Full Report
A North Korea-backed threat group operating since 2009 has splintered into three distinct groups with specialized malware and objectives, CrowdStrike said in a report released Thursday. Labeled “Labyrinth Chollima” by the company, the group follows a divergence pattern CrowdStrike observed previously. Labyrinth Chollima has spawned two additional groups: Golden Chollima and Pressure Chollima. The spin-offs, which have been…
Analysis Summary
# Threat Actor: Labyrinth Chollima (and descendants Golden Chollima and Pressure Chollima)
## Attribution & Identity
* **Attribution:** North Korea-backed threat group.
* **Known Aliases and Associated Groups:** The primary entity is identified as "Labyrinth Chollima." It has splintered into three distinct groups: Labyrinth Chollima (narrowed focus), Golden Chollima, and Pressure Chollima.
## Activity Summary
* **Historical Operations:** The original group has been operating since 2009.
* **Recent Divergence (Since 2020):** The group has diverged into three specialized entities.
  * **Labyrinth Chollima (Original):** Focuses on espionage.
  * **Golden Chollima & Pressure Chollima:** Both are squarely focused on stealing cryptocurrency to fund the North Korean regime.
* **Notable Campaign:** Pressure Chollima was responsible for a "record-breaking $1.46 billion cryptocurrency theft" last year.
## Tactics, Techniques & Procedures
* **Specialization:** The spin-off groups demonstrate specialized malware and objectives related to their mission (espionage vs. financial theft).
* **Advancement:** Pressure Chollima is noted as one of North Korea's most technically advanced threat groups.
* **TTPs Mentioned:** Specialized malware (implied for financial theft/espionage).
* **MITRE ATT&CK IDs:** Not mentioned in the provided text.
## Targeting
* **Sectors (Labyrinth Chollima/Espionage):** Manufacturing, logistics, defense, and aerospace industries.
* **Sectors (Golden Chollima & Pressure Chollima):** Cryptocurrency organizations/entities providing high-payout opportunities.
* **Geography:** Not explicitly detailed, but attribution points to North Korea as the sponsor operating globally.
* **Victims:** No specific victim organizations are named; the only victim-related detail given is the $1.46 billion value of Pressure Chollima's cryptocurrency theft.
## Tools & Infrastructure
* **Malware Families Used:** Specialized malware (specific names not provided).
* **Infrastructure:** Not mentioned in the provided text.
## Implications
* **Evolving Structure:** The divergence pattern suggests a mature strategy where components are carved out to focus intensely on specific objectives (espionage vs. high-yield financial gain).
* **Financial Threat:** The continued focus on cryptocurrency theft (especially by Pressure Chollima) is a significant funding mechanism for the regime, and a single event can have very high impact (the $1.46 billion theft).
* **Technical Sophistication:** Pressure Chollima's standing as one of North Korea's most technically advanced groups increases its capacity to carry out complex financial operations.
## Mitigations
* **For Espionage Targets (Manufacturing, Defense, etc.):** Harden defenses against industrial espionage.
* **For Cryptocurrency Targets:** Enhance security measures against high-value cryptocurrency theft attempts, anticipating highly sophisticated attacks from Pressure Chollima.
* **General:** Monitor for activity consistent with previously observed Labyrinth Chollima operations while specifically tracking the specialized malware/TTPs used by the two financial wings.