Shift of North Korean Hackers from Digital Surveillance to Ransomware Campaigns

Jul 25, 2024NewsroomMalware / Digital Surveillance



A North Korea-linked threat actor recognized for its digital surveillance operations has progressively expanded into financially-driven attacks involving the use of ransomware, making it unique among other nation-state hacking groups associated with the nation.

Mandiant, a company owned by Google, is documenting the activity cluster under a fresh alias APT45, which coincides with designations such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.

“APT45 is a well-established, moderately advanced North Korean cyber operative that has conducted surveillance campaigns dating back to 2009,” researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said. “APT45 has been consistently observed targeting critical infrastructure.”

It’s important to note that APT45, like APT38 (also known as BlueNoroff), APT43 (also known as Kimsuky), and Lazarus Group (also known as TEMP.Hermit), is a component of North Korea’s Reconnaissance General Bureau (RGB), the state’s primary military intelligence organization.


APT45 is notably linked to the utilization of ransomware families identified as SHATTEREDGLASS and Maui which targeted entities in South Korea, Japan, and the United States during the years 2021 and 2022. Details regarding SHATTEREDGLASS were provided by Kaspersky in June 2021.


“There is a possibility that APT45 is engaging in financially-driven cybercrime not only to further its own actions but also to gather funds for other top priorities of the North Korean state,” specified Mandiant.

One of the significant malware tools in their arsenal is a backdoor identified as Dtrack (also known as Valefor and Preft), which was initially employed in a cyber attack directed at the Kudankulam Nuclear Power Plant in India in 2019 – marking one of the few publicly known instances of North Korean actors targeting critical infrastructure.

“APT45 stands out as one of the longest-serving cyber groups of North Korea, and their actions are in line with the political goals of the regime as their operations have evolved from traditional cyber espionage against government and defense establishments to encompass sectors such as healthcare and agricultural science,” Mandiant remarked.

“Given the nation’s reliance on cyber activities as a tool of national influence, the operations executed by APT45 and other North Korean cyber groups could reflect the evolving priorities of the country’s leadership.”

The discovery coincides with the announcement by KnowBe4, a cybersecurity awareness training firm, that it had mistakenly hired an IT professional from North Korea as a software developer, who assumed the stolen identity of a U.S. citizen and enhanced their photograph using artificial intelligence (AI).

“This was a proficient IT worker from North Korea, backed by a state-supported criminal structure, who utilized the stolen identity of a U.S. citizen, engaged in multiple rounds of video interviews, and succeeded in bypassing standard background verification procedures typically used by corporations,” the firm stated.

The IT professional group, considered to be an element of the Workers’ Party of Korea’s Munitions Industry Department, has a history of seeking job opportunities in U.S.-based companies by pretending to be geographically located in the country when they are actually stationed in China and Russia, logging in remotely through laptops provided by a “laptop farm.”

KnowBe4 confirmed detecting suspicious activities on the Mac device sent to the individual on July 15, 2024, at 9:55 p.m. EST, including manipulation of session history files, transfer of potentially harmful data, and execution of malicious software. The malware was planted using a Raspberry Pi device.


Twenty-five minutes later, the cybersecurity firm from Florida said they isolated the employee’s device. There is no proof indicating unauthorized access to sensitive information or systems by the attacker.

“The deception involves them doing the actual work, receiving good pay, and channeling a significant amount to North Korea to fund their illicit programs,” said Stu Sjouwerman, the CEO of KnowBe4.

“This incident underscores the critical necessity for more rigorous vetting processes, ongoing security monitoring, and enhanced collaboration between HR, IT, and security departments to defend against sophisticated persistent threats.”
