North Korean hackers have been accused of orchestrating some of the most high-profile cyber attacks of recent years — including the WannaCry ransomware attack that infected 200,000 computers across 150 countries. Now Pyongyang’s state-backed hackers are shifting focus to critical infrastructure, such as nuclear power plants and oil refineries, according to researchers at Dragos cybersecurity firm.

The latest threat comes from hacking group “Covellite,” which was spun out of the state-backed hacker group Lazarus, known for allegedly conducting some of the most high-profile cyber attacks of recent memory.

Researchers from Dragos said they were able to link the new group to Pyongyang because the hackers used many of the same cyber weapons and servers tracked in the attack on Sony Pictures in 2014. Dan Gunter, the company’s principal threat analyst, told VICE News that the shift in focus towards critical systems marked an escalation from Pyongyang:

“The hackers are now starting to look at industrial control systems, or get into that space, and that is worrisome.”

Industrial control systems are the points at which the cyber world meet the physical one. Because of their efficiency, they are increasingly used across major industries and in some of the most critical infrastructures around the world. These systems do everything from controlling nuclear power plants to monitoring electrical grids and oil fields. Recently hackers have started to exploit their vulnerabilities.

Dragos says it analyzed 163 new security vulnerabilities that appeared in industrial-control components in 2017. It found that 61 percent of them would likely cause “severe operational impact” if exploited in a cyberattack.

The vulnerability of these systems was most nakedly exposed in Ukraine, where a Russian-linked group of hackers shut off the power to hundreds of thousands of users in December 2016, in what security experts viewed as a stark warning of the hacking wars to come.

New hackers, new targets

Under the shadow of its nuclear missile program, North Korea has ramped up the size and sophistication of its cyber army in recent years. Given the level of sophistication the Lazarus group has demonstrated, researchers now worry the elite hacking group will share its techniques with Covellite, the team targeting critical systems in the West.

Dragos first spotted the North Korean group’s activity in September 2017, when they conducted a highly-targeted attack against an unnamed U.S. electric company.

The hackers used carefully-tailored emails to trick employees of the electric company into downloading malware, a tactic Gunter said that has grown common in these type of attacks.

“These attackers are not just shooting it out, they are actually looking at local topics to build their phishing messages around,” Gunter said, saying the group is also looking at targets in the Europe.

Darien Huss, a researcher at cybersecurity firm Proofpoint, believes it’s only a matter of time before more sophisticated attacks are launched on these industrial control systems.

“Repeated attacks and continued innovation from this group have been used to target other industries, including the financial sector,” said Huss. “Therefore it would not be surprising to see this level of sophistication aimed at ICS-related organizations.”

Proofpoint, which also tracks North Korea’s hacking efforts, said they have not observed any new attacks against critical infrastructure targets by the Covellite group since September 2017.

Observers paying close attention to western infrastructure's glaring vulnerabilities continue to point to the attack on Ukraine as the road flare for this nascent threat. Yet unlike those who attacked Ukraine, this new breed of North Korean hackers haven’t attracted much attention to date. That’s mainly because they haven’t conducted any attacks that have caused destruction to the systems they infiltrate.