According to a UN expert report, North Korea stole a record amount of money in 2022 through cyber attacks by the APT group Lazarus. North Korean cybercriminals are believed to have stolen at least $630 million.
The sanctioned country uses the money mainly to finance its nuclear and missile programs. The state group Lazarus, among others, is held responsible for the cyber attacks. In public reporting, "Lazarus Group" is often used as a generic term for numerous North Korean cyber actors. A blog post by Mandiant provides detailed insights into the various institutions within the hermit state, helping readers understand how these actors evolve and share resources.
Many APT groups lumped together
TEMP.Hermit, APT38 and Andariel are probably subordinate to Lab 110. Lab 110 is likely an expanded and reorganized version of Bureau 121, often referred to as North Korea's primary hacking unit. Lab 110 includes some elements most closely associated with the organization publicly reported as the "Lazarus Group." Open source reporting often uses the Lazarus Group title as an umbrella term and refers to numerous clusters that we track separately. Although TEMP.Hermit is most commonly aligned with Lazarus Group reporting, researchers and open sources often lump all three of these actor groups — and sometimes even all North Korean APTs — together simply as the “Lazarus Group.”
Targets of North Korean cyber criminals
“Despite the fluctuations in the crypto market, North Korea remains committed to targeting these assets. These actors are involved in a variety of fraudulent methods to raise money and funnel it into the regime's coffers. Some intruders focus purely on raising money. Others primarily collect intelligence information and target cryptocurrencies to fund their operations. Both businesses and high net worth individuals are targets of the attacks, which are constantly evolving and often go unnoticed.” – John Hultquist, Head of Client Threat Intelligence at Google Cloud.