North Korea reorganized its hacking groups to increase efficiency in cyber operations, Mandiant reveals

By Dain Oh, The Readable
Oct. 16, 2023 8:26PM GMT+9

North Korean state-sponsored cyber groups, broadly referred to as the “Lazarus Group,” appear to have recently restructured themselves in an effort to accelerate internal cooperation, according to the cybersecurity firm Mandiant.

Enhanced cooperation among the “Lazarus Group” has led to several advantages for the hacking collective, such as improved resource sharing and attributional complexity, warns Google-owned Mandiant in a blog post last week.

“The DPRK’s cyber landscape has evolved into a streamlined organization, complete with shared tooling and targeting efforts,” stated Michael Barnhart, voicing the firm’s estimate of North Korea's current cyber program.

The sharing of tools and enhanced targeting is nothing new for hackers in the Pyongyang regime, noted the Mandiant research team. However, the COVID-19 pandemic “marked a significant shift” in these tactics, a change attributable to the hardened border between North Korea and China.

North Korea is accused of committing cybercrimes for the purposes of espionage and money laundering, their primary means of accruing power and influence. Prior to the COVID-19 pandemic, North Korea’s cyber operations were divided into six interrelated groups: UNC614 (Andariel), APT37, APT38, APT43 (Kimsuky), TEMP.Hermit, and IT workers. Over the course of the pandemic, they evolved into nine groups, adding AppleJeus (UNC1720), CryptoCore (UNC1069), and TraderTraitor (UNC4899).

Source: Mandiant

Although these units are thought to be working for the Reconnaissance General Bureau (RGB), the Ministry of State Security, and the Workers' Party of Korea respectively, they are quickly becoming a unified cyber army, rapidly adapting to change and sharing malicious tools whenever needed, according to the report by Mandiant.

“Operators within these units quickly change their current focus and begin working on separate, unrelated efforts, such as ransomware, collecting information on conventional weapons, nuclear entity targeting, and blockchain and fintech targeting efforts, among various others,” wrote the researchers.

“This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities. Further, it enables this now collaborative adversary to move stealthily with greater speed and adaptability,” stressed the cyber threat intelligence company.

ohdain@thereadable.co

The cover image of this article was designed by Areum Hwang. This article was copyedited by Arthur Gregory Willers.


Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.