Microsoft (MS) said it has confirmed the first instance of North Korea joining the "ransomware as a service (RaaS)" ecosystem as a partner. The RaaS model, which handles ransomware in a service format, enables individuals without hacking skills to launch attacks, leading analysts to say North Korea's cyberattack methods are becoming more sophisticated.
According to the "2025 Digital Defense Report" released by MS on Oct. 17, the company's threat intelligence team detected a move by North Korean hackers to join RaaS and outsource parts of their operations. The report said, "North Korea aims to allocate resources efficiently and focus on infiltration activities," warning that "the frequency and sophistication of ransomware attacks could rise further."
The report said North Korea has also stepped up phishing operations to steal intellectual property (IP) related to weapons systems and confirmed cases of using cloud infrastructure to conceal command and control (C2) servers. This makes detection and blocking of attacks more difficult, indicating that defenses are being evaded with increasingly advanced techniques.
MS analyzed that North Korea's hacking targets are concentrated in IT (33%), academia (15%), and think tanks and nongovernmental organizations (8%). By country, the United States accounted for half (50%) of the total and suffered the most attacks, followed by Italy (13%), Australia (5%), and the United Kingdom (4%). Korea was tallied at around 1% of the total.
The report noted that North Korea is primarily targeting blockchain and cryptocurrency, defense and manufacturing, and institutions related to East Asia policy, reflecting national aims of revenue generation and intelligence collection. Meanwhile, Russian cyberattacks also increased this year, with 9 of the top 10 most-targeted countries being members of the North Atlantic Treaty Organization (NATO).