A group of hackers from North Korea dubbed APT37 (Reaper) has recently expanded its operations in scope and sophistication, according to cybersecurity firm FireEye. This follows the group's recent use of an Adobe Flash zero-day exploit, which FireEye also reported on.
FireEye recently issued a new brief on the group titled “APT37 (Reaper): The Overlooked North Korean Actor”, warning that the group needs to be taken seriously for its wide-ranging tool set, including destructive malware and zero-day vulnerabilities, and for its apparent lack of concern about breaking norms and heightening tensions in the Northeast Asian region. FireEye said, “We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests”.
Their confidence stems in part from personal information accidentally disclosed by one of the developers behind several of Reaper’s payloads, along with other data points gathered. Additionally, the development cycle fits with North Korea’s time zone and its targets align with the government’s objectives.
FireEye said that Reaper's activity overlaps with that of the group Kaspersky calls ScarCruft and with Group123, which Cisco's Talos group investigated earlier this year.
Reaper appears to have been active since 2012, and initially focused on intelligence gathering in South Korean public and private sector organizations. However, since last year it has expanded its operations to include targets in Japan, Vietnam and the Middle East. It has also begun to infiltrate targets in the chemicals, electronics, aerospace, healthcare, automotive, and manufacturing sectors, in addition to its existing interest in government and defense industrial base targets, NGOs and media organizations.
“A research fellow, advisory member, and journalist associated with different North Korean human rights issues and strategic organizations were targeted by APT37. An entity in Japan associated with the United Nations missions on sanctions and human rights was also targeted,” FireEye’s report notes.
Reaper frequently uses highly tailored cyberattacks for maximum impact. The group also compromises legitimate websites to host customized malware, from which it can build further attacks. The malware itself is usually developed to target flaws in Hangul Word Processor (HWP), which is popular in South Korea. However, Reaper has also quickly weaponized exploits in Flash after they became public knowledge, and has even exploited zero-day vulnerabilities of its own.
It is likely that Reaper is state-sponsored. “North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms,” FireEye says. “Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity.”
“We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor,” the company added.