Researchers: North Korean Hackers Gain Speed, Flexibility
Regime Keeps Refining Cyber Operations Focused on Espionage and Financial Crime
North Korea's state-sponsored hackers continue to refine their arsenal of tactics, techniques and procedures as they conduct operations at the ruling totalitarian regime's behest.
So says Google's Mandiant threat intelligence group, in a new report that analyzes how the Pyongyang-based regime that rules the small country uses "cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities."
The report is a reminder that what's officially called the Democratic People's Republic of Korea, with a population of just 25 million people, punches above its weight on the cyber operations and cybercrime fronts. Over the past five years, the DPRK has stolen more than $3 billion, U.S. officials say.
Led by Supreme Leader Kim Jong-Un, the DPRK maintains a number of state-sponsored hacking teams located at home and abroad which gather intelligence on allies, enemies and defectors, as well as hack banks and steal cryptocurrency. The United Nations says stolen funds are used to fund the country's long-range missile and nuclear weapons programs, as well as enrich the country's rulers.
U.S. intelligence regularly ranks North Korea as being one of its top four nation-state adversaries online, with China and Russia in the lead, followed by Iran and North Korea (see: US Intelligence Ranks China as Top National Security Threat).
How the DPRK organizes its cyber operations assets appears to have shifted in response to the novel coronavirus pandemic, becoming more fluid, likely due in part to individuals operating from China and South Korea being cut off during quarantines, Mandiant said. Since then, DPRK operations often appear to involve individuals and tools being brought together for temporary task forces, in an approach that emulates more sophisticated operations run by the likes of China.
In one example of such an operation, researchers traced an attack that began with the X_Trader trading software package made by Trading Technologies, through which DPRK hackers hit multiple additional targets, including planting information stealers in software created by desktop phone developer 3CX, which counts among its multinational corporate customers Toyota, Coca-Cola and Air France (see: North Korean Hackers Chained Supply Chain Hacks to Reach 3CX).
Active Hacking Teams
Mandiant tracks multiple groups or operations tied to North Korea's cyber operations. Some appear to be primarily financially motivated, while others appear to focus on cyberespionage and cyber operations. Where the motivation remains unclear, Mandiant codenames them UNC, for uncategorized.
Here's information shared by Mandiant on some of the top clusters of activity it's been tracking, which appear to correspond to distinct although oftentimes overlapping groups:
- Andariel: Also known as UNC614, this group appears to be run by the DPRK's Reconnaissance General Bureau and to primarily target military and government personnel, including stealing information needed to further the regime's missile and nuclear weapons programs. The group uses a number of custom-built tools and has a cybercrime sideline that includes using its own ransomware - dubbed Maui - to extort victims, including hospitals.
- TEMP.Hermit: Most attacks attributed to "Lazarus Group" trace to a "cluster of activities" that security researchers refer to as TEMP.Hermit, which since 2013 has been running cyberespionage operations that target governments, as well as the defense, telecommunications and financial services sectors, Mandiant's report says.
- AppleJeus: Also known as UNC1720, this financially focused group appears to share tools with TEMP.Hermit, but largely focuses on cryptocurrency theft to help the regime fund its activities. Researchers have previously reported that elements of this group appear to have been behind the X_Trader supply chain attack discovered earlier this year, together with a group codenamed UNC4736 by Mandiant.
- APT37: Run by the DPRK's Ministry of State Security, or MSS, this group appears to be focused on gathering intelligence pertaining to governments that interact with the DPRK, as well as the activities of defectors abroad. The group has been extremely active this year.
- APT38: Although no recent attacks have been attributed to this group, historically it has focused on financial theft, including stealing millions of dollars by targeting the Interbank Fund Transfer Systems.
- APT43: Run by the RGB, this group is "a prolific cyber operator that directly supports intelligence-gathering interests of the North Korean regime," focused especially on South Korea and U.S. government organizations, think tanks and academics (see: North Korean Hackers Target South Korean Naval Shipyards).
- CryptoCore: Active since at least 2018 and also known as UNC1069, this group focuses on cryptocurrency theft, and may be the successor to what was previously tracked as APT38. It often targets cryptocurrency exchanges and financial services firms.
- TraderTraitor: Also known as UNC4899, this group "targets blockchain companies through spear-phishing messages," and may be a successor to APT38.
- IT workers: Highly skilled IT workers placed abroad by the regime - or who pretend to live abroad - bring in income for the regime. "Although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea," Mandiant said. This program primarily appears to be run by the Korean Workers' Party's Munitions Industry Department, according to the U.S. Department of the Treasury (see: North Korean IT Workers Using US Salaries to Fund Nukes).
Not all of the above groups or operations are necessarily standalone. Mandiant said many appear to overlap, with subsets perhaps being involved in "temporary tasking," meaning they gather needed intelligence before being assigned new targets or types of operations. These overlaps complicate efforts to track North Korea's cyber operations.
"Operators within these units quickly change their current focus and begin working on separate, unrelated efforts such as ransomware, collecting information on conventional weapons, nuclear entity targeting, blockchain and fintech targeting efforts, among various others," Mandiant said. "This flexible approach to tasking makes it difficult for defenders to track, attribute and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability."