WASHINGTON — In the latest indication that North Korea’s cyber operations are more sophisticated than commonly realized, computer security researchers have identified a group of government hackers and spies in the hermit kingdom who are capable of stealing documents from computers that aren’t connected to the internet.

In a new paper published Tuesday morning, leading cyber security firm FireEye says its iSight intelligence arm has tracked a national-security related spying arm it calls APT37 that has “expanded its operations in both scope and sophistication.”

That hacking group — which is not the one that attacked Sony Pictures entertainment in December 2014 — has been active since 2012 and focuses on defense targets in South Korea, FireEye says.

CrowdStrike, another top cyber security firm, told NBC News it identifies the group by the name “Labyrinth Chollima.”

“Their malware is quite sophisticated and is capable of stealing documents from the air-gapped or disconnected networks,” says a CrowdStrike intelligence paper. “Primary targets include government, military, defense, finance, energy and electric utility sectors.”


North Korea stages a military parade in Pyongyang on Feb. 8 to mark the 70th anniversary of the Korean People’s Army at Kim Il Sung Square. KNS / AFP – Getty Images


Keeping sensitive information on computers disconnected from the internet is a primary method of defending it from hackers. The ability to jump that “air gap,” was once limited to a small number of sophisticated countries, but it has become more common, experts say. For example, last year, researchers showed how a tiny drone can steal information by reading a computer’s blinking LED lights.

John Hultquist, FireEye’s manager of analysis, told NBC News: “There is no question that North Korea has become increasingly aggressive with their use of cyber capabilities. They are not just focused on espionage – we’ve seen them use it for attack, we’ve seen them use it for crime. A lot of that has been a fairly well-known group that’s been tracked fairly well.”

APT37 or Labyrinth Chollima, he added, “isn’t as well known, has always been South Korea-focused, has stayed in the shadows.”

However, he said, “They are showing up in places outside South Korea, continuing to expand capabilities. If we don’t pay attention to this actor, we risk being surprised again.”

The group has regularly exploited what are known as “zero day vulnerabilities,” Hultquist said — previously unknown flaws in operating systems that allow hackers to breach defenses and can sell for hundreds of thousands of dollars on the black market.

U.S. blames North Korea for massive cyber attack

autoplay autoplay

The U.S. intelligence community is also tracking North Korea’s cyber operations. In a worldwide threats assessment last week, intelligence agencies said: “We expect the heavily sanctioned North Korea to use cyber operations to raise funds and to gather intelligence or launch attacks on South Korea and the United States. Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning, including distributed denial of service attacks, data deletion, and deployment of ransomware.”

According to FireEye, APT37 has targeted a Middle Eastern company that entered into a joint venture with the North Korean Government to provide telecommunications service to the country; the general director of a Vietnamese international trading and transport company; and possibly individuals working with Olympics organizations assisting in securing resources for athletes.

The group also has hacked a research fellow, advisory member, and journalist associated with North Korean human rights issues and a Japanese organization associated with the United Nations missions on sanctions and human rights, FireEye said.

CrowdStrike says APT37 or Labrinth Chollima is one of three main cyber actors in the North Korean government that some researchers collectively call the Lazarus group. The others are Silent Chollima, which is involved in destructive attacks and is believed responsible for the hack that destroyed Sony computers in 2014.

Take a rare look inside the border between North and South Korea

autoplay autoplay

A group CrowdStrike calls Stardust Chollima is mainly involved in stealing money, said Dmitri Alperovitch, CrowdStrike’s co-founder, whp helped the Democratic National Committee identify and respond to the Russian hack of its systems during the 2016 presidential election.

This was the group that has targeted the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system and global banking networks, and was able to steal $81 million from Bangladesh’s central bank, officials have said.

U.S. intelligence officials have linked North Korea to the WannaCry ransomware attack, an outbreak of malware last year reported to have infected more than 230,000 computers in over 150 countries, making data irretrievable in many cases.

Kim Heung-Kwang, a former North Korean computer expert who defected to the south in 2004, told NBC News in an interview in Seoul last year that the North has trained thousands of military hackers capable of inflicting damage on South Korean and Western infrastructure.

“North Korea is able to use its cyber army to attack South Korea and the U.S.,” he said.