A little-known North Korean hacking group is expanding its operations by targeting an increasing number of international entities.

According to a report from US-based cybersecurity firm FireEye Tuesday, the group, dubbed APT37 or Reaper, has begun focusing on major multinational corporations in South Korea, Vietnam, Japan and the Middle East.

Believed to have been active since at least 2012, Reaper remained under the radar given its regional focus on South Korean government, military, defense and media targets while North Korea’s infamous Lazarus hacking group made headlines for its brazen attacks on banks and Western companies.

“Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware,” FireEye said. “We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests.”

Industries of interest to Reaper include those related to “chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.”

Victims of the group mentioned in the report include a Japanese organization tied to U.N. sanctions enforcement, a Vietnamese transport and trading firm as well as a Middle Eastern company that had planned to work with North Korea on telecommunications issues before their deal fell through.

FireEye’s attribution also included details surrounding operational security mistakes made by members of Reaper.

In a 2016 incident, FireEye discovered that a developer for the group inadvertently infected himself with Reaper spyware, potentially during the tool’s testing phase, causing the developer’s files and IP address to be sent to an unprotected command-and-control server run by the hacking team. After gaining access to the server, FireEye was able to trace the developer’s IP address back to Pyonyang.

“That was a very fortunate event, and a fairly rare one,” John Hultquist, FireEye’s director of intelligence analysis, told Wired Magazine. “The discovery, along with an analysis of the compile times of the group’s programs, shared infrastructure and code between different tools, and its perpetual targeting of North Korean adversaries allowed FireEye to confidently link all of APT37’s activities to the North Korean government.”

Hultquist warns that despite the group’s mistake, it should not be underestimated due to its aggressive nature.

“We expect very aggressive activity in the near future,” Hultquist said.

Got a tip? Contact Mikael securely: keybase.io/mikaelthalen

Related Articles