The group, known also as APT37, in 2017 began attacking targets in Japan, Vietnam and the Middle East after having focused on its southern neighbor for years, FireEye said in a report. The hacking group — traced to an IP address in North Korea — now infiltrates a range of industries from electronics and aerospace to automotive and health care, the cybersecurity firm said.
Reaper joins a growing list of hacking units linked to Kim Jong Un’s regime, including “Lazarus,” which the U.S. blamed for a 2014 data theft at Sony Pictures Entertainment. North Korea has been widening its cyber-operations in pursuit of cash and intelligence in an attempt to cushion the impact of international sanctions, and Reaper underscores the challenge in fending them off.
“They’ve laid low on the radar for a long time,” John Hultquist, director of FireEye’s intelligence unit, said by phone. “They are probably not getting their due, considering this is a tool of the regime that can be used in all the same ways that Lazarus is being used.”
Reaper has been active since at least 2012, and typically sends its targets emails laced with malware to steal confidential information. Its targets have included a Middle Eastern telecommunications company doing business in North Korea, a Japan-based entity associated with a United Nations group on sanctions and the general director of a Vietnamese trading company, FireEye said, declining to name the victims.
“North Korea appears to be confident about hacking South Korea and now wants to look beyond,” said Shin Jin, a professor of political science at South Korea’s Chungnam National University. “Foreign nations are an unexplored market and many of them have security infrastructure weaker than South Korea.”
The group came under FireEye’s scrutiny when South Korea warned last month about a security vulnerability in Adobe Flash. A developer believed to belong to Reaper made the mistake of revealing his or her North Korean IP address, Hultquist said. It’s unclear how large the group is, he added.
“Ignored, these threats enjoy the benefit of surprise, allowing them to extract significant losses on their victims, many of whom have never previously heard of the actor,” FireEye said in an emailed statement.