An exploratory analysis of the DPRK cyber threat landscape using publicly available reports

Regular Contribution, International Journal of Information Security

Abstract

Cyber operations increasingly mirror real-world operations, and state-sponsored intelligence agencies have pivoted swiftly into cyberspace. Democratic People's Republic of Korea (DPRK) state-sponsored threat actors have emerged as significant global players, targeting not only the Republic of Korea but also conducting espionage worldwide. Their activities have expanded to ransomware distribution and cryptocurrency heists, indicating a pursuit of financial gain. To understand and track these actors comprehensively, this research applies exploratory analysis to publicly available reports: over 2000 reports published between 2009 and May 2024 were analyzed. The analysis focused on the code names these reports use to denote DPRK state-sponsored threat actors. By examining the naming conventions of cyber threat intelligence vendors, the study clustered code names believed to refer to the same entity, identifying 160 distinct code names and mapping them onto seven groups widely recognized in the threat intelligence industry. In addition, 154 notable incidents attributed to these actors were extracted and documented, and their motivations, targeted sectors, and related factors were analyzed to trace the evolving tactics of DPRK state-sponsored threat actors. The findings are openly shared as a dataset and presented through a dedicated website so that researchers interested in these actors have a single, comprehensive resource; the aim is to foster collaboration and further research in the cybersecurity community against emerging threats.
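The alias-clustering step described in the abstract (treating each "X, also known as Y" statement in a report as evidence that two code names denote one entity, and using vendor naming families such as Microsoft's "Sleet", CrowdStrike's "Chollima" and Unit 42's "Pisces" as a DPRK attribution hint) can be implemented as a union-find over normalized names. The Python below is an added example, not code from the paper or its published dataset; the report records are constructed for illustration, and the family-word table is an assumption about those vendors' public taxonomies rather than a fact stated by the paper.

```python
"""Cluster vendor code names that refer to one threat actor (added example, not the paper's code)."""
import re
from collections import defaultdict

# Constructed sample records standing in for report excerpts: (source, primary name,
# aliases the source explicitly equates with the primary name). Illustrative only.
SAMPLE_REPORTS = [
    ("vendor-A", "Lazarus Group", ["HIDDEN COBRA", "ZINC"]),
    ("vendor-B", "Diamond Sleet", ["ZINC"]),
    ("vendor-C", "Labyrinth Chollima", ["Lazarus Group"]),
    ("vendor-A", "Kimsuky", ["Thallium", "Velvet Chollima"]),
    ("vendor-B", "Emerald Sleet", ["THALLIUM"]),
    ("vendor-C", "Ricochet Chollima", ["ScarCruft", "APT37"]),
    ("vendor-D", "Reaper", ["APT37"]),
    ("vendor-A", "Andariel", ["Silent Chollima"]),
    ("vendor-B", "Onyx Sleet", ["Andariel"]),
    ("vendor-D", "Crooked Pisces", []),  # no alias overlap: stays a singleton
]

# Assumed vendor naming families reserved for DPRK-attributed actors (Microsoft "Sleet",
# CrowdStrike "Chollima", Palo Alto Unit 42 "Pisces"); used only as an attribution hint.
DPRK_FAMILY_WORDS = {"sleet", "chollima", "pisces"}


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so 'HIDDEN COBRA' and 'Hidden  Cobra' merge."""
    return re.sub(r"\s+", " ", name.strip()).casefold()


class UnionFind:
    """Disjoint-set forest over code names; every 'aka' statement is an edge."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_aliases(reports) -> dict[str, list[str]]:
    """Return {representative: sorted member names}; the representative is the
    lexicographically smallest member so the output is deterministic."""
    uf = UnionFind()
    for _source, primary, aliases in reports:
        p = normalize(primary)
        uf.find(p)  # register names that carry no aliases, so singletons survive
        for alias in aliases:
            uf.union(p, normalize(alias))
    groups: dict[str, set[str]] = defaultdict(set)
    for name in list(uf.parent):
        groups[uf.find(name)].add(name)
    return {min(members): sorted(members) for members in groups.values()}


def dprk_by_convention(name: str) -> bool:
    """True when the last word is a family word a vendor reserves for DPRK actors."""
    tokens = normalize(name).split()
    return bool(tokens) and tokens[-1] in DPRK_FAMILY_WORDS


def count_code_names(reports) -> int:
    """Distinct normalized code names seen across all records."""
    names = {normalize(primary) for _s, primary, _a in reports}
    names |= {normalize(a) for _s, _p, aliases in reports for a in aliases}
    return len(names)


def summarize(reports) -> dict[str, dict]:
    """Per cluster: members, code-name count, and whether any member's vendor
    family word flags the cluster as DPRK-attributed."""
    return {
        rep: {
            "names": names,
            "code_name_count": len(names),
            "dprk_by_convention": any(dprk_by_convention(n) for n in names),
        }
        for rep, names in cluster_aliases(reports).items()
    }


if __name__ == "__main__":
    total, clusters = count_code_names(SAMPLE_REPORTS), cluster_aliases(SAMPLE_REPORTS)
    print(f"{total} code names -> {len(clusters)} clusters")
    for rep, info in summarize(SAMPLE_REPORTS).items():
        print(rep, info)
```

Two caveats a practitioner would apply before trusting the output: an "aka" edge is only as good as the vendor that asserted it, so a single erroneous alias merges two otherwise distinct clusters (the paper's manual review of naming conventions is what guards against that), and the family-word check is a hint about the vendor's attribution, not evidence of it.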



Data availability

Data is provided within the manuscript and has been cited.


Author information

Contributions

J.L. and A.S. were responsible for the initial draft of the manuscript, writing the main text. E.S. and G.K. significantly contributed to the manuscript by reviewing and providing substantial edits and revisions to enhance clarity, coherence, and scientific accuracy. All authors reviewed and approved the final version of the manuscript, ensuring that it accurately represents their contributions and collectively agreeing on its content.

Corresponding author

Correspondence to Jeonggak Lyu.

Ethics declarations

Conflict of interest

The authors have no conflict of interest to declare concerning this paper.


About this article


Cite this article

Lyu, J., Song, A., Seo, E. et al. An exploratory analysis of the DPRK cyber threat landscape using publicly available reports. Int. J. Inf. Secur. 24, 66 (2025). https://doi.org/10.1007/s10207-025-00980-x
