The Emergence of Coordinated North Korean APTs Amidst COVID-19
Since the onset of the COVID-19 pandemic, North Korean state-sponsored advanced persistent threat (APT) groups have undergone a remarkable transformation, demonstrating an unprecedented level of coordination and collaboration.
This evolution has made it increasingly challenging for threat researchers to attribute specific activities to individual APTs.
This news item explores the changes in North Korean APT operations, their implications for cybersecurity, and the need for a collaborative response.
Key Takeaways:
- Coordination and Complexity: North Korean APT groups, historically tracked as distinct entities, have started working together, sharing tools and information. This coordinated effort has enhanced their adaptability and complexity, making it difficult to attribute specific activities to individual groups.
- Supply Chain Vulnerabilities: The evolving tactics of North Korean APTs pose an increased risk to supply chains. These groups are engaged in aggressive and widespread intrusions that involve multiple actors targeting various networks, utilizing various supply chain vectors.
- Diverse Objectives: While APT groups are working together on certain activities, they continue to pursue individual, unrelated efforts, including ransomware attacks, data collection on conventional weapons, nuclear entity targeting, blockchain and fintech targeting, and cryptocurrency theft.
Coordination and Complexity
North Korean APT groups, such as Lazarus Group and Kimsuky, historically operated independently.
However, the COVID-19 pandemic forced a shift in their tactics, leading to increased coordination and information sharing.
This newfound collaboration has allowed them to diversify their attacks, adapt to new challenges, and share tooling and code, making it difficult for defenders to attribute their activities.
Supply Chain Vulnerabilities
The evolving strategies of North Korean APTs pose a significant threat to the supply chain. These groups are now involved in aggressive and broader intrusions, targeting multiple networks through various supply chain vectors.
This approach allows them to move stealthily, with greater speed and adaptability, making defense more challenging.
Diverse Objectives
While APT groups collaborate on some activities, they continue to pursue distinct objectives. These include ransomware attacks, data collection on conventional weapons, nuclear entity targeting, and efforts to target blockchain and fintech.
Notably, some sub-groups have emerged with a primary focus on stealing cryptocurrency to fund North Korea’s regime.
A More Organized State-Sponsored Structure
The COVID-19 pandemic marked a significant change in how North Korean APT groups operate. The closure of borders forced previously secretive operators outside the country to communicate and collaborate, resulting in an ongoing trend of coordination.
All APT activities ultimately serve the regime of North Korea’s Supreme Leader Kim Jong Un, with various groups and sub-groups operating under different entities.
Collaborative Response
The evolving nature of North Korean APTs makes it challenging to attribute specific actions to individual groups.
As a result, a more effective approach for defenders is to focus on the adversary's mission once an attack has been attributed to North Korea, rather than becoming preoccupied with which specific unit carried it out.
A collaborative response from governments and the private sector is crucial to counter this persistent threat actor.
Conclusion
The coordinated efforts of North Korean APT groups underscore the need for a collaborative response to counter evolving cybersecurity threats. Rather than focusing on individual units, defenders should prioritize mission-specific actions in their efforts to protect against these agile and adaptable adversaries.