Author: Olivia Lee | S2W TALON
#VB024 — https://www.first.org/conference/2024/
Executive Summary
In December 2023, South Korea was rocked by a major cybersecurity incident orchestrated by the hacking group SkidSec. Known for their politically charged attacks, SkidSec launched the ‘North Korean Propaganda Distribution Campaign,’ which leveraged vulnerabilities in the IPP (Internet Printing Protocol) systems of printers across South Korea. Within just 24 hours, the group successfully spread propaganda featuring North Korean leader Kim Jong-un through thousands of compromised printers, signaling a global cybersecurity threat with far-reaching implications.
SkidSec, active since October 2023, meticulously targeted 3,439 printers across South Korea using the Censys platform, which allows the identification of exposed internet-connected devices. By exploiting printers without proper authentication, the group was able to remotely print propaganda materials. This attack serves as a stark reminder that even seemingly innocuous devices, such as printers, can be weaponized in the modern cybersecurity landscape.
In a follow-up to their first campaign, SkidSec released a list of 1,381 vulnerable printers and escalated their messaging, adding the phrase “The Great Leader Kim Il-sung will always be with us” to their printouts. Additionally, they shared a custom attack script called ‘PrinterGun,’ which allowed even unskilled users to execute similar attacks. These developments underscore the rising threat posed by hacktivist groups with political agendas, as well as the global risk of vulnerable IoT (Internet of Things) devices being exploited for ideological purposes.
While the campaign targeted South Korea, its implications are global. Devices such as printers, smart home systems, medical equipment, and other internet-connected infrastructure are ubiquitous across homes and businesses worldwide, and they too are vulnerable. SkidSec’s actions demonstrate that political or ideological issues can transcend borders through technology, turning local issues into global threats.
This presentation will examine the details of the SkidSec campaign, their attack methods, and the broader cybersecurity implications of their actions. The S2W Threat Intelligence Center has been analyzing the group’s motives, exploring whether SkidSec is operating under North Korean directives or is an independent group. This analysis will offer insights into SkidSec’s potential financial and ideological goals, as well as how such campaigns could evolve into more significant threats in the future.
Key Takeaways
1. Attack Vectors and Tools:
- Censys Platform: SkidSec used Censys to identify vulnerable IPP-enabled printers running HP JetDirect software in South Korea.
- Vulnerability Exploitation: The group successfully exploited printers lacking proper authentication, allowing them to remotely control the printing process and distribute propaganda.
- PrinterGun Script: SkidSec shared an attack script that simplified the process, allowing others to replicate the campaign with minimal effort.
2. Campaign Execution and Escalation:
- Initial Campaign: On November 29, 2023, SkidSec launched their first attack, targeting 3,439 printers across South Korea. By November 30, they had successfully compromised 15 printers.
- Second Campaign: In December 2023, SkidSec released a list of 1,381 accessible printers and escalated their messaging, adding new propaganda slogans and incentivizing users to spread the printed materials further.
- Incentives: SkidSec offered financial rewards in Monero for users who managed to have printed materials featured in news reports.
3. Global Implications:
- IoT Vulnerability: This incident highlights the global risks associated with IoT devices, as even widely used items like printers can become tools for ideological warfare.
- Escalating Cyber Threats: SkidSec’s campaigns demonstrate how politically or ideologically driven cyberattacks can escalate and have far-reaching impacts beyond their initial targets.
4. Motives and Future Threats:
- SkidSec’s Agenda: The S2W Threat Intelligence Center is investigating SkidSec’s potential ties to North Korea and whether their actions align with larger geopolitical strategies. The group’s actions reflect a growing trend where cyberattacks are used to further political ideologies, potentially leading to more sophisticated and far-reaching campaigns in the future.
For more details, please refer to the presentation at VirusBulletin 2024.
- Abstract: https://www.virusbulletin.com/conference/vb2024/abstracts/phantom-syndicate-hacking-collective-north-korean-allegiance/
- Presentation: (Attach later when public)
[VirusBulletin 2024] The Phantom Syndicate: a hacking collective with a North Korean allegiance was originally published in S2W BLOG on Medium.