A new threat actor has appeared on the North Korean stage and looks set to supplant the Lazarus Group as the rogue state’s No.1 player in the cybercriminal world, says new research by Mandiant.
The recently formed Bureau 325 has quickly risen to prominence to become North Korea’s “Swiss army knife” cybercriminal gang, according to Mandiant.
“Bureau 325’s activity has evolved greatly over a short period of time and its activity now varies from trying to acquire COVID-19 vaccine information, to crypto heists, to stealing nuclear trade secrets,” said Michael Barnhart, analyst at Mandiant.
Describing the group as North Korea’s new “all-star squad”, he added: “We anticipate it has a variety of sub-units within the group, each with their own unique specialties. This is a dangerous group that defenders need to learn how to protect against because we expect to continue seeing more from them.”
Moreover, it is believed that the new group reports directly to North Korea’s foreign intelligence department – which, if true, would place Bureau 325 firmly at or close to the top of the rogue state’s list of sponsored threat actors.
As for Lazarus Group, it is now thought that this is in fact an “umbrella” term intended to refer to a myriad of cybercriminal and espionage activities undertaken by or on behalf of the North Korean government.
In a sign of the growing complexity of the rogue nation’s cyber activities, the threat actor groups APT38, TEMP.Hermit, and Andariel are believed to answer to Lab 110, which in turn reports to the foreign intelligence department – the same body that allegedly commands Bureau 325.
“Lab 110 is likely an expanded and reorganized version of Bureau 121, often noted as North Korea’s primary hacking unit,” said the report by Mandiant. “Lab 110 contains some elements that are most closely aligned with the organization publicly reported as ‘Lazarus Group’.”