> The leaked dataset attributed to the “Kim” operator offers a uniquely operational perspective into North Korean-aligned cyber operations.
It's puzzling why the NORC hackers didn't use a nearest neighbor hack rather than leaving a trail of bread crumbs all the way back to Pyongyang ;)
sgnelson · 4h ago
This is interesting due to the tying of DPRK and PRC. It seems hard to say how much coordination there is between the two, but whatever it is, it appears to be greater than zero. While not necessarily surprising, I wonder if this public attribution will make it harder for the PRC to deny involvement with both the DPRK's efforts and their own.
wrp · 55m ago
Regardless of how unhappy Beijing may be with things Pyongyang does, North Korea is of such obvious strategic importance to China that they are unlikely to ever waver in their support of the regime or even try to hide it.
chasd00 · 2m ago
Anything happens to North Korea and all those starving people flood into China. I think that’s why China supports North Korea.
the_af · 46m ago
What's surprising about this? It's not dissimilar to how the US behaves towards their less than savory strategic allies (or, historically, towards dictatorships as long as they were US-aligned).
wrp · 38m ago
Not saying it should be surprising. Just trying to answer the question.
ummonk · 46m ago
I don’t see any smoking gun here that would prevent the PRC from denying its involvement in these hacking efforts.
jmyeet · 3h ago
I don't think Chinese support for NK has ever been a secret any more than the US support for South Korea has. And it's in China's backyard so they've got way more of an excuse.
And if you think that doesn't matter, look at the Monroe Doctrine [1].
Taken further, the so-called Cuban Missile Crisis should really be called the Turkey Missile Crisis. The US (through NATO) placed Jupiter nuclear MRBMs in Turkey, only hundreds of miles from Moscow. The USSR responded by doing the exact same thing, by placing nuclear weapons in Cuba. And the US almost started World War 3 over it.
It was the USSR who stepped back from the brink and, as a result of a secret agreement, the Jupiter MRBMs were quietly removed from Turkey [2].
Why is this comment downvoted? You have the right to see China, USSR and NK as immoral regimes but there's nothing non-factual here.
charonn0 · 3h ago
The topic is cybercrime and espionage, not nuclear brinksmanship or colonialism. Whatever parallels can be drawn don't seem to be very relevant, so the comment comes off as an attempt to deflect criticism.
kace91 · 3h ago
Maybe it wasn’t clear, but I think the comment is explaining the importance for superpowers of keeping their immediate surroundings politically aligned - China wants NK on their side for the same reason neither the US nor the USSR wanted nukes on their doorstep.
codpiece · 1h ago
It was still a fascinating aside, and it's not like HN stays on topic in a thread. I learned something today.
the_af · 45m ago
> The topic is cybercrime and espionage, not nuclear brinksmanship or colonialism.
Those are all closely related topics in geopolitics.
skinnymuch · 50m ago
You can’t separate colonialism and imperialism from Korea. As if any of us know what Korea would be doing if the west didn’t invade then sanction among other things.
tremon · 4h ago
> The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs.
What's the rationale for allowing the development of offensive tooling on github? Is this a free-speech thing, or are these repositories relevant for scientific research in some way?
StrauXX · 4h ago
They are heavily used in penetration tests and red teaming engagements. Banning such tools from the public just mystifies attackers' ways to defenders, while not in any way hindering serious malicious actors. We had that discussion back in the 90s and early 2000s.
freedomben · 3h ago
Agreed. Plus it's not always a clear line between offensive and legitimate usage. For many years nmap was banned on most corporate networks, but it's an invaluable tool for legitimate use too, despite being useful for offensive cases as well.
randall · 41m ago
One time I ran nmap against my dev box at Facebook. I was definitely worried someone was going to give me a stern talking-to.
laveur · 4h ago
I think they get heavily used by security researchers, and other people that do regular Penetration Testing.
awesome_dude · 34m ago
Isn't Github supposed to be blocking sanctioned countries, like Iran, and North Korea?
I think they're wondering why GitHub doesn't report these to law enforcement and their creators don't go to prison.
