A NEW FRONTLINE: PYONGYANG’S DIGITAL OFFENSIVE
The name “Lazarus Group” is a source of alarm for cybersecurity experts globally. For years, this North Korean state-sponsored entity operated in the shadows, targeting international banks and technology firms. Now, these hackers have significantly advanced their methods, and India, with its rapidly expanding digital economy, is facing the consequences directly.
The threat is no longer distant; it has arrived at the nation’s digital doorstep. At the core of this escalating cyber offensive is North Korea’s 227 Research Centre, a secretive unit reportedly using artificial intelligence to broaden the scope and effectiveness of its hacking operations. For India, this threat can no longer be ignored. From individual bank accounts and digital wallets to critical government infrastructure, North Korean hackers are actively targeting Indian assets, leaving behind a trail of financial losses and data breaches.
THE 227 RESEARCH CENTRE: WARFARE FOR THE DIGITAL AGE
Earlier this year, North Korean leader Kim Jong Un is reported to have ordered the establishment of the 227 Research Centre within the country’s formidable Reconnaissance General Bureau (RGB). Its mission is to pioneer 24/7 AI-enhanced hacking, staffed by a dedicated team of approximately 90 highly skilled experts. This represents a strategic shift towards arming elite digital operatives with intelligent systems that can learn, adapt, and execute attacks with unprecedented speed and scale. The centre’s explicit focus on artificial intelligence is what makes it particularly dangerous. Pyongyang is moving beyond conventional malware, which can often be detected by security systems, and is now integrating AI with its traditional hacking strategies.
This allows for the automation of attacks that can modify their behaviour in real-time to evade advanced cyber defences and outmanoeuvre human security analysts. The strategy is clear and methodical: automate every stage of an attack, including reconnaissance to find targets, penetration to breach defences, and the theft and exfiltration of data. These operations serve two main purposes: espionage and, more critically, generating revenue. Facing severe international sanctions, North Korea relies on cybercrime as a vital economic lifeline to fund its prohibited nuclear and weapons programs. Consequently, every rupee stolen from an Indian citizen or company could be directly financing the development of a missile.
LAZARUS GROUP: A PERSISTENT PREDATOR TARGETING INDIA
The Lazarus Group consistently features as a top threat in Indian cybersecurity reports. Directly linked to the North Korean state and known by aliases such as “Hidden Cobra” and “APT38,” the group has a documented history of targeting India. Its victims span from major financial institutions and sensitive nuclear facilities to the country’s growing cryptocurrency exchanges.
HISTORY OF CONFIRMED ATTACKS ON INDIAN TARGETS
India is not merely a potential target but has already suffered significant attacks:
* The Cosmos Bank Heist (2018): The Lazarus Group was linked to the theft of approximately $14 million from Pune-based Cosmos Bank. The highly coordinated attack involved orchestrating simultaneous ATM withdrawals across 28 countries using cloned debit cards.
* Kudankulam Nuclear Plant Breach (2019): Malware known as Dtrack, a tool associated with Lazarus, successfully infiltrated an administrative network at India’s Kudankulam Nuclear Power Plant, raising serious national security concerns. The attack was likely aimed at espionage to steal sensitive nuclear technology.
* WazirX Crypto Hack (2024): In a major blow to India’s crypto market, a staggering $235 million was stolen from one of the nation’s largest exchanges. A joint statement from the United States, Japan, and South Korea officially attributed the hack to the Lazarus Group.
These incidents are not random but part of a calculated campaign to fund the Pyongyang regime while creating instability in economies like India’s.
EVOLVING TACTICS: THE AI-HUMAN HACKING ALLIANCE
The emergence of the 227 Research Centre signals a significant evolution in North Korean cyber tactics, blending human ingenuity with the power of AI. This new approach is defined by its sophistication, precision, and scale:
* AI-Enhanced Phishing: Malicious emails and text messages are now crafted by AI to be nearly indistinguishable from legitimate communications from banks or government agencies. AI can analyse a target’s digital footprint to create highly personalized messages, dramatically increasing the chances of tricking a user into clicking a malicious link or divulging sensitive credentials.
* Automated Vulnerability Scanning: AI-powered tools can scan India’s vast digital infrastructure for weaknesses at incredible speeds. Automated, AI-assisted scanning can sweep millions of internet-facing websites and applications in minutes, flagging weaknesses that would take a human team months to find. This narrows the window between a security flaw becoming known and its exploitation, allowing hackers to strike almost as soon as a flaw emerges.
* Sophisticated Job Lures: Lazarus is targeting skilled professionals, not just financial assets. The group uses professional networking platforms like LinkedIn to send enticing but fake job offers to Indian software engineers. These “offers” are bait, delivering malware that gives hackers a foothold inside corporate networks to steal intellectual property and access critical systems.
* Advanced Money Laundering: After a successful heist, stolen digital assets must be laundered. North Korean operatives use complex networks and cryptocurrency mixers to obscure the money trail, converting stolen funds into hard-to-trace cash to support state objectives. This process is increasingly being automated, making it even more difficult for international law enforcement to follow the illicit funds.
These evolving tactics enable North Korean hackers to inflict economic damage, gather strategic intelligence, and create uncertainty, all while remaining beyond the reach of Indian authorities.
BROADER STAKES: BEYOND FINANCIAL THEFT
The implications of North Korea’s cyber operations against India extend far beyond monetary losses. The attacks serve a dual purpose:
* Funding a Sanctioned Regime: The primary motive is economic. Cryptocurrency and cash stolen from India are funnelled directly to bankroll North Korea’s nuclear and ballistic missile programs, which pose a threat to regional and global security.
* Strategic Espionage: Breaches of government, research, and critical infrastructure networks yield sensitive data that can undermine India’s national security and technological advantage.
The Indian government is actively coordinating with international partners, including the US, Japan, and South Korea, to share intelligence on North Korean cyber threats. This global collaboration acknowledges that the frontline of modern conflict is increasingly digital.
LOOKING AHEAD: BUILDING A RESILIENT DIGITAL DEFENCE
As North Korea’s Lazarus Group and the 227 Research Centre continue to advance the frontiers of cyber warfare, India’s defences must be equally adaptive.
Government initiatives for a national cyber command and enhanced international partnerships are crucial steps. However, the decentralized nature of cyber threats means this is a continuous battle of evolution. Every Indian, from ordinary citizens to corporate leaders and policymakers, is on the frontlines of this new battlefield. While Pyongyang’s hackers are geographically distant, their digital fingerprints are already present across India’s most critical networks. In an era defined by AI-driven conflict, the most effective defence is a vigilant and informed society. Our collective awareness and proactive security measures will serve as the ultimate shield for India’s digital future.
Brijesh Singh is a senior IPS officer and an author (@brijeshbsingh on X). His latest book on ancient India, “The Cloud Chariot” (Penguin), is out on stands. Views are personal.