NewsBite

‘Operation GhostSecret’: Suspected North Korea cyberattack targeted Australia

A cyberattack on Turkish banks last month has been exposed as a global data-theft campaign targeting nations including Australia.

Hackers sought to obtain sensitive information from a variety of industries. Picture: AP

A suspected North Korean cyberattack on Turkish banks last month is broader in scope than originally believed, and has expanded to a global data-theft campaign targeting nations including the U.S. and Australia, according to a new cybersecurity analysis.

The hacking campaign, identified as Operation GhostSecret by cyber researcher McAfee LLC, now spans 17 countries and many industries. The attacks highlight how hackers linked to Pyongyang have evolved beyond their traditional focus on military secrets and cyber provocations.

From roughly March 14 to March 26, suspected Pyongyang-linked hackers sought to obtain sensitive information from a variety of industries: critical infrastructure, telecommunications, health care, higher education and others. McAfee, which released the report on Wednesday, didn’t name the affected organisations but said most of the attacks were in the Asia-Pacific region.

The cyberoffensive remains active, McAfee said. As with nearly all digital assaults, it is difficult to know exactly what was taken. But hackers prying into compromised computers could delete files, steal data or study networks for weaknesses that inform future strikes.

“They’re in your network. They’re learning about you, understanding how you operate,” said Raj Samani, McAfee’s chief scientist.

North Korea, stung by economic sanctions, has wielded its cyberwarriors in increasingly dangerous ways, targeting infrastructure systems and stealing money, according to cybersecurity specialists who track the regime’s behaviour. The more menacing tactics are amplified by Pyongyang’s improving coding skills and swift mobilisation, these people say.

North Korea’s approach is distinctive because Kim Jong Un’s regime is already isolated politically, so it isn’t afraid of diplomatic repercussions that other state actors typically seek to avoid, according to cyber researchers.

McAfee doesn’t officially identify nation-state cyber units as culprits. But in its report released Wednesday, the company says it has “high confidence” that Operation GhostSecret is the work of a North Korea-linked hacking operative known as Lazarus, based on similarities in malware and infrastructure. Lazarus has been blamed for last year’s WannaCry ransomware attack and the 2014 Sony Pictures hack. North Korea has denied involvement in those attacks.

In early March, McAfee identified cyberattacks on Turkish financial institutions and government groups that deployed a “Bankshot” implant that embedded malicious files in Microsoft Word documents sent to victims via email attachment. Computers were infected if users downloaded the attachment.

But that episode turned out to be just the first stage of Operation GhostSecret, McAfee said. The broader assault grew beyond the Bankshot implant and used other types of malware. McAfee researchers classified the various malware under a single operation because of similarities in coding and capability, as well as the attack’s timing.

One of the additional tactics was a variant of a wiper tool that had a more than 80 per cent similarity to the one used in the Sony Pictures hack, said Christiaan Beek, McAfee’s senior principal engineer. The updated wiper tool — which can delete files on infected computers — wasn’t a direct copy of the prior version, but rather a new, hybrid variant, McAfee said.

Another malware implant, observed broadly with Operation GhostSecret, helped cover the hackers’ digital footprints with encryption, McAfee said.

Though McAfee publicised the attacks on Turkish banks, Mr Samani, the chief scientist, said the expansion of the data-stealing offensive showed how persistent the suspected North Korean hacking machine has become.

“They are carrying out attacks with impunity,” Mr Samani said.

WSJ

Original URL: https://www.theaustralian.com.au/business/wall-street-journal/operation-ghostsecret-suspected-north-korea-cyberattack-targeted-australia/news-story/a40295e90c0406cd4f647065e553c48b