A recent assessment by cybersecurity experts at Mandiant reveals intriguing developments in North Korea's cyber landscape. The comprehensive analysis highlights key shifts, shared tooling, and evolving alignments among North Korean threat actors.
In this report, Mandiant provides insights into the changing dynamics of North Korea's cyber operations, as follows:
Continued Evolution of North Korea's Cyber Offensive Program
Mandiant's assessment indicates North Korea's commitment to using cyber intrusions for espionage, financial crimes, and power projection. The regime shows a growing determination to finance both its cyber and kinetic capabilities through cybercrime.
Increased Adaptability and Complexity
Recent operations suggest an increase in adaptability and complexity, including a cascading software supply chain attack – a first for North Korea. Notably, there is a consistent focus on blockchain and fintech targets.
Adaptation and Diversification of Threat Activity
North Korean threat groups continue to adapt, creating tailored malware for different platforms, including Linux and macOS.
Blending of Cyber Postures
Mandiant's continuous monitoring has revealed a significant multiyear shift and blending of North Korea's cyber posture, leading to overlaps in targeting and shared tooling.
Historical Examples and Clustering for Attribution
The report emphasises the significance of historical examples and uncategorised clustering as a means to maintain visibility on separate threat groups.
The report illustrates the significant transformation of North Korea's cyber landscape since 2009 and notes the overlapping indicators among various organisations. This overlap highlights growing adaptability and collaboration between these threat actors, particularly following the 2020 COVID-19 pandemic.
The report provides insights into various North Korean threat groups and their primary areas of focus, including intelligence gathering, financial crimes, and targeting cryptocurrency industries. Mandiant observes shared tooling and an increasing level of flexibility in their approach, making it challenging for defenders to track and attribute their malicious activities.
Furthermore, the report identifies overlaps and shared resources among different threat groups, complicating attribution efforts. The analysis highlights the DPRK's growing interest in cryptocurrency-related activities, including ransomware, crypto-jacking, and theft, as a means to finance its operations.
Mandiant's experts also point out the increasing sophistication of supply chain attacks conducted by North Korean actors, such as UNC4736 and UNC4899, demonstrating a shift towards more aggressive and broader intrusions.
The report concludes by emphasising that while attribution may become more challenging due to these developments, shared infrastructure and tooling offer opportunities for detection and country-level attribution.
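As an added illustration of the two points above (uncategorised clustering to keep separate groups visible, and shared tooling as a detection and country-level attribution opportunity), the following Python script computes pairwise indicator overlap between clusters and indexes indicators used by more than one cluster. This is example code written for this summary, not Mandiant's tooling; the cluster names UNC-A/B/C, the indicator strings and the 0.3 threshold are constructed placeholders.

```python
"""Overlap analysis over indicator sets of separate threat clusters.

Added example (not from Mandiant's report): given per-cluster sets of
tooling and infrastructure indicators, compute pairwise overlap so that
shared tooling can be surfaced for detection and for grouping clusters at
country level. All cluster names and indicators below are constructed
placeholders, not real IoCs.
"""
from itertools import combinations

# Constructed sample data: three uncategorised clusters and their indicators.
CLUSTERS = {
    "UNC-A": {"tool:loader-x", "tool:dropper-y", "c2:a.example.invalid", "cert:thumb-aaaa"},
    "UNC-B": {"tool:loader-x", "tool:dropper-y", "c2:b.example.invalid", "cert:thumb-bbbb"},
    "UNC-C": {"tool:miner-z", "c2:c.example.invalid", "cert:thumb-cccc"},
}


def jaccard(a, b):
    """Jaccard similarity of two indicator sets (0.0 when both are empty)."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def pairwise_overlap(clusters):
    """Return {(x, y): (score, shared)} for every unordered pair of clusters."""
    result = {}
    for x, y in combinations(sorted(clusters), 2):
        shared = clusters[x] & clusters[y]
        result[(x, y)] = (jaccard(clusters[x], clusters[y]), sorted(shared))
    return result


def flag_shared_tooling(clusters, threshold=0.3):
    """Pairs whose overlap meets the threshold, most similar first.

    The threshold is an analyst-chosen assumption; tune it against real data.
    Pairs above it are candidates for review, not an automatic merge.
    """
    scored = pairwise_overlap(clusters)
    flagged = [(pair, score, shared)
               for pair, (score, shared) in scored.items() if score >= threshold]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


def shared_indicator_index(clusters):
    """Map each indicator used by more than one cluster to those clusters.

    These are the detection opportunities: one signature or block rule on a
    shared tool or certificate covers activity from several groups at once.
    """
    index = {}
    for name, indicators in clusters.items():
        for ind in indicators:
            index.setdefault(ind, []).append(name)
    return {ind: sorted(names) for ind, names in index.items() if len(names) > 1}


if __name__ == "__main__":
    for pair, score, shared in flag_shared_tooling(CLUSTERS):
        print(f"{pair[0]} ~ {pair[1]}: jaccard={score:.2f} shared={shared}")
    for ind, names in sorted(shared_indicator_index(CLUSTERS).items()):
        print(f"{ind} -> {names}")
```

On the constructed data, UNC-A and UNC-B share two of six distinct indicators (Jaccard 0.33) and are flagged, while UNC-C shares nothing with either; the index shows that a single detection on `tool:loader-x` or `tool:dropper-y` would cover both flagged clusters. Overlap on its own is not proof of a single operator, which is why the script ranks candidates for analyst review rather than collapsing clusters automatically.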
For more details and in-depth insights into the changing landscape of North Korea's cyber activities, you can access the full report at https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023
About us:
Mandiant is a recognised leader in dynamic cyber defence, threat intelligence and incident response services. By scaling decades of frontline experience, Mandiant helps organisations to be confident in their readiness to defend against and respond to cyber threats. Mandiant is now part of Google Cloud.