U.S. Department of Justice Indicts North Korean Hacker for Extorting Hospitals with Ransomware


The U.S. Department of Justice (DoJ) has unsealed an indictment against a North Korean military intelligence operative accused of conducting ransomware attacks on healthcare facilities in the United States and channelling the payments into further intrusions against defense, technology, and government organizations worldwide.

Paul Abbate, the deputy director of the Federal Bureau of Investigation (FBI), stated, “Rim Jong Hyok and his collaborators utilized ransomware to extort U.S. healthcare establishments, later laundering the profits to support North Korea’s wrongful activities.” Abbate emphasized that these unauthorized and illegal deeds endangered innocent lives.

Simultaneous with the indictment, the U.S. Department of State disclosed a bounty of up to $10 million for details that could reveal his location or identify other individuals involved in the malicious actions.

Rim, a member of the hacking team tracked as Andariel (also known as APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), has been linked to ransomware attacks using the Maui ransomware family, which was first documented in 2022 in attacks on organizations in Japan and the United States.

The ransom payments were laundered through facilitators based in Hong Kong, who converted the proceeds into Chinese yuan; the cash was then withdrawn from an ATM and used to buy virtual private servers (VPSes), which in turn were used to exfiltrate sensitive defense and technology data.


The primary targets of these operations include two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy firm.

An incident highlighted by the State Department revealed that a cyber assault in November 2022 resulted in threat actors exfiltrating over 30 gigabytes of data from an unidentified U.S.-based defense firm, containing unclassified technical details on materials used in military aircraft and satellites.

The authorities have also reported the “seizure of about $114,000 in virtual currency proceeds from ransomware attacks, along with the confiscation of online accounts used by associates to conduct their malevolent cyber operations.”

Andariel, attributed to the 3rd Bureau of North Korea's Reconnaissance General Bureau (RGB), has a history of targeting foreign businesses, government agencies, and organizations in the aerospace, nuclear, and defense sectors to acquire confidential technical information and intellectual property in support of the regime's military and nuclear ambitions.

Recent targets have included South Korean educational institutions, construction firms, and manufacturing entities.

The National Security Agency (NSA) remarked, “This group remains a persistent threat to various industry sectors globally, including entities in the United States, South Korea, Japan, and India. The group sustains its spying activities through ransomware operations against U.S. healthcare establishments.”

The attackers typically gain initial access by exploiting known vulnerabilities in Internet-facing web applications, then carry out reconnaissance, file system enumeration, persistence, privilege escalation, lateral movement, and data exfiltration using a mix of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities.

Other documented methods for malware delivery involve phishing emails containing malicious attachments like Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files enclosed in ZIP archives.

“The actors exhibit proficiency in utilizing native tools and processes on systems, known as living-off-the-land (LotL),” as stated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “They leverage Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash for system, network, and user enumeration.”
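The two behaviours described in the preceding paragraphs, a LNK/HTA lure delivered inside a ZIP and a burst of native enumeration commands, leave a recognisable footprint in process-creation telemetry. The following is an added detection sketch, not code from the article or from any of the agencies quoted; it runs over a handful of constructed, Sysmon-like process-creation events whose field names (host, ts, pid, ppid, image, parent_image, cmdline, cwd) are assumptions about the log shape. The ZIP-preview rule relies on the fact that Windows Explorer extracts a double-clicked archive into %TEMP%\Temp<n>_<archive>.zip\ before launching anything inside it.

```python
"""Toy detections for two behaviours described above (added example, not from the
article or any agency advisory):
  1. a burst of living-off-the-land enumeration tools spawned by one parent process;
  2. a shell or script host started from Windows Explorer's ZIP preview folder, the
     footprint of a LNK/HTA lure delivered inside a ZIP attachment.
Input is a list of constructed process-creation events; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Native enumeration binaries named in the CISA advisory plus common companions.
ENUM_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "wmic.exe", "systeminfo.exe",
              "ipconfig.exe", "tasklist.exe", "nltest.exe", "quser.exe", "hostname.exe"}
# Processes that execute LNK targets or HTA files.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Explorer extracts a previewed ZIP into %TEMP%\Temp<n>_<archive>.zip\ before running its contents.
ZIP_PREVIEW_DIR = re.compile(r"\\AppData\\Local\\Temp\\Temp\d+_[^\\]+\.zip(?:\\|$)", re.IGNORECASE)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _base(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lotl_enumeration(events, window=timedelta(seconds=120), min_tools=3):
    """Flag a parent that spawns >= min_tools distinct enumeration binaries within `window`."""
    by_parent = defaultdict(list)
    for e in events:
        if _base(e["image"]) in ENUM_TOOLS:
            by_parent[(e["host"], e["ppid"])].append((_ts(e["ts"]), _base(e["image"])))
    findings = []
    for (host, ppid), runs in by_parent.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):  # sliding window anchored at each spawn
            tools = {name for t, name in runs[i:] if t - start <= window}
            if len(tools) >= min_tools:
                findings.append({"rule": "lotl_enumeration_burst", "host": host,
                                 "ppid": ppid, "tools": sorted(tools)})
                break  # one finding per parent is enough
    return findings


def detect_zip_lure_execution(events):
    """Flag a shell/script host whose command line or working directory is Explorer's ZIP preview folder."""
    findings = []
    for e in events:
        if _base(e["image"]) not in SCRIPT_HOSTS:
            continue
        haystack = e["cmdline"] + " " + e.get("cwd", "")
        if ZIP_PREVIEW_DIR.search(haystack):
            findings.append({"rule": "zip_preview_lure_execution", "host": e["host"], "pid": e["pid"],
                             "image": _base(e["image"]), "parent": _base(e["parent_image"])})
    return findings


def run_detections(events):
    return detect_lotl_enumeration(events) + detect_zip_lure_execution(events)


# Constructed sample telemetry (not real logs): events 0-5 model a ZIP-delivered HTA lure
# followed by hands-on enumeration; events 6-8 model benign administrator and SCCM activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2024-07-25T10:00:00", "pid": 4120, "ppid": 812,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c mshta.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip\invoice.hta"',
     "cwd": r"C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip"},
    {"host": "WS01", "ts": "2024-07-25T10:00:01", "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'mshta.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip\invoice.hta"',
     "cwd": r"C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip"},
    {"host": "WS01", "ts": "2024-07-25T10:00:30", "pid": 4200, "ppid": 4130,
     "image": r"C:\Windows\System32\whoami.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "whoami /all", "cwd": r"C:\Users\jdoe"},
    {"host": "WS01", "ts": "2024-07-25T10:00:35", "pid": 4204, "ppid": 4130,
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "net user", "cwd": r"C:\Users\jdoe"},
    {"host": "WS01", "ts": "2024-07-25T10:00:41", "pid": 4210, "ppid": 4130,
     "image": r"C:\Windows\System32\wbem\wmic.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "wmic process list brief", "cwd": r"C:\Users\jdoe"},
    {"host": "WS01", "ts": "2024-07-25T10:01:02", "pid": 4215, "ppid": 4130,
     "image": r"C:\Windows\System32\systeminfo.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "systeminfo", "cwd": r"C:\Users\jdoe"},
    {"host": "WS01", "ts": "2024-07-25T10:05:00", "pid": 5000, "ppid": 812,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c ipconfig /all", "cwd": r"C:\Users\jdoe"},
    {"host": "WS01", "ts": "2024-07-25T10:05:01", "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\ipconfig.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ipconfig /all", "cwd": r"C:\Users\jdoe"},
    {"host": "WS01", "ts": "2024-07-25T10:30:00", "pid": 6000, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": r"powershell.exe -File C:\Windows\CCM\inventory.ps1", "cwd": r"C:\Windows\CCM"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f)
```

On the sample data the enumeration rule fires once, for the mshta.exe process (PID 4130) that ran whoami, net, wmic and systeminfo within about half a minute, and the ZIP-preview rule fires for both the cmd.exe launched by Explorer and the mshta.exe it spawned; the single ipconfig run and the SCCM PowerShell job stay quiet. In production the enumeration threshold and window need tuning per environment, since help-desk scripts also chain these binaries, and the parent/child relationship (Explorer to shell to script host) is the stronger signal than any one command.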

In a separate report, Microsoft characterized Andariel as continually enhancing its toolkit, introducing new features, and devising new methods to evade detection, while displaying a “quite uniform modus operandi.”

“Highlighting Onyx Sleet’s capability to create a range of tools for executing its well-established sequence of attacks renders it a persistent menace, especially for entities of interest to North Korean intelligence, such as firms in the defense, engineering, and energy industries,” the software giant pointed out.

Outlined below are some of the notable tools emphasized by Microsoft –

  • TigerRAT – Malware capable of stealing confidential data and executing commands received from a command-and-control (C2) server, including keylogging and screen recording
  • SmallTiger – A C++ backdoor
  • LightHand – A lightweight backdoor designed for remote access to compromised devices
  • ValidAlpha (also known as Black RAT) – A Go-based backdoor capable of running arbitrary files, listing directory contents, downloading files, capturing screenshots, and initiating a shell to execute arbitrary commands
  • Dora RAT – A “simple malware variant” supporting reverse shell and file download/upload functionalities

“They have transitioned from targeting South Korean financial institutions with disruptive assaults to attacking U.S. healthcare entities with ransomware, dubbed Maui, albeit not on the same level as other Russian-speaking cybercriminal groups,” stated Alex Rose, head of threat research and government partnerships at Secureworks Counter Threat Unit.

“This is in addition to their primary objective of gathering intelligence on foreign military operations and strategic technology acquisition.”

Andariel represents just one of the numerous state-backed hacking groups functioning under the supervision of the North Korean government and military, alongside other factions identified as the Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft.

“For years, North Korea has been engaged in illicit revenue generation through criminal ventures, to make up for the lack of domestic industry and their global diplomatic and economic isolation,” Rose further commented.

“Cyber operations were swiftly embraced as a strategic asset that could serve for both intelligence gathering and profit generation. Traditionally, these objectives would have been managed by separate teams, but in recent years there has been a merging of roles, with many of the cyber threat groups acting on behalf of North Korea also venturing into profit-making endeavors.”
