North Korea (DPRK) Cyber Operations Groups

leave a comment »

After Russia, US and China, here is my mapping of known APT groups with (offensive) cyber operations capabilities from DPRK (commonly referred to as North Korea). As always, please let me know if you notice any mistakes, errors, or missing information since this is supposed to be a live document, updated as soon as new information becomes available.

The sources used are listed below the diagram, similarly to the other cases.

Last update: 10 October 2023

Sources

• Wikipedia: Reconnaissance General Bureau
• Wikipedia: Ministry of State Security (North Korea)
• Recorded Future: North Korea Cyber Activity
• Foundation for Defense Democracies: Kim Jong Un’s ‘All-Purpose Sword’
• FAS: North Korean Intelligence Agencies
• Global Security: Reconnaissance General Bureau; Chongch’al Ch’ongguk; a.k.a. KPA Unit 586
• Michael Raska: North Korea’s Evolving Cyber Strategies: Continuity and Change
• NATO CCD COE 11th International Conference on Cyber Conflict: The All-Purpose Sword: North Korea’s Cyber Operations and Strategies
• ASEC: APT Attack-New “Kimsuky” malware emerges
• CSIS: North Korea’s Cyber Operations; Strategy and Responses
• US Department of Justice: North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
• US Department of Justice: Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe
• US Department Justice: Assistant Attorney General John C. Demers Delivers Remarks on the National Security Cyber Investigation into North Korean Operatives
• US Department of Justice: North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
• US CISA: FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
• US CISA: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
• FBI: Update on Sony Investigation
• Health Sector Cybersecurity Coordination Center (HC3): North Korean Cyber Activity
• Russian Council: North Korea’s Cyber
• ThaiCERT: APT group: Lazarus Group, Hidden Cobra, Labyrinth Chollima
• Daily NK: Kim Jong Un is directly handling results of new COVID-19 hacking organization’s work
• Microsoft: Cyberattacks targeting health care must stop
• Mandiant: Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations
• Mandiant: Assessed Cyber Structure and Alignments of North Korea in 2023

ChangeLog

• Version 2.2 (10 October 2023): Added APT43 under Lab 110 (source)
• Version 2.0 (28 March 2022): Updated based on Mandiant’s research
• Version 1.5 (28 April 2021): Added Bureau 325. (credits: @SwitHak)
• Version 1.0 (24 April 2021): First publication.

Written by xorl

April 24, 2021 at 13:39

Posted in threat intelligence