North Korea reuses code in major hacks, researchers find

New research found that everything from DDoS attacks to WannaCry was done with reused code.
Lazarus Group, apt37
Pyongyang, North Korea (Pixabay)

Most of Pyongyang’s highest-profile cyberattacks over the past decade were cobbled together with bits of reused code, overlapping networking infrastructure and the indelible fingerprint of North Korean military hackers, a pair of researchers have found.

North Korea has come a long way since it first emerged on the global stage as a nascent cyber threat. As it grew in power, hit new targets and conducted malicious activities, Pyongyang didn’t need to reinvent the wheel. Instead, it built on previous successes, leveraging code from previous campaigns to build out future malware.

After months of code analysis, Christiaan Beek and Jay Rosenberg, the two researchers, published blog posts outlining their findings, which trace reused code a from a DDoS attack launched by a fledging outfit of North Korean hackers in 2009 all the way to WannaCry, one of the world’s most crippling cyberattacks. That ransomware has been attributed to a North Korea-backed hacking group.

Beek, McAfee’s lead scientist and senior principal engineer, worked with Rosenberg, senior security researcher at Intezer, to pore through hundreds of North Korean malware samples and piece together what they say are shared code similarities and networking infrastructure between “almost every one of the attacks associated with North Korea.”


The revelation isn’t a surprise, Rosenberg and Beek told CyberScoop. As this publication has reported before, North Korea uses old products for a ton of its own internal security. But the extent to which different pieces of malware and sets of hacking tools are connected – and the degree of overlap – is certainly noteworthy. It will be a boon to security researchers, law enforcement and the intelligence community to detect and thwart attacks in the years to come, the researchers said.

Rosenberg and Beek drew connections between a diffuse range of attacks and gleaned “a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor,” they wrote.

“When we’re looking at nation-state cyber crime operations, from my experience, I knew that North Korea already had code overlap,” Beek said. “We’ve seen some examples but never had the tech in place to research it.”

That’s where Intezer’s software came in. Beek reached out to Rosenberg, who specializes in reverse engineering and malware analysis that uses biology as an inspiration.

Beek likened his side of the task to DNA analysis, saying: “We analyze software like you would DNA. We actually disassemble…and extract code fragments, so this is kind of like a signature, a genetic makeup of a software.”


When researchers conduct a post-hoc analysis of pieces of sophisticated nation-state malware, there are details and minutiae “that the human eye would miss,” Beek said, and it takes a considerable amount of effort to pore through the ins and outs of the sophisticated software. Intezer’s software helped with the heavy lifting that allowed the two to complete the research, Beek said.

Together, the two were able to sift through hundreds of samples, disassembling malware and compiling code fragments that resembled a signature.

The two found overlaps between some of North Korea’s most infamous malware families, such as Lazarus and Hidden Cobra, as well as some of its most devastating hacking tools.

Going forward, “now you can use [this finding] for classifying, attributing, linking campaigns and actors,” Beek said. “As a hunter, you can use this to write proactive detection mechanisms rules.” Plus, it may force North Korean hackers to ditch pieces of code they’ve used for years.

For the most part, Beek and Rosenberg did not have access to classified malware samples, which could have aided their investigation. The two also discovered a number of false flags, in which other state-backed hackers used pieces of North Korean code to conceal their identity.


The pair’s research, released Thursday, couldn’t come at a better time. DHS warned Thursday of a new active malware variant, dubbed KEYMARBLE, that has the trappings of North Korean government hacking activity.

Latest Podcasts