
Vendor News

Assessed Cyber Structure and Alignments of North Korea in 2023

11 October 2023

Executive Summary

  • The DPRK’s offensive program continues to evolve, showing that the regime is determined to continue using cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities.
  • The latest DPRK-nexus operations hint at an increase in adaptability and complexity, including a cascading software supply chain attack seen for the first time, and consistent targeting of blockchain and fintech verticals.
  • While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS.
  • Mandiant’s continuous monitoring of DPRK-aligned malicious cyber actors highlights a significant multiyear shift and blend in the country’s cyber posture.
  • Overlaps in targeting and shared tooling muddle attribution attempts for investigators while streamlining adversarial activities.
  • Historical examples of activity and uncategorized clustering represent a way forward for maintaining visibility on separate groups.

Summation of North Korea’s Cyber Program

Historically, Mandiant has made assessments of the Democratic People’s Republic of Korea’s (DPRK) cyber program based on Mandiant responses to intrusions, defector accounts, and OSINT reporting, in conjunction with government disclosures of DPRK units and motivation information. These assessments were generalizations, and as new activity emerged, such as cryptocurrency-focused units, it blended the efforts of DPRK-aligned cyber operators, and updates were needed for the now historic chart seen in Figure 1.