APT Profile – Lazarus Group
The APT with countless lives
- 20 February 2024
- Zettl-Schabath, Kerstin; Jazxhi, Alisa; Borrett, Camille
- EN
About Lazarus Group
It is important to emphasise that, compared with other nation-state APTs, there is little consolidated, broadly-recognised knowledge about the Lazarus Group and its specific political affiliations within the North Korean state apparatus. The name usually acts as an umbrella term for a wider subset of North Korean cyber activities and the sub-groups responsible for them, which often makes the attribution of specific operations difficult (see section “Attribution Ambiguities” below). The threat intelligence community, academics, and state authorities so far have no common understanding of a clearly-defined hierarchy or organisation of North Korean cyber units and their respective APT designations. The present profile therefore seeks to distinguish the more general aspects that can be regarded as a common denominator from more specific details that are still contested by the various actors analysing the regime’s cyber posture.
In general, the Lazarus Group refers to a large subset of state-sponsored cyber activities of the Democratic People’s Republic of Korea (DPRK), operating as an integral wing of North Korea’s central foreign intelligence agency, the Reconnaissance General Bureau (RGB), which comprises six different bureaus. It is a widely-accepted understanding that North Korean cyber activity of any kind is most likely directed or controlled by the RGB. Within the RGB, most sources, including academic analyses and threat intelligence reports such as one from Mandiant in 2023, associate the Lazarus Group with the RGB’s Lab 110. Mandiant describes Lab 110 as an expanded/reorganised version of the better-known Bureau 121, often referred to as North Korea’s primary hacking unit. Older sources, such as an academic chapter by South Korean researchers from 2019, consider Lab 110 to be subordinate to Bureau 121.
Associated APT designations
- Lazarus Group (Novetta/Kaspersky)
- Labyrinth Chollima (CrowdStrike)
- Diamond Sleet, fka ZINC (Microsoft)
- G0032 (MITRE ATT&CK)
- HIDDEN COBRA (CISA/US DHS)
- NICKEL ACADEMY (Secureworks)
- Guardians of Peace (self-given)
- New Romantic Cyber Army Team (McAfee)
- Whois Hacking Team (McAfee)
- Group 77 (Talos)
- Appleworm (origin unknown)
Country of origin
Period of activity
2009 – today