APT43: Unveiling a North Korean Hacker Group’s Cyber Espionage and Crypto Laundering Operations

How the North Korean Hacker Group ‘APT43’ Uses Crypto Services to Fund Espionage Operations

In the shadowy world of cyber espionage, a new player has been unmasked: APT43, a prolific threat actor operating on behalf of the North Korean regime. This group isn’t just stealing data; it funds its espionage operations through cybercrime, blurring the lines between national security and digital banditry. This report represents the culmination of endless hours of research and connecting the dots across numerous Mandiant groups, and highlights collaboration with our new colleagues at Google Cloud as well. It also marks our first official graduation since Mandiant announced APT42 in September 2022.

Who is APT43? Unmasking the North Korean Cyber Espionage Group

Mandiant has been tracking this group since 2018, and now officially recognizes them as APT43. Their activities align strongly with the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service. This suggests a direct link between the group’s cyber operations and the strategic objectives of the North Korean government.

What are APT43’s Activities? Funding Espionage Through Cybercrime

APT43’s activities are multifaceted, encompassing both espionage and financial crime. Here’s a breakdown:

  • Stealing and Laundering Cryptocurrency: APT43 obtains cryptocurrency through illicit means and then launders it to purchase operational infrastructure.
  • Mining Cryptocurrency: They buy hash rental and cloud mining services to provide hash power, which is used to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments—in other words, they use stolen crypto to mine for clean crypto.
  • Espionage: They target a range of sectors to gather intelligence.

Who are APT43’s Targets? A Regionally Focused Approach

APT43’s espionage efforts are primarily focused on South Korea, Japan, Europe, and the United States. Specific sectors of interest include:

  • Government
  • Business Services
  • Manufacturing
  • Education, Research, and Think Tanks (focused on geopolitical and nuclear policy)
  • Health-related verticals (particularly during 2021, likely related to pandemic response)

How Does APT43 Operate? Tactics, Techniques, and Procedures (TTPs)

APT43 employs a variety of tactics to achieve its objectives, including:

  • Social Engineering: Creating spoofed and fraudulent personas to deceive targets.
  • Masquerading: Impersonating key individuals within target areas, such as diplomacy and defense.
  • Stolen PII: Leveraging stolen personally identifiable information (PII) to create accounts and register domains.
  • Cover Identities: Establishing cover identities for purchasing operational tooling and infrastructure.

Why Does APT43 Matter? Implications for Cybersecurity

The emergence of APT43 highlights several critical issues in the cybersecurity landscape:

  • Cybercrime as a Funding Source: APT43 demonstrates how cybercrime can be used to directly fund state-sponsored espionage, creating a self-sustaining operation.
  • Long-Term Operations: The group’s willingness to engage in operations over extended periods underscores the need for persistent monitoring and threat intelligence.
  • Collaboration Among Threat Actors: APT43’s collaboration with other North Korean espionage operators highlights the interconnectedness of the cyber threat landscape.

APT43’s ability to seamlessly blend cybercrime with espionage makes them a particularly dangerous threat actor. By understanding their tactics, targets, and motivations, organizations can better defend themselves against this evolving threat.