APT37, popularly known as Reaper, has been identified as one of the largest cyber espionage groups in the world by cybersecurity firm FireEye. The group has been active since at least 2012. Although it primarily targets the public and private sectors in South Korea, since last year the group has started attacking targets spread across Asia, including Japan, Vietnam and the Middle East. FireEye has found that the group's targets span sectors ranging from electronics and manufacturing to aerospace and healthcare.
"APT37 has been primarily targeting the chemicals, electronics, manufacturing, aerospace, automotive, and healthcare industries. We judge that APT37’s primary mission is covert intelligence gathering in support of North Korea’s strategic military, political and economic interests," said Bryce Boland, FireEye's CTO APAC, in a statement to IDG.
Exploiting zero-day vulnerabilities
FireEye's analysis of the group's latest activity has revealed that its operations are growing in both scope and sophistication, including access to zero-day vulnerabilities and wiper malware. Given its use of social engineering and strategic web compromises, Reaper is assessed to be willing to target any entity worldwide in furtherance of North Korean state interests.
According to FireEye, the group has been exploiting vulnerabilities in popular software such as Adobe Flash and Hangul Word Processor. In the past, APT37 has also abused legitimate platforms like AOL Instant Messenger, pCloud and Dropbox as command-and-control channels for its malware. The group has also been found to distribute malware indiscriminately through torrent file-sharing websites, and small websites on trivial subjects such as aromatherapy and scuba diving have been compromised to host malicious payloads.
"APT37 has repeatedly deployed exploits, especially in Flash, quickly after vulnerabilities are initially publicized. The group recently demonstrated access to zero-day vulnerabilities (CVE-2018-0802) and has the flexibility to quickly incorporate recently publicized vulnerabilities into spear phishing and strategic web compromise operations. These capabilities suggest a high operational tempo and specialized expertise," stated Boland.
What can organizations do to safeguard themselves?
For many years North Korea has been belligerent in cyberspace, partly to cushion itself against trade sanctions. Such attacks are now expected to increase as tensions rise, and they have the potential to disrupt the normal operations of government and private organizations across the world.
"North Korea has consistently shown it will not be constrained by established norms. We have seen North Korean actors carry out destructive attacks and conduct operations for financial gain. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware which could be used to do significant harm," stated Bryce Boland.
Businesses should therefore adopt more vigilant security measures to counter the risks posed by well-resourced, state-sanctioned attackers. They should address known vulnerabilities before they can be abused, and be ready to respond quickly to attacks in order to minimize the damage.
"Cyber security is a significant challenge for many organizations. Organizations aren’t in a position to prevent attacks themselves; but they can stop attackers from being successful by responding quickly. They should ensure their security posture addresses the threats they face and detect new attacks which have never been seen before," added Boland.