Supply chain attacks pose a significant threat as they can impact multiple organisations through one initial compromise. Photo by Tima Miroshnichenko/Pexels

Cyber actors linked to the Democratic People's Republic of Korea (DPRK) are employing increasingly sophisticated techniques to target global organisations through software supply chain attacks, warn the UK's National Cyber Security Centre (NCSC) and the Republic of Korea's National Intelligence Service (NIS).

In a joint advisory released on Thursday, the NCSC and NIS detailed the tactics used by DPRK state-linked cyber actors, emphasising the growing threat and complexity of such attacks.

Supply chain attacks, a method where malicious actors compromise elements of the software distribution process, have become a favoured tool for DPRK cyber actors. These attacks, often involving zero-day vulnerabilities and exploits in third-party software, allow the actors to gain access to specific targets or indiscriminate organisations through their supply chains.

The NCSC and NIS highlight that these attacks are aligned with broader DPRK-state priorities, including revenue generation, espionage and the theft of advanced technologies.

The advisory comes on the heels of a new Strategic Cyber Partnership announced between the UK and the Republic of Korea, underscoring their commitment to collaboratively addressing common cyber threats.

Paul Chichester, NCSC Director of Operations, stated: "In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations."

Growing Threat and the Need for Vigilance

Supply chain attacks orchestrated by DPRK state-linked cyber actors have steadily increased in volume and sophistication in recent years.

These actors employ tactics such as zero-day attacks and multiple exploits to target software supply chain products used by various international organisations. The NCSC and NIS highlight that these attacks significantly contribute to broader DPRK state priorities, including revenue generation, espionage and the theft of advanced technologies across sectors, including defence.

The targets of supply chain attacks can span multiple well-protected and high-profile organisations, making them an effective means of compromise. Elements vulnerable to compromise include software vendors, managed service providers and cloud providers.

Once compromised, cyber actors can launch further attacks, potentially deploying ransomware or causing system disruptions. The use of legitimate software and hardware makes these attacks challenging to detect.

The advisory provides technical details about the malicious activity, presenting case studies of recent attacks originating from the DPRK. It also offers advice on mitigating supply chain compromises, emphasising the importance of establishing effective control and oversight of supply chains.

The advisory outlines the techniques employed by DPRK state-linked cyber actors in recent supply chain attacks, shedding light on their attack flow and modus operandi. One example detailed in the advisory occurred in March 2023, where cyber actors used software vulnerabilities in security authentication and network-linked systems to gain unauthorised access to the intranet of a target organisation.

The attack involved compromising a media outlet's website and deploying malicious scripts into an article to create a watering hole.

When victims opened the compromised article on a machine running the vulnerable security authentication software, the malicious code executed and connected to a command and control server, giving the actors remote control. The actors then exploited a vulnerability in a network-linked system to spread malicious code to the business-side server, compromising it and stealing information.

The highly sophisticated attack used undisclosed vulnerabilities and legitimate functions for intrusion, demonstrating the actors' adaptability and strategic planning. The compromise of one supply chain led to the infection of another, highlighting the interconnected and cascading nature of these attacks.
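The watering hole described in the case study depends on a script injected into an otherwise legitimate article, which is something a site operator can check for. The following is an added example, not code from the advisory or from the article above: a small content-integrity check that parses a published page, compares every external script's host against an allowlist and every inline script's hash against a baseline, and reports anything that does not match. The hostnames, hashes and sample HTML are constructed for illustration.

```python
"""Added example (not from the NCSC/NIS advisory or the article):
flag script tags on a published web page that are not part of the
site's known baseline. All hostnames, hashes and the sample HTML below
are constructed for illustration only.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of src= on <script> tags
        self.inline = []         # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def inline_hash(body: str) -> str:
    """SHA-256 of an inline script body with surrounding whitespace stripped."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, site_host, allowed_hosts, baseline_inline):
    """Return (kind, detail) findings for scripts that are not in the baseline.

    kind is "external-host" when a script is loaded from a host outside
    allowed_hosts (detail is the src URL), or "inline-hash" when an inline
    script's hash is not in baseline_inline (detail is that hash).
    An empty list means the page matches its baseline.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if not host:                 # relative URL: served by the site itself
            host = site_host
        if host not in allowed_hosts:
            findings.append(("external-host", src))
    for body in collector.inline:
        digest = inline_hash(body)
        if digest not in baseline_inline:
            findings.append(("inline-hash", digest))
    return findings


# Constructed baseline for a hypothetical news site
SITE_HOST = "news.example"
ALLOWED_HOSTS = {SITE_HOST, "static.news.example"}
BASELINE_INLINE = {inline_hash('window.siteConfig = {edition: "uk"};')}

# Constructed sample: a legitimate article with two scripts that were
# not there when the baseline was taken
SAMPLE_ARTICLE = """<html><head>
<script src="https://news.example/static/app.js"></script>
<script src="/static/analytics.js"></script>
<script>window.siteConfig = {edition: "uk"};</script>
</head><body>
<h1>Article</h1>
<script src="https://cdn-attacker.invalid/loader.js"></script>
<script>/* constructed: not in baseline */ fetch("https://cdn-attacker.invalid/beacon");</script>
</body></html>"""


def scan_sample():
    """Run the check over the constructed sample page."""
    return find_unexpected_scripts(SAMPLE_ARTICLE, SITE_HOST, ALLOWED_HOSTS, BASELINE_INLINE)


if __name__ == "__main__":
    for kind, detail in scan_sample():
        print(f"{kind}: {detail}")
```

Run periodically against the live site (or against the rendered output of the CMS), the check reports two findings for the sample page and nothing for a page that matches its baseline. The baseline has to be rebuilt whenever legitimate scripts change, so in practice it is tied to the site's deployment process rather than maintained by hand.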

The advisory concludes with a call to action, emphasising the need for organisations to implement security measures to reduce the risk of compromise.

Organisations are urged to follow the mitigations outlined in the advisory and to refer to the NCSC's supply chain security guidance for effective control and oversight.