
DSEI - Combating Threats of the New Era

Measures against Cyber

Who Targets Japan & Why?

Ideas to Combat!

Cartan McLaughlin

CEO Nihon Cyber Defence Co., Ltd.

© Nihon Cyber Defence Co., Ltd, 2019. All rights reserved. Warning! Hacking without permission is a criminal offence.

COMMON NATION STATE THREAT ACTORS

Russia - BEAR
• (APT 28)
• (APT 29)
• Voodoo Bear
• Energetic Bear

China - PANDA
• Emissary Panda (APT 27)
• Stone Panda (APT 10)
• Comment Crew (APT 1)
• Ke3Chang
• Deep Panda

North Korea - CHOLLIMA
• Lazarus
• Bluenoroff
• Andariel

MISSION - NATION STATE THREAT ACTORS

Russia – BEAR China – PANDA North Korea – CHOLLIMA

• Political • Military • Financial • Military • Intellectual Property • Intellectual Property • Financial • Financial

UN Report: North Korean virtual currency have earned up to $2 billion so far

RGB: NORTH KOREAN CYBER ESPIONAGE AGENCY/GROUP

• The Reconnaissance General Bureau of North Korea
• Prime Agency for North Korea cyber activities

:
• North Korean agency
• Suspected/Alleged for Sony Hack 2014
• Suspected 1,800 specialists or more

UNIT 180:
• North Korean cyberwarfare cell
• Suspected/Alleged for : - • in 2016 • the WannaCry attack 2017

:
• Suspected for Bitpoint (2019) and Coincheck (2018) hack
• Suspected groups under the hood:
• Financially motivated

TIMELINE OVERLAP • Lazarus Attacks • N.Korea Missile Launch Tests


COMMON MITRE TTPs Targeting Japan

MITRE ATT&CK™

RUSSIA
• Cozy Bear – [ APT29 ]
• Fancy Bear

CHINA
• APT10 – [ MenuPass ]
• Emissary Panda – [ APT27, Lucky Mouse ]
• Stone Panda
• Ke3Chang – [ APT15, Mirage, Vixen Panda, GREF ]
• Deep Panda – [ APT19, Shell Crew, WebMasters ]
• Comment Crew – [ APT1 ]
• Axiom – [ Group 72, Winnti ]

NORTH KOREA
• Lazarus – [ APT 38, Unit 180, Bureau 121 ]
• Bluenoroff

Cyber Security Incidents JAPAN

CASE STUDY

• When
  • July 4th, 2019 (Thursday)
• What
  • Newly released mobile payment system compromised
  • Exploited ability to request password reset with only the following information (and the ability to send new password to any email address)
    • Date of birth
    • Account email
    • Account phone number
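The reset weakness in this case study, shown beside a hardened flow. This is an added example, not code from the presentation or from the affected payment system; the account store, function names, token lifetime and in-memory outbox are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data; all names here are hypothetical.
ACCOUNTS = {"user@example.jp": {"dob": "1990-01-01", "phone": "09000000000"}}
RESET_TOKENS = {}      # sha256(token) -> (account email, expiry timestamp)
TOKEN_TTL = 15 * 60    # seconds
OUTBOX = []            # stand-in for the mail transport: (recipient, body)
GENERIC_REPLY = "If the account exists, a reset link has been sent."


def weak_reset(email, dob, phone, send_to):
    """Flow as described in the case study: three guessable facts are the
    only check, and the caller chooses where the new password is sent."""
    acct = ACCOUNTS.get(email)
    if acct and acct["dob"] == dob and acct["phone"] == phone:
        OUTBOX.append((send_to, "new password: " + secrets.token_urlsafe(8)))
        return True
    return False


def request_reset(email, now=None):
    """Hardened: no caller-supplied destination. A one-time token goes only
    to the address already on file, and the reply never reveals existence."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (email, now + TOKEN_TTL)  # store only the hash
        OUTBOX.append((email, "reset token: " + token))
    return GENERIC_REPLY


def redeem_reset(token, now=None):
    """Return the account email for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

Date of birth and phone number are identifiers rather than secrets, so the hardened flow drops them as proof of ownership and relies on control of the registered mailbox.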

CASE STUDY

• When
  • Between April 23rd – May 10th, 2019
• What
  • 461,000 leaked customer account information including…
    • Names
    • Addresses
    • Phone Numbers
    • Credit Card Data

CASE STUDY

Coincheck Hack: One of the Largest Heists Ever

• What $560 million stolen in Virtual Cybercurrency

• Where Japan

• When January 26th, 2018

• Who Lazarus (Suspected)

• Why Financial Gains & Disruption

• How Attack

CASE STUDY

Case: BITPoint Hack

• What $32 million stolen in Virtual Cybercurrency

• Where Japan

• When July 12th, 2019

• Who Lazarus (Suspected) / HYDSVN (MOKES)

• Why Financial Gains & Disruption

• How Under Investigation

What can Japan do? Follow UK National Model!

• Creation of National Cyber Security Centre
• Collaboration of Government Agencies
• Proactive Collaborative Defence and Information Sharing Portals
• Creation of Cyber Awareness for the Individuals and Companies – Cyber Essentials
• Accreditation and Academia to build National Capability

UK Cyber R&R

GCHQ / NCSC
• Guidance
• Threat assessment
• Incident response
• Information sharing
• Support for regulators
• Support for national skills programmes
• Accreditation
• Education and research
• Direct role in defence of non-military government networks and some parts of Critical National Infrastructure and Defence
• CERT-UK and GovCERT

LAW ENFORCEMENT
• National Crime Agency (National Cyber Crime Unit)
• Metropolitan Police Cyber Crime Unit
• Regional Organised Crime Units
• City of London Police
• Police forces in Scotland, Wales and Northern Ireland

POLICY DEPARTMENTS WITH CYBER RESPONSIBILITY
• Prime Minister (National Security Council) – National Security Strategy implementation
• Cabinet Office – Minister with responsibility for broad cyber security issues; Cyber and Government Security Directorate/Office of Cyber Security and Information Assurance – Cross-government policy coordination, implementation of National Cyber Security Strategy, management of NCSP funds
• Department for Digital, Culture, Media and Sport – cyber skills and digital strategy
• Ministry of Defence – cyber deterrence doctrine, cyber reserves
• Department for International Trade – cyber exports
• Department for Education – national curriculum
• Department for Business, Energy and Industrial Strategy – industrial strategy
• Foreign and Commonwealth Office – international cyber policy
• Home Office – domestic safety and security

MOD
• Offensive Cyber – National Offensive Cyber Programme. Run jointly by GCHQ and MOD.
• Defence of Military Networks

Why was the NCSC formed?

• System not working
• Unclear who was in charge
• Resources wasted
• Cyber security a growing problem
• But also an opportunity
• Enormous benefits from digitalisation
• Realisation that Incident Response (IR) at a national level was dysfunctional

NCSC works with other parts of government

• Law Enforcement
• Intelligence services
• Lead Government Departments (LGDs)
• Cabinet Office
• Regulators
• Care-CERT
• MoD – CERT

The NCSC’s Operations Directorate

Where do the tips come from?

• Intelligence Services
• Partner countries (Both IS and CERTS)
• Cyber Incident Response (CIR) Companies
• MoD and Care CERT
• Victims through the online reporting format

Cyber Essentials & 10 Steps

Accreditation

• NCSC marketplace & suppliers to government
• CREST accreditation
• ACEs & accredited courses
• Cyber awards
• Academia

Academia - QUB Belfast CSIT

Centre Secure Information Technologies

Our vision is to be a global innovation hub for cyber security, this means that CSIT will accelerate new value creation, drive new venture creation and build capacity for the cyber security industry.

Main Research Areas

Network Security:
• Advanced detection algorithms
• Next generation real-time defensive technologies
• Deep packet inspection technologies

Data security:
• Novel biometric authentication mechanisms
• High performance cryptography
• Physical Unclonable Functions (PUF) for smart cards and chipsets

Insider Threat:
• Detection tools for corporate and government systems including anomaly detection

Conclusion

• A vital part of the UK’s work on increasing its cyber security has been to establish strong government and industry links and Collaboration & Trust

• Particularly indispensable: sharing information, senior understanding of importance, connecting government expertise to business’ behaviour

QUESTIONS???

THANK YOU

The Insider Threat

TLP AMBER - CONFIDENTIAL

Types of Malicious Insider – CPNI Research

• Deliberate - 6%
• Self initiated – 76%
• Exploited/Recruited - 15%

Motivations for insider activity

Snowden - The key points

• NSA WAS CONSIDERED TO BE THE “SECURITY GOLD STANDARD” AND FAILED
• PERFECT STORM OF OVER-CONFIDENCE, LACK OF UNDERSTANDING OF VULNERABILITIES, AND UNWILLINGNESS TO QUESTION INAPPROPRIATE ACTIVITIES
• LEADERSHIP DID NOT TAKE THE INSIDER THREAT SERIOUSLY
• TOO MUCH CONFIDENCE IN SECURITY CLEARANCE (POLYGRAPH)
• FOCUSED ON WHAT MOST CONSIDER TO BE “CYBERSECURITY,” I.E., PERIMETER SECURITY, OR SECURING THE FACILITY AGAINST THREATS FROM OUTSIDERS
• FAILED TO IMPLEMENT A HOLISTIC PROGRAM