Assessed Cyber Structure and Alignments of North Korea in 2023

Security Officer Comments:
Suggested Correction(s):
Link(s):




Cyber Security Threat Summary:
North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.

Supreme Leader Kim Jong-Un leads the Democratic People's Republic of Korea (DPRK), which operates multiple state-sponsored hacking teams domestically and internationally. These teams gather intelligence on allies, enemies, and defectors, in addition to hacking banks and stealing cryptocurrency. The stolen funds play a crucial role in funding the country's long-range missile and nuclear weapons programs while also enriching its rulers, according to the United Nations. Over the past five years, U.S. officials estimate that the DPRK has pilfered more than $3 billion. This underscores the DPRK's significant influence in the realm of cyber operations and cybercrime, despite its relatively small population.

The United States consistently identifies North Korea as one of its top four online nation-state adversaries, with China and Russia as the primary ones, followed by Iran and North Korea. Mandiant, a cybersecurity firm, reports that North Korea's organization of its cyber operations has adapted in response to the COVID-19 pandemic. This shift has made its operations more flexible, likely because individuals operating from China and South Korea were isolated during quarantine measures. As a result, DPRK operations now involve individuals and tools being assembled into temporary task forces, mirroring the approach of more sophisticated operations seen in China. North Korean hackers continue to employ innovative methods, including the use of Linux and macOS malware, along with supply chain attacks. In one notable incident, researchers traced an attack on the X_Trader trading software package created by Trading Technologies. This attack extended to multiple other targets, including the insertion of information stealers into software developed by 3CX, a desktop phone developer with multinational corporate clients.

Security Officer Comments:
Researchers at Mandiant track various North Korean cyber operations, some financially motivated, others focusing on cyberespionage. When motivation is unclear, they're codenamed UNC (uncategorized).

  • Andariel (UNC614): Linked to the DPRK's Reconnaissance General Bureau, it targets military and government personnel for missile and nuclear weapons information. It uses custom tools and their own ransomware, Maui, for extortion, even targeting hospitals.
  • TEMP.Hermit: Often attributed to "Lazarus Group," this cluster has been running cyberespionage operations since 2013, targeting governments, defense, telecom, and finance sectors.
  • AppleJeus (UNC1720): A financially focused group that shares tools with TEMP.Hermit, specializing in cryptocurrency theft to fund regime activities. Associated with the X_Trader supply chain attack.
  • APT37: Run by DPRK's Ministry of State Security, it focuses on gathering intelligence related to governments interacting with the DPRK and defector activities.
  • APT38: Historically focused on financial theft, especially targeting the Interbank Fund Transfer Systems.
  • APT43: Run by the Reconnaissance General Bureau, it supports intelligence gathering, focusing on South Korea and U.S. government organizations, think tanks, and academics.
  • CryptoCore (UNC1069): Active since 2018, this group specializes in cryptocurrency theft, potentially succeeding APT38. Targets include cryptocurrency exchanges and financial services firms.
  • TraderTraitor (UNC4899): Targets blockchain companies through spear-phishing messages, possibly a successor to APT38.
  • IT Workers: Regime-employed IT experts abroad generate income but can also enable malicious cyber intrusions, primarily run by the Korean Workers' Party's Munitions Industry Department.
    • These groups often overlap, making tracking North Korea's cyber operations complex. They may engage in temporary tasking, gathering intelligence before moving on to new targets or types of operations.

      Suggested Correction(s):
      • Organizations can make APT groups’ lives more difficult. Here’s how:
      • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
      • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
      • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
      • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.