A lesser-known North Korean cyberespionage group has been rapidly widening its scope and skills to step up attacks beyond the Korean Peninsula to include Japan, Vietnam and the Middle East in 2017, security researchers have said.
According to cybersecurity firm FireEye, the shadowy hacker group dubbed APT37 or Reaper has been active since 2012 and primarily focused on South Korea.
Researchers added that the group has since "expanded its operations in both scope and sophistication" to rise to the level of an advanced persistent threat. For years, the cyberspying group has been operating in the shadows of the notorious Lazarus Group — the group widely believed to have carried out the 2014 Sony hack and the 2017 WannaCry ransomware attacks.
Now, APT37 has expanded its cyber arsenal to include access to zero-day vulnerabilities and a diverse suite of custom malware for intrusion, exfiltration, espionage and even destructive purposes.
"We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests," FireEye said in a report published on Tuesday (20 February). "We judge that APT37's primary mission is covert intelligence gathering in support of North Korea's strategic military, political and economic interests."
Between 2014 and 2017, the group primarily focused on South Korean government, military, defense industrial base and media sector using Korean language lures and politically themed material.
Last year, the group appeared to move beyond the peninsula to target other entities in Japan, Vietnam and the Middle East across a range of industries such as chemicals, electronics, aerospace, automotive, manufacturing and health sectors.
"APT37 targeted a research fellow, advisory member, and journalist associated with different North Korean human rights issues and strategic organizations," FireEye's report reads. "It also targeted an entity in Japan associated with the United Nations missions on sanctions and human rights."
In another case, APT37 targeted an unnamed Middle Eastern organisation that was involved with a North Korean firm in a business deal that went bad.
"This firm was targeted shortly after media reports of this schism had gone public," researchers said. "The targeting effort may have been an attempt by the North Korean government to gather information on a former business partner."
In May 2017, a board member of a Middle Eastern financial company was targeted with a specially-crafted spear phishing email disguised as a bank liquidation letter.
Diverse and destructive cyberarsenal
Newer variants of KARAE and POORAIM malware were also deployed to South Korean victims via torrent websites while a DogCall backdoor and RUHappy wiper malware were used against South Korean military and government organisations.
The DogCall malware is capable of capturing keystrikes, screenshots and leveraging cloud storage services such as Dropbox. Meanwhile, the destructive RUHappy wiper tool can leave systems inoperable and simply displays the words "Are you Happy?" when users' try to restart the system.
FireEye managed to track down and analyse the group's activities after it was connected to the use of an Adobe Flash zero-day vulnerability named CVE-2018-4878.
"We believe this is the next team to watch," FireEye's director of intelligence analysis John Hultquist told Wired. "This operator has continued to operate in a cloud of obscurity, mostly because they've stayed regional. But they're showing all the signs of a maturing asset that's commanded by the North Korean regime and can be turned to any purpose it wants."
Researchers said APT37 serves as an "additional tool" for the regime that is "perhaps even desirable for its relative obscurity.
"We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions," they noted. "Especially as pressure mounts on their sponsor."