The US Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operator for allegedly carrying out ransomware attacks on US medical facilities and funneling the ransom payments into additional intrusions against defense, technology and government organizations around the world.
“Rim Jong Hyok and his associates developed extortion programs to extort money from American hospitals and health care companies, and then laundered the proceeds to help finance North Korea’s illicit activities,” said Paul Abbate, Deputy Director of the Federal Bureau of Investigation (FBI). “These unacceptable and illegal actions put innocent lives at risk.”
Alongside the indictment, the US State Department announced a reward of up to $10 million for information leading to his location or to the identification of other individuals connected with the malicious activity.
Rim, a member of the hacking team tracked as Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), is said to be behind ransomware attacks using a strain called Maui, which first came to light in 2022 for targeting organizations in Japan and the United States.
The ransom payments were laundered through intermediaries in Hong Kong, who converted the illicit proceeds into Chinese yuan. The funds were then withdrawn from ATMs and used to purchase virtual private servers (VPS), which in turn were used to steal sensitive defense and technology information.
The campaign targeted two US Air Force bases and NASA’s Office of Inspector General (NASA-OIG), as well as South Korean and Taiwanese defense contractors and a Chinese energy company.
In one case highlighted by the State Department, an intrusion that began in November 2022 saw the threat actors steal more than 30 gigabytes of data from an unnamed US defense contractor, including unclassified technical information about materials used in military aircraft and satellites.
The agencies also announced “the forfeiture of approximately $114,000 in virtual currency proceeds from ransomware attacks and related money laundering transactions, and the seizure of online accounts used by conspirators to conduct their malicious cyber activities.”
Andariel, affiliated with the 3rd Bureau of the Reconnaissance General Bureau (RGB), has a track record of attacks on foreign businesses, governments, and the aerospace, nuclear and defense industries, aimed at obtaining sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear ambitions.
Other recent targets of interest include South Korean educational institutions, construction companies and manufacturing organizations.
“This group poses a persistent threat to various industry sectors worldwide, including but not limited to organizations in the United States, South Korea, Japan, and India,” the National Security Agency (NSA) said. “The group funds its espionage activities through ransomware operations against US medical institutions.”
Initial access to target networks is achieved by exploiting known N-day security flaws in internet-facing applications, after which the hacking group carries out reconnaissance, file system enumeration, persistence, privilege escalation, lateral movement, and data exfiltration using a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities.
Other documented malware distribution vectors involve phishing emails carrying malicious attachments, such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) files packed inside ZIP archives.
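The LNK-and-HTA-inside-a-ZIP lure described above is easy to screen for at a mail gateway without ever extracting the archive to disk. The following Python is an added example written for this article, not code from any of the agencies or vendors quoted here; the ZIP it inspects is constructed in memory for the demonstration, and the extension list beyond `.lnk` and `.hta` is an assumption.

```python
import io
import zipfile

# The article names LNK and HTA as the attachment types used in Andariel lures;
# the remaining entries are a typical mail-gateway block list (assumption).
RISKY_EXTENSIONS = {".lnk", ".hta", ".js", ".vbs", ".exe", ".scr"}


def risky_archive_members(zip_bytes: bytes) -> list[str]:
    """Return the names of members inside a ZIP attachment whose final
    extension is in RISKY_EXTENSIONS.

    Operates on the raw attachment bytes, so nothing is written to disk and
    no member is ever executed or opened by an associated application.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Use the last extension so double extensions such as
            # "contract.pdf.lnk" are still caught.
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                found.append(info.filename)
    return found


def build_sample_zip() -> bytes:
    """Construct a sample lure archive in memory (constructed test data).

    The member contents are placeholders; they are not real shortcut or
    HTA payloads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract_2023.pdf.lnk", b"placeholder, not a real shortcut")
        zf.writestr("invitation.hta", b"<html><!-- placeholder --></html>")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("risky members:", risky_archive_members(sample))
```

In a real gateway the same function would run over every ZIP attachment before delivery, and a non-empty result would quarantine the message rather than merely log it; the double-extension check matters because Windows Explorer hides the trailing `.lnk` by default.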
“The actors are well versed in using native tools and processes on systems, known as living off the land (LotL),” the US Cybersecurity and Infrastructure Security Agency (CISA) said. “They use the Windows command line, PowerShell, the Windows Management Instrumentation command line (WMIC), and Linux bash to enumerate the system, network, and accounts.”
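Because each of the enumeration commands CISA lists is also something an administrator types every day, detection has to look at the cluster rather than the individual command. The Python below is an added example, not code from CISA or any other party quoted in this article; it parses constructed process-creation log lines in a made-up `ts host= user= cmd=` format and raises an alert only when one host runs several distinct classes of enumeration (WMIC, net, PowerShell cmdlets, cmd.exe built-ins, bash) inside a short window. The regex patterns and the format are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per enumeration class named in CISA's description of the
# actor's living-off-the-land tradecraft. Patterns are assumptions for this
# example and deliberately narrow; tune them to your own environment.
ENUM_PATTERNS = {
    "wmic_enum": re.compile(
        r"\bwmic(\.exe)?\b.*\b(process|useraccount|computersystem|os|nicconfig)\b", re.I),
    "net_enum": re.compile(r"\bnet(\.exe)?\s+(user|group|localgroup|view|share)\b", re.I),
    "ps_enum": re.compile(
        r"\bpowershell(\.exe)?\b.*\bGet-(ADUser|LocalUser|NetIPConfiguration|Process|Service)\b", re.I),
    "cmd_enum": re.compile(r"\b(whoami|systeminfo|ipconfig|tasklist|nltest|query\s+user)\b", re.I),
    "bash_enum": re.compile(r"\b(uname\s+-a|cat\s+/etc/passwd|ifconfig|ip\s+a(ddr)?)\b", re.I),
}

# Constructed log format (assumption): "<ISO timestamp> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: WS01 shows a burst across four classes in five minutes,
# WS02 runs two harmless commands hours apart, SRV01 runs two bash commands of
# the same class. Only WS01 should alert.
SAMPLE_LOG = """\
2024-07-25T09:58:10Z host=WS01 user=jdoe cmd=whoami
2024-07-25T10:00:12Z host=WS01 user=jdoe cmd=wmic useraccount get name,sid
2024-07-25T10:01:03Z host=WS01 user=jdoe cmd=net group "Domain Admins" /domain
2024-07-25T10:02:40Z host=WS01 user=jdoe cmd=powershell -nop -c Get-LocalUser
2024-07-25T10:03:15Z host=WS01 user=jdoe cmd=systeminfo
2024-07-25T11:15:00Z host=WS02 user=svc_backup cmd=ipconfig /all
2024-07-25T14:30:00Z host=WS02 user=svc_backup cmd=tasklist
2024-07-25T10:05:00Z host=SRV01 user=root cmd=uname -a
2024-07-25T10:06:00Z host=SRV01 user=root cmd=cat /etc/passwd
"""


def classify(cmdline: str) -> list[str]:
    """Return every enumeration class whose pattern matches the command line."""
    return [name for name, pat in ENUM_PATTERNS.items() if pat.search(cmdline)]


def find_enumeration_bursts(lines, window=timedelta(minutes=10), min_categories=3):
    """Map host -> sorted enumeration classes for hosts that ran at least
    `min_categories` distinct classes within any `window`-long span."""
    events = defaultdict(list)  # host -> [(timestamp, class)]
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for cat in classify(m["cmd"]):
            events[m["host"]].append((ts, cat))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        # Slide a window anchored on each event; alert on the first window
        # that contains enough distinct classes.
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts


if __name__ == "__main__":
    for host, cats in find_enumeration_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: enumeration burst across {', '.join(cats)}")
```

The design choice worth noting is the threshold on distinct classes rather than raw command count: a help-desk script that runs `ipconfig` fifty times never trips it, while an operator working through accounts, groups, processes and network configuration by hand does.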
Microsoft, in its own guidance on Andariel, describes the group as maintaining an ever-evolving toolkit, adding new functionality and new ways to evade detection, while exhibiting a “fairly uniform attack pattern.”
“Onyx Sleet’s ability to develop a range of tools to launch a proven chain of attacks makes it a persistent threat, particularly to targets of North Korean intelligence interest, such as organizations in the defense, engineering, and energy sectors,” the Windows maker noted.
Some of the noteworthy tools highlighted by Microsoft are listed below:
- TigerRAT – Malware that can steal sensitive information and execute commands received from the command-and-control (C2) server, including keylogging and screen recording
- SmallTiger – A C++ backdoor
- LightHand – A lightweight backdoor for remote access to infected devices
- ValidAlpha (aka BlackRAT) – A Go-based backdoor that can run an arbitrary file, list the contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands
- Dora RAT – “Simple malware” with reverse shell support and file upload/download capabilities
“They have evolved from destructive attacks on South Korean financial institutions to attacks on US healthcare with ransomware known as Maui, although not on the scale of other Russian-speaking cybercriminal groups,” said Alex Rose, director of threat research and government partnerships at Secureworks’ Counter Threat Unit.
“This is in addition to their primary mission of gathering intelligence on foreign military operations and acquiring strategic technology.”
Andariel is just one of a number of state-sponsored hacking groups operating under the direction of the North Korean government and military, alongside other clusters tracked as Lazarus Group, BlueNoroff, Kimsuky and ScarCruft.
“For decades, North Korea has engaged in illicit revenue generation through criminal enterprises to compensate for its lack of domestic industry and its global diplomatic and economic isolation,” Rose added.
“Cyber was quickly embraced as a strategic capability that could be used for both intelligence gathering and money-making. While historically these objectives have been covered by different groups, the past few years have seen a blurring of the lines, and many of the cyber threat groups acting on behalf of North Korea are also in the business of making money.”