Cybersecurity company FireEye warned in a report today about the expansion of a North Korean cyber espionage group known as APT37 (Reaper), which was behind the exploitation of an Adobe Flash zero-day vulnerability earlier this year.
“We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper. We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang,” FireEye said in a Feb. 2 post. “The STAR-KP network is operated as a joint venture between the North Korean Government’s Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People’s Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.”
In the new update, FireEye says the group is being tracked as APT37 and operations “are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware.”
“We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests,” said the cybersecurity firm.
Targets have primarily been South Korea, “though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare” with the group employing “social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.”
The group’s command and control infrastructure employs “compromised servers, messaging platforms, and cloud service providers to avoid detection,” and APT37 “has shown increasing sophistication by improving their operational security over time.”