ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: [Unnamed groups: North Korea]

Names: [Unnamed groups: North Korea]
Country: North Korea
Motivation: Information theft and espionage
First seen: 2019
Description: These are reported APT activities attributed to a country, but not to an individual threat group.
Observed: Countries: France, USA.
Tools used: BeaverTail, OtterCookie, InvisibleFerret.

Operations performed:
Aug 2019: Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks
<https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z>
Dec 2022: Operation “Contagious Interview”
Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors
<https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/#post-131292-_xkx0jjh1l9jy>
Apr 2024: Operation “DEV#POPPER”
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
<https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/>
Jul 2024: Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering
<https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/>
Jul 2024: How a North Korean Fake IT Worker Tried to Infiltrate Us
<https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us>
Aug 2024: South Korea says DPRK hackers stole spy plane technical data
<https://www.bleepingcomputer.com/news/security/south-korea-says-dprk-hackers-stole-spy-plane-technical-data/>
Sep 2024: Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview
<https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/>
Oct 2024: APT Actors Embed Malware within macOS Flutter Applications
<https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/>
Oct 2024: Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
<https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/>
Nov 2024: Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
<https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/>
Nov 2024: New 'OtterCookie' malware used to backdoor devs in fake job offers
<https://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/>

Counter operations:
Jan 2019: Justice Department Announces Court-Authorized Efforts to Map and Disrupt Botnet Used by North Korean Hackers
<https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-efforts-map-and-disrupt-botnet-used-north>
May 2024: US woman allegedly aided North Korean IT workers infiltrate 300 firms
<https://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/>
Aug 2024: Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator
<https://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and>
Dec 2024: US offers $5 million for info on North Korean IT worker farms
<https://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/>
Dec 2024: South Korea sanctions 15 North Koreans for IT worker scams, financial hacking schemes
<https://cyberscoop.com/south-korea-sanctions-north-koreans-it-worker-scams/>

Information:
<https://www.us-cert.gov/ncas/current-activity/2020/02/14/north-korean-malicious-cyber-activity>
<https://www.us-cert.gov/ncas/alerts/aa20-106a>
<https://www.us-cert.gov/ncas/current-activity/2020/05/12/north-korean-malicious-cyber-activity>
<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-187a>
<https://www.us-cert.gov/ncas/current-activity/2018/08/09/North-Korean-Malicious-Cyber-Activity>
<https://www.us-cert.gov/ncas/current-activity/2019/09/09/north-korean-malicious-cyber-activity>
<https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/MTAC-East-Asia-Report.pdf>
<https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/>
<https://www.ic3.gov/PSA/2024/PSA240903>
<https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/>
<https://www.knowbe4.com/hubfs/North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf>
<https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/>
<https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/2024-10-01-security-advisory.pdf>
<https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations>
<https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes>
<https://unit42.paloaltonetworks.com/north-korean-it-workers/>
<https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/>

Last change to this card: 29 December 2024
