Phishing Attack Defense: North Korean Hacker Playbook Reveals Assembly Line

The United States government recently formally charged a North Korean hacker in the infamous 2014 Sony phishing attack. Although the Sony attack is old news, the criminal complaint provides new insight into the hacker’s phishing campaign assembly line that we can learn from to better defend from attacks. The complaint makes it clear that the hacker has a “playbook,” consisting of phishing methods and tactics that easily bypass cybersecurity defenses. These were used and reused again and again by the hacker, over several years, to successfully attack many victims, including entertainment companies, financial institutions, defense contractors, and others. The playbook enabled this hacker to extract information and steal money, inflicting significant damage to victims.

In football, a playbook can make or break a team. If you can get hold of your opponent’s playbook, you have a huge advantage. Instead of waiting for your opponent’s next move, scrambling to respond and hoping for the best, you can preemptively execute a defense that stops opponents in their tracks.

So what lessons can we learn about phishing attack defense by studying the playbook outlined in the North Korean hacker criminal complaint?

Email Authentication can’t protect against phishing attacks.

The hacker established multiple accounts with email service providers, such as Gmail and Hotmail, to send spear-phishing emails to victims and receive exfiltrated data from victims’ systems. Because the email service providers that the hacker used to send their email comply with the latest email authentication standards (DMARC), the hacker’s phishing emails easily passed the victim’s email authentication security checks. Email authentication isn’t a reliable way to protect against phishing email because it is just as easy for bad guys as it is for good guys to establish and use email accounts that pass authentication checks: a DMARC pass proves that the mail came from the provider’s domain, not that the account holder is trustworthy.

Hackers reuse email accounts across campaigns.

The North Korean hacker used and reused the same email accounts to execute campaigns against multiple organizations and industries, including campaigns against Sony, Bangladesh Bank, Lockheed, and others. By proactively tracking hacker activity and the email accounts that hackers use and reuse to execute attacks, security providers have better insight into malicious sender accounts before phishing campaigns launch and can better protect customers from spear-phishing attacks.
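The two points above, in working form: an added triage example (not code from the original post or from Area 1) that parses an email's Authentication-Results header, shows the message passing DMARC because it was sent from a freemail provider, and then cross-references the sender account against a watchlist of accounts seen in earlier campaigns. The message, the watchlist entries and the freemail list are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a spear-phish from a freemail account that passes SPF, DKIM and DMARC.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.test; dkim=pass header.d=gmail.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com
From: "HR Department" <hr.payroll.update@gmail.com>
To: finance@example.test
Subject: Urgent: update your direct deposit

Please log in at the link below to confirm your account.
"""

# Hypothetical watchlist of sender accounts observed in earlier campaigns (constructed, not real indicators).
WATCHLIST = {"hr.payroll.update@gmail.com"}

# Providers whose DMARC pass says nothing about the individual account holder.
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def parse_auth_results(header):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from an Authentication-Results header value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or ""))


def triage(raw_message):
    """Decide allow/review/block for one RFC 822 message using auth results plus sender reputation."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    reasons = []
    if sender in WATCHLIST:
        reasons.append("sender account reused from a tracked campaign")
    if domain in FREEMAIL and auth.get("dmarc") == "pass":
        reasons.append("DMARC pass only authenticates the freemail provider, not the sender")
    if sender in WATCHLIST:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"sender": sender, "auth": auth, "verdict": verdict, "reasons": reasons}
```
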


Hackers use compromised systems to execute attacks.

The North Korean hacker compromised multiple reputable systems, and then used those systems to execute the attacks. Compromising and using reputable systems to execute attacks helps hackers evade detection by the victim’s security defenses. Security vendors that proactively track hacker activity in the wild can detect the systems compromised by the hacker, which they use and reuse for attacks, and can better protect customers from malicious traffic originating from those compromised systems’ IPs or domains.

Hackers continually craft new malware but reuse code.

Similar to any good developer who takes pride in his or her work, a hacker reuses their code across campaigns. If it’s working, why change? The malware used by the North Korean hacker, although mostly unique for each campaign, reused some code across malware payloads. By proactively tracking hacker activity and analyzing associated malware payloads, security providers can discover patterns. Those patterns can then be used by security providers to analyze customer web downloads and email attachments to detect and protect in seconds against the hacker’s newest, previously unseen malware payloads.


As shown above, the security industry can take a lesson from football strategy: threat actors too have a playbook. They figure out the plays that work—those that easily bypass cybersecurity defenses—and use those plays over and over again. If the defense can’t stop your star running back, you’ll keep running down the middle, and likewise, if targeted victims keep clicking a hacker’s credential harvesting phish, the hacker is going to keep sending it.

It only takes one click for a phishing campaign to succeed. Effective protection requires security providers taking the offensive: understanding threat actors’ playbooks, proactively discovering their infrastructure, such as compromised websites, malware payloads and email accounts, and tracking their activity before attacks launch. Only then can security defenses be armed to effectively identify and protect users against inbound attacks originating from seemingly reputable websites and senders.

Area 1 Security is the only security provider that continually tracks threat actors and hunts for phishing campaigns and infrastructure in the wild. Our Area 1 Horizon™ anti-phishing service stops the email, web, and network phishing attacks that other security technologies miss. For more information, please visit our website or register for a demo.
