Suspected North Korean hackers are carrying out a wide-spread reconnaissance campaign against numerous industries across the globe.
According to a report from Cybersecurity firm McAfee, the campaign, dubbed GhostSecret, has targeted critical infrastructure, entertainment, finance, health care, and telecommunications in 17 countries, including the U.S.
The group behind the attack is said to have used tools and techniques associated with North Korean state-sponsored hacking group Hidden Cobra, also known as Lazarus Group and Guardians of Peace.
“Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group,” McAfee writes.
Describing the campaign as “extremely complicated,” the cybersecurity firm says the hackers gathered information from infected systems with implants “intricately designed to evade detection and deceive forensic investigators.”
“This analysis by the McAfee Advanced Threat Research team has found previously undiscovered components that we attribute to Hidden Cobra, which continues to target organizations around the world,” McAfee says. “The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools.”
The research team says it uncovered the campaign last month when they observed the hackers targeting Turkish banks.
North Korea’s hackers have grown in brazenness and sophistication in recent years, specifically targeting financial systems in an attempt to offset international sanctions.
A North Korean defector with knowledge of the country’s cyber training revealed to The Wall Street Journal earlier this month how the regime has prioritized offensive digital capabilities.
“Once you have been selected to get into the cyber unit, you receive a title that makes you a special citizen, and you don’t have to worry about food and the basic necessities,” the defector said.
In recent months North Korea has focused specifically on banks and cryptocurrency exchanges in order to fund the government.
“To maintain the nuclear program and build more weapons and maintain the North Korean regime, a lot of hard currency is needed, so naturally attacking banks is of first importance,” the defector added.
North Korea’s so-called cyber army, which operates secretly from numerous locations including China, is said to be roughly 7,000 strong.
The U.S. and other governments accused North Korea of being behind last year’s WannaCry ransomware attack that crippled countless computers worldwide.