Revealed: How North Korea's 'Reaper' hackers target the Middle East

Sophisticated network attacked regional telecommunications giant as revenge for pulling out of business deal


A previously unknown network of North Korean hackers has targeted companies worldwide, including one in the Middle East, in retaliation for a failed business deal.

The network, known as 'Reaper' or APT37, has been operating since 2012, but has become increasingly active and sophisticated in recent months, a new report reveals.

According to the cyber-security company FireEye, its victims included at least one company in the region, which was targeted after it pulled out of a telecommunications deal with the regime of Kim Jong-un.

FireEye, which has offices in Dubai, says the organisation was hit because “it had been involved with a North Korean company and a business deal that went bad”.

“The firm was targeted shortly [after] media reports of this schism had gone public,” it said.

FireEye has declined to name the company, beyond saying it is based in Egypt, has “extensive relationships inside North Korea”, and that the Reaper network has expanded its sphere of operations worldwide and to a range of industries.

Mohammed Abukhater, FireEye's vice president for sales in the Middle East, said the Reaper network had come to the attention of the company's team of undercover investigators in 2015 but, speaking to The National, said they had recently become "very sophisticated and expanded their scope".

Mr Abukhater said that there was a lack of awareness in the region about the dangers of these attacks and that he "would not be surprised if there are more".

Complete protection against hackers was impossible, he said, “but you need to have the right measures in place to minimise the risk”.



While the motivation in the attack on the Egyptian company was revenge, other incidents were designed to steal secrets or for extortion, Mr Abukhater said.

In December it was reported that the Egyptian telecommunications giant Orascom had pulled out of a mobile phone service it was providing to North Korea.

The deal had been set up in 2008, as a collaboration that established the country’s only 3G service with an estimated 300,000 new customers.

Orascom's chairman, the billionaire Naguib Sawiris, told The Wall Street Journal that he was not aware of any North Korean cyberattack.

The company has also previously insisted that it has always followed UN requirements on trading with the regime.

The timing of the attacks appears to be linked to increasing pressure by the United States and the UN to enforce sanctions against Pyongyang as a result of its nuclear weapons and ballistic missile programme.

Last September, South Korean news agencies reported that Egypt’s defence minister, Sedki Sobhi, had agreed to cut all military ties to the North during a visit to Seoul.

According to FireEye: “The targeting effort may have been an attempt by the North Korean government to gather information on a former business partner.”

It reported that in May last year, APT37 used a bank liquidation letter as a front for a phishing attack on a board member of a company in the Middle East.

Phishing is a tactic in which an email is made to closely resemble a genuine communication, but carries attachments or links that deliver malware.

In this instance, the report says, the board member was sent an attachment that exploited a known weakness in Microsoft Office, allowing the North Koreans to install a tool that could collect information and download further malicious files. Other attacks have used a vulnerability in Adobe Flash.

FireEye says it has “high confidence” that the Reaper attacks originate from North Korea because, in at least one case, the group inadvertently exposed IP addresses located in the country.

Almost unknown until now, APT37 “has expanded its operations in both scope and sophistication”.

The timing of the attacks is also consistent with North Korean time zones, while the majority were aimed at defectors and South Korean organisations.
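The working-hours signal mentioned above is something any analyst can reproduce. The script below is an added illustration written for this page; it is not code from FireEye or from the report, and the twelve event times it uses are constructed for the demo rather than real indicators. It takes UTC timestamps of observed activity (for instance phishing send times), converts them into every candidate UTC offset on a half-hour grid, and scores each offset by the share of events that land inside a Monday-to-Friday, 09:00 to 18:00 working window. A single offset that fits far better than its neighbours is one attribution clue, to be weighed alongside infrastructure evidence such as the exposed IP addresses the article describes, and it can be defeated by operators who work unusual hours or schedule their tooling.

```python
"""Activity-hours attribution check (added example; not from the article or FireEye).

Given UTC timestamps of attacker activity, score each candidate UTC offset by
the fraction of events that fall inside a normal working week for an operator
in that zone. The sample timestamps below are constructed for the demo.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of 12 event times (UTC), e.g. phishing send times or
# first-seen times of payloads. Invented for this demo, not real indicators.
SAMPLE_EVENTS_UTC = [
    "2017-05-02T00:30:00", "2017-05-02T02:15:00", "2017-05-02T05:40:00",
    "2017-05-03T01:05:00", "2017-05-03T03:50:00", "2017-05-03T07:20:00",
    "2017-05-04T00:10:00", "2017-05-04T04:35:00", "2017-05-04T08:45:00",
    "2017-05-05T02:00:00", "2017-05-05T06:25:00", "2017-05-06T02:00:00",
]

WORK_START, WORK_END = 9, 18  # assumed local working window [09:00, 18:00)


def parse_utc(stamps):
    """Parse ISO-8601 strings without an offset as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def in_working_window(local_dt):
    """True if the local time is on a weekday between 09:00 and 18:00."""
    return local_dt.weekday() < 5 and WORK_START <= local_dt.hour < WORK_END


def candidate_offsets(step_hours=0.5, low=-12, high=14):
    """Half-hour grid of UTC offsets from UTC-12 to UTC+14."""
    n = int((high - low) / step_hours)
    return [low + i * step_hours for i in range(n + 1)]


def score_offsets(events_utc, offsets=None):
    """Return [(offset_hours, fraction_in_window)] sorted best fit first.

    Ties are broken toward the offset closest to UTC, purely for determinism.
    """
    offsets = candidate_offsets() if offsets is None else offsets
    scores = []
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        hits = sum(in_working_window(e.astimezone(tz)) for e in events_utc)
        scores.append((off, hits / len(events_utc)))
    scores.sort(key=lambda t: (-t[1], abs(t[0])))
    return scores


def local_hour_histogram(events_utc, offset_hours):
    """Number of events per local hour-of-day under the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(e.astimezone(tz).hour for e in events_utc)


if __name__ == "__main__":
    events = parse_utc(SAMPLE_EVENTS_UTC)
    ranking = score_offsets(events)
    best_off, best_score = ranking[0]
    print(f"best fit: UTC{best_off:+g}, {best_score:.0%} of events in working hours")
    for off, sc in ranking[:5]:
        print(f"  UTC{off:+g}: {sc:.0%}")
    hist = local_hour_histogram(events, best_off)
    print("local-hour histogram at best fit:", dict(sorted(hist.items())))
```

On the constructed sample the best fit is UTC+9 with eleven of twelve events inside working hours (the twelfth falls on a Saturday), and the neighbouring half-hour offsets score visibly lower. With real data the interesting output is the shape of the ranking, not the single winner: a flat ranking means the timing carries no signal, and a tight cluster of high-scoring offsets only narrows the region, never the actor.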

Last year the Reaper hackers expanded the range of their targets to include companies and organisations in Japan, Vietnam and the Middle East and in the fields of health care, electronics and aerospace.

In the past, North Korea has been blamed for the WannaCry ransomware, which infected an estimated 200,000 users, and the hacking of Sony Pictures, releasing confidential material, apparently in retaliation for the film The Interview, a comedy which imagined the assassination of Kim Jong-un by bumbling American agents.