidence, which researchers said increases their confidence that Lazarus Group conducted the Bangladesh cyber heist. Symantec’s Eric Chien, a security researcher, said if North Korea was behind the hack, it would mark “a first” for a nation-state stealing money from the international banking system.

More recently, in February 2017, the website of the Polish Financial Supervision Authority (PFSA), Poland’s financial sector regulatory body, was discovered to be compromised as part of a watering hole attack. Security researchers at Bad Cyber reported that PFSA’s site appears to have been compromised from October 2016 to February 2017, with several Polish banks’ employees affected.

Symantec and Kaspersky later reported independently that the cyberattack was part of a broader campaign against financial institutions globally.

Based on its investigations into the Polish banks cyberattack, Symantec said in March that four “tentative links” to the threat actor Lazarus Group had been discovered. The first link was the identification of a backdoor (Downloader.Ratankba) previously attributed to Lazarus Group. The backdoor downloaded a version of HackTool that possessed “distinctive characteristics shared with malware previously associated with Lazarus,” which was the second link, Symantec wrote.

Symantec established the third link when a victim of the Polish banks cyberattacks submitted a disk-wiping malware (Backdoor.Destover) sample discovered on a compromised system. The disk wiper had been used in the Sony hack and has been associated with Lazarus Group.

The fourth link included a unique trait (“del /a %1”) found in Downloader.Ratankba, which Symantec said has been “identified in multiple malware families linked to Lazarus, including Backdoor.Joanap and Backdoor.Destover.”
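The fourth link is a string-level artifact: `del /a %1` is a fragment of a Windows batch self-delete routine, where `%1` is the script’s first argument (the path of the dropped executable) and `/a` deletes it regardless of file attributes. The kind of cross-sample check that surfaces such overlaps can be reproduced in a few lines. The following is an added example, not code from Symantec’s report or from this article; only the `del /a %1` indicator comes from the report, while the sample bytes, the other two indicator strings and the family labels attached to them are constructed for illustration.

```python
"""
Scan sample contents for shared string artifacts and report which families
share them, mirroring the reasoning behind Symantec's "fourth link".

Only the "del /a %1" indicator comes from Symantec's report. The sample
bytes and the other two indicators are constructed and are not real malware.
"""
from collections import defaultdict

# "del /a %1" is the batch self-delete fragment cited by Symantec. The other
# two entries are hypothetical placeholders included to show that an
# indicator found in only one family is not evidence of a link.
INDICATORS = {
    "batch_self_delete": b"del /a %1",
    "fake_mutex_name": b"Global\\ExampleMutex",   # constructed
    "fake_c2_path": b"/board/view.php?id=",       # constructed
}


def encodings(needle: bytes):
    """Yield (label, bytes) for a needle as ASCII and as UTF-16LE.

    Windows binaries frequently store strings as wide characters, so an
    ASCII-only search misses a large share of real hits.
    """
    yield "ascii", needle
    yield "utf-16le", needle.decode("ascii").encode("utf-16-le")


def match_indicators(sample: bytes, indicators=INDICATORS):
    """Return {indicator_name: encoding} for every indicator found in a sample."""
    found = {}
    for name, needle in indicators.items():
        for label, encoded in encodings(needle):
            if encoded in sample:
                found[name] = label
                break
    return found


def shared_artifacts(samples, indicators=INDICATORS):
    """Map each indicator seen in more than one family to the families sharing it.

    `samples` is {family_label: bytes}. An indicator that appears across
    families is a candidate link of the kind Symantec described; one seen in
    a single family tells you nothing about relationships between families.
    """
    seen = defaultdict(set)
    for family, blob in samples.items():
        for name in match_indicators(blob, indicators):
            seen[name].add(family)
    return {name: sorted(fams) for name, fams in seen.items() if len(fams) > 1}


# Constructed sample contents (not real malware). One carries the string as
# plain ASCII, one as UTF-16LE, and one carries no indicator at all.
SAMPLES = {
    "Downloader.Ratankba": b"MZ\x90\x00" + b"@echo off\r\n:R\r\ndel /a %1\r\n" + b"\x00" * 8,
    "Backdoor.Destover": b"\x00" * 4 + "del /a %1".encode("utf-16-le") + b"Global\\ExampleMutex\x00",
    "Unrelated.Sample": b"MZ\x00\x00hello world\x00/index.html\x00",
}

if __name__ == "__main__":
    for family, blob in SAMPLES.items():
        print(f"{family}: {match_indicators(blob)}")
    print("shared across families:", shared_artifacts(SAMPLES))
```

A hit on one short string is, as Symantec’s own wording (“tentative links”) signals, a lead rather than proof: batch self-delete stubs are common across unrelated malware, which is why the report stacks this artifact with the shared downloader, the HackTool characteristics and the Destover wiper before drawing a conclusion.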

Discovery of the Bluenoroff Subgroup: Lazarus’s ‘Field Engineers’

On April 3, Kaspersky published new details on what it believes to be a special-mission subgroup within Lazarus, which it has dubbed Bluenoroff. Kaspersky wrote:

[Lazarus Group’s] interest in financial gain is relatively new, considering the age of the group, and it seems that they have a different set of people working on the problems of invisible money theft or the generation of illegal profit. We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations, while a substantially smaller unit within the group, which we have dubbed Bluenoroff, is responsible for financial profit.

In its report, Kaspersky details Lazarus Group/Bluenoroff’s tactics, techniques and procedures (TTPs). In particular, Kaspersky noted the use of code obfuscation techniques, custom algorithms, commercial software protectors and custom and underground packers.

Lazarus/Bluenoroff goes to great lengths to remain stealthy, often hiding exploit code in Microsoft Windows dynamic-link libraries (DLLs) or registry values. The group often encrypts and password-protects its tools to prevent their detection or use by others.

By employing multi-step hacks, which usually entail “rudimentary” code in the first step to establish backdoors, the group can further surveil the target’s network environment, detect defensive technologies and move laterally across systems and subnets – all while protecting its most valuable exploit code from detection.

If network reconnaissance reveals an environment ripe for a financial cyber heist, then specialized TTPs are called upon, and for those, Kaspersky wrote, Lazarus turns to Bluenoroff:

Bluenoroff, being a subgroup of Lazarus, is focusing on financial attacks only. This subgroup has reverse-engineering skills because they spend time tearing apart legitimate software and implementing patches for SWIFT Alliance software, in attempts to find ways to steal big money. Their malware is different, and they aren’t exactly soldiers that hit and run. Instead, they prefer to make an execution trace to reconstruct and quickly debug the problem. They are field engineers that come when the ground is already cleared after conquering new lands.

Despite extensive efforts to prevent detection, Lazarus has been observed to continually update its TTPs, leading Kaspersky to describe the group as a “malware factory,” suggesting significant expertise, discipline and resources.

Kaspersky called the scale of Lazarus’s cyber operations “shocking” and warned the group “is not just another APT actor.”

U.S.-China Talks: No Formal Agreements, ‘Very Constructive Tone’

It was unlikely the U.S. and China would formalize any new agreements on cyber, North Korea or any other items on the broad agenda for the two administrations’ opening talks – especially given the parties’ different strategic objectives for dealing with North Korea.

Tillerson confirmed as much, characterizing the talks on North Korea as “wide-ranging, very comprehensive and more focused entirely on both countries’ previous commitments to denuclearize the peninsula.” Tillerson added, “There was no kind of a package arrangement discussed to resolve this.”

Former U.S. Secretary of State Henry Kissinger – who negotiated directly with China during the Nixon and Ford administrations, advised on China over subsequent decades and has written numerous books, including On China – effectively contrasted the philosophies and styles of Chinese and American negotiators likely on display during the latest talks.

Kissinger noted that Chinese negotiators often “use diplomacy to weave together political, military and psychological elements into an overall strategic design.” In contrast, America views diplomacy as distinct from military, “in essence, separate phases of action.”

Chinese negotiators are often more conceptual than concrete – especially in contrast to the transactional approach of Western businessmen like Trump and much of his Cabinet. Whereas “American diplomacy generally prefers the specific over the general, the practical over the abstract,” Kissinger noted, “Diplomacy to [the Chinese] is the elaboration of a strategic principle.” Indeed, sounding almost like how Kissinger might summarize the Chinese conceptual viewpoint on the first round of talks, Tillerson said the discussions “established a new high-level framework for negotiations.”

Chinese negotiators, Kissinger observed, “have no emotional difficulty with deadlocks. They patiently take the long view against impatient interlocutors, making time their ally.” In contrast, American negotiators often feel “an obligation to break deadlocks with new proposals, unintentionally inviting new deadlocks to elicit new proposals,” which Kissinger noted can lead to tactics that “can be used by determined adversaries in the service of a strategy of procrastination.”

Kissinger characterized traditional Chinese strategy as subtle, indirect and focused on “the patient accumulation of relative advantage” – a striking contrast to Trump’s sometimes brash, always direct and seemingly spontaneous approach to strategic decisions.

There were bound to be tensions between Trump and Xi, given Trump’s past criticisms of China. The tension was likely heightened by news of the U.S. bombing a Syrian air base during a dinner hosted by Trump on Thursday. China was one of four nations – along with Russia, Iran and North Korea – that criticized the U.S. airstrike; Chinese Foreign Ministry Spokesperson Hua Chunying responded by urging “a political settlement of the Syrian issue.”

Some have argued the Syria bombing was, in part, a strategic decision to send a message to China and North Korea, as well as Syria, an act that would illustrate Kissinger’s observation that American “Military action is viewed as occasionally creating the conditions for negotiations.”

Yet, with so much at stake and no agreement, Tillerson summarized the talks by focusing on tone:

The chemistry between the two leaders was positive. … And I would tell you the exchanges were very frank. They were candid, they were open and they were very positive. So I think all of us are feeling very good about the results of this summit in terms of what it did for setting a very constructive tone going forward.

In the absence of a comprehensive strategy for deterring North Korea, the U.S. could continue cyber and electronic warfare to try to disrupt the hermit kingdom’s unabashed ambition to sabotage U.S. networks and to hit the U.S. mainland with a nuclear warhead.