North Korea's State-Sponsored APTs Organize & Align

North Korean advanced persistent threat (APT) groups have become aligned in an unprecedented way since the start of the COVID-19 pandemic, evolving in terms of adaptability and complexity, and allowing for individual threat groups to diversify and expand activities — all while making it more difficult for investigators to keep up.

Historically, threat researchers have tracked North Korea's threat activities as being carried out by individual groups — Lazarus Group and Kimsuky among them. However, the lines are beginning to blur between individual APTs, who increasingly are coordinating efforts, and sharing both tools and information. As a result, it's becoming harder to distinguish who's responsible for what threat activity, researchers from Mandiant revealed in a report published Oct. 10.

While threat researchers scramble to unravel various threads to define activity according to its perpetrator, North Korean actors are moving nimbly to diversify their attacks, sharing tooling and code as they continue to adapt and change to build tailored malware for different platforms — Linux and MacOs among them, the researchers have found.

The supply chain also may be at an increased risk from North Korean APTs, as the groups evolve toward aggressive and broader intrusions that encompass multiple intrusions to multiple networks by multiple APTs, using various supply chain vectors, the researchers noted.

"This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability," the researchers noted.

That said, individual groups continue to work on "separate, unrelated efforts such as ransomware, collecting information on conventional weapons, nuclear entity targeting, blockchain- and fintech- targeting efforts, among various others," Mandiant analysts wrote in the report. This includes efforts to steal cryptocurrency to fund the regime of North Korea's Supreme Leader Kim Jong Un, who each of them ultimately serve. While this effort is a broad goal across APTs, several sub-groups have emerged in recent years that are exclusively aimed at this activity.

A More Organized State-Sponsored Structure

COVID-19 marked a significant change in how North Korean threat groups operate, with an unprecedented level of coordination and information-sharing directly driven by the closure of borders during that time. This left typically secretive and taciturn operators located outside the country in a lurch, and forced them to communicate with other groups, spurring collaboration that continues to this day, Michael Barnhart, principal analyst at Mandiant, says.

"While it remains uncertain whether this collaboration was intentional or driven by necessity, there is no sign of a decrease in such activities," Barnhart says. "In fact, there is evidence of an increasing trend toward such collaborations."

Mandiant researchers compiled a comprehensive structure of the current North Korean APT landscape to help defenders understand what they're currently up against. In general, all threat groups lead back to Kim Jong Un, and all activity is either to provide funding or intelligence for the regime — or both.

Branching directly from the supreme leader are the General Staff Department of the Korean People's Army — which oversees the Reconnaissance General Bureau (RGB) — and the Minister of State Security, to which APT37, better known as ScarCruft or Reaper, directly reports.

Several threat groups also are aligned with North Korea's RGB, including Kimsuky, which Mandiant tracks as APT43; APT38 (better known as Lazarus, one of North Korea's most prolific threat groups); Temp.HERMIT, also tracked as part of Lazarus' activities and dedicated to cyber espionage; and Andariel, often linked to ransomware activities using bespoke ransomware dubbed Maui.

To complicate matters further, each of these groups has sub-groups operating under them to carry out particular tasks. For example, a group tracked as Apple.Jeus operates under the umbrella of Temp.HERMIT and is tasked exclusively with targeting cryptocurrency industry "with the goal of stealing digital assets to fund the regime's priorities," the researchers wrote.

Muddying the waters further are several groups operating under the direction of the Central Committee of the Workers' Party of Korea — the United Front Department and IT Workers — each of which work domestically and abroad to conduct cyber operations on behalf of the regime.

DPRK's Threat Evolution Demands Collaborative Response

Due to the evolving nature of these diverse and varied groups operating on behalf of North Korea, the ultimate takeaway of Mandiant's findings is that defenders would be better served by focusing on the specific nature of a particular activity rather than getting too deep in the weeds of trying to figure out which North Korea-backed group is perpetrating it, Barnhart says.

"These specific threat actors are extremely adaptable and agile, often leading defenders to spend significant time attempting to attribute actions to specific individuals behind the keyboard," he says.

Because this process is "far from straightforward," a more productive approach would be "to prioritize the mission after [attributing the attacks] to North Korea, rather than becoming overly preoccupied with specific units, until it becomes necessary to address those specific concerns," Barnhart says.

Future threat intelligence-gathering efforts will rely on defenders engaging in the same collaborative spirit demonstrated by the North Korean APTs themselves to mount "a more effective, collective response to counter this persistent threat actor," he says.

"Our recommendation is for both governments and the private sector to continue their collaborative efforts, presenting a unified front," Barnhart says. "This approach serves to maximize imposed cost on the threat actor."