On Friday, a South Korean intelligence agency, along with its international partners, issued a joint cybersecurity advisory concerning a North Korean hacking group. This announcement followed the indictment of one of the group’s members by the United States government a day earlier. The individual is accused of infiltrating U.S. hospitals and infecting them with ransomware.
In the joint statement, eight organizations were listed, including the U.S. Federal Bureau of Investigation (FBI), the U.S. Cyber National Mission Force (CNMF), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Defense Cyber Crime Center (DC3), the U.S. National Security Agency (NSA), South Korea’s National Intelligence Service (NIS), South Korea’s National Police Agency (NPA), and the United Kingdom’s National Cyber Security Centre (NCSC).
The advisory warned that a North Korean state-sponsored cyber group, known publicly as Andariel, Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly, is persistently targeting defense, aerospace, nuclear, and engineering entities. The goal of these attacks is to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.
According to the authoring agencies, Andariel operates under the Third Bureau of North Korea’s Reconnaissance General Bureau (RGB) and is based in Pyongyang and Sinuiju. The group has been active since at least 2009, carrying out a variety of cyber operations that serve the interests of the North Korean regime. These operations include espionage campaigns against government agencies and defense industries, and they now also encompass financially motivated activities.
The authoring agencies stated that Andariel and its cyber techniques pose an ongoing threat to various industry sectors worldwide, including those in Japan and India. Furthermore, they revealed that the hackers finance their espionage activities through ransomware operations targeting U.S. healthcare entities.
According to the advisory, the hackers initially gain access by exploiting known vulnerabilities in widely used software, such as the Log4Shell flaw in the Apache Log4j logging library, to compromise internet-facing web servers and reach sensitive information and applications. After establishing a foothold, they use common credential-theft tools such as Mimikatz to harvest passwords and hashes for privilege escalation. The attackers then deploy custom malware implants, remote access tools (RATs), and open-source tools to execute their operations, move laterally within networks, and exfiltrate data.
The advisory also warned that the attackers conduct phishing activities using malicious attachments. These include Windows shortcut (LNK) files or HTML Application (HTA) script files delivered inside encrypted or unencrypted zip archives. Password-protecting the archive keeps mail-gateway scanners from inspecting the payload itself, although the member file names in the archive’s central directory remain readable without the password.
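As an added example (not part of the advisory or the article), the following Python script shows how a mail gateway can flag the lure described above without the archive password: the zip central directory stores member names in cleartext even when ZipCrypto or WinZip AES encrypts the member data, so listing the entries is enough to spot LNK and HTA payloads. The lure-extension set, the sample archive, and the `mark_encrypted` helper that fakes a password-protected entry by setting the encryption bit are all assumptions made for the demonstration.

```python
import io
import posixpath
import struct
import zipfile

# Final extensions treated as lures. The advisory names LNK and HTA; this set
# is an assumption for the example, not a list taken from the advisory.
LURE_EXTENSIONS = {".lnk", ".hta"}
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: member data is encrypted


def suspicious_entries(zip_bytes):
    """Return (name, is_encrypted) for every member whose final extension is a
    lure. Names are parsed from the central directory, which standard zip
    encryption leaves in cleartext, so no password is needed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            # splitext() keeps only the last extension, so "Report.pdf.lnk"
            # is classified as .lnk (a common double-extension trick).
            ext = posixpath.splitext(zi.filename)[1].lower()
            if ext in LURE_EXTENSIONS:
                encrypted = bool(zi.flag_bits & ENCRYPTED_FLAG)
                findings.append((zi.filename, encrypted))
    return findings


def build_sample_archive():
    """Construct a lure archive in memory (sample data, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Contract.docx", b"benign document body")
        zf.writestr("Contract_Details.pdf.lnk", b"fake shortcut body")
        zf.writestr("view.hta", b"<script>fake</script>")
    return buf.getvalue()


def mark_encrypted(zip_bytes, member):
    """Set the encryption bit on one member in both its central-directory and
    local headers. This mimics a password-protected archive for the listing
    check without implementing ZipCrypto; the data bytes are left untouched.
    Header offsets follow the zip specification (central header: flags at +8,
    name length at +28, local header offset at +42, name at +46; local header:
    flags at +6)."""
    data = bytearray(zip_bytes)
    pos = 0
    while True:
        pos = data.find(b"PK\x01\x02", pos)  # central directory header signature
        if pos < 0:
            break
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        name = bytes(data[pos + 46 : pos + 46 + name_len]).decode()
        if name == member:
            flags = struct.unpack_from("<H", data, pos + 8)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", data, pos + 8, flags)
            local = struct.unpack_from("<I", data, pos + 42)[0]
            lflags = struct.unpack_from("<H", data, local + 6)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", data, local + 6, lflags)
        pos += 46 + name_len
    return bytes(data)


def demo():
    """Scan a constructed archive whose HTA member is marked encrypted."""
    sample = mark_encrypted(build_sample_archive(), "view.hta")
    return suspicious_entries(sample)


if __name__ == "__main__":
    for name, encrypted in demo():
        print(f"{name}: lure extension, encrypted={encrypted}")
```

The check deliberately never calls `ZipFile.read()`, which would fail on an encrypted member; a gateway rule built on it can quarantine the message on names alone and leave content scanning to a sandbox that has the password from the email body.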
The authoring agencies encouraged critical infrastructure organizations to promptly apply patches for vulnerabilities, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections to defend against Andariel’s operations.
In a report published on July 26, Google-owned Mandiant named Andariel as APT45 (Advanced Persistent Threat 45), marking an elevation in the hacking group’s status. “Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defense organizations around the world,” said Mandiant Principal Analyst Michael Barnhart in a statement. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”
On July 25, the U.S. State Department announced rewards of up to $10 million for information on Rim Jong Hyok, a North Korean hacker and alleged member of Andariel. The State Department’s Rewards for Justice (RFJ) program stated, “Rim and others conspired to hack into the computer systems of U.S. hospitals and other healthcare providers, install Maui ransomware, and extort ransoms.”
The announcement further detailed, “In one computer intrusion operation that began in November 2022, the malicious cyber actors targeted a U.S.-based defense contractor and extracted more than 30 gigabytes of data. This data included unclassified technical information about materials used in military aircraft and satellites, much of which dated back to 2010 or earlier. U.S. law enforcement investigators have documented that Andariel actors have victimized five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases, and the National Aeronautics and Space Administration’s Office of Inspector General.”
On July 24, a federal arrest warrant was issued for Rim in the U.S. District Court for the District of Kansas. He was charged with conspiracy to commit computer hacking and conspiracy to commit money laundering.