Not sure about US law, but in Germany, creating or possessing a hacking tool (including things like nmap) is a criminal offence.
rpdillon · 3h ago
Wait, installing nmap on your laptop from a Linux distribution's repositories is a crime in Germany?
ranger_danger · 35m ago
No, OP loves to claim almost daily how nearly everything is illegal in Germany, and never provides any sources or court cases when asked for proof, just "google it yourself" or "the German criminal code".
to11mtm · 2h ago
Not really, so long as you don't use it for anything 'bad'. i.e. if you're just running against your local network, who's gonna report it?
dwattttt · 1h ago
Surely then it's the 'use', not the 'possession' that's a criminal offence? Or is it still a criminal offence to possess it, but you're fine as long as no one finds out? Because that doesn't stop it being a criminal offence.
kace91 · 3h ago
>Not sure about US law, but in Germany, creating or possessing a hacking tool (including things like nmap) is a criminal offence.
Surely that must be wrong, are security certs not a thing in Germany?
Ugh. It does look like the wording gives some room though?
As in, it requires “preparing the commission of an offense”. Does acquiring the tool for other uses like learning or professional training help?
Or even better, shouldn’t lack of proof that the user had malicious intent be enough?
ranger_danger · 24m ago
Hard disagree, I think there is very important context missing here, notably:
> 2. computer programs for the purpose of the commission of such an offence
Big huge emphasis on "for the purpose of", meaning there must be clear intent to cause harm or break the law, especially for a criminal case. This assumes the purpose of the program is not inherently for hacking/criminal purposes, and I do not believe it would be hard to argue that nmap is not designed as a "hacking tool".
In the US you’re allowed to have pretty much whatever code you want on your computer, obviously excepting binary representations of illegal photo/video content.
How do they even enforce it? Or is it just an extra law to throw at someone already convicted of something?
esseph · 1h ago
That is fucking insane.
Basically Linux itself would be classified as a "hacking tool".
hexpeek · 1h ago
I’ve heard that in North Korea it is difficult for ordinary people to learn or own a computer. It is assumed that a small number of elite operatives are selected and trained to carry out such tasks, and it is somewhat surprising that they possess the latest technology and conduct hacking.
asdff · 1h ago
If anything, the hackers in North Korea are probably world class if the government is getting their students into focused training programs early in their schooling. Western nations have nothing equivalent due to schooling being generalist and undergrad and grad school not really introducing you to the sort of work you'd actually do on the job as a hacker. A 22-year-old western hacker for a 3-letter agency is going to have maybe a 6-month softball, tangentially related internship of experience under their belt, while the North Korean might have years and years by that point.
awesome_dude · 40m ago
> A 22-year-old western hacker for a 3-letter agency is going to have maybe a 6-month softball, tangentially related internship of experience under their belt, while the North Korean might have years and years by that point.
I was with you right up until this bit
The agencies concerned tend to recruit people that have demonstrated ability in that field, and they've usually got it with "self-directed" training :)
ummonk · 40m ago
North Korean teams tend to perform very well in coding contests, so it’s a safe bet that North Korea is quite good at nurturing a small slice of elite computing talent.
aussieguy1234 · 2h ago
That's a fairly detailed analysis of an APT workflow.
Now, non-APT actors, if they wanted to up their level of sophistication, might replicate some of these workflows for their own nefarious activities.
awesome_dude · 32m ago
There's always a risk of openness creating copycats, but there's also the fact that informed decisions can now be made by people who need to mitigate against these malicious actors.
There's no way to only give the information to one group without the other group getting their hands on it.
fragmede · 7m ago
There are levels between not sharing it with anybody and dumping it on the public web for everyone to see. There are private disclosure lists they could have used, if they wanted to.
jmyeet · 3h ago
So this is interesting from a technical perspective. Some of this infrastructure is used by pen testers and the likes, which just goes to show that there is no such thing as a defensive weapon. I'll let you ponder why that might be pertinent.
Unfortunately, it quickly turns into a discussion of how bad NK and China are and how China shouldn't support NK (because, again, they're bad).
I'll offer two words to expose the hypocrisy of this: Stuxnet, Pegasus.
[1]: https://en.wikipedia.org/wiki/Monroe_Doctrine
[2]: https://www.wilsoncenter.org/blog-post/jupiter-missiles-and-...
https://docs.github.com/en/site-policy/other-site-policies/g...
Germany appears to have a similar standard to US criminal cases where you are presumed innocent until proven guilty "beyond a reasonable doubt": https://law.stackexchange.com/questions/40966/innocent-until...