The United Nations panel enforcing trade sanctions against North Korea has been hacked repeatedly by a “nation-state actor,” compromising the email accounts of four current or former members of the panel and a “considerable number” of email messages, according to a U.N. incident report.
The Post reviewed a heavily redacted draft of a forthcoming report from the U.N. Panel of Experts that includes the U.N. account of the attack.
The documents do not disclose the nature of the information that the hackers acquired. But members of the panel routinely review secret intelligence analyses of the smuggling operations propping up the regime of leader Kim Jong Un.
North Korea smuggles goods into and out of the country to evade the United Nations sanctions, which limit trade and are aimed at undermining the North Korean economy and halting the country’s nuclear weapons efforts. The panel's work is aimed at identifying the smuggling so that it may be stopped.
“The panel continues to be targeted by a sophisticated hacking campaign,” according to the U.N. report expected to be released later this month.
North Koreans have been implicated in numerous hacks around the globe, but the redacted version of the account of the incident does not identify the nation-state behind the attack. Some elements of the attack had been previously reported.
A report earlier this month from FireEye, a California-based cybersecurity firm, described a North Korean cyberespionage group known as APT37 (Reaper) that appears to be working on behalf of the North Korean government. Among its targets was an entity associated with the United Nations missions on sanctions and human rights.
John Hultquist, director of intelligence analysis at FireEye, cautioned that he has no information directly linking the attack on the U.N. panel to APT37.
But “on several occasions, we’ve seen countries leverage their cyberespionage capabilities to surveil organizations and people who are involved in sanctions,” Hultquist said. “We’ve been tracking this group for a few years now. Their targeting is overwhelmingly focused on North Korean interests — on defectors, on sanctions and on organizations involved in the reunification of Korea. They’ve also made mistakes that allowed us to see their Internet addresses — in North Korea.”
It can be difficult to identify the source of hacks, however. For example, U.S. intelligence officials say that a hack at the Olympics in PyeongChang was conducted by Russian military spies but was disguised to appear as if it had been perpetrated by North Korea. North Korean officials have previously denied hacking the U.N. group.
The report gives a fuller sense of the extent of the attacks against the U.N. than was previously available.
In May, Reuters reported that an email alert at the U.N. said that hackers had breached the computer of one of the panel members and that “hackers have very detailed insight into the panel’s current investigations structure and working methods.” And in a footnote to a September report, the U.N. group said that persistent hacking had “hampered the ability of the Panel to report on the implementation of sanctions.”
The new information in the report identifies the hackers as a “professionally operating” group from a nation-state and provides details regarding their methods and the extent of the attack.
The U.N. incident report also indicates that the attack appears to have begun with a tactic known as “spear-phishing.” Victims received forged email messages with file attachments. Those attachments were made to appear like legitimate documents, according to the report, making it more likely that recipients would open the files — and expose themselves to risk.
The panel members were using Microsoft’s Office 365 software, and after an investigation by Microsoft, the company reported to the United Nations that it associated the attack with a “nation-state.”
“The incident resulted in the compromise of four email accounts of current or former members of the DPRK panel,” according to the U.N. incident report. “A considerable number of email messages had been forwarded to external accounts that were presumably created for this specific purpose.”
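The forwarding of mail to external accounts described in the incident report is something a mailbox administrator can check for directly. The following is an added example for defenders, not code from the article, the U.N. panel or Microsoft: it scans a list of inbox-rule records, in the shape an Exchange Online inbox-rule export typically exposes (mailbox, rule name, forward and redirect targets, whether the rule also deletes the message), and flags every enabled rule whose target lies outside the organisation's own domain. The domain `panel.example.org`, the addresses and the rules themselves are constructed for the example.

```python
"""Flag mailbox inbox rules that auto-forward to external addresses.

Added example; the internal domain, addresses and rules below are constructed
and do not come from the article or the U.N. incident report.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumed organisation domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"panel.example.org"}


@dataclass
class InboxRule:
    """One mailbox rule, mirroring the fields an inbox-rule export exposes."""
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    enabled: bool = True


@dataclass
class Finding:
    mailbox: str
    rule: str
    external_targets: List[str]
    severity: str


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding(rules: Iterable[InboxRule],
                        internal_domains=INTERNAL_DOMAINS) -> List[Finding]:
    """Return a Finding for every enabled rule that sends mail outside the org."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        targets = [t for t in r.forward_to + r.redirect_to
                   if domain_of(t) not in internal_domains]
        if not targets:
            continue
        # A redirect, or a forward that also deletes the message, keeps the
        # copy out of the owner's view, so it is ranked above a plain forward.
        severity = "high" if (r.delete_message or r.redirect_to) else "medium"
        findings.append(Finding(r.mailbox, r.name, sorted(targets), severity))
    return findings


# Constructed sample export: one benign internal forward, one external forward
# that also deletes, one disabled external rule, and one external redirect.
SAMPLE_RULES = [
    InboxRule("member1@panel.example.org", "Archive copy",
              forward_to=["archive@panel.example.org"]),
    InboxRule("member2@panel.example.org", "Sync",
              forward_to=["m2.backup@mailbox-example.net"], delete_message=True),
    InboxRule("member3@panel.example.org", "Old rule",
              forward_to=["old@mailbox-example.net"], enabled=False),
    InboxRule("member4@panel.example.org", ".",
              redirect_to=["relay@mailbox-example.net"]),
]

if __name__ == "__main__":
    for f in external_forwarding(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox}: rule {f.rule!r} -> {f.external_targets}")
```

Run against a real export, the same function would be fed the rules returned by the tenant's inbox-rule listing; the severity split is a design choice, since a forward-and-delete or a redirect leaves no copy for the mailbox owner to notice, which matches the report's description of messages being quietly sent to accounts created for the purpose.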