North Korean and Chinese Cyber Crime Threats to the HPH
September 21, 2023
TLP:CLEAR, ID# 202309211300
Agenda
Chinese and North Korean Cybercrime
• Cybercrime Overview and Theory
• China
    APT41
• North Korea
    APT43
    Lazarus Group
• Defense and Mitigations
• Conclusions
• References
Slides Key:
Non-Technical: Managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)
Cybercrime Overview
An overview of common cybercriminal features and characteristics
The Typical, Modern Cybercriminal Gang
• Modern and sophisticated cybercriminal groups are run like companies:
    Most cybercrime originates from small teams bringing in moderate revenues.
    They advertise and recruit, track revenues, form partnerships, and track and mimic competition.
    Larger cybercriminal groups can be organized and operate like a corporation (various departments, staffing challenges, overhead, quality control, etc.).
    Many groups have political connections and are generally aware of their public relations.
    They grow capabilities organically/internally and also leverage the black market to bring in new capabilities.
Guidelines for ascertaining criminal business size.
Image Source: Trend Micro
A Brief Analysis of the GozNym Network
• Midsize cybercriminal gang
~$100M in …