The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy and 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk-wiping attack from 4 July 2009 have with WannaCry, one of the largest cyber attacks in the history of the cyber sphere?
From the Mydoom variant Brambul, to the more recent FallChill, WannaCry, and targeting of cryptocurrency exchanges, there is a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor. Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them. North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal. In this session, attendees will view never-before-seen code analysis illustrating key similarities between samples attributed to North Korea, a shared networking infrastructure, and other revealing data hidden within the binaries. All of these puzzle pieces will be put together to illustrate the connections between the many attacks attributed to North Korea and to categorize different tools used by specific teams of their cyber army.