What makes North Korean hacking groups more creative?


North Korean leader Kim Jong Un meets with former U.S. President Donald Trump within the demilitarized zone (DMZ) separating South and North Korea in 2019. (Handout photo by Dong-A Ilbo via Getty Images/Getty Images)

When cybersecurity experts talk about APT groups targeting the U.S. and its allies, they usually end up connecting the activity to one of “The Big Four”: Russia, China, Iran and North Korea. While these countries are far from the only ones conducting clandestine operations in cyberspace today, they’re often pegged as the most sophisticated and thus tend to get much of the attention.

But that doesn’t mean they all operate the same way. From a preference for writing custom malware code to pioneering new strategies, North Korean hacking groups have shown an innovative spirit that allows them to punch above their weight despite crushing sanctions.

At the 2021 RSA Conference, Dmitri Alperovitch, co-founder and former chief technology officer of CrowdStrike, said North Korean hacking groups, many of which operate under the umbrella name Lazarus Group, stand out considerably from their Big Four counterparts in the creativity of their campaign tactics and in the way they eschew popular commercial offensive tools.

“They’re in some ways my favorite actor in cyberspace, because they’re just so incredibly innovative,” said Alperovitch, now executive chairman at the Silverado Policy Accelerator.

In the early 2000s, North Korean intelligence agencies like the Reconnaissance General Bureau “pioneered” the concept of destructive cyberattacks in digital skirmishes with their South Korean neighbors, while the country’s 2014 hack of entertainment giant Sony foretold the coming era of hack and leak operations that would be picked up by Russia just a few more years down the line.

Alperovitch said that in recent years, Russian, Chinese and Iranian APTs have increasingly incorporated publicly available commercial offensive hacking tools like Cobalt Strike or open-source tools like the credential harvesting Mimikatz in their operations in lieu of writing their own malware, because they are less expensive and because using…
