Another year, another North Korean malware-spreading, crypto-stealing gang named

Mandiant identifies 'moderately sophisticated' but 'prolific' APT43 as global menace


Google Cloud's recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.

"Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime," states a report on the gang released on Wednesday.

The report observes that APT43's activities have sometimes been attributed to actors known as "Thallium" or "Kimsuky" – such as the 2021 attack on South Korea's nuclear research agency.

That raid is typical of APT43's activities. It aligns with the gang's goal of strategic intelligence collection to keep North Korea informed of its foes' activities and capabilities.

APT43 mostly uses spear phishing and fake websites to gather information, eschewing zero-day vulnerabilities. Once it compromises a target, the gang's favorite tool is LATEOP – a backdoor based on VisualBasic scripts. It has also used malware such as gh0st RAT, QUASARRAT, and AMADE to go about its business. The gang appears not to be a notable malware innovator, but Mandiant has observed "a steady evolution and expansion of the operation's malware library over time."

As North Korea's needs change, so do APT43's activities and targets. Before 2020 it targeted diplomatic organizations and think tanks that considered strategic issues around the Korean peninsula. It then shifted focus to healthcare organizations, in what Mandiant assesses was a desire to gather information related to COVID-19.

Those shifts have seen the group attack different types of target. But Mandiant's analysts believe it has an overarching purpose of "enabling North Korea's weapons program, including: collecting information about international negotiations, sanctions policy, and other countries' foreign relations and domestic politics as these may affect North Korea's nuclear ambitions."

APT43 funds its own activities by stealing and laundering cryptocurrency, but those heists aren't its purpose. Indeed, North Korea backs another gang – APT38 – to pinch cryptocurrency.

But the gangs don't operate in isolation. Mandiant asserts "APT43 has shared infrastructure and tools with known North Korean operators, highlighting its role and mission alignment in a wider state-sponsored cyber apparatus."

Intriguingly, Mandiant thinks APT43 may also have a role in policing some of that apparatus.

"We have some indication that APT43 also carries out internal monitoring of other North Korean operations, including non-cyber activities," the report asserts. "APT43 has compromised individual espionage actors, including those within its own operations. However it is unclear if this is intentional for self-monitoring purposes or accidental and indicative of poor operational security."

"Mandiant assesses with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service," the report adds.

"We expect that APT43 will remain highly prolific in carrying out espionage campaigns and financially motivated activities supporting these interests," Mandiant's report concludes. "We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43's persistent and continuously developing operations reflect the country's sustained investment and reliance on groups like APT43." ®
