North Korean hackers are increasingly trying to steal cash rather than secrets, a South Korean government-backed report suggests.
Cyber-criminals are targeting financial institutions as Pyongyang faces tough nuclear sanctions, the Financial Security Institute (FSI) claims.
Suspected hacking attempts were until recently thought to be aimed at causing disruption or accessing data.
North Korea has routinely denied involvement in cyber-attacks.
The FSI analysed cyber-attacks between 2015 and 2017.
The impoverished country is now facing even tougher international sanctions aimed at stopping the flow of money that would support the development of its weapons programme.
Perhaps the most high profile hack linked to North Korea in recent years targeted Sony’s entertainment business in 2014 – wiping out massive amounts of data and leading to the online distribution of emails, personal and sensitive employee data as well as pirated copies of new movies.
However the FSI is not alone in saying there had been a shift away from this kind of disruptive, embarrassing hack, and towards cyber-attacks raising money.
Some cyber-security firms have also connected North Korea with the global “WannaCry” cyber attack that affected 150 countries in May and crippled parts of Britain’s National Health Service (NHS). and demanded victims pay to access data.
US officials are also believed to be building a case linking last year’s $81m (£62m) cyber-heist at the Bangladesh central bank to North Korean hackers.
And Russian firm Kaspersky has linked North Korea to attacks on Polish banks.
A report by FireEye says that North Korean cyber-operators are “increasingly engaged in financially motivated activity” and targeting virtual currency services.
“Actors are targeting virtual currency service providers such as exchanges and brokerage services based in South Korea,” FireEye said.
“It is not yet clear how North Korean actors are leveraging virtual currencies, although targeting of these services demonstrates definite interest.”
North Korea is also reported to be mining the virtual currency Bitcoin.
Fireye said that such currencies were attractive to criminals because they could be traded in relative anonymity, compared with currencies that are managed and tracked by central banks.
New hacking group
The FSI report identifies eight specific instances where hackers targeted South Korean government and commercial institutions.
The report also identified a hacking group named Andariel that “has been active since at least May 2016,” according to a translation of the document by Reuters.
Andariel is believed to have tried to steal bank card information by hacking into automated teller machines to either withdraw cash or sell the data on the black market.
It has also allegedly created malware to hack into online poker and other gambling sites and steal cash.
The FSI was launched by the South Korean government in 2015, following attacks on major South Korean banks.
This week BBC News is taking a close look at all aspects of cyber-security. The coverage is timed to coincide with the two biggest shows in the security calendar – Black Hat and Def Con.