Agencies Warn of North Korean Hacks on Nuclear Installations
Andariel Group Seeking Classified Technology to Power Pyongyang's Nuclear Program

United States, British and South Korean government agencies blamed a North Korean espionage group for targeting their defense, aerospace and energy sectors to steal Western nuclear and military technologies to advance the Kim Jong Un regime's military and nuclear ambitions.
Spearheading the campaign is the Pyongyang- and Sinuiju-based division of the Reconnaissance General Bureau, North Korea's premier intelligence agency, which includes Andariel, a cyberespionage group that weaponizes vulnerabilities in enterprise software and web servers to infiltrate corporate networks and steal information of interest to the regime, according to a joint advisory from multiple agencies including South Korea's National Intelligence Service and the National Police Agency, the U.K.'s National Cybersecurity Center, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI.
The group, also tracked as Onyx Sleet, DarkSeoul, Silent Chollima and Stonefly, primarily targets Western and allied defense, aerospace, nuclear and engineering organizations and funds its operations through ransomware attacks on U.S. healthcare institutions, the agencies said.
Last week, cybersecurity company Mandiant accused the hacking group, which it tracks as APT45, of seeking intelligence on government nuclear facilities, research institutes and defense systems, among other targeted espionage campaigns. The group recently expanded its operations to target the healthcare, energy and financial sectors (see: Mandiant: North Korean Hackers Targeting Healthcare, Energy).
In recent years, the group has actively pursued classified technical information related to military systems such as battle tanks, artillery guns, small combat ships, submarines and underwater vehicles, fighter aircraft, and satellites to help shore up North Korea's weapons development capabilities.
According to the joint advisory, Andariel's reliance on cyberespionage to access classified military technologies marks a shift from its earlier operations, which focused on launching destructive cyberattacks against U.S. and South Korean organizations. The group currently relies on exploiting vulnerabilities in popular applications and servers to infiltrate targeted networks.
South Korea's AhnLab Security Intelligence Center in early July said the state-sponsored hacking group weaponized vulnerabilities in a South Korean ERP solution and decade-old Windows IIS web servers to infect and steal data from the networks of South Korean organizations (see: Andariel Group Using Software Flaws to Target South Korea).
According to the agencies, the hacking group researches common vulnerabilities and exposures, or CVEs, published in the NIST National Vulnerability Database, gathers open-source information about its victims and develops exploits to infiltrate their networks. In recent years, the group exploited CVEs in MOVEit, Citrix NetScaler, Ivanti Endpoint Manager Mobile, GoAnywhere MFT, ManageEngine, Apache HTTP Server and other widely used software platforms.
After infiltrating a network, the group uses "living off the land" techniques, deploying native tools and processes such as the Windows command line, PowerShell, the Windows Management Instrumentation command line and Linux Bash to enumerate systems, networks and accounts. It also uses commercial tools with advanced anti-debugging and detection-evasion capabilities to operate undetected, and tools such as Mimikatz, ProcDump and Dumpert to steal credentials and access the Active Directory domain database.
The group's custom tools enable it to execute malicious commands, log keystrokes, retrieve browser history, snoop on processes, capture network connections, write to files and upload content to a command-and-control server.