Dive Brief:
- Hackers affiliated with the North Korean government accounted for a plurality of nation-state cyberattacks between April and September, according to a threat report that Trellix published on Thursday.
- Pyongyang’s cyber army has been deploying more sophisticated hacking techniques, including malware-free intrusion methods.
- North Korean cyberattacks “are deepening and diversifying, from phishing and espionage to employment-based infiltration,” Trellix said in its report, “thus demanding a more dynamic, intelligence-led response from organizations and governments alike.”
Dive Insight:
“North Korean-affiliated groups dominate the threat detection landscape,” Trellix said in its report. The infamous Lazarus Group tops the list, accounting for 8.6% of Trellix’s detections, with Andariel and Kimsuky taking second and third place, respectively.
Together, groups affiliated with North Korea account for 18.2% of all the nation-state-aligned activity that Trellix identified.
Trellix said the finding “represents a significant escalation” in North Korea’s cyber activity, and it noted that the country’s operatives are pursuing careful and difficult-to-detect intrusion strategies, including remote IT worker schemes.
Nation-state hacker groups in general are eschewing malware and vulnerabilities in favor of living-off-the-land techniques, according to the report. The built-in Windows features Command Prompt and PowerShell topped the list of hackers’ most commonly used tools, which Trellix said was consistent with “the use of advanced evasion strategies designed to blend with normal network activity.”
The company said its threat report revealed “a mature [advanced persistent threat] ecosystem with established tool preferences, continuous innovation, and clear alignment with strategic intelligence objectives.”
To address this threat environment, Trellix said, security leaders “must implement layered defenses” that can detect custom attack tools and abuses of legitimate processes. That includes detection software that can identify behavioral anomalies using contextual information, zero-trust principles such as least-privilege access, and isolation of high-value assets. System administrators should also strictly enforce access to privileged accounts, which are top targets for hackers seeking to move across a network.
“Collaboration between SOC, IT, and threat intelligence teams ensures that subtle deviations, such as unusual command-line usage or lateral movement through legitimate credentials, are identified early,” Trellix said.
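As an added defensive illustration, not code from the Trellix report or this article, the Python below scores constructed process-creation records for the kind of unusual command-line usage described above, combining PowerShell/cmd flag patterns with parent-process context; the event shape, field names, patterns and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed process-creation records, loosely shaped like an EDR / Sysmon Event ID 1
# feed (host, user, parent image, child command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "jdoe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"host": "ws-01", "user": "jdoe", "parent": "winword.exe",
     # the -enc argument is a dummy base64 string ("Placeholder" in UTF-16LE), not a payload
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"host": "srv-02", "user": "svc_backup", "parent": "services.exe",
     "cmdline": "cmd.exe /c robocopy D:\\data \\\\backup\\share /MIR"},
    {"host": "ws-03", "user": "asmith", "parent": "outlook.exe",
     "cmdline": "cmd.exe /c whoami /all"},
]

# Command-line patterns that rarely appear in legitimate interactive admin use.
SUSPICIOUS_FLAGS = {
    "encoded_command": re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|invoke-webrequest|iex\b", re.I),
}
# Parents that should not normally spawn a shell: a contextual signal, not proof on its own.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    reasons = [name for name, pat in SUSPICIOUS_FLAGS.items() if pat.search(event["cmdline"])]
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("shell_spawned_by_office_app")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Flag events whose combined signals reach the threshold (assumed value), oldest first."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "score": score, "reasons": reasons})
    return findings


def tool_usage(events):
    """Count which built-in shell launched each event (cmd.exe vs powershell.exe)."""
    return Counter(ev["cmdline"].split()[0].lower() for ev in events)
```

A single weak signal (here, a shell launched from Outlook) stays below the threshold, which is where the SOC, IT and threat-intelligence collaboration the report calls for decides whether it is noise or an early indicator.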
The report also found that the telecommunications sector was both cybercriminals’ and nation-state hackers’ top target, accounting for 71% of attacks. Technology, transportation, business services and finance rounded out the top-five list.
Interestingly, Turkey accounted for the most detections of nation-state hacking victims, at 33%, with the U.S. coming in second, at 24%. Trellix speculated that Turkey’s prominence reflected “coordinated campaigns potentially related to its strategic position between Europe and Asia, its critical infrastructure, and regional geopolitical tensions.” Hackers overwhelmingly focused on Turkey’s telecom networks, while activity in the U.S. was spread more evenly between technology and business services.
“Organizations face a mature APT ecosystem characterized by persistent, targeted campaigns with clear geopolitical motivations,” Trellix said. “The concentration of activity in critical infrastructure sectors, combined with the dominance of state-sponsored actors, indicates APT operations are increasingly aligned with national security objectives rather than purely financial motivations.”