Navigating the LABYRINTH: An In-Depth Examination of Interactive Intrusions by a North Korean APT
OBJECTIVE BY THE SEA V6.0
INTROS
AGENDA
§ Adversary overview
§ Tools and tradecraft
§ In the crosshairs
§ Day in the life
LABYRINTH CHOLLIMA
§ LABYRINTH CHOLLIMA is one of the most prolific Democratic People's Republic of Korea (DPRK) threat actors
§ Active since 2009
§ Specialized cybercrime unit responsible for state-sponsored, high-profile attacks
§ Recently targeted verticals include:
§ Financial
§ Technology
§ Media
§ Energy
§ Manufacturing
Organizational placement (org chart on the slide, rendered here as an outline):
RGB's Third Bureau (Technical Surveillance Bureau)
§ Intelligence collection
§ Currency generation
- 110 Research Institute
- 63 Research Center
- Office 970
- 414 Liaison Office
§ Defense
CrowdStrike adversary names alongside the commonly used group names:
- LABYRINTH CHOLLIMA (Lazarus Group)
- STARDUST CHOLLIMA
- VELVET CHOLLIMA (Kimsuky)
- SILENT CHOLLIMA (Andariel)
Source: UN Security Council Final report of the Panel of Experts submitted pursuant to resolution 2627
TRADECRAFT
§ LABYRINTH CHOLLIMA maintains an extensive toolset consisting of custom implants targeting Windows, Linux, macOS, and Android operating systems
§ Operations vary in complexity across the full spectrum of tradecraft
§ Rapid capability development is enabled through use of a cross-platform implant framework
§ Observed tooling is unique to each target set
[Figure on slide: comparison of LABYRINTH CHOLLIMA and STARDUST CHOLLIMA]
TARGETING
§ In 2022, $1.7+ billion of cryptocurrency stolen by DPRK-nexus actors
§ …
IoC (40-character hex digest, consistent with SHA-1): 55554944de78734d3ae638288f74df13714f924b
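A practitioner handed a single file-hash IoC like the one above usually wants to sweep a host or a collection of samples for it. The script below is an added example, not code from the talk or from any vendor tooling: it validates the indicator as a 40-hex SHA-1 digest, streams files through SHA-1 so large binaries are not read into memory at once, and reports matches. The sample "files" are constructed in-memory and are not malware; a synthetic indicator is computed for one of them so the script shows a positive hit offline.

```python
"""Sweep files for a known-bad SHA-1 indicator.

Added example (not from the slide deck). Only the IoC string below comes from
the page; everything else is assumed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Iterable

# The indicator as published on the slide: 40 hex characters, the length of a SHA-1 digest.
IOC_SHA1 = {"55554944de78734d3ae638288f74df13714f924b"}

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_iocs(raw: Iterable[str]) -> set[str]:
    """Lower-case and validate indicators; reject anything that is not a 40-hex SHA-1.

    Feeds from reports often mix case or carry stray whitespace; rejecting malformed
    entries loudly is better than silently never matching them.
    """
    out: set[str] = set()
    for item in raw:
        h = item.strip().lower()
        if not _HEX40.match(h):
            raise ValueError(f"not a SHA-1 hex digest: {item!r}")
        out.add(h)
    return out


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory blob."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 in 1 MiB chunks so large binaries are not loaded whole."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(files: dict[str, bytes], iocs: set[str]) -> list[tuple[str, str]]:
    """Return (name, digest) for every in-memory file whose SHA-1 is in the IoC set."""
    hits: list[tuple[str, str]] = []
    for name, content in files.items():
        digest = sha1_of_bytes(content)
        if digest in iocs:
            hits.append((name, digest))
    return hits


def sweep_directory(root: Path, iocs: set[str]) -> list[tuple[str, str]]:
    """Same check over a real directory tree (walks every regular file under root)."""
    hits: list[tuple[str, str]] = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha1_of_file(p)
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


# Constructed sample files (hypothetical, not real malware). Neither matches the
# slide's IoC, so a synthetic indicator is derived from one of them to demonstrate a hit.
SAMPLE_FILES = {
    "benign.txt": b"hello world\n",
    "suspect.bin": b"\x7fELF" + b"\x00" * 16,
}
SYNTHETIC_IOC = sha1_of_bytes(SAMPLE_FILES["suspect.bin"])

if __name__ == "__main__":
    iocs = normalize_iocs(IOC_SHA1 | {SYNTHETIC_IOC})
    for name, digest in sweep(SAMPLE_FILES, iocs):
        print(f"HIT {name} {digest}")
```

For a live host, replace the in-memory sweep with `sweep_directory(Path("/some/root"), normalize_iocs(IOC_SHA1))`; a hash match is a strong signal but a hash miss is not an all-clear, since trivially recompiled or padded samples produce a different digest.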