The US Department of Justice (DoJ) on Thursday unsealed an indictment against North Korean military intelligence officers for allegedly carrying out ransomware attacks on U.S. medical facilities and using the money to orchestrate further intrusions into defense, technology and government organizations around the world.
“Rim Jong Hyok and his co-conspirators used ransomware to extort money from U.S. hospitals and healthcare companies, then laundered the money to fund North Korea’s illicit activities,” FBI Deputy Director Paul Abbate said. “These unacceptable illegal activities put innocent lives at risk.”
Concurrent with the indictments, the U.S. State Department announced a reward of up to $10 million for information leading to the location of the defendants or others involved in the nefarious conduct.
Hyok is part of a hacking team known as Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly and TDrop2) that is alleged to be behind a string of extortion-related cyber attacks, including a ransomware strain called Maui that was first revealed to be targeting organizations in Japan and the United States in 2022.
The ransom money was laundered through Hong Kong-based intermediaries and the illicit proceeds were converted into Chinese Yuan and then withdrawn from ATMs to fund virtual private servers (VPS) that were used to steal sensitive defense and technical information.
Targets in the attack included two US Air Force bases, NASA-OIG, defense contractors in South Korea and Taiwan, and a Chinese energy company.
In one case highlighted by the State Department, a cyberattack that began in November 2022 resulted in threat actors stealing more than 30 gigabytes of data from an unnamed U.S.-based defense contractor, including unclassified technical information about materials used in military aircraft and satellites.
Authorities also announced “the seizure of approximately $114,000 in cryptocurrency obtained from the ransomware attacks and related money laundering transactions, as well as online accounts used by the conspirators to carry out their malicious cyber activities.”
Andariel, an agent of the Reconnaissance General Bureau’s (RGB) Third Directorate, has a track record of attacking foreign companies, governments, and the aerospace, nuclear, and defense industries with the aim of obtaining classified technical information and intellectual property to further the regime’s military and nuclear ambitions.
Recent areas of interest include educational institutions, construction companies and manufacturing organizations in South Korea.
“The group poses ongoing threats to various industrial sectors around the world, including the United States, South Korea, Japan and India,” the NSA said. “The group funds its espionage operations through ransomware attacks on U.S. healthcare organizations.”
Initial access to a target network is achieved by exploiting known N-day security flaws in internet-facing applications, allowing the hacking group to perform subsequent reconnaissance, file system enumeration, persistence, privilege escalation, lateral movement, and data exfiltration procedures using a combination of custom backdoors, remote access trojans, commercially available tools, and open source utilities.
Other documented malware distribution vectors include the use of phishing emails containing malicious attachments such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files within ZIP archives.
“Attackers are adept at using native tools and processes on the system known as living off the land (LotL),” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “They have used Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash for system, network, and account enumeration.”
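The two behaviours described in the preceding paragraphs (ZIP attachments carrying LNK or HTA files, and enumeration through cmd, PowerShell, WMIC and bash) are concrete enough to turn into triage and detection logic. The Python below is an added illustration, not code from the article, the DoJ, CISA or Microsoft: it lists archive members with shortcut or HTA extensions, then classifies constructed process-creation events by the kind of enumeration their command line performs and reports hosts where several categories occur together. The event schema, hostnames, sample ZIP and regex lists are assumptions made for the example.

```python
"""Illustrative detections for two Andariel TTPs described above:
(1) phishing attachments: ZIP archives carrying LNK or HTA files,
(2) living-off-the-land enumeration via cmd/PowerShell/WMIC/bash.

Added example; not code from the article, the DoJ, CISA or Microsoft.
All sample data (the ZIP and the process events) is constructed here.
"""
import io
import re
import zipfile

# --- (1) attachment triage -------------------------------------------------
SUSPICIOUS_EXTENSIONS = {".lnk", ".hta"}


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names ending in .lnk or .hta (case-insensitive).
    Only the name is inspected, so this is a triage filter, not proof of malice."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return [n for n in names if any(n.lower().endswith(e) for e in SUSPICIOUS_EXTENSIONS)]


def build_sample_zip() -> bytes:
    """Constructed attachment: a decoy PDF beside a double-extension shortcut and an HTA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Quotation_2024.pdf.LNK", b"L\x00\x00\x00placeholder")
        zf.writestr("readme/open_me.hta", b"<html><script>placeholder</script></html>")
    return buf.getvalue()


# --- (2) LotL enumeration --------------------------------------------------
# Command-line patterns grouped by the enumeration they perform (assumed list,
# chosen to cover the system/network/account enumeration CISA describes).
ENUM_PATTERNS = {
    "account_enum": re.compile(
        r"\b(net(?:1)?\s+(?:user|group|localgroup)|whoami|id\b|cat\s+/etc/passwd)", re.I),
    "system_enum": re.compile(
        r"\b(systeminfo|wmic\s+(?:os|computersystem|process|service)|hostname|uname\s+-a|Get-ComputerInfo)", re.I),
    "network_enum": re.compile(
        r"\b(ipconfig|ifconfig|arp\s+-a|netstat|nltest|net\s+view|Get-NetNeighbor)", re.I),
}
# Native interpreters named in the CISA quote; anything else is ignored here.
LOTL_BINARIES = ("cmd.exe", "powershell.exe", "wmic.exe", "bash", "sh")


def classify_event(event: dict) -> list[str]:
    """Return the enumeration categories matched by one process-creation event.
    event = {"host": str, "image": str, "cmdline": str} (assumed schema)."""
    if not event["image"].lower().endswith(LOTL_BINARIES):
        return []
    return [cat for cat, rx in ENUM_PATTERNS.items() if rx.search(event["cmdline"])]


def hosts_with_enum_burst(events, threshold=3):
    """Hosts whose events hit `threshold` or more distinct enumeration categories.
    Requiring several categories rather than one command limits noise from
    an administrator running a single query."""
    seen = {}
    for ev in events:
        for cat in classify_event(ev):
            seen.setdefault(ev["host"], set()).add(cat)
    return sorted(h for h, cats in seen.items() if len(cats) >= threshold)


SAMPLE_EVENTS = [  # constructed process-creation events
    {"host": "WS-042", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"host": "WS-042", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c \"netstat -ano\""},
    {"host": "WS-042", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net group \"Domain Admins\" /domain"},
    {"host": "WS-007", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "srv-linux-1", "image": "/bin/bash",
     "cmdline": "bash -c 'cat /etc/passwd; uname -a'"},
    {"host": "WS-099", "image": r"C:\Program Files\Acme\updater.exe",
     "cmdline": "updater.exe --check"},
]

if __name__ == "__main__":
    print("ZIP members flagged:", suspicious_zip_members(build_sample_zip()))
    for ev in SAMPLE_EVENTS:
        print(ev["host"], classify_event(ev))
    print("hosts with enumeration burst:", hosts_with_enum_burst(SAMPLE_EVENTS))
```

Both halves are deliberately coarse: the attachment filter looks only at member names, and the enumeration logic is a correlation across categories on a single host rather than a match on any one command, which is the usual trade-off between catching LotL activity and drowning in ordinary administrative noise.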
In its own advisory on Andariel, Microsoft explained that while Andariel is constantly evolving its toolset to add new capabilities and implement new ways to evade detection, it exhibits “fairly uniform attack patterns.”
“Onyx Sleet’s ability to develop a variety of tools to launch proven attack chains makes it a continuing threat, particularly against targets of interest to North Korean intelligence, such as organizations in the defense, engineering, and energy sectors,” the Windows maker noted.
Here are some of the notable tools highlighted by Microsoft:
- TigerRAT – Malware that takes commands from a command-and-control (C2) server to steal sensitive information and perform tasks such as keylogging and screen recording
- SmallTiger – C++ backdoor
- LightHand – A lightweight backdoor for remote access to infected devices
- ValidAlpha (aka Black RAT) – A Go-based backdoor capable of executing arbitrary files, listing directory contents, downloading files, taking screenshots, and starting a shell to execute arbitrary commands.
- Dora RAT – “Simple malware” that supports reverse shell and file download/upload functionality
“While not on the same scale as other Russian-speaking cybercrime groups, they have evolved from targeting financial institutions in South Korea with destructive attacks to targeting US healthcare organizations with ransomware known as Maui,” said Alex Rose, director of threat research and government partnerships at SecureWorks Counter Threat Unit.
“This is in addition to their primary mission of gathering intelligence on foreign military operations and strategic technology acquisitions.”
Andariel is just one of numerous state-sponsored hacking groups operating under the direction of the North Korean government and military, along with other clusters tracked as Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft.
“For decades, North Korea has engaged in illicit revenue generation through criminal enterprises to compensate for domestic industrial shortfalls and global diplomatic and economic isolation,” Rose added.
“Cyber has been rapidly adopted as a strategic capability that can be used for both intelligence gathering and financial gain. Historically, these objectives were covered by different groups, but the lines have blurred in recent years, with many of the cyber threat groups operating on behalf of North Korea now dabbling in financial gain activities as well.”