Shift in North Korea’s Cyber Operations: The Rise of New Threats
Recent revelations from CrowdStrike highlight a significant transformation in one of North Korea’s most established cyber operations. The group, known as LABYRINTH CHOLLIMA and active since at least 2009, has diversified into three distinct entities, each with its own focus, malware tools, and operational strategy. This evolution marks a critical shift in how North Korea approaches cyber warfare.
The Breakdown of LABYRINTH CHOLLIMA
CrowdStrike’s analysis reveals that LABYRINTH CHOLLIMA has expanded into two additional groups: GOLDEN CHOLLIMA and PRESSURE CHOLLIMA. Even though these groups operate as separate units, they still share resources, infrastructure, and operational techniques. This interconnectedness suggests a well-organized command structure within North Korea’s cyber landscape, reinforcing the notion that these entities function under a centralized strategy.
Espionage and Financial Intrusion: Differing Objectives
LABYRINTH CHOLLIMA remains focused on cyber espionage, targeting key sectors such as industrial manufacturing, logistics, and defense. These operations reflect North Korea’s ongoing intelligence objectives, primarily the acquisition of geopolitical and military intelligence.
Conversely, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA have pivoted toward financially driven cybercrime, with a pronounced focus on cryptocurrency firms worldwide. GOLDEN CHOLLIMA is primarily associated with financial technology and cryptocurrency platforms, while PRESSURE CHOLLIMA has been implicated in attacks on centralized exchanges and several notable cryptocurrency thefts. This division lets North Korea pursue two strategic goals at once, intelligence gathering and revenue generation, while making its cyber operations more resilient.
Shared Foundation, Evolving Technologies
Despite their distinct functions, the malware used by these three groups shares common origins. CrowdStrike notes that all three rely on advanced iterations of malware families first deployed by LABYRINTH CHOLLIMA in the 2000s and 2010s. This continuity points to North Korea’s commitment to building scalable and flexible cyber capabilities over the long term.
A Purposeful Strategy Shift
Security experts read this split as a deliberate strategic decision rather than an incidental separation. By distributing tasks across different units, North Korea can improve operational efficiency, lower the likelihood of detection, and broaden its reach worldwide. This operational model is consistent with trends previously observed in other DPRK-linked groups, such as those within the Lazarus ecosystem.
Impact on Global Cybersecurity
The emergence of three coordinated adversaries substantially raises the threat to governments, critical infrastructure operators, and cryptocurrency businesses across the globe. With their specialized missions and shared tooling, the CHOLLIMA groups present a more agile and formidable threat than in the past.
To counter this evolving risk, organizations should strengthen their threat intelligence programs, expand their monitoring coverage, and adopt proactive defensive measures. The growing sophistication of North Korea’s cyber operations underscores the need for vigilance and preparedness in today’s digital landscape.