Full Report
The trio, which share lineage with the more broadly defined Lazarus Group, are focused on espionage and cryptocurrency theft, according to CrowdStrike. (Source article: "Long-running North Korea threat group splits into 3 distinct operations", CyberScoop.)
Analysis Summary
# Threat Actor: Labyrinth Chollima & Spin-offs (Pressure Chollima, Golden Chollima)
## Attribution & Identity
* **Attribution:** North Korea-backed threat group, operating since 2009.
* **Associated Groups:** Shares lineage with the broadly defined Lazarus Group. Has recently splintered into three distinct operations: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. CrowdStrike currently tracks eight distinct North Korea-backed threat groups overall.
* **Other Aliases (Labyrinth Chollima):** Diamond Sleet (Microsoft's name for the same activity cluster). "Operation Dream Job" is the name given to the group's employment-themed campaigns rather than an alias for the group itself.
## Activity Summary
Following the split, each of the three operations has a narrower mission than the original Labyrinth Chollima did:
* **Labyrinth Chollima:** Retains the espionage mission.
* **Golden Chollima & Pressure Chollima:** Focused squarely on stealing cryptocurrency to fund the regime, with some proceeds also funding North Korea's cyber operations.
* **Pressure Chollima:** Responsible for a record-breaking **$1.46 billion cryptocurrency theft** last year and described by CrowdStrike as one of North Korea's most technically advanced threat groups.
* **Historical Context:** The organization has been operating a "resistance economy" for many years, utilizing cyber capabilities for deniable financial gain.
## Tactics, Techniques & Procedures
* **Employment-themed Social Engineering:** Labyrinth Chollima relies heavily on fake job offers as its social engineering lure (the pattern tracked as Operation Dream Job).
* **Specialized Malware & Objectives:** The spin-off groups have developed more specialized malware and capabilities aligned with their specific missions (espionage vs. financial theft).
* **Shared Infrastructure:** The groups share some tools and infrastructure, indicating centralized coordination.
## Targeting
* **Sectors (Labyrinth Chollima - Espionage):** Manufacturing, logistics and shipping, defense, aerospace, and critical infrastructure providers (including hydroelectric power).
* **Sectors (Spin-offs - Cryptocurrency Theft):** Not stated in the article; given their mission, cryptocurrency exchanges and other entities holding high-value digital assets are the implied targets (an inference, not a reported finding).
* **Geography (Labyrinth Chollima):** Europe (aerospace companies, defense manufacturers, logistics and shipping companies) and the United States (critical infrastructure providers).
* **Victims:** Not explicitly named beyond targeted industries.
## Tools & Infrastructure
* **Malware Families Used:** Specific malware families were not detailed in the context provided, but the article notes specialized malware development within the spin-offs.
* **Infrastructure (C2, domains, IPs):** Specific indicators of compromise were not detailed in the summary provided, though CrowdStrike's full report is noted to contain them.
## Implications
* **Increased Capability:** The split lets each operation build capabilities specialized for its mission, so the North Korean cyber apparatus as a whole can pursue espionage and financial theft in parallel without one diluting the other.
* **Financial Threat Escalation:** The cryptocurrency theft operations (Golden Chollima and Pressure Chollima) are expected to scale their activities as international sanctions continue to impair North Korea’s economy.
* **High Sophistication:** North Korea is recognized as a "top-notch actor" in the threat landscape.
## Mitigations
* Organizations should prioritize the threats relevant to their industry and geography (for example, a European aerospace or defense manufacturer should plan for Labyrinth Chollima espionage, while an entity holding digital assets should plan for the cryptocurrency-theft operations); defending against every actor at once is impractical.
* Defenses should specifically address employment-themed social engineering: treat unsolicited job offers and recruiter outreach to staff, especially developers and engineers, as a known initial-access vector and cover it in awareness training and email/messaging controls.