Executive Summary
In 2025, cyber threat groups linked to North Korea and China intensified their attacks on financial institutions and cryptocurrency assets in the Asia-Pacific region. North Korean adversaries, notably PRESSURE CHOLLIMA, executed the largest financial theft to date, stealing $1.46 billion in cryptocurrency through a supply chain compromise. Concurrently, Chinese threat actors like HOLLOW PANDA targeted financial institutions across multiple countries, including the Philippines, Indonesia, and Brazil. These operations leveraged advanced techniques, including AI-generated identities and sophisticated social engineering tactics, to infiltrate organizations and exfiltrate sensitive data. (crowdstrike.com)
The escalation of these cyber activities underscores a growing trend of state-sponsored cybercrime aimed at financial gain and intelligence collection. The increasing sophistication and frequency of these attacks highlight the urgent need for enhanced cybersecurity measures and international collaboration to protect financial infrastructures from such persistent threats.
Why This Matters Now
The surge in state-sponsored cyberattacks targeting financial institutions, especially in the Asia-Pacific region, poses significant risks to global financial stability. The use of AI and advanced social engineering by these threat actors necessitates immediate and robust cybersecurity strategies to mitigate potential economic and operational disruptions.
Attack Path Analysis
North Korean and Chinese state-sponsored threat groups targeted financial institutions in the Asia-Pacific region through spear-phishing campaigns, leading to initial compromises. Once inside, they escalated privileges by exploiting vulnerabilities and misconfigurations. The attackers then moved laterally within the networks to access critical systems. They established command and control channels to maintain persistent access. Sensitive financial data and cryptocurrency assets were exfiltrated. The attacks resulted in significant financial losses and operational disruptions.
Kill Chain Progression
Initial Compromise
Description
Attackers used spear-phishing emails to deliver malicious payloads, leading to the initial compromise of financial institutions.
MITRE ATT&CK® Techniques
- Phishing
- Application Layer Protocol: Web Protocols
- Data from Local System
- Drive-by Compromise
- Exploitation for Client Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Security Awareness Training (Control ID: 6.4.3)
- NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information (Control ID: 500.15)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Zero Trust Architecture (Control ID: Identity and Access Management)
- NIS2 Directive – Incident Response (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Primary target of Chinese and North Korean threat groups conducting financial cybercrime, cryptocurrency theft, and social engineering attacks across the Asia-Pacific region.
Banking/Mortgage
Exposed to state-sponsored attackers using encrypted traffic exploitation, lateral movement, and egress security bypasses for multi-billion dollar cryptocurrency and financial fraud.
Capital Markets/Hedge Fund/Private Equity
Vulnerable to sophisticated social engineering campaigns impersonating recruiters and investors targeting VPN access, credentials, and high-value infrastructure for data exfiltration.
Information Technology/IT
Targeted through fake hiring processes and business impersonation attacks designed to steal source code, SSO access, and exploit zero trust segmentation weaknesses.
Sources
- Chinese, N. Korean Threat Groups Build on Asia-Pacific Success: https://www.darkreading.com/cyberattacks-data-breaches/chinese-korean-threat-groups-asia-pacific-success
- CrowdStrike 2026 Financial Services Threat Landscape Report: https://www.crowdstrike.com/en-us/press-releases/crowdstrike-2026-financial-services-threat-landscape-report/
- CrowdStrike 2026 Global Threat Report: https://ir.crowdstrike.com/news-releases/news-release-details/2026-crowdstrike-global-threat-report-ai-accelerates-adversaries
- North Korea's crypto thieving went into overdrive in 2025, with one firm estimating it's responsible for roughly 60% of the $3.4 billion stolen in total: https://www.pcgamer.com/gaming-industry/north-koreas-crypto-thieving-went-into-overdrive-in-2025-with-one-firm-estimating-its-responsible-for-roughly-60-percent-of-the-usd3-4-billion-stolen-in-total/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attackers' ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial compromise via spear-phishing may still occur, subsequent unauthorized access to other workloads could be significantly constrained.
Control: Zero Trust Segmentation
Mitigation: Even if attackers escalate privileges within a compromised workload, their ability to access other workloads would likely be restricted.
Control: East-West Traffic Security
Mitigation: Lateral movement across the network would likely be significantly limited, reducing the attacker's ability to reach critical systems.
Control: Multicloud Visibility & Control
Mitigation: Establishing and maintaining command and control channels would likely be more challenging due to enhanced monitoring and control.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts would likely be detected and blocked, reducing the risk of data loss.
While some impact may still occur, the overall damage would likely be reduced due to constrained attacker activities.
Impact at a Glance
Affected Business Functions
- Digital Asset Management
- Online Banking Services
- Customer Data Management
Estimated downtime: 14 days
Estimated loss: $2,020,000,000
Data exposed: Personal and financial information of customers, including account details and transaction histories.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Establish Multicloud Visibility & Control to maintain oversight across all cloud environments.