Unidentified Leak Paths Led to Successful Hack of South Korean Military by North Korea – Part 1

October 17, 2017 4:23 pm korea_dmz-svg_

According to ABC News, the recent breach of South Korean classified systems holding joint South Korean-US military files were attributed to missed leak paths between the intranet and internet. These leak paths were used by North Korean hackers, operating out of China, to steal classified data. North Korea used malware that originally was hidden inside a commercially known anti-virus solution used by a contractor to compromise these classified systems and exfiltrate data across these leak paths. The initial compromise was executed in September last year and the leak path established at that time went undetected, while South Korean and U.S. military secrets were progressively stolen. According to the Wall Street Journal, “South Korean officials [were caught] off guard, the people said, because it occurred within a military intranet believed to have been cut off from the internet…”

Leak Paths Are Central to Most of Today’s Successful Breaches

Perimeter defenses are well-tested protective elements that have been used for thousands of years. Instead of protecting each house in a city against invaders, walls were built around the city, and well-guarded gates controlled access to the city. Often, there were lesser entry points through the walls, for convenience or special uses. These included “postern gates,” which were small entrances far from the main gates. There are numerous tales of cities that fell because their perimeter defenses were subverted by these little known entry points. Spies on the inside, who find these long-forgotten “postern gates”, provide an entry point for covert operations and that is exactly what happened in this case.

These unknown or unauthorized entry points are leaks – a means to malicious or unauthorized entry across the network perimeter. Firewalls and intrusion detection systems serve as gatekeepers to defend the network; nevertheless, circumvention can and does happen. Unlike data leaks, which represent the egress of sensitive information from an organization’s control, Internet leaks are unrestricted pathways into and/or out of an organization’s network perimeter. Malicious attackers use these paths to infiltrate networks, compromise endpoints, shuttle additional malware, install encryption software for ransomware, move laterally to find sensitive data, and even take over additional systems through more infections. According to a Ponemon Institute and an IBM survey enterprise losses from attack activities, which use worms, viruses, spyware, and other attack vectors, average $3.6M annually in 2017. If one includes additional recovery and reputation costs, that figure grows even larger.

Core of the Problem

Continuous changes to the network landscape, including infrastructure, operating systems, and applications can cause organizational security policy and network defense configuration to become misaligned, contributing to a proliferation of leaks. And it only takes one leak to allow malicious intrusion into a network.

Proactive identification of leaks and exposed network zones allows effective prioritization of remedial resources to prevent network subversions. When combined with the other aspects of a comprehensive Network Assurance program, real-time leak discovery can be a powerful mechanism for comprehensively protecting an organization’s network.

In Part 2 of this two-part series, we’ll cover the differences and implications of inbound versus outbound leak paths. While it may not seem obvious, an inbound leak path is often the precursor to an outbound leak and more indicative of a breach attempt. In addition, we’ll cover some recommendations in proactively identifying leak paths and segmentation violations.

In the meantime, visit http://www.lumeta.com/spectre to see how Lumeta can help detect leak paths and segmentation misconfigurations and violations. You can also contact us here! Until then, we’ll have part two later this month, so stay tuned!