Researchers from Dragos said last week that the advanced persistent threat (APT) group, called Covellite, has been previously linked to attacks against US, European and East Asian organizations in the civilian energy sector.
While Covellite appears to lack the means to attack industrial control systems (ICSs) at present, the APT is still able to gather intelligence on intellectual property and internal industrial operations.
Researchers first recorded attacks by Covellite against US targets in 2017. A targeted phishing campaign was launched against a number of select US electric companies, in which fraudulent emails contained remote access tool (RAT) payloads used to conduct reconnaissance and maintain persistence on victim PCs.
However, it now appears that the US has been crossed off the target list, at what appears to be an interesting time to do so, as North Korea has a current interest in patching up its relationship with America.
US President Trump and North Korean leader Kim Jong Un are soon to meet at a summit in Singapore.
The APT is still actively targeting organizations in other countries.
According to Dragos, Covellite's infrastructure and malware arsenal are similar to those of the North Korean Lazarus Group, also known as Hidden Cobra.
North Korea was blamed for the attack due to the Lazarus connection, an accusation the country has deemed "absurd."
A technical analysis of the APT has also revealed that Covellite is making use of malware developed from Lazarus toolkits.
Beyond this connection, however, Dragos is not certain whether the two groups and their campaigns are connected.
"Given the group's specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry," the researchers say.
State-sponsored threat actors emerge from most countries, and with the backing of states and far greater resources than most individual operations, they have the potential to cause the most damage.