Monday, May 6, 2024

North Korean Hackers Continue to Refine Their Arsenal of Tactics & Techniques

The Democratic People’s Republic of Korea continues to advance its offensive cyber program, showcasing its unwavering commitment to using cyber attacks for espionage purposes.

According to assessments made by Mandiant, the DPRK’s cyber program has exhibited new activities focusing on cryptocurrency. Furthermore, it appears that the efforts of DPRK-aligned cyber operators have blended together to achieve these goals.


Mandiant’s investigation uncovered evidence of multiple campaigns that suggest the emergence of newly formed groups or task forces. These groups appear to be staffed by individuals of uncertain prior affiliation and equipped with tooling sourced from different established groups.

The execution of these campaigns overlapped in time with activity attributed to APT43 and TEMP.Hermit, and an unverified connection to Andariel suggests the formation of a new collaborative alliance.

Based on this analysis, the observed behavior indicates that these threat actors have become more adaptable.

These actors have shown that they can efficiently reallocate resources to form task-force-oriented collectives, a practice also seen in well-established threat groups such as Chinese Advanced Persistent Threats (APTs).

In late March 2023, a GitHub repository associated with APT37 was publicly disclosed; it is suspected to contain various samples, files, and tools.

In 2021, a member of APT37 used the repository to stage infrastructure.

  • The repository’s decoy documents and data target education, government, and financial organizations. The HWP files and their themes suggest that many victims and targets are in South Korea.
  • Several materials concentrate on resumes, CVs, and references, which can be used to apply for jobs or to target journalists. Mandiant has observed other actors, such as APT43, use the same approach.
  • Open-source reporting in February 2023 attributed to APT37 the delivery of malware inside a password-protected compressed file. APT43’s LOGCABIN payload has also been described in open-source reporting.

Current cybercriminal groups:

Andariel (UNC614): Andariel’s mission is to gather intelligence that can be used to “build” nuclear weapons or to advance research and development in other strategic industries, such as pharmaceuticals.

TEMP.Hermit: The primary focus of TEMP.Hermit remains espionage rather than cryptocurrency. Government, defense, and telecom are its primary targets.

AppleJeus (UNC1720): This group’s tools overlap with those of TEMP.Hermit, but it does not share the same targeting profile, potentially indicating shared resources.

APT37: This group is the closest to the MSS, and its overall cyber activities emphasize the tracking of defectors overseas and of foreign elements interacting with the DPRK.

APT38: This organization has been accused of sophisticated interbank fund transfer system hacks that stole millions of dollars in numerous countries. Its current activity is carried out by subgroups.

APT43: This organization acts as an intelligence arm and seeming embassy replacement for the RGB and DPRK leadership writ large.

CryptoCore (UNC1069): This group uses spear-phishing to attack financial services and cryptocurrency exchanges with LONEJOGGER malware.

TraderTraitor (UNC4899): To gain access to start-ups and high-tech enterprises, the group sends its messages to personnel, notably system administrators and software developers, over numerous communication channels.

Cyber groups in the DPRK ecosystem share malware and tools. Malware families appear to be handed to newer units so that they can derive their own group-tailored families from them.

Activities:

  • Andariel is known to fund its cyber espionage activities through ransomware campaigns. These campaigns are part of a larger financial ecosystem that also includes bitcoin targeting and freelancing. Using ransomware to finance operations shows how isolated some groups are from the regime, forcing them to rely on self-funding.
  • Certain DPRK-aligned cyber operators tracked by Mandiant excel in several areas at once. They have shown the ability to perform complex tasks at a high level of execution, then switch to other tasks and maintain that level of performance.
  • According to Microsoft, North Korea spied on vaccine makers in numerous nations. This matched Mandiant’s targeting assessment and the CUTELOOP and PENDOWN activity Mandiant found targeting the pharmaceutical sector.
  • Domain registrants for APT43 and COVID-19 cyber attacks overlap. This is further proof that these groups share resources and are bureaucratically close.

As more data is gathered, there is a good chance that greater fidelity will be achieved. This could also help scope the groups more precisely and identify any individuals or organizations that specialize in targeting particular businesses or sectors.
