A North Korea-backed threat group operating since 2009 has splintered into three distinct groups with specialized malware and objectives, CrowdStrike said in a report released Thursday.
Labeled “Labyrinth Chollima” by the company, the group follows a divergence pattern CrowdStrike has observed previously. Labyrinth Chollima has spawned two additional groups: Golden Chollima and Pressure Chollima. The spin-offs, which have been operating since 2020, allow Labyrinth Chollima to narrow its focus to espionage, targeting victims in the manufacturing, logistics, defense and aerospace industries.
Golden Chollima and Pressure Chollima are squarely focused on stealing cryptocurrency, which funnels money back to the regime, with some of the proceeds funding North Korea’s cyber operations. Pressure Chollima, which was responsible for last year’s record-breaking $1.46 billion cryptocurrency theft, targets high-payout opportunities and has evolved into one of North Korea’s most technically advanced threat groups, according to CrowdStrike.
The groups share lineage with the more broadly defined Lazarus Group and still share some tools and infrastructure, which indicates centralized coordination, but each has also developed more specialized capabilities for its specific objectives, researchers said.
As North Korea’s threat groups continue to branch out, the rogue nation is developing more capabilities and expanding its reach and impact, Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.
“What we’re seeing down range is now aligned with what we’ve seen from a bureaucratic perspective up range,” Meyers said.
“Over time, as their mission was successful, the bureaucracy grew and the scope of the mission grew, and obviously the organization grew,” he added. “They’ve been operating a resistance economy for many, many years and cyber gives them the ability to do this deniably and at a distance.”
CrowdStrike currently tracks eight distinct North Korea-backed threat groups, with the addition of Golden Chollima and Pressure Chollima. The cybersecurity firm expects the groups focused on cryptocurrency theft to scale their operations as international sanctions impair North Korea’s economy.
Labyrinth Chollima has more recently targeted European aerospace companies, defense manufacturers, logistics and shipping companies, and U.S.-based critical infrastructure providers, including those involved in hydroelectric power. The threat group, which other firms track as Diamond Sleet and Operation Dream Job, has also developed a knack for employment-themed social engineering, researchers said.
“North Korea is probably one of the top-notch actors out there. A lot of people don’t give them credit for that,” Meyers said.
CrowdStrike’s research on Labyrinth Chollima’s spin-offs also provides indicators of compromise and malware samples observed in various attacks, with the aim of helping organizations defend against these distinct threats.
“You need to know who the threats are to your specific industry and geolocation, because you can’t defend against all the threats all the time,” Meyers said. “You can’t boil the ocean.”
