Targeted threat

Hit-and-hope generic cyber attacks are being usurped by highly targeted sniping on academic institutions with specific departments. Zeki Turedi finds out who is in the crosshairs.

In 2018 academic institutions suffered extreme targeting from what the cybersecurity industry calls ‘threat actors’, AKA the bad guys. Over the past year academia, alongside the technology and energy sectors, saw dramatic increases in one particular type of attack: malware-free attacks.

This is driven by academic institutions’ valuable IP and research, and exacerbated by the reality that many such organisations have historically had ‘relaxed’ IT security postures, providing adversaries with opportunities to easily build malicious network intrusions, and inadvertently facilitating attacks simply by focusing on other areas.

It is interesting to note that universities with a Korean relations department were even more likely to be hacked. And that doesn’t stem from random chance – it’s because one particular threat actor, a nation state, has been particularly active in attacking the academic sector.

Ricochet Chollima
In the first half of 2018, adversaries based in the Democratic People’s Republic of Korea (DPRK or North Korea) leveraged the technology sector in order to enable further malicious efforts targeting entities associated with the think tank, government and humanitarian sectors. Ricochet Chollima has been extremely active targeting the Republic of Korea (ROK or South Korea), particularly the government, military, think tank, media and academic sectors, as well as defectors from DPRK. CrowdStrike intelligence expects this adversary to continue to be active against this target scope in the near term. In the mid to long term, it is possible that Ricochet Chollima may widen focus to include other countries and verticals of strategic relevance to the DPRK.

Since initial discovery, an array of tools has been uncovered and linked to this adversary, showcasing a well-resourced team in both implant development and intrusion operations. Since 2016, Ricochet Chollima has leveraged exploits (including zero-day exploits: those which are unknown even to software creators) against Adobe Flash and Hangul Word Processor (HWP) applications in operations that used both strategic web compromise and targeted spear phishing campaigns. The actors’ range of implants uses novel command-and-control mechanisms such as cloud services, social media platforms and webmail services.




This activity appears to be targeting individuals and organisations within the ROK that have interests in DPRK-ROK relations and policy. Ricochet Chollima was last active recently, in the spring of 2019.

Another DPRK adversary that is active across a wide variety of industries, including academia, is Velvet Chollima. This adversary has been involved in espionage operations via spear phishing efforts since at least 2012. Although full victim scope is unknown, Velvet Chollima appears to have primarily focused efforts on targeting the ROK using Korean-language lure documents associated with government policy, military and Olympic-interest themes. More recently, this adversary has been observed targeting academia and think tanks in the US.

While this adversary appears to be primarily focused on espionage operations, it remains very active – its last known cyber behaviour was also in the spring of 2019.

Velvet Chollima
Velvet Chollima is an adversary with a high ‘ops tempo’, and a previously observed target scope that appeared to be heavily focused on South Korean government and military sectors. It is highly likely that the targeting throughout 2018 of Asia and DPRK policy experts in global academic and think tank sectors supports these cyber espionage efforts.

Neither public disclosure of DPRK-based adversary activity, nor the multiple diplomatic overtures between the DPRK and countries including the US, China, Russia and South Korea appear to have decreased the pace of DPRK’s malicious cyber activity. In some cases, diplomatic activity appeared to motivate an increase in DPRK operations. For example, preceding the historic summit between US president Donald Trump and DPRK leader Kim Jong-Un, CrowdStrike intelligence observed an overall increase in targeted intrusion activity associated with adversaries based on the Korean peninsula, including Silent Chollima, Labyrinth Chollima and Velvet Chollima.

The long-running campaigns of Velvet Chollima and Ricochet Chollima appear to be focused on acquiring information regarding Korea-related diplomatic concerns, US and South Korean policy decisions, and analysis on the denuclearisation of the Korean peninsula.


Ricochet Chollima appears to support espionage efforts targeting inter-Korea issues such as defectors, unification and denuclearisation. Notable activity from this adversary in 2018 includes zero-day use of the CVE-2018-4878 Adobe Flash exploit. It has displayed a medium-rate ops tempo.

Silent Chollima and Labyrinth Chollima are not focused on academic institutions; their campaigns focus on the government, military and financial networks in South Korea, and on the financial and technology/engineering sectors, respectively.

Implications for the academic sector
The destructive Sony Pictures cyber attack in 2014 showed the world that years in isolation refining its cyberwar capabilities had paid off for the DPRK in the form of an army of skilled hackers, controlled by a leader with the will to conduct offensive cyber operations on an international scale. In 2016, the DPRK announced a new five-year plan to improve its economy and standing in the world, and since then has frequently turned to its strength in cyberspace to level the geopolitical playing field and prop up its struggling economy.

With roughly 18 months left for the DPRK to achieve the strategic goals outlined in its five-year plan for economic development, the intersection of cyberwarfare and geopolitics on the Korean peninsula and across the world is a busy and dangerous place, with academic institutions in the firing line.

In 2019, targeted intrusion adversaries will continue to conduct campaigns as part of their nation state’s national strategies. China, Russia, Iran and the DPRK are seeking geopolitical prominence, both in their respective regions and internationally, and they will use their cyber capabilities to attain and maintain situational awareness of their neighbours and rivals. Entities in the government, defence, think tank, NGO and academic sectors will continue to be the targets of these operations.

Because of the threat from heavy targeting by malware-free threats, academic institutions will benefit from aggressively strengthening defences to address these more sophisticated, modern attacks.

Strengthen the defences
The basics of user awareness, asset and vulnerability management, and secure configurations continue to serve as the foundation for a strong cybersecurity programme. We recommend that organisations regularly review and improve their standard security controls, including:

● User awareness programmes should be initiated to combat the continued threat of phishing and related social engineering techniques, such as 2018’s massive Emotet outbreak.
● Asset management and software inventory are crucial to ensuring that organisations understand their own footprint and exposure.
● Vulnerability and patch management can verify that known vulnerabilities and insecure configurations are identified, prioritised and remediated.
● Multi-factor authentication (MFA) should be established for all users because today’s attackers have proven to be adept at accessing and using valid credentials, leading quickly to deeper compromise – also, MFA makes it much more difficult for adversaries to gain privileged access.
● In addition to MFA, a robust privilege access management process will limit the damage adversaries can do if they get in, and reduce the likelihood of lateral movement.
● Implement password protection to prevent disabling or uninstalling endpoint protection that provides critical prevention and visibility for defenders – also, disabling it is always a high priority for attackers looking to deepen their foothold and hide their activities.

As sophisticated attacks continue to evolve, enterprises face much more than just ‘a malware problem’. Defenders must look for early warning signs that an attack may be underway, such as code execution, persistence, stealth, command and control, and lateral movement within a network. Contextual and behavioural analysis, when delivered in real time via machine learning and artificial intelligence, effectively detects and prevents attacks that conventional ‘defence-in-depth’ technologies cannot address.

Pursue the ‘1-10-60 rule’ in order to effectively combat sophisticated cyber threats: detect intrusions in under one minute, perform a full investigation in under 10 minutes and eradicate the adversary from the environment in under 60 minutes.

Organisations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads from its initial entry point, minimising impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.


Zeki Turedi is a technology strategist at CrowdStrike: www.crowdstrike.com