Last year, a group of US security researchers were targeted by North Korean-backed black hat adversaries. Many reported the activity to the appropriate governmental channels, scrubbed their systems of the malware payloads and moved on. However, one targeted researcher known as PX4, disappointed by what they considered an insufficient response from the US government, took matters into their own hands. What can we learn from this story?
Even the most technically competent user can be compromised.
According to Verizon’s 2021 Data Breach Report, 88% of breaches in 2021 involved a human element. The North Korean-sponsored attack took aim at an important facet of the cybersecurity community’s success: collaboration. The sharing of open source tools and high-impact techniques allows the community at large to improve its efficacy together. Rising tides raise all ships and whatnot. By chipping away at the mutual trust within the community, the black hat actors have diminished the collective power that it holds. Corporations should keep this in mind when deciding between the carrot and the stick after security awareness simulations or an actual breach. If a professional security researcher can be duped by a social engineering attack, Watkins in Marketing doesn’t stand a chance against an adversary in the wild.
Not all Federal response is equal
The US Cybersecurity and Infrastructure Security Agency (CISA) offers varying levels of assistance and protection to US groups. According to US security researcher Dave Aitel, “The United States is good at protecting the government, OK at protecting corporations, but does not protect individuals.” Should the United States be offering more assistance to individual citizens targeted by state-sponsored actors? Many of these security researchers had access to vulnerabilities, corporate networks and code repos for widely used tools, which provide the necessary ingredients for another devastating software supply chain attack. If CISA and other governmental organizations aren’t devoting the same resources to protecting individuals that they are to protecting themselves and large corporations, who is to blame if this becomes a step in the next SolarWinds-type attack?
Hell hath no fury like a person of the Internet scorned
Upon deciding that taking matters into their own hands was the right course of action for them, did PX4 halt critical infrastructure or exfiltrate sensitive data? Nope, they engaged in a campaign of mostly minor annoyance via heavily automated DoS and DDoS attacks, whose effort PX4 compares to a small to medium-sized penetration test. All jokes aside, PX4 has gathered important intelligence on North Korean vulnerabilities and has been working to mobilize other Western security researchers into taking stronger action against North Korea via the FUNK project, whose aim is to ‘keep North Korea honest. You can make a difference as one person. The goal is to perform proportional attacks and information-gathering in order to keep NK from hacking the western world completely unchecked.’