Cyberthreat Groups from North Korea becoming top-level adversaries
16.05.2021


By bit.team

Subjected to economic sanctions and isolated from the rest of the world, with the exception of China, North Korea is increasingly relying on cybercrime to sustain its economy, and its cyberwarfare groups are steadily expanding their capabilities.

How do you solve a problem like North Korea's cyber threat?

In recent years, North Korea has turned from a minor nuisance to a scourge of banks and cryptocurrency exchanges.

Threat analysis experts interviewed by The Daily Swig said the attackers’ tactics and tricks have evolved to elevate the country to a top-level cyber adversary.

This threat goes beyond the notorious Lazarus Group, a group of cybercriminals accused of a devastating attack on Sony Pictures in 2014, and the audacious cyber-robbery of $81 million worth of Bangladesh Central Bank reserves in 2016, as well as other attacks.

How sophisticated are North Korean cyber threat groups?

Along with state-sponsored Russian, Chinese, and Iranian threat actors, North Korea’s Advanced Persistent Threat (APT) groups are considered among the most sophisticated in the world.

Russian (in particular, APT28, APT29, and Turla) and North Korean (Lazarus) attackers are considered the most advanced groups of all, owing to their use of customizable toolsets, their adoption of the latest attack techniques, and their speed of execution.

Paul Prudhomme, head of threat intelligence at IntSights, told The Daily Swig that North Korean attackers are making more of an effort to stay out of sight.

What organizations are the North Korean attackers targeting?

North Korea’s cyber operations are most focused on South Korea and the United States, and usually target government agencies, diplomatic organizations, the military, financial institutions, industrial conglomerates, and more recently, pharmaceutical and healthcare research.

Meanwhile, according to Mandiant, North Korea’s financially motivated cybercrime is more global in scope, and includes direct targeting of banks, cryptocurrency-focused campaigns, and even web skimming operations.

Yana Blachman, a former Israeli intelligence official turned threat intelligence specialist at Venafi, told The Daily Swig that North Korean APT groups collectively target a wide range of sectors.

“Each APT group is designed to target one specific sector,” Blachman explained. “For example, Lazarus primarily targets governments and financial institutions in South Korea and the United States, while Bureau 325 is known to target large biotech companies, research institutes, and government agencies.

“Along with these groups, others, such as APT38, focus primarily on banks, financial institutions, and cryptocurrency exchanges,” Blachman added.

The Lazarus Group recently ran a highly sophisticated targeted phishing campaign in which the attackers spent almost a year preparing, creating security blogs and Twitter accounts and engaging with security researchers in an attempt to gain their trust.

North Korean groups also tend to shift their targets abruptly, which makes their next moves very difficult to predict.