North Korean Hackers Are Getting Smarter and More Dangerou…


North Korean hackers are demonstrating a growing interest in breaching the critical infrastructure underpinning all of modern life, and they’re getting better at thwarting attempts to stop them.

Latest example: the North Korea-based “Lazarus Group” hacker team broke into a U.S. healthcare company and a British company that operates part of the internet’s core infrastructure. The U.K. cyberattack took advantage of a software vulnerability that had only been demonstrated five days earlier, according to new research published on Thursday by Cisco cybersecurity experts. 

It was the group’s third documented campaign in less than a year, a series of attacks that included one in September 2022 in which North Korean hackers penetrated U.S., Canadian and Japanese energy companies using a major vulnerability in widely used open-source code. 

Pyongyang’s cyber army is best known for hacking Sony Pictures Entertainment in 2014 and breaking into an endless series of cryptocurrency companies to steal money to fund the country’s heavily sanctioned government. For years, U.S. intelligence officials have treated North Korea as a junior player in a space dominated by more disruptive and sophisticated Russian, Chinese and Iranian cyberattacks. But the new research from Cisco suggests that North Korea is becoming a more serious threat.

Cisco’s report did not name the U.K. infrastructure provider or the U.S. healthcare company hacked in the newly disclosed campaign. But the infrastructure firm is a medium- to large-sized operator, a Cisco spokesperson told The Messenger.

The report, combined with a February warning from U.S. and South Korean security agencies about North Korean ransomware attacks on healthcare companies, sheds light on the increasing boldness and potential destructiveness of North Korea’s operations.

The consequences of cyberattacks on healthcare companies have been well documented, including the closures of emergency rooms and the cancellations of important elective procedures. But less attention has focused on the damage that North Korean hackers might be able to do by sabotaging the internet’s “backbone” infrastructure—the core networks run by companies like AT&T and Verizon to which all other internet service providers connect.

With the right access to a backbone provider like the one they hacked in the U.K., Pyongyang’s cyber warriors could intercept, redirect, tamper with or block internet traffic. This kind of interference could enable them to steal or corrupt valuable data. And while the U.S. and its allies transmit classified intelligence through secure means, less well-protected data—potentially including people’s private photos and emails—could be vulnerable to hackers camped out on an infrastructure provider’s networks.

Cisco only observed limited activity on both recent victims’ networks after the intrusions, the Cisco spokesperson said. Researchers aren’t sure why this was, but the spokesperson said that it could have been “because the activity was detected within a reasonable time frame or Lazarus deemed that the victims weren't valuable enough to pursue further malicious activity.”

The new report contains other interesting details about how North Korean hackers do their work. It describes a new remote access trojan, or RAT, called CollectionRAT, which gathers information about infected computers and executes commands transmitted by the hackers. The report also describes how the hackers are increasingly relying on publicly available hacking tools instead of custom-built malware in the initial stage of their attacks.

In a separate report also published Thursday, Cisco researchers explained how North Korea made one piece of its hacking arsenal—a tool that it used to breach the British internet infrastructure company—hard for experts to study.

The hackers wrote their code using the Qt framework, which “increases the code complexity, making human analysis harder,” the researchers wrote. Plus, because Qt is “rarely used” to write malware, automated analysis is also “less reliable.”

Notably, the North Korean attacks aren’t especially novel. Rather, they’ve continually reused internet servers and attack strategies that have been well documented. Hackers generally avoid reusing servers tagged as malicious and strategies that defenders know to look out for. North Korea’s continued success using these straightforward techniques shows how weakly guarded much of the internet remains. 

The Lazarus Group’s approach “highlights the group’s confidence in their operations,” Cisco researchers wrote, “but also presents opportunities for security researchers” to spot hackers’ activities and uncover their new tools.
