North Korean Actors Spear Phish U.S. Electric Companies
FireEye, Threat Research
October 11, 2017
FireEye can confirm that FireEye devices detected and stopped spear
phishing emails sent on Sept. 22, 2017, to U.S. electric
companies by known cyber threat actors likely affiliated with
the North Korean government. This activity was early-stage
reconnaissance, and not necessarily indicative of an imminent,
disruptive cyber attack that might take months to prepare if it
went undetected (judging from past experiences with other cyber
threat groups). We have previously detected groups we suspect
are affiliated with the North Korean government compromising
electric utilities in South Korea, but these compromises did not
lead to a disruption of the power supply.
We have not observed suspected North Korean actors using any
tool or method specifically designed to compromise or manipulate
the industrial control systems (ICS) networks that regulate the
supply of power. Furthermore, we have not uncovered evidence
that North Korean-linked actors have access to any such
capability at this time.
Nation-states often conduct cyber espionage operations to gather
intelligence and prepare for contingencies, especially at times
of high tension. FireEye has detected more than 20 cyber threat
groups suspected to be sponsored by at least four other
nation-states attempting to gain access to targets in the energy
sector that could have been used to cause disruptions. The few
examples of disruptions to energy sector operations being caused
by cyber operations required additional technical and
operational steps that these North Korean actors do not appear
to have taken, nor have they shown the ability to take.
In December 2014, the South Korean Government reported that
nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP)
were targeted with wiper malware, potentially linked to North
Korean actors. This incident did not demonstrate the ability to
disable operations. Instead, sensitive KHNP documents were
leaked by the actors as part of an effort to exaggerate the
access they had and embarrass the South Korean Government, a
technique we assess North Korea would turn to again in order to
instill fear and/or meet domestic propaganda aims.
So far, the suspected North Korean actions are consistent with a
desire to demonstrate a deterrent capability rather than a
prelude to an unprovoked first strike in cyberspace; however,
North Korea-linked actors are bold, have launched multiple cyber
attacks designed to demonstrate national strength and resolve,
and have little concern for potential discovery and attribution
of their operations. They likely remain committed to pursuing
targets in the energy sector, especially in South Korea and
among the U.S. and its allies, as a means of deterring potential
war or sowing disorder during a time of armed conflict.
The number of nation-states developing the capability to disable
the operations of power utilities has increased in recent years.
For North Korea, even limited compromises of power companies
would probably be exaggerated and hailed as a victory by
North Korea-linked hackers are among the most prolific
nation-state threats, targeting not only the U.S. and South
Korea but the global financial system and nations worldwide.
Their motivations vary from economic enrichment to traditional
espionage to sabotage, but all share the hallmark of an
ascendant cyber power willing to violate international norms
with little regard for potential blowback.