Financial Crime World

North Korean Cyber Operations: A Complex Web of Targets and Tactics

A recent report from Mandiant has shed new light on the complex web of targets and tactics employed by North Korea’s cyber operations, revealing a consistent pattern of targeting and resource sharing among various groups.

Consistent Targeting and Organization

The report highlights how consistent targeting has remained over time between North Korea’s current cyber units and their historic predecessors. That continuity mirrors the continuity in each unit’s mission mandate: many of the same countries and industries are targeted repeatedly, so a unit’s historical target set remains a useful indicator of its present priorities.

Key Findings

  • The existence of a group called “Room 35,” which is believed to be responsible for developing malware and intrusion tools used to collect information on targets and to build intelligence reports for senior North Korean officials.
  • Room 35 shares resources with other groups, including APT43, which has been observed targeting pharmaceutical companies and stealing confidential data through social engineering and malware developed within the same organization.

New Groups and Tactics

The report also reveals the existence of a new group called “Bureau 325,” which was formalized in January 2021 and appears to be focused on targeting COVID-19-related information. The group has been observed using new malware and social engineering tactics to target pharmaceutical companies and healthcare organizations.

Resource Sharing

The report highlights the sharing of tooling and malware among groups within the DPRK ecosystem, including APT43, TEMP.Hermit, and suspected linked groups. This sharing is believed to make precise attribution more difficult: when several groups use the same tools and similar tactics, a malware family or tool observed in an intrusion is a weak discriminator on its own, and attribution to a specific group has to rest on additional evidence such as infrastructure, targeting, and timing.

Recommendations

To better understand North Korea’s cyber operations and protect against their threats, we recommend the following:

  • Continued monitoring and analysis of North Korea’s cyber operations is necessary to better understand their goals and methods, particularly as units are reorganized and new ones such as Bureau 325 are formed.
  • Organizations in the targeted sectors, notably pharmaceutical and healthcare companies, should remain vigilant and take steps to protect themselves against social engineering and malware attacks.
  • Governments and private sector organizations should collaborate to share information and coordinate efforts to counter North Korean cyber threats.