Phishing Attack Defense: North Korean Hacker Playbook Reveals Assembly Line

The United States government recently formally charged a North Korean hacker in the infamous 2014 Sony phishing attack. Although the Sony attack is old news, the criminal complaint provides new insight into the hacker’s phishing campaign assembly line, and we can learn from it to better defend against attacks. The complaint makes it clear that the hacker has a “playbook,” consisting of phishing methods and tactics that easily bypass cybersecurity defenses. These were used and reused again and again by the hacker, over several years, to successfully attack many victims, including entertainment companies, financial institutions, defense contractors, and others. The playbook enabled this hacker to extract information and steal money, inflicting significant damage on victims.

In football, a playbook can make or break a team. If you can get hold of your opponent’s playbook, you have a huge advantage. Instead of waiting for your opponent’s next move, scrambling to respond and hoping for the best, you can preemptively execute a defense that stops opponents in their tracks.

So what lessons can we learn about phishing attack defense by studying the playbook outlined in the North Korean hacker criminal complaint?

Email Authentication can’t protect against phishing attacks.

The hacker established multiple accounts with email service providers, such as Gmail and Hotmail, to send spear-phishing emails to victims and to receive data exfiltrated from victims’ systems. Because the email service providers that the hacker used comply with the latest email authentication standards (DMARC), the hacker’s phishing emails easily passed the victims’ email authentication checks. Email authentication isn’t a reliable way to protect against phishing email, because it’s just as easy for bad guys as it is for good guys to establish and use email accounts that pass authentication checks.

Hackers reuse email accounts across campaigns.

The North Korean hacker used and reused the same email accounts to execute campaigns against multiple organizations and industries, including campaigns against Sony, Bangladesh Bank, Lockheed, and others. By proactively tracking hacker activity and the email accounts that hackers use and reuse to execute attacks, security providers have better insight into malicious sender accounts before phishing campaigns launch and can better protect customers from spear-phishing attacks.

Hackers use compromised systems to execute attacks.

The North Korean hacker compromised multiple reputable systems, and then used those systems to execute the attacks. Compromising and using reputable systems to execute attacks helps hackers evade detection by the victim’s security defenses. Security vendors that proactively track hacker activity in the wild can detect the systems compromised by the hacker, which they use and reuse for attacks, and can better protect customers from malicious traffic originating from those compromised systems’ IPs or domains.

Hackers continually craft new malware but reuse code.

Similar to any good developer who takes pride in his or her work, a hacker reuses their code across campaigns. If it’s working, why change? The malware used by the North Korean hacker, although mostly unique to each campaign, reused some code across malware payloads. By proactively tracking hacker activity and analyzing associated malware payloads, security providers can discover patterns. Those patterns can then be used by security providers to analyze customer web downloads and email attachments, detecting and protecting in seconds against the hacker’s newest, previously unseen malware payloads.
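The four lessons above add up to one defensive rule: an authentication pass is where inspection starts, not where it ends. The following Python example, added here and not taken from the original post or from any vendor's product, shows how a mail gateway can read the DMARC verdict from an Authentication-Results header and still block a message when the sender account, the relaying host, or a linked site matches tracked threat-actor infrastructure. The sender, IP, and domain values are constructed placeholders, not indicators from the criminal complaint.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed threat-intel sets (hypothetical placeholders, not indicators from the complaint):
# sender accounts seen reused across campaigns, and compromised hosts/IPs seen relaying or hosting phish.
TRACKED_SENDER_ACCOUNTS = {"it.support.notice.example@gmail.com"}
COMPROMISED_INFRA = {"203.0.113.45", "compromised-site.example"}

# Constructed sample message: note that the receiving gateway recorded dmarc=pass.
SAMPLE_EMAIL = """\
Authentication-Results: mx.victim.example; dmarc=pass header.from=gmail.com
Received: from mail-relay.example ([203.0.113.45]) by mx.victim.example
From: IT Support <it.support.notice.example@gmail.com>
To: employee@victim.example
Subject: Password expiry notice

Your password expires today. Renew at http://compromised-site.example/login
"""

def dmarc_result(msg):
    """Return the dmarc verdict recorded in Authentication-Results, or 'none' if absent."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"dmarc=(\w+)", hdr, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"

def assess(raw_email):
    """Layer threat-actor tracking on top of authentication: a DMARC pass alone never clears a message."""
    msg = message_from_string(raw_email)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in TRACKED_SENDER_ACCOUNTS:
        reasons.append(f"sender {sender} reused in earlier campaigns")
    for hdr in msg.get_all("Received", []):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr):
            if ip in COMPROMISED_INFRA:
                reasons.append(f"relayed via compromised host {ip}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([\w.-]+)", body):
        if host.lower() in COMPROMISED_INFRA:
            reasons.append(f"links to compromised site {host}")
    return {"dmarc": dmarc_result(msg), "verdict": "block" if reasons else "allow", "reasons": reasons}

if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
```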


As shown above, the security industry can take a lesson from football strategy: threat actors too have a playbook. They figure out the plays that work—those that easily bypass cybersecurity defenses—and use those plays over and over again. If the defense can’t stop your star running back, you’ll keep running down the middle, and likewise, if targeted victims keep clicking a hacker’s credential harvesting phish, the hacker is going to keep sending it.

It only takes one click for a phishing campaign to succeed. Effective protection requires security providers to take the offensive: understanding threat actors’ playbooks, proactively discovering their infrastructure, such as compromised websites, malware payloads and email accounts, and tracking their activity before attacks launch. Only then can security defenses be armed to effectively identify and protect users against inbound attacks originating from seemingly reputable websites and senders.

Area 1 Security is the only security provider that continually tracks threat actors and hunts for phishing campaigns and infrastructure in the wild. Our Area 1 Horizon™ anti-phishing service stops the email, web, and network phishing attacks that other security technologies miss. For more information, please visit our website or register for a demo.
