Study reveals North Korean cyber-espionage has reached new heights

Spying unit is widening its operations into aerospace and defence industries, according to US security firm

An increasingly sophisticated North Korean cyber-espionage unit is using its skills to widen spying operations to aerospace and defence industries, a new study has revealed.

FireEye, a US private security company that tracks cyber-attackers around the world, has identified a North Korean group, which it names APT37 (Reaper) and which it says is using malware to infiltrate computer networks.

The report suggests the group has been active since 2012, but has now graduated to the level of an advanced persistent threat.

Until now, the group has substantially focused its cyber-espionage efforts on South Korea, but FireEye outlines evidence that it “has expanded its operations in both scope and sophistication”.

“We assess with high confidence that this activity is carried out on behalf of the North Korean government,” the report says.

The group’s cyber operation is now said to be targeting Japan, Vietnam and the Middle East and is attempting to steal secrets from companies and organisations involved in the chemical, electronics, manufacturing, aerospace, automotive and healthcare industries.

“We judge that APT37’s primary mission is covert intelligence gathering in support of North Korea’s strategic, military, political and economic interests,” the report says.

The report comes after months of increasingly hot rhetoric between Kim Jong-un and Donald Trump amid US fears that North Korea is its biggest threat, as Pyongyang makes progress in developing a nuclear warhead and ballistic missile system capable of hitting the US mainland.

The scale of North Korea’s cyber-espionage effort was outlined in 2015 when South Korea claimed the north’s “cyber army” had doubled in size to more than 6,000 people.

In December last year, it was suggested the UK and US may have launched retaliatory cyber-attacks against North Korea. The UK and the Trump administration blamed North Korea for the WannaCry malware attacks which brought chaos to hospitals, banks and other companies in May 2017.

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, Trump’s homeland security adviser, wrote in the Wall Street Journal.

John Hultquist, director of intelligence analysis at FireEye, said APT37 had so far received very little public attention.

“We have been tracking their actions for some time, gathering clues from incidents mainly focused in South Korea. North Korea is an increasingly aggressive actor willing to leverage a variety of tools against their neighbours and the world,” he said.

“Previous incidents, such as the WannaCry attacks, have been a surprise. If we want to neutralize this surprise, we have to seek out these actors and expose them.”

APT37’s targets have included:

  • A Middle Eastern company that entered into a joint venture “that had gone bad” to provide North Korea with telecommunications service.
  • Individuals involved in trade and international affairs issues.
  • Individuals working with Olympics organisations.
  • A journalist and a research fellow associated with North Korean human rights issues.
  • An entity in Japan associated with United Nations missions on sanctions and human rights.

Methods used by the group included sending a board member of a Middle Eastern financial company a malicious document disguised as a bank liquidation letter, which exploited a vulnerability in Microsoft Office that had been disclosed only one month earlier.

Once opened, the document communicated with a compromised website to surreptitiously install a ‘backdoor’ tool that allowed the group to collect system information, take screenshots and download more malicious files to the victimized computer.

The group is also said to go after South Korean targets using emails promising links to websites about Korean reunification.

Compromised websites, including a news site for North Korean defectors and refugees, an aromatherapy site and a scuba diving website, were all used to avoid detection and deliver “malicious malware payloads” designed to infect servers.

The fact that the group quickly incorporated recently publicised vulnerabilities into its spear-phishing emails “suggest a high operational tempo and specialized expertise”, FireEye concludes.

“Their malware is characterised by a focus on stealing information from victims, with many set up to automatically exfiltrate data of interest,” the report says, adding: “We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea.

“An individual we believe to be the developer behind several APT37 malware payloads inadvertently disclosed personal data showing that the actor was operating from an IP address and access point associated with North Korea.”

One piece of malware, called DogCall, is capable of capturing screenshots and keystrokes and of getting into cloud storage services such as Dropbox. It was used to target South Korean government and military organisations in March and April 2017.

A “wiper tool” called RUHappy was also deployed, meant to render systems inoperable.


David Taylor in New York

The Guardian
