Cyber Threats from North Korea
Understand more about cyber threat actors and intrusion sets attributed to North Korea.
Intrusion Sets
Cyber intrusion sets attributed to North Korea.
APT37
APT37 is an intrusion set originally identified by FireEye iSight Intelligence and linked to North Korean state interests. The group has ...
APT45
APT45 is a group observed carrying out campaigns as early as 2009; researchers at Google's Mandiant graduated it to APT status in July 2024. ...
Andariel
Andariel is a state-sponsored cyber organization based in Pyongyang and Sinuiju, North Korea. It operates under the Reconnaissance General ...
H0lyGh0st
H0lyGh0st is a ransomware actor who has been observed deploying ransomware against targets in education, finance, manufacturing, entertainment and ...
Kimsuky
Kimsuky is a North Korean sponsored APT group that conducts cyber espionage operations against targets related to the Korean peninsula, nuclear ...
Lazarus Group
The Lazarus Group intrusion set was originally identified by Novetta under Operation Blockbuster which attributed the 2014 cyber attack against ...
Onyx Sleet
Onyx Sleet, formerly known as PLUTONIUM, is a North Korean nation-state threat actor that has been active since at least 2014. Its primary targets ...
Storm-0530
Storm-0530 is an intrusion set tracked by researchers at Microsoft Threat Intelligence. The group calls itself H0lyGh0st and conducts ransomware ...
TA427
TA427 is an intrusion set tracked by researchers at Proofpoint, who link it to North Korea (the Democratic People's Republic of Korea) and ...
Threat Actors
Cyber threat actors attributed to North Korea.
North Korean Ministry of State Security (MSS)
According to researchers at Mandiant, the Democratic People’s Republic of Korea’s (DPRK) Ministry of State Security (MSS) is the sponsor of parts ...
North Korean Reconnaissance General Bureau
According to the US government, the Reconnaissance General Bureau (RGB) is a military intelligence agency of the Democratic People’s Republic of ...
North Korean Reconnaissance General Bureau 3rd Bureau
North Korea's Reconnaissance General Bureau (RGB) 3rd Bureau is reported by the FBI and other international agencies as an entity based in ...
Threat Reports
Publicly available threat reporting on cyber attacks and campaigns attributed to North Korea.
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners highlights the cyber espionage activities of the ...
APT45: North Korea’s Digital Military Machine
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...
Onyx Sleet uses array of malware to gather intelligence for North Korea
Following an indictment by the US Department of Justice linked to the intrusion set Microsoft tracks as Onyx Sleet, this report includes details of ...
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
This blog post from Proofpoint's Threat Research Team details the TA427 group, which they link to Kimsuky and attribute to North Korea. TA427 conducts ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by the North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Operation Blockbuster: Unraveling the Long Thread of the Sony Attack
This report by Novetta covers 'Operation Blockbuster', a Novetta-led coalition of private industry partners aiming to understand and ...
APT37 (REAPER) - The Overlooked North Korean Actor
This special report by FireEye discusses an investigation into APT37, a suspected North Korean cyber espionage group. According to the report, ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by North Korea.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1560 | Archive Collected Data | Collection |
T1587.001 | Malware | Resource Development |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1587.004 | Exploits | Resource Development |
T1083 | File and Directory Discovery | Discovery |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1071 | Application Layer Protocol | Command and Control |
T1591 | Gather Victim Org Information | Reconnaissance |
T1003 | OS Credential Dumping | Credential Access |
T1572 | Protocol Tunneling | Command and Control |
T1190 | Exploit Public-Facing Application | Initial Access |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1090 | Proxy | Command and Control |
T1592 | Gather Victim Host Information | Reconnaissance |
T1087 | Account Discovery | Discovery |
T1059 | Command and Scripting Interpreter | Execution |
T1596 | Search Open Technical Databases | Reconnaissance |
T1039 | Data from Network Shared Drive | Collection |
T1595 | Active Scanning | Reconnaissance |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1566.001 | Spearphishing Attachment | Initial Access |
T1059.003 | Windows Command Shell | Execution |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1204.002 | Malicious File | Execution |
T1016 | System Network Configuration Discovery | Discovery |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1105 | Ingress Tool Transfer | Command and Control |
T1110 | Brute Force | Credential Access |
T1518.001 | Security Software Discovery | Discovery |
T1070.004 | File Deletion | Defense Evasion |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1112 | Modify Registry | Defense Evasion |
T1082 | System Information Discovery | Discovery |
T1047 | Windows Management Instrumentation | Execution |
T1005 | Data from Local System | Collection |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1033 | System Owner/User Discovery | Discovery |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1074.001 | Local Data Staging | Collection |
T1057 | Process Discovery | Discovery |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1569.002 | Service Execution | Execution |
T1012 | Query Registry | Discovery |