North Korean APT43 Group Finances Spy Activities Via Cybercrime

By   Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 29, 2023 05:30 am PST

North Korea's APT43 group, which the threat intelligence firm Mandiant believes is using cybercrime to finance its espionage operations, is the subject of a report released by Mandiant.

The group, also known as Hidden Cobra, has a history of participating in numerous cyberattacks, including the infamous WannaCry ransomware attack in 2017, which impacted over 200,000 machines in more than 150 countries. The organization is thought to be closely connected to the North Korean government and to be continuously engaged in cyber espionage.

APT43 is a cyber espionage organization linked to state-sponsored cyber activity in North Korea. The group, which has been active since at least 2012, is thought to work for the North Korean government. It has a history of attacking a variety of sectors, including the automotive, aerospace, and financial services industries.

According to Mandiant, the North Korean APT43 group has been using cybercrime to finance its espionage activities. The organization, also known as Hidden Cobra, is thought to work for the North Korean government and has been active since at least 2012.

Tactics, Techniques, And Procedures (TTPs) of North Korean APT43

The group is known to employ both freely available and custom-built malware to accomplish its goals. Mandiant's report highlights the range of TTPs used by North Korean APT43, such as spear-phishing, watering hole attacks, and the exploitation of known flaws in software and hardware. Additionally, the group has been observed using trusted remote access programs like VNC, RDP, and TeamViewer to retain control of infected systems.
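Because the report notes that APT43 retains access through legitimate remote-access tools rather than only custom malware, defenders need a detection that treats those tools as suspicious in the wrong context. The following is an added example, not code from the article or from Mandiant: it parses constructed, Sysmon-style process-creation and network-connection events and flags VNC, TeamViewer and RDP activity, rating a remote-access binary running from a user-writable path, or an inbound RDP connection from outside the assumed internal ranges, as higher severity. The field names, hostnames, the approved-host baseline and the internal address ranges are all assumptions for this demo.

```python
"""Detect use of legitimate remote-access tools in Sysmon-style events.

Added example for this article; not the report's or the article's own code.
Field names, hostnames, the approved-host baseline and the internal address
ranges below are assumptions and must be tuned to a real environment.
"""

import ipaddress
import re

# Remote-access products the article names as abused by APT43, keyed by the
# common binary names of those products (assumption: tune to your inventory).
REMOTE_ACCESS_IMAGES = {
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "tvnserver.exe": "TightVNC",
    "winvnc.exe": "VNC",
    "vncviewer.exe": "VNC",
    "mstsc.exe": "RDP client",
}
RDP_PORT = "3389"

# Assumed baseline: hosts where remote-support software is expected.
APPROVED_RA_HOSTS = {"helpdesk-01"}

# Assumed internal address ranges; inbound RDP from anywhere else is rated high.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (key=value pairs, one event per line).
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = [
    r"EventID=1 Host=helpdesk-01 User=CORP\svc_support Image=C:\Program Files\TeamViewer\TeamViewer.exe",
    r"EventID=1 Host=fin-ws-17 User=CORP\j.doe Image=C:\Users\j.doe\AppData\Local\Temp\TeamViewer.exe",
    r"EventID=1 Host=eng-ws-03 User=CORP\a.kim Image=C:\Windows\System32\notepad.exe",
    r"EventID=3 Host=fin-ws-17 User=NT AUTHORITY\NETWORK SERVICE Image=C:\Windows\System32\svchost.exe Initiated=false SourceIp=203.0.113.45 DestinationPort=3389",
    r"EventID=3 Host=eng-ws-03 User=CORP\a.kim Image=C:\Program Files\Mozilla Firefox\firefox.exe Initiated=true SourceIp=10.0.0.23 DestinationPort=443",
    r"EventID=1 Host=eng-ws-03 User=CORP\a.kim Image=C:\Program Files\TightVNC\tvnserver.exe",
]

# A value runs until the next " Key=" token or end of line, so values may
# contain spaces (e.g. "Program Files", "NT AUTHORITY\NETWORK SERVICE").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def image_basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip_text):
    """True if the address falls inside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect_remote_access(events):
    """Return a list of alert dicts for remote-access activity in events."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        image_path = ev.get("Image", "")
        image = image_basename(image_path)

        if ev.get("EventID") == "1" and image in REMOTE_ACCESS_IMAGES:
            if host in APPROVED_RA_HOSTS:
                continue  # expected on this host; part of the baseline
            tool = REMOTE_ACCESS_IMAGES[image]
            # A copy outside Program Files (Temp, ProgramData, a user profile)
            # is the stronger signal: an installed product is rated medium,
            # an attacker-dropped copy in a user-writable path is rated high.
            installed = "\\program files" in image_path.lower()
            alerts.append({
                "host": host, "user": ev.get("User"), "tool": tool,
                "reason": f"{tool} executed from {image_path}",
                "severity": "medium" if installed else "high",
            })
        elif (ev.get("EventID") == "3" and ev.get("Initiated") == "false"
              and ev.get("DestinationPort") == RDP_PORT):
            src = ev.get("SourceIp", "")
            alerts.append({
                "host": host, "user": ev.get("User"), "tool": "RDP",
                "reason": f"inbound RDP from {src}",
                "severity": "medium" if is_internal(src) else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_access(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']}: {alert['reason']}")
```

Run against the constructed events, the approved help-desk host produces nothing, the TeamViewer copy in a Temp directory and the inbound RDP session from a non-internal address are rated high, and the TightVNC server installed under Program Files on an unapproved workstation is rated medium. The baseline set and severity rules are where a real deployment would spend its tuning effort.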

According to the Mandiant report, APT43 has been actively engaged in cybercrime operations, such as stealing cryptocurrency, hacking banks, and launching ransomware attacks, to finance its spying activities. The group's financial motivation is believed to stem from the economic sanctions imposed on North Korea, which have seriously restricted the country's capacity to earn foreign currency. Cybercrime carried out by North Korean APT43 is a way for the regime to raise much-needed funds.

Mandiant claims that APT43 has made millions of dollars from its cybercrime operations, with the money going to support its state-sponsored spying operations.

Cybercrime Operations By APT43 And Their Consequences

The cybercrime activities of APT43 have a major impact on international cybersecurity. If the group succeeds in attacking critical infrastructure systems and financial institutions, the result could be severe disruption and monetary losses. Additionally, APT43's use of sophisticated TTPs and custom malware makes it difficult for organizations to identify and react to its actions.

The threat presented by North Korean APT43 highlights the necessity of global collaboration in the fight against cybercrime and cyber espionage. The US and other nations have imposed economic sanctions on North Korea to restrict the regime's access to financial resources.

APT43 was also accused of using Android malware to gather login information from Chinese citizens seeking to borrow cryptocurrency. Additionally, the organization runs several spoof websites for targeted credential harvesting.

North Korea is a suspect in numerous crypto heists, including the recent $195 million Euler exploit. According to the United Nations, North Korean hackers made a record-breaking $630 million to over $1 billion in 2022. Chainalysis estimated that amount to be at least $1.7 billion.

The North Korean government has been known to fund several cyber espionage organizations to gather information and advance its weapons programs. One such organization that allegedly works for the North Korean government is the APT43 group.

For governments around the globe, the use of cybercrime to finance espionage operations is an alarming development. It is a sign of the complexity and increased sophistication of cyber threats that countries must contend with. Governments must proactively safeguard their sensitive data and vital infrastructure from these dangers.

The discovery of APT43’s activities emphasizes the continuing danger presented by state-sponsored hacking organizations. It also underscores the necessity for increased international cooperation to stop these organizations’ activities. Governments and defense companies must cooperate to find and stop the activities of state-sponsored hacking organizations.

Mandiant's attribution of APT43 to North Korea emphasizes the ongoing danger that state-sponsored cyberattacks pose to vital infrastructure and national security targets. The group's focus on the aerospace and defense sectors in the US and South Korea indicates that it hopes to gain a tactical edge in future military engagements. The strategies employed by APT43, such as spear-phishing, social engineering, and the use of fake websites, highlight the need for businesses to exercise constant vigilance and put strong cybersecurity measures in place.

Organizations must adopt the measures recommended by Mandiant to defend against these strategies, such as multifactor authentication and regular security audits, to prevent state-sponsored cyberattacks. Overall, this news should serve as a warning that both the public and private sectors continue to face serious challenges from nation-state cyberattacks and that proactive steps must be taken to reduce these risks.
