North Korean hackers have conducted a global cyber espionage campaign to steal classified military secrets in support of Pyongyang’s banned nuclear weapons program, according to a joint advisory from the United States (U.S.), Britain, and South Korea released on Thursday, July 25th. The hackers, known as Andariel or APT45 by cybersecurity researchers, are believed to be part of North Korea’s intelligence agency, the Reconnaissance General Bureau, which was sanctioned by the U.S. in 2015.
“The global cyber espionage operation that we have exposed today shows the lengths that D.P.R.K. state-sponsored actors are willing to go to pursue their military and nuclear programs,” said Paul Chichester at Britain’s National Cyber Security Centre, part of the G.C.H.Q. spy agency. Last August, Reuters reported that an elite group of North Korean hackers had breached systems at N.P.O. Mashinostroyeniya, a rocket design bureau in Reutov, near Moscow.
The cyber unit has targeted or breached computer systems at a wide range of defense and engineering firms, including manufacturers of tanks, submarines, naval vessels, fighter aircraft, and missile and radar systems, the advisory said. U.S. victims have included the National Aeronautics and Space Administration (N.A.S.A.), Randolph Air Force Base in Texas, and Robins Air Force Base in Georgia, F.B.I. and U.S. Justice Department officials revealed.
In February 2022, the hackers allegedly used a malware script to gain unauthorized access to N.A.S.A.’s computer system for three months, extracting over 17 gigabytes of unclassified data. “The authoring agencies believe the group and their cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India,” the advisory stated.
North Korea, formally known as the Democratic People’s Republic of Korea (D.P.R.K.), has a long history of using covert hacking teams to steal sensitive military information. To fund their operations, the hackers also targeted U.S. hospitals and healthcare companies with ransomware, U.S. officials allege. On Thursday, the U.S. Justice Department charged Rim Jong Hyok with conspiring to access computer networks in the United States and with money laundering. Rim is accused of being involved in a May 2021 hack against a Kansas-based hospital, which paid ransom after the hackers encrypted four of its computer servers. The hospital paid the ransom in bitcoin, which was transferred to a Chinese bank and then withdrawn from an A.T.M. in Dandong, China, near the Sino-Korean Friendship Bridge connecting the city to Sinuiju, North Korea, according to the indictment. The F.B.I. is offering a reward of up to $10 million for information leading to Rim’s arrest, as he is believed to be in North Korea. F.B.I. and Justice Department officials said they have seized some of the online accounts belonging to the hackers, including $600,000 in virtual currency that will be returned to ransomware victims.
APT45, part of North Korea’s Reconnaissance General Bureau, used common phishing techniques and computer exploits to trick officials at targeted firms into giving away access to their internal computer systems, the advisory added.
The exposure of this operation underscores the persistent and evolving threat posed by North Korean cyber activities. These activities not only compromise global security but also fund the regime’s military ambitions. Continued vigilance and international cooperation are essential to counter these cyber threats and protect sensitive information from being exploited by adversarial state actors.