North Korean Hacker Unit ‘Reaper’ Now A Global Threat


According to news reports, North Korea has started targeting foreign aerospace, defense and industrial sectors through its sophisticated hackers and hacker groups. There have been growing concerns about the North Korean cyber army, which is estimated at 6,000 hackers handpicked by Pyongyang’s cyber warfare agency. They are trained to infiltrate international banks and military surveillance systems and to attack vital infrastructure.

Reaper, also known as APT37, was identified in research by the American private security company FireEye. Last month, FireEye published a report titled ‘APT 37 (Reaper)’ which described the malicious activities of the North Korean cyber-terrorist group. The ‘Reaper’ group is rumored to have a wide range of infiltration capabilities, such as planting custom-coded malware on a target’s devices that is capable of eavesdropping, recording audio via the infected system and completely wiping the drive to leave no footprint. This has dramatically increased the reach of North Korea’s already intimidating cyber operations.

FireEye assumes Reaper was founded in 2012 in North Korea. From 2014 to 2017, its hackers primarily focused on the South Korean government, military defenses, industrial bases, and media. Its malware is primarily focused on stealing information and is set up to automatically exfiltrate data of interest from the infected user’s system. One of the malware families attributed to Reaper is called ‘DogCall’, which allows the group to log keystrokes, access cloud storage services like Dropbox and take screenshots. In March and April of 2017, it was used to target the South Korean government as well as military organizations.

In 2017, the group expanded operations by targeting Japan, Vietnam, and the Middle East. They recently targeted a Middle Eastern company after it entered into a joint venture with the DPRK (Democratic People’s Republic of Korea) to provide telecom service to the country. They also targeted individuals involved with international affairs. Another target was a Middle Eastern company, where a bank liquidation letter was used as spear-phishing bait against a board member in May of 2017.

Social engineering and phishing operations are the most common techniques used by Reaper to get hold of a user’s personal device. They also exploit zero-day vulnerabilities. Exploiting zero-day vulnerabilities means using previously unknown security vulnerabilities on the same day they are found.

There are many prolific active groups in North Korea besides Reaper, and Lazarus is one of them. Lazarus has been blamed for initiating many speculative attacks around the world, such as the leaking and destroying of Sony Pictures’ data in 2014. The United States has already confirmed that Pyongyang was involved in May’s WannaCry ransomware attack, which affected over 230,000 computers in over 150 countries.

In December, it was speculated that Lazarus targeted a South Korean cryptocurrency exchange platform, stealing at least $7M worth of digital currency, which ultimately forced the South Korean Bitcoin exchange Youbit into bankruptcy.

One of the most recent incidents took place in January this year, when North Korean hackers got away with £380 million from Tokyo-based exchange operator Coincheck. This event is considered one of the largest cryptocurrency heists in modern history.

North Korean hacking rings are just the tip of the iceberg. Cyber threats are growing every day, from malware to brute-force attacks. If it’s digital and has fewer safeguards, it can be compromised. It is important for everyone to stay ahead of the curve and protect their digital assets.

“As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.” – Newton Lee