NICKEL ACADEMY
SUMMARY
NICKEL ACADEMY encompasses cyber operations conducted by North Korea’s Reconnaissance General Bureau (RGB) that are not attributed to a subgroup such as NICKEL GLADSTONE or NICKEL HYATT. NICKEL ACADEMY has been in operation since at least 2009, targeting South Korean government and commercial entities. It gained notoriety for attacking Sony Pictures Inc. in November 2014. Although the group primarily focuses on South Korean organizations, it has targeted organizations globally. Targets have included government agencies, think tanks, financial institutions, transportation organizations, utility companies, non-governmental organizations (NGOs), cryptocurrency exchanges, and defense contractors.
NICKEL ACADEMY uses customized malware tools and delivers its payloads through spearphishing. Other methods include disguising malware as legitimate applications, sometimes signed with stolen certificates, and conducting distributed denial-of-service operations. The threat actors routinely evolve their tooling, producing new variants of known malware families or new families that contain code components from older families. In the resulting tapestry of malware, some signature components persist for years. NICKEL ACADEMY has conducted isolated destructive cyber operations and continues to actively support North Korea's domestic and foreign agenda.