Defense and electronics industries around the world now have another cyber threat from North Korea to worry about: Reaper.
The elite hacking group, also known as APT37, is linked to Pyongyang and has emerged as a significant threat according to U.S. security firm FireEye, which published a new report Tuesday suggesting the hackers have graduated to the level of “advanced persistent threat.”
Reaper has operated under the radar since 2012, focusing mostly on cyber espionage efforts in South Korea, where it’s targeted human rights organizations, North Korean defectors and organizers for the 2018 Winter Olympics.
South Korea remains the hacking group’s primary focus, but it has recently targeted entities in the Middle East, Japan and Vietnam. The move beyond the Korean Peninsula is part of the reason FireEye believes Reaper is “the next team to watch,” John Hultquist, FireEye's director of intelligence analysis, told Wired.
“This operator has continued to operate in a cloud of obscurity, mostly because they’ve stayed regional. But they’re showing all the signs of a maturing asset that’s commanded by the North Korean regime and can be turned to any purpose it wants,” Hultquist said.
FireEye pointed to two recent attacks as proof that the hacking group was expanding its focus. One attack centered on a Middle East company that had a falling-out with the North Korean government; another targeted a Japanese company involved in imposing UN sanctions.
The security firm believes it can say with “high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea.”
The smoking gun: FireEye spotted an amateurish security mistake by the developer of the group’s malware, which “inadvertently disclosed personal data showing that the actor was operating from an IP address and access point associated with North Korea.”
Reaper has largely managed to fly under the radar until now, but North Korea’s other state-sponsored hacking enterprises are well-documented — particularly the elite team known as Lazarus.
The U.S. government and security researchers have identified Lazarus as the hacking team behind the devastating WannaCry ransomware attack last year that infected roughly 300,000 devices in over 150 countries.
In December, the U.S. government publicly blamed North Korea for the devastating attack, and vowed that Pyongyang would be “held accountable.”
Lazarus is also accused of conducting a 2013 attack on South Korean television stations, the U.S. Sony Pictures hack in 2014, and the theft of $81 million from the Bangladesh Bank in 2016.
Pyongyang’s army of cyber soldiers has enjoyed relative freedom in recent years, growing in the shadow of the regime’s high-profile nuclear missile program.
Cover image: North Korean leader Kim Jong Un gives field guidance at the Sci-Tech Complex, in this undated photo released by North Korea's Korean Central News Agency (KCNA) in Pyongyang October 28, 2015. REUTERS/KCNA