North Korean state-sponsored cyber groups, broadly referred to as the “Lazarus Group,” appear to have recently restructured themselves in an effort to accelerate internal cooperation, according to the cybersecurity firm Mandiant.
Enhanced cooperation within the “Lazarus Group” has given the hacking collective several advantages, such as improved resource sharing and a blurring of the lines between units that makes attribution harder for defenders, warns Google-owned Mandiant in a blog post published last week.
“The DPRK’s cyber landscape has evolved into a streamlined organization, complete with shared tooling and targeting efforts,” stated Michael Barnhart, voicing the firm’s estimate of North Korea’s current cyber program.
Shared tooling and coordinated targeting are nothing new for Pyongyang’s hackers, the Mandiant research team noted. However, the COVID-19 pandemic “marked a significant shift” in these tactics, a change the researchers attribute to the hardened border between North Korea and China during that period.
North Korea is accused of conducting cyber operations for espionage and for revenue generation, two activities that are central to the regime’s pursuit of power and influence. Prior to the COVID-19 pandemic, North Korea’s cyber operations were divided into six interrelated groups: UNC614 (Andariel), APT37, APT38, APT43 (Kimsuky), TEMP.Hermit, and the IT workers. Over the course of the pandemic, these evolved into nine groups, with the addition of AppleJeus (UNC1720), CryptoCore (UNC1069), and TraderTraitor (UNC4899).
Although these units are thought to report to different parts of the state, namely the Reconnaissance General Bureau (RGB), the Ministry of State Security, and the Workers’ Party of Korea, they are quickly becoming a unified cyber army, rapidly adapting to change and sharing malicious tools whenever needed, according to the Mandiant report.
“Operators within these units quickly change their current focus and begin working on separate, unrelated efforts, such as ransomware, collecting information on conventional weapons, nuclear entity targeting, and blockchain and fintech targeting efforts, among various others,” wrote the researchers.
“This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities. Further, it enables this now collaborative adversary to move stealthily with greater speed and adaptability,” stressed the cyber threat intelligence company.