Executive Summary
In 2025, CrowdStrike reported that the long-active North Korean adversary it tracks as Labyrinth Chollima has split into three distinct adversaries: Labyrinth Chollima (espionage), Golden Chollima, and Pressure Chollima (both focused on cryptocurrency theft). The reassessment followed observed divergences in tradecraft, malware, and sector targeting: Labyrinth Chollima has shifted toward manufacturing, logistics, aerospace, and defense targets, relies heavily on social engineering, and still shares infrastructure with its counterparts. CrowdStrike attributes the record $1.46 billion cryptocurrency heist of February 2025 (the Bybit theft) to Pressure Chollima, which illustrates the scale the new operational structure supports.
This realignment signals increasing specialization and growth within North Korea's cyber apparatus, enabling more targeted intrusions and more efficient monetization. Organizations in critical industries and the crypto sector face heightened risk as these groups adapt rapidly and use stolen funds to blunt the effect of international sanctions.
Why This Matters Now
The strategic split of North Korea's cyber units enables more sophisticated, scalable, and industry-specific attack campaigns, increasing threat levels for defense, logistics, manufacturing, and cryptocurrency sectors. With state-backed groups innovating and broadening their reach amid geopolitical tensions and sanctions, organizations must rapidly adapt their cyber defenses to counter evolving TTPs and prevent high-impact data loss or financial theft.
Attack Path Analysis
The modeled attack path begins with tailored phishing (often employment-themed social engineering) or a software supply chain compromise, followed by abuse of stolen credentials or cloud roles to elevate privileges. The attacker then moves laterally across cloud and hybrid environments toward sensitive workloads and services, establishes persistent command-and-control channels to coordinate the operation and evade detection, and exfiltrates data, intellectual property in espionage operations and cryptocurrency in financially motivated ones, over encrypted or otherwise covert outbound channels. The impact is large-scale data theft, financial loss, and reputational damage to the victim organization.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained a foothold through spearphishing and software supply chain compromise, abusing external-facing services or user access to enter the target's cloud or hybrid environment.
Related CVEs
CVE-2023-29059
CVSS 7.8. Trojanized 3CXDesktopApp installers and updates delivered a multi-stage backdoor to 3CX customers through the vendor's own update channel. Because the binaries carried a legitimate 3CX code-signing signature, signature validation alone did not catch them; detection depended on behavioral telemetry and known-bad file hashes.
Affected Products:
3CX 3CXDesktopApp – 18.12.407, 18.12.416, 18.12.422
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Core TTPs mapped for filtering and enrichment; full coverage can be expanded with STIX/TAXII feeds.
Phishing: Spearphishing Attachment (T1566.001)
Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
Gather Victim Identity Information (T1589)
Valid Accounts (T1078)
Command and Scripting Interpreter (T1059)
Exfiltration Over Web Service (T1567)
Remote Access Software (T1219)
Brute Force (T1110)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Authentication Management
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – Detection of Anomalous Activities
Control ID: Art. 10
CISA Zero Trust Maturity Model 2.0 – Identity, Devices, and Networks Pillars
Control ID: ZTMM v2.0 pillars (the model defines maturity stages per pillar, not numbered controls)
NIST CSF 2.0 – Asset Management: Network Communication and Data Flows
Control ID: ID.AM-03
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Defense/Space
North Korean nation-state espionage directly targets defense manufacturers and aerospace companies, requiring enhanced east-west traffic security and zero trust segmentation.
Aviation/Aerospace
European aerospace companies face targeted espionage campaigns exploiting employment-themed social engineering, necessitating egress security and multicloud visibility controls.
Logistics/Procurement
Shipping and logistics companies targeted by sophisticated threat groups require encrypted traffic protection and threat detection capabilities against persistent espionage operations.
Utilities
Critical infrastructure providers, including hydroelectric power operators, face nation-state threats and need Kubernetes security, anomaly detection, and secure hybrid connectivity.
Sources
- Long-running North Korea threat group splits into 3 distinct operations, CyberScoop: https://cyberscoop.com/north-korea-labyrinth-chollima-splits-crowdstrike/
- LABYRINTH CHOLLIMA Evolves into Three Adversaries, CrowdStrike: https://www.crowdstrike.com/en-us/blog/labyrinth-chollima-evolves-into-three-adversaries/
- CrowdStrike Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers, CrowdStrike: https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- CrowdStrike Releases 2025 Threat Hunting Report, CrowdStrike: https://www.crowdstrike.com/en-us/press-releases/crowdstrike-releases-2025-threat-hunting-report/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
This incident directly illustrates CNSF and Zero Trust relevance: segmentation, strong identity controls, workload isolation, and rigorous egress governance could have restricted attacker movement, limited privilege escalation, detected malicious C2, and disrupted data exfiltration. Coordinated enforcement at each stage reduces blast radius and constrains techniques commonly exploited in sophisticated cloud/hybrid attacks.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detection and containment of unauthorized access attempts via external services.
Control: Zero Trust Segmentation
Mitigation: Restricted privilege escalation paths and rapid alerting on unauthorized role assumptions.
Control: East-West Traffic Security
Mitigation: Containment or blocking of unauthorized east-west traffic between cloud workloads.
Control: Multicloud Visibility & Control
Mitigation: Visibility into and alerting on suspicious outbound C2 activity across cloud platforms.
Control: Egress Security & Policy Enforcement
Mitigation: Egress filtering or blocking of unauthorized data transfers and unusual encrypted traffic.
Effective controls at earlier stages could have limited the scope of loss and business impact.
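As an added example that is not from the original page or from CrowdStrike, the following Python lints an AWS-style IAM policy document for the over-broad grants that turn one stolen credential into the privilege-escalation path the controls above aim to close. The two policy documents, the bucket and role ARNs, and the finding names are constructed for illustration; the set of escalation-relevant actions is a short, well-known subset, not an exhaustive list.

```python
"""Least-privilege lint for AWS-style IAM policy documents.

Added example, not code from the original page or from CrowdStrike. Both policy
documents, the ARNs in them and the finding names are constructed for illustration.
"""
import json

# Constructed: the kind of grant that turns one stolen credential into full control
# of the account, with two unscoped escalation primitives on top.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed: the same workload's needs with scoped actions, a specific resource,
# and a condition on the role assumption.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::build-artifacts-example/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111122223333:role/deploy-example",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    ],
})

# A short, well-known subset of actions that grant or extend privilege when unscoped;
# not exhaustive.
ESCALATION_ACTIONS = {
    "sts:AssumeRole", "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy", "iam:CreateAccessKey", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return (statement_index, finding) pairs for Allow statements that are too broad."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Resource "*" with no Condition means the grant applies to everything, everywhere.
        unscoped = "*" in resources and not stmt.get("Condition")
        if "NotAction" in stmt:
            findings.append((idx, "NOTACTION_ALLOW"))  # allows everything except a list
        if "*" in actions:
            findings.append((idx, "WILDCARD_ACTION"))
        if any(a.endswith(":*") for a in actions):
            findings.append((idx, "SERVICE_WILDCARD_ACTION"))
        if unscoped:
            findings.append((idx, "WILDCARD_RESOURCE"))
        for action in actions:
            if action in ESCALATION_ACTIONS and unscoped:
                findings.append((idx, f"UNSCOPED_ESCALATION_PRIMITIVE:{action}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc))
```

A finding is a (statement index, check) pair so it can feed a CI gate or a ticket. A policy that passes this lint can still be too broad (an unscoped `s3:*` on a sensitive bucket, for instance), so treat it as a first filter rather than proof of least privilege.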
Impact at a Glance
Affected Business Functions
- Manufacturing
- Logistics
- Defense
- Aerospace
- Cryptocurrency
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive business and customer data due to espionage activities.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation and granular east-west controls to constrain lateral movement within cloud and hybrid environments.
- Implement centralized multicloud visibility and anomaly detection to rapidly detect suspicious automation and outbound C2 activity.
- Enforce strict egress filtering with FQDN and application-level controls, paired with encryption visibility, to block unauthorized data exfiltration.
- Apply real-time, inline IPS and distributed inspection to reduce the effectiveness of exploitation attempts and malicious payload delivery.
- Regularly audit IAM posture and network policies for privilege minimization, ensuring credentials and access are strictly aligned with least privilege.
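The following Python, added here as an example rather than code from the page or from CrowdStrike, shows what the egress and C2 recommendations above look like as detection logic: FQDN allowlist enforcement, beaconing detection by inter-connection regularity (the Remote Access Software / command-and-control case), and bulk outbound volume to a sanctioned web service (Exfiltration Over Web Service). The log format, the allowlist, the thresholds, and every sample line, hostnames included, are constructed for the example.

```python
"""Egress allowlist, beaconing and bulk-upload triage over egress logs.

Added example, not code from the original page or from CrowdStrike. The log format,
allowlist, thresholds and every sample line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "<UTC timestamp> <src_ip> <dst_fqdn> <bytes_out>".
# 10.0.1.15 beacons every 30 s to an unapproved host; 10.0.2.8 pushes 85 MB to an
# approved cloud storage host; the rest is ordinary update traffic.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.0.1.15 updates.example-erp.com 1200
2025-03-01T10:00:30Z 10.0.1.15 cdn.attacker-example.net 512
2025-03-01T10:01:00Z 10.0.1.15 cdn.attacker-example.net 530
2025-03-01T10:01:30Z 10.0.1.15 cdn.attacker-example.net 498
2025-03-01T10:02:00Z 10.0.1.15 cdn.attacker-example.net 520
2025-03-01T10:02:30Z 10.0.1.15 cdn.attacker-example.net 505
2025-03-01T10:05:00Z 10.0.2.8 api.github.com 900
2025-03-01T10:07:00Z 10.0.2.8 storage.googleapis.com 85000000
2025-03-01T10:09:00Z 10.0.3.4 updates.example-erp.com 1000
"""

# Assumed approved destinations; subdomains of an entry are treated as approved too.
ALLOWLIST = {"updates.example-erp.com", "api.github.com", "storage.googleapis.com"}


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst.lower().rstrip("."),
            "bytes_out": int(nbytes),
        })
    return events


def is_allowed(fqdn, allowlist):
    """Exact match or subdomain of an allowlisted name (no bare substring matching)."""
    return any(fqdn == a or fqdn.endswith("." + a) for a in allowlist)


def egress_violations(events, allowlist):
    """(src, dst) pairs that an FQDN egress policy would have blocked outright."""
    return {(e["src"], e["dst"]) for e in events if not is_allowed(e["dst"], allowlist)}


def beacon_candidates(events, min_events=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Coefficient of variation (stdev / mean) of the gaps near zero means a fixed-interval
    beacon; jittered implants push it up, so max_cv is a tuning knob, not a constant.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, avg, cv))
    return hits


def bulk_uploads(events, threshold=50_000_000):
    """(src, dst, bytes) triples whose total outbound volume reaches the threshold."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["src"], e["dst"])] += e["bytes_out"]
    return [(s, d, n) for (s, d), n in totals.items() if n >= threshold]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("policy violations:", egress_violations(evts, ALLOWLIST))
    print("beacon candidates:", beacon_candidates(evts))
    print("bulk uploads:", bulk_uploads(evts))
```

The third check is the one an allowlist alone misses: the 85 MB upload goes to an approved cloud storage host, so FQDN policy admits it and only volume or behavioral baselining catches it. In production the thresholds would be derived per host and per destination rather than fixed, and the beacon check would run over a longer window with a jitter-tolerant `max_cv`.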

