© 2024 All Rights reserved | Powered by Viraltrendingcontent
U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals

By Viral Trending Content

The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the U.S. and funneling the payments to fund additional intrusions into defense, technology, and government entities across the world.

“Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea’s illicit activities,” said Paul Abbate, deputy director of the Federal Bureau of Investigation (FBI). “These unacceptable and unlawful actions placed innocent lives at risk.”

Concurrent with the indictment, the U.S. Department of State announced a reward of up to $10 million for information that could lead to his whereabouts, or the identification of other individuals in connection with the malicious activity.

Rim, part of a hacking crew dubbed Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), is said to be behind extortion-related cyber attacks involving a ransomware strain called Maui, which was first disclosed in 2022 as targeting organizations in Japan and the U.S.

The ransom payments were laundered through Hong Kong-based facilitators, converting the illicit proceeds into Chinese yuan, following which they were withdrawn from an ATM and used to procure virtual private servers (VPSes) that, in turn, were employed to exfiltrate sensitive defense and technology information.


Targets of the campaign include two U.S. Air Force bases, NASA-OIG, as well as South Korean and Taiwanese defense contractors and a Chinese energy company.

In one instance highlighted by the State Department, a cyber attack that began in November 2022 led to the threat actors exfiltrating more than 30 gigabytes of data from an unnamed U.S.-based defense contractor. This comprised unclassified technical information regarding material used in military aircraft and satellites.

The agencies have also announced the “interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity.”

Andariel, affiliated with the Reconnaissance General Bureau (RGB) 3rd Bureau, has a track record of striking foreign businesses, governments, aerospace, nuclear, and defense industries with the goal of obtaining sensitive and classified technical information and intellectual property to further the regime’s military and nuclear aspirations.

Other recent targets of interest encompass South Korean educational institutions, construction companies, and manufacturing organizations.

“This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India,” the National Security Agency (NSA) said. “The group funds their espionage activity through ransomware operations against U.S. healthcare entities.”

Initial access to target networks is accomplished by exploiting known but unpatched (N-day) security flaws in internet-facing applications. From that foothold the group carries out reconnaissance, filesystem enumeration, persistence, privilege escalation, lateral movement, and data exfiltration using a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities.

Other documented malware distribution vectors entail the use of phishing emails containing malicious attachments, such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files inside ZIP archives.
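The ZIP-wrapped LNK/HTA lure described above is easy to gate at the mail boundary if the check looks at file headers rather than trusting names. The following is an added example written for this page, not Andariel tooling or any vendor product: it opens an attachment archive in memory, flags Windows Shell Link members by their fixed header (HeaderSize 0x4C plus the LinkCLSID 00021401-0000-0000-C000-000000000046 from MS-SHLLINK), flags HTA members by extension or inline script content, catches other script-type extensions, and recurses into nested ZIPs with a depth and size cap. The sample archive, its member names, and the payload bytes are all constructed placeholders; nothing in it executes.

```python
import io
import os
import re
import zipfile

# Hypothetical detector for the demo; not code from the article or from any product.
# Header of a Windows Shell Link (.lnk): HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
ZIP_MAGIC = b"PK\x03\x04"
HTA_HINT = re.compile(rb"<\s*(script|hta:application)\b", re.IGNORECASE)
SCRIPT_EXTS = {".lnk", ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".cmd", ".bat", ".ps1"}
SNIFF_LEN = 512                 # bytes read from each member for content checks
MAX_NESTED = 8 * 1024 * 1024    # refuse to expand nested archives larger than this


def risky_members(zip_bytes, prefix="", depth=0, max_depth=2):
    """Return [(member_path, reason), ...] for archive entries that warrant quarantine.

    Checks the file header, not just the extension, so 'Q3_report.pdf.lnk' and a
    renamed LNK are both caught; recurses into nested ZIPs up to max_depth.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            ext = os.path.splitext(info.filename.lower())[1]
            with zf.open(info) as fh:
                head = fh.read(SNIFF_LEN)
            if head.startswith(LNK_MAGIC):
                findings.append((name, "shell link (LNK) header"))
            elif ext == ".hta" or HTA_HINT.search(head):
                findings.append((name, "HTML Application / inline script"))
            elif ext in SCRIPT_EXTS:
                findings.append((name, f"script-type extension {ext}"))
            elif head.startswith(ZIP_MAGIC):
                if depth >= max_depth or info.file_size > MAX_NESTED:
                    findings.append((name, "nested archive not expanded"))
                else:
                    findings.extend(
                        risky_members(zf.read(info), name + "/", depth + 1, max_depth)
                    )
    return findings


def build_sample_archive():
    """Constructed lure archive for the demo: placeholder LNK/HTA, no real payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("setup.js", "var sh = new ActiveXObject('WScript.Shell');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.txt", "Quarterly figures attached, see report.")
        zf.writestr("Q3_report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("view_report.hta",
                    "<html><head><HTA:APPLICATION id=x></head>"
                    "<script>new ActiveXObject('WScript.Shell');</script></html>")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in risky_members(build_sample_archive()):
        print(f"QUARANTINE {member}: {reason}")
```

Checking the header first matters because the lure relies on the name: a `.pdf.lnk` file shows as `Q3_report.pdf` with extensions hidden, and an LNK renamed to `.txt` still runs when double-clicked. In production, also reject archives that are password-protected or that fail to open, since those are the other common way past this check.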

“The actors are well-versed in using native tools and processes on systems, known as living-off-the-land (LotL),” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration.”

Microsoft, in its own advisory on Andariel, described it as constantly evolving its toolset to add new functionality and implement novel ways to bypass detection, while exhibiting a “fairly uniform attack pattern.”

“Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors,” the Windows maker noted.

Some of the noteworthy tools highlighted by Microsoft are listed below –

  • TigerRAT – A malware that can steal confidential information and carry out commands, like keylogging and screen recording, from a command-and-control (C2) server
  • SmallTiger – A C++ backdoor
  • LightHand – A lightweight backdoor for remote access to infected devices
  • ValidAlpha (aka Black RAT) – A Go-based backdoor that can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands
  • Dora RAT – A “simple malware strain” with support for reverse shell and file download/upload capabilities

“They have evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as other Russian speaking cybercrime groups,” Alex Rose, director of threat research and government partnerships at Secureworks Counter Threat Unit, said.

“This is in addition to their primary mission of gathering intelligence on foreign military operations and strategic technology acquisition.”

Andariel is just one of the myriad state-sponsored hacking crews operating under the direction of the North Korean government and military, alongside other clusters tracked as the Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft.

“For decades, North Korea has been involved in illicit revenue generation through criminal enterprises, to compensate for the lack of domestic industry and their global diplomatic and economic isolation,” Rose added.

“Cyber was rapidly adopted as a strategic capability that could be used for both intelligence gathering and money making. Where historically these objectives would have been covered by different groups, in the last few years there has been a blurring of the lines and many of the cyber threat groups operating on behalf of North Korea have also dabbled in money making activities.”
