North Korea
Getty Images/ Carl Court


  • The group designated as "APT43" allegedly has links to North Korea's foreign intelligence service
  • The North Korean hacking group targets experts through phishing and fake personas
  • APT43 steals cryptocurrency from ordinary users using malicious Android apps

A group of hackers from North Korea has been waging long-term social engineering and espionage campaigns to gather intelligence, supporting the North Korean regime's geopolitical interests.

A new report by cybersecurity consultancy firm Mandiant, which is a part of Google Cloud, highlighted the threat posed by a North Korean hacking group it named "Advanced Persistent Threat 43," or APT43, which has alleged links to North Korea's Reconnaissance General Bureau (RGB), the country's main foreign intelligence service.

Mandiant said that since 2018, APT43 has played the "long con" by targeting South Korean, Japanese and American think tanks and academics familiar with international negotiations and sanctions affecting North Korea.

The North Korean hackers approach their target experts using spear-phishing emails from fake or spoofed personas. The victims are directed to websites impersonating legitimate entities that contain phony log-in pages where victims are tricked into entering their account credentials.

After stealing the victims' credentials, APT43 impersonates the target to carry out intelligence collection and uses the victim's contacts to find other targets.

APT43 aims to gain the experts' insights on the defense, security and foreign policies of the U.S. and South Korea, which could affect North Korea's policies.

"The group is primarily interested in information developed and stored within the U.S. military and government, defense industrial base (DIB), and research and security policies developed by U.S.-based academia and think tanks focused on nuclear security policy and nonproliferation," the Mandiant report said.

"APT43 has displayed interest in similar industries within South Korea, specifically non-profit organizations and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information around goods whose export to North Korea has been restricted," it continued.

The North Korean hacking group also targeted healthcare and pharmaceutical entities during the COVID-19 pandemic, which Mandiant believes indicates that its operations are "highly responsive to the demands of Pyongyang's leadership," The Washington Post reported.

Mandiant's cybersecurity researchers also uncovered APT43's cryptocurrency theft operations against ordinary users. North Korean hackers allegedly used the stolen cryptocurrency to sustain their own operations.

The report said APT43 is using malware-laden Android apps to target users who are looking to get cryptocurrency loans. These users end up losing their digital assets to the threat actors.

North Korean hackers would then launder the stolen cryptocurrency through hash rental and cloud mining services, making it harder for authorities to track them down.

Ben Read, the head of Mandiant's cyberespionage analysis, said that unlike other known regime-backed groups such as the Lazarus Group, groups such as APT43 have narrower objectives and contribute to larger cybercrime operations of North Korea while supporting Kim Jong-un's nuclear ambitions.

"It shows specialization between the different groups. It is a bureaucracy. It's not just an undifferentiated cluster of hackers, but there are teams that consistently, year-over-year, operate in a way that is sort of knowable," Read said.

North Korea has long been known for its sophisticated cybercrime activities.

The Lazarus Group was responsible for a cyberespionage campaign that used distributed denial-of-service attacks (DDoS) to target the websites and servers of the South Korean government.

The North Korean hacking group was also linked to bank heists, allegedly stealing millions from Ecuador's Banco del Austro and Bangladesh Bank.

Lazarus Group was also involved in the massive hack of Sony Pictures in 2014, stealing large amounts of data and accessing unreleased films.

Glib Ivanov-Tolpintsev, 28, is suspected of hacking into tens of thousands of computers and selling their access codes on the dark web, the underground version of the internet
Representation. AFP / Fred TANNEAU