TechRadar
Sead Fadilpašić

This dangerous North Korean malware has now split into three entities for maximum impact

Hacker silhouette working on a laptop with North Korean flag on the background.
  • Original Labyrinth Chollima continues espionage against military, government, and nuclear sectors
  • Golden Chollima targets fintech firms worldwide to steal cryptocurrency
  • Pressure Chollima attacks centralized exchanges, behind record-breaking crypto heists

One of the largest and most successful North Korean state-sponsored threat actors has split into three separate entities, each with their own tactics, malware tools, targets, and goals, experts have warned.

In a recent in-depth analysis, researchers from CrowdStrike explained that the move is a strategic evolution intended to make Labyrinth Chollima's cyberattacks more efficient, and that the newly formed teams will continue to work together.

“LABYRINTH CHOLLIMA’s segmentation into specialized operational units represents a strategic evolution that enhances the DPRK regime’s ability to simultaneously pursue multiple objectives,” the researchers explained.

Fake jobs and fake employees

The three groups are now tracked as Labyrinth Chollima, Golden Chollima, and Pressure Chollima.

The “OG” Labyrinth Chollima is mostly tasked with cyber-espionage and intelligence gathering. Its targets include military and defense, government, logistics, and nuclear organizations, located primarily in the US, Europe, and South Korea.

Golden Chollima will be focusing on small fintech firms in the US, Canada, South Korea, India, and Western Europe, with the goal of cryptocurrency theft.

Pressure Chollima has a similar task (stealing cryptocurrency), but unlike its partners in Golden Chollima, it focuses on centralized exchanges and technology companies in the West.

“PRESSURE CHOLLIMA conducted the DPRK’s highest-profile cryptocurrency heists, including the two largest cryptocurrency thefts on record,” CrowdStrike said. “Public reporting links additional high-value thefts ranging from $52 million USD to $120 million USD to PRESSURE CHOLLIMA based on reused cryptocurrency wallets.”

North Korean hackers are known for targeting crypto companies and using the stolen tokens to fund the state apparatus and its nuclear weapons programs. CrowdStrike believes these goals have not changed, and that despite improving trade relations with Russia, North Korea still “requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites.”

These groups, together with the dreaded Lazarus Group, often post fake job listings on LinkedIn and pose as fake job applicants in order to target tech companies and professionals and install backdoors and infostealers.
