North Korea Repositions Hacking Unit for Global Cyberattacks

    ‘Reaper’ unit doesn’t try to cover its tracks in sophisticated cyberattacks, according to FireEye report

    In a May file photo, employees watch electronic boards monitoring possible ransomware cyberattacks at the Korea Internet and Security Agency in Seoul. Photo: YUN GON-JIN/YONHAP/ASSOCIATED PRESS

    One of North Korea’s three major hacking units, in a strategic shift, is hunting for overseas targets and not covering its tracks, according to a new report, a sign the regime is expanding its cyber attacks under tightened sanctions.

    The group, referred to as “Reaper” by cybersecurity firm FireEye Inc., had long focused on harassing South Korea’s public institutions, military and private companies. But last year, the unit attacked Japan, Vietnam and the Middle East, wielding surprisingly sophisticated skills in seeking covert intelligence for Kim Jong Un’s regime, FireEye said in a report on Tuesday.

    The Reaper group’s emergence means two major North Korean cyber units have been unleashed to make global attacks. The other, often called “Lazarus” by foreign cybersecurity firms, has been linked to North Korea’s headline-grabbing campaigns, such as last year’s WannaCry ransomware attack and the 2014 Sony Pictures hack.

    Unlike Lazarus, with hackers deployed around the world, the Reaper group appears to be primarily based in Pyongyang, FireEye said. Their malware attacks track a typical North Korean workday, FireEye says, peaking at 11 a.m. and 3 p.m. local time, while quieting significantly at noon.
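    The workday pattern FireEye describes is inferred by converting each observed event (malware compile times, first-seen timestamps, C2 check-ins) from UTC into the operators' suspected local time and bucketing by hour of day. The script below, added here as an illustration and not code from FireEye or the article, does exactly that over a constructed set of UTC timestamps. It assumes UTC+08:30 for Pyongyang, which was North Korea's offset during 2017 (it is UTC+09:00 today), and it reports the same events bucketed in UTC alongside the local view to show why the conversion matters. Timing alone is a weak attribution signal, so analysts treat it as corroboration for other evidence, such as the IP-space observation Mr. Hultquist cites below.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Offset assumed for the 2017 activity discussed in the article: Pyongyang Time
# was UTC+08:30 between 15 Aug 2015 and 4 May 2018 (it is UTC+09:00 today).
PYONGYANG_2017 = timezone(timedelta(hours=8, minutes=30), name="PYT")

# Constructed sample: first-seen times (UTC) of samples or C2 check-ins attributed
# to one activity cluster. Not real data; shaped to mimic the pattern the article
# describes (late-morning and mid-afternoon peaks, quiet around noon local time).
SAMPLE_UTC = [
    "2017-11-06T01:45:00Z", "2017-11-06T02:10:00Z",  # 10:xx local
    "2017-11-06T02:35:00Z", "2017-11-06T02:50:00Z",  # 11:xx local
    "2017-11-06T03:45:00Z",                          # 12:xx local (lull)
    "2017-11-06T04:40:00Z", "2017-11-06T05:20:00Z",  # 13:xx local
    "2017-11-06T05:50:00Z",                          # 14:xx local
    "2017-11-06T06:35:00Z", "2017-11-06T06:55:00Z",  # 15:xx local
    "2017-11-07T02:40:00Z", "2017-11-07T02:55:00Z",  # 11:xx local
    "2017-11-07T06:15:00Z",                          # 14:xx local
    "2017-11-07T06:40:00Z", "2017-11-07T06:50:00Z",  # 15:xx local
    "2017-11-07T07:30:00Z",                          # 16:00 local
    "2017-11-08T14:30:00Z",                          # 23:00 local (outlier)
]


def parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string as a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hours(stamps, tz):
    """Hour of day (0-23) of each event after converting it into zone tz."""
    return [parse_utc(s).astimezone(tz).hour for s in stamps]


def hour_histogram(hours):
    """Event counts for every hour 0-23, with explicit zeros for empty hours."""
    counts = Counter(hours)
    return {h: counts.get(h, 0) for h in range(24)}


def peak_hours(hist, n=2):
    """The n busiest hours (ties broken by the earlier hour), returned in clock order."""
    ranked = sorted(hist, key=lambda h: (-hist[h], h))
    return sorted(ranked[:n])


def quietest_between(hist, start, end):
    """Least active hour strictly between two peak hours (earliest wins a tie)."""
    return min(range(start + 1, end), key=lambda h: (hist[h], h))


def business_hours_share(hist, start=9, end=18):
    """Fraction of all events falling in [start, end) local time."""
    total = sum(hist.values())
    return sum(hist[h] for h in range(start, end)) / total if total else 0.0


def workday_profile(stamps, tz):
    """Summarise a cluster's activity as seen from zone tz: peaks, the lull between
    them, and how much of the activity falls inside a 09:00-18:00 working day."""
    hist = hour_histogram(local_hours(stamps, tz))
    lo, hi = peak_hours(hist)
    return {
        "peaks": (lo, hi),
        "lull": quietest_between(hist, lo, hi),
        "business_share": round(business_hours_share(hist), 3),
    }


if __name__ == "__main__":
    # In UTC the peaks land at 02:00 and 06:00 and almost nothing is "in hours";
    # shifted to Pyongyang time the same events peak at 11:00 and 15:00 with a dip at noon.
    print("UTC view:      ", workday_profile(SAMPLE_UTC, timezone.utc))
    print("Pyongyang view:", workday_profile(SAMPLE_UTC, PYONGYANG_2017))
```

    Real analyses run this over thousands of events and also check the day-of-week distribution (a five-day working week is as telling as the hourly peaks) and compare candidate time zones side by side, since a profile that looks like a workday in one zone looks like night shifts in another.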

    North Korean leader Kim Jong Un looks at a computer as he inspects an artillery unit. Photo: kns/Agence France-Presse/Getty Images

    “In this case, [Reaper] has come right out of the Pyongyang IP space,” said John Hultquist, FireEye’s director of intelligence analysis, referring to a computer’s location-identifying Internet Protocol address.

    Most nation-state hacking groups will refrain from daring attacks over fears of diplomatic or economic blowback. But as sanctions ratchet up against North Korea, “they don’t care as much if they are caught,” Mr. Hultquist said.

    South Korean cyber experts—based in a country that has withstood Pyongyang hacks for two decades—have sorted North Korea’s cyber army into three teams: The A team, or Lazarus, attacked foreign banks and companies. The B team, or Reaper, focused, until recently, on South Korea, and the C team blasted out emails and collected information.

    North Korea has denied involvement in hacking attacks.

    Reaper’s newer foreign assaults have gone after private companies in the chemicals, aerospace, automotive and health-care industries, FireEye says.

    One such attack identified by FireEye was on a Middle Eastern company that had entered into a joint venture with the North Korean government to offer telecommunications service. The attack, FireEye suspects, was an attempt by the North Korean government to gather information on the company after the business deal soured.

    FireEye didn’t disclose the company’s name. But Egypt’s Orascom Telecom Media and Technology entered a joint venture with the North Korean government in 2008 to operate the country’s Koryolink mobile network.

    Orascom Chairman Naguib Sawiris told The Wall Street Journal he was unaware of any North Korean cyberattack last year, and doubted that one occurred. He said a Ukrainian outfit launched an attack on Orascom, but it was unsuccessful.

    The Reaper group is still going after South Korean targets, though recent attacks are noteworthy because of their skill level, FireEye said.

    In recent months, Reaper targeted South Koreans when it executed a “zero-day” attack that exploited previously unknown vulnerabilities in Adobe Flash, the multimedia player used by many internet browsers.

    Such attacks are rare and seen as one of the hacking world’s most sophisticated—and expensive—cyberweapons because the malware is difficult to create. By embedding malware into Adobe Flash files, North Korean hackers could gain remote access to infected computers.

    “They’ve been off the radar,” Mr. Hultquist said, referring to Reaper, whose earlier attacks weren’t as sophisticated. “But now they may have a global mandate and the government is leveraging them more and more for other tasks.”

    Write to Timothy W. Martin at timothy.martin@wsj.com