Cybersecurity research firm FireEye published a report Tuesday saying North Korea’s newest hacking group, Reaper, has stepped up its efforts to spy on major South Korean conglomerates and beyond.
“We’re talking multinationals, they have offices all over the world. Companies like that, any effect can reverberate, because it’s global already,” said John Hultquist, FireEye’s director of intelligence analysis.
The group, which is also known as APT37, began attacking targets in Japan, Vietnam, and the Middle East last year after having previously focused on its South Korean neighbors. The hacking group, which was traced to an IP address in North Korea, is now infiltrating a range of industries from electronics and aerospace to automotive and health care, FireEye said.
Reaper joins a growing list of hacking units linked to Kim Jong Un’s regime. The hacking group “Lazarus” is one of the most most well known after a 2014 data theft at Sony Pictures Entertainment.
Read This Next: North Korea’s Most Powerful Weapon Isn’t What You Think It Is
North Korea has been expanding its cyber operations in pursuit of cash and intelligence since the U.S. invaded Iraq in 2003. After Kim Jong-il—Kim Jong Un’s now-deceased father—watched the American “shock and awe” campaign on CNN, he issued a warning to his military, “If warfare was about bullets and oil until now… warfare in the 21st century is about information.”
The hermit regime has more recently upped its hacking game in an attempt to cushion the impact of international sanctions. Reaper underscores the challenge of fending off North Korean attacks.
“They’ve laid low on the radar for a long time,” Hultquist said. “They are probably not getting their due, considering this is a tool of the regime that can be used in all the same ways that Lazarus is being used.”
While just coming on the radar now, there’s evidence Reaper has been active since at least 2012. The group typically sends its targets emails laced with malware in an effort to steal confidential information.
Reaper has drawn little attention as it has so far discreetly spied on South Korea’s government, military, defense, and media sectors. The group, however, became more ambitious last year when it began targeting multinational companies.
Its known targets include a Middle Eastern telecommunications company that does business in North Korea, a Japan-based entity associated with a United Nations group on sanctions, and the general director of a Vietnamese trading company, according to FireEye who declined to specifically name the victims.
“North Korea appears to be confident about hacking South Korea and now wants to look beyond,” said Shin Jin, a political science professor at South Korea’s Chungnam National University. “Foreign nations are an unexplored market and many of them have security infrastructure weaker than South Korea.”
FireEye said that Reaper is a threat that governments and companies need to keep an eye on.
“We expect very aggressive activity in the near future,” Hultquist said.
Reaper’s efforts so far have taken on the form of classic espionage that has focused on covertly gathering intelligence, Hultquist said. However, he warned that they are capable of inflicting serious damage.
“If you wanted to target South Korea’s economy, it could be as easy as a ransomeware attack on a series of major companies,” he said.
North Korea has repeatedly denied involvement in international cyber attacks. FireEye says though that it is highly confident that Reaper is acting on behalf of Kim Jong Un’s regime.
FireEye began scrutinizing the hacking group last month when South Korea issued a warning about a security vulnerability in Adobe Flash. A developer that is believed to belong to the Reaper group made the mistake of revealing their North Korean IP address, according to Hultquist.
“They have shown very little regard for norms and red lines, and again and again pushed the limits of acceptable behavior for a nation state,” Hultquist said.
“Ignored, these threats enjoy the benefit of surprise, allowing them to extract significant losses on their victims, many of whom have never previously heard of the actor,” FireEye said in a statement.