North Korea's State-Sponsored APTs Organize & Align
An unprecedented collaboration by various APTs within the DPRK makes them harder to track, setting the stage for aggressive, complex cyberattacks that demand strategic response efforts, Mandiant warns.
North Korean advanced persistent threat (APT) groups have become aligned in an unprecedented way since the start of the COVID-19 pandemic, evolving in adaptability and complexity and allowing individual threat groups to diversify and expand their activities — all while making it more difficult for investigators to keep up.
Historically, threat researchers have tracked North Korea's threat activities as being carried out by individual groups — Lazarus Group and Kimsuky among them. However, the lines are beginning to blur between individual APTs, which increasingly coordinate their efforts and share both tools and information. As a result, it's becoming harder to distinguish who's responsible for which threat activity, researchers from Mandiant revealed in a report published Oct. 10.
While threat researchers scramble to unravel the various threads and assign activity to its perpetrator, North Korean actors are moving nimbly to diversify their attacks, sharing tooling and code as they continue to adapt and build tailored malware for different platforms — Linux and macOS among them, the researchers have found.
The supply chain also may be at increased risk from North Korean APTs, as the groups evolve toward aggressive and broader campaigns that encompass multiple intrusions into multiple networks by multiple APTs, using various supply chain vectors, the researchers noted.
This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability, the researchers noted.
That said, individual groups continue to work on separate, unrelated efforts such as ransomware, collecting information on conventional weapons, nuclear entity targeting, and blockchain- and fintech-targeting efforts, among various others, Mandiant analysts wrote in the report. This includes efforts to steal cryptocurrency to fund the regime of North Korea's Supreme Leader Kim Jong Un, whom each of them ultimately serves. While this effort is a broad goal across APTs, several sub-groups have emerged in recent years that are aimed exclusively at this activity.
COVID-19 marked a significant change in how North Korean threat groups operate, with an unprecedented level of coordination and information-sharing directly driven by the closure of borders during that time. This left typically secretive and taciturn operators located outside the country in the lurch, and forced them to communicate with other groups, spurring collaboration that continues to this day, Michael Barnhart, principal analyst at Mandiant, says.
While it remains uncertain whether this collaboration was intentional or driven by necessity, there is no sign of a decrease in such activities, Barnhart says. In fact, there is evidence of an increasing trend toward such collaborations.
Mandiant researchers compiled a comprehensive structure of the current North Korean APT landscape to help defenders understand what they're currently up against. In general, all threat groups lead back to Kim Jong Un, and all activity is either to provide funding or intelligence for the regime — or both.
Branching directly from the supreme leader are the General Staff Department of the Korean People's Army — which oversees the Reconnaissance General Bureau (RGB) — and the Ministry of State Security, to which APT37, better known as ScarCruft or Reaper, directly reports.
Several threat groups also are aligned with North Korea's RGB, including Kimsuky, which Mandiant tracks as APT43; APT38 (better known as Lazarus, one of North Korea's most prolific threat groups); Temp.HERMIT, also tracked as part of Lazarus activities and dedicated to cyber espionage; and Andariel, often linked to ransomware activities using bespoke ransomware dubbed Maui.
To complicate matters further, each of these groups has sub-groups operating under it to carry out particular tasks. For example, a group tracked as Apple.Jeus operates under the umbrella of Temp.HERMIT and is tasked exclusively with targeting the cryptocurrency industry with the goal of stealing digital assets to fund the regime's priorities, the researchers wrote.
Muddying the waters further are several groups operating under the direction of the Central Committee of the Workers' Party of Korea — the United Front Department and IT Workers — each of which works domestically and abroad to conduct cyber operations on behalf of the regime.
Due to the evolving nature of these diverse and varied groups operating on behalf of North Korea, the ultimate takeaway of Mandiant's findings is that defenders would be better served by focusing on the specific nature of a particular activity rather than getting too deep in the weeds of trying to figure out which North Korea-backed group is perpetrating it, Barnhart says.
These specific threat actors are extremely adaptable and agile, often leading defenders to spend significant time attempting to attribute actions to specific individuals behind the keyboard, he says.
Because this process is far from straightforward, a more productive approach would be to prioritize the mission after [attributing the attacks] to North Korea, rather than becoming overly preoccupied with specific units, until it becomes necessary to address those specific concerns, Barnhart says.
Future threat intelligence-gathering efforts will rely on defenders engaging in the same collaborative spirit demonstrated by the North Korean APTs themselves to mount a more effective, collective response to counter this persistent threat actor, he says.
Our recommendation is for both governments and the private sector to continue their collaborative efforts, presenting a unified front, Barnhart says. This approach serves to maximize imposed cost on the threat actor.