Unit 42 identified continued Blockbuster-linked attack activity targeting individuals associated with United States defense contractors. The campaign used weaponized Microsoft Office documents with malicious macros and decoys copied from defense-contracto…
97 reports
Trend Micro reassessed OnionDog activity that had been publicly linked to alleged attacks on South Korean energy and transportation organizations and concluded the samples were part of cyber drills rather than a targeted intrusion campaign. Historical pas…
Financial Security Institute profiled the Rifle campaign as a series of linked intrusions and malware cases targeting South Korea. The excerpt says FSI tracked multiple incidents over several years and assessed them as activity by the same attacker, publi…
AhnLab’s defense-industry study describes sustained cyberattacks against defense manufacturers and related political or diplomatic sectors from 2010 onward, with attackers seeking trade secrets and national-security information. The DPRK-relevant portion …
The excerpt identifies a WannaCry outbreak technical overview and includes a long list of targeted file extensions, indicating ransomware-style file encryption behavior across documents, databases, source code, multimedia, archives, disk images, and offic…
Intezer analyzed WannaCry samples and found code-level overlaps with malware families associated in the report with North Korean hackers or attacks on South Korean organizations. The ransomware outbreak used EternalBlue to spread across Windows networks, …
Bithumb announced compensation after a hacking incident in which an employee’s personal PC was compromised, exposing customer personal information. The exchange said every member whose personal information exposure was confirmed would receive 100,000 KRW, with payment sch…
AhnLab examines sustained attacks against South Korean defense contractors and related political, diplomatic, energy, security, and large-enterprise targets from 2010 through 2017. The report separates activity into groups and malware families including I…
Recorded Future frames North Korean cyber activity as consistent with the state's asymmetric military strategy and self-financing needs rather than irrational behavior. The report identifies the Reconnaissance General Bureau, and likely Bureau 121, as cen…
DHS and FBI attribute HIDDEN COBRA activity to North Korean government cyber actors targeting media, aerospace, financial, and critical infrastructure sectors in the United States and globally. The alert focuses on DeltaCharlie, a DDoS botnet tool used to…
The conference excerpt describes an APT attack case in South Korea in which the threat actor used both general exploits and a custom exploit to infect potential victims. The session focuses on the custom exploit and the actor’s TTPs across the APT attack …
WannaCry spread worm-like across Windows hosts by probing SMB services for the MS17-010 remote code execution vulnerability and using SMB response values to decide whether a target was vulnerable or already compromised. The infection flow used SMB negotia…
MITRE ATT&CK’s Lazarus Group entry maps a broad set of observed behaviors across the actor also tracked as Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, Diamond Sleet, and related names. The excerpt describes credential and environment disco…
Seongsu Park’s DCC 2017 Lazarus presentation examines the boundary between cybercrime and cyber espionage through 2016 Korea-focused APT case studies. The slides cover Operation Gh0stRat, the Interpark breach, the Korean Ministry of National Defense breac…
Group-IB attributes a shift in Lazarus operations from espionage and destructive attacks against South Korean and U.S. targets toward attacks on banks and financial institutions worldwide. The report details the Bangladesh Central Bank SWIFT theft attempt…