Menu
Browse

Cyber Threat Actor: North Korea

Actor Type Location Known Incidents
 Icon
Nation State
North Korea
3 incidents
Profile

North Korea isa state‑linked threat actor commonly referred to in open sources as North Korean hackers or the North Korean government’s cyber units. The actor operates from North Korea and has been publicly attributed by U.S. and UK authorities to several cyber incidents, indicating a direct nexus to the North Korean state. Its targeting spans multiple sectors, including government agencies, media and entertainment companies, military institutions, and financial entities, with operations observed in the United States, South Korea, the United Kingdom and globally. Strategic objectives observed in the cited incidents include financial gain through ransomware, espionage aimed at accessing classified military documents, and retaliatory disruption intended to deter perceived slights against the regime, such as the hacking of a British television company producing a drama about North Korea.

The actor’s tactics, techniques and procedures highlighted in the available material involve the deployment of ransomware families like WannaCry, which leveraged leaked NSA exploit tools to infect unpatched Windows systems and propagate rapidly across networks. In addition to ransomware, the actor has used unspecified malware to infiltrate internal networks, as seen in the breach of South Korea’s military cyber command where an intranet server was contaminated and potential access to classified material was sought. Initial access in the WannaCry case relied on exploiting known vulnerabilities in outdated software, while the attack on the television production company involved gaining entry to the corporate network without causing overt damage, suggesting a focus on establishing presence and signaling capability rather than immediate destruction. The actor’s tooling style appears to blend the use of powerful, publicly available exploits with custom or bespoke malware tailored to specific intrusion goals.

Notable campaigns publicly linked to North Korea include the global WannaCry ransomware outbreak in May 2017, which affected the UK’s National Health Service and a Connecticut state government network, among many others; the 2014 Sony Pictures breach attributed to the Guardians of Peace, where emails were exfiltrated and parts of the network destroyed; the 2016 intrusion into South Korea’s military cyber command that sought to obtain defense‑related data; and the 2014 cyber‑attack on Mammoth Screen, the UK producer of a North Korea‑themed television series, undertaken in retaliation for the program’s perceived slander. These incidents collectively illustrate the actor’s reliance on ransomware for financial motives, malware‑based espionage for intelligence collection, and network intrusions as a means of political signalling and disruption.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
1 source