An indictment against a North Korean military intelligence agent was unsealed by the U.S. Department of Justice (DoJ) on Thursday for allegedly using ransomware attacks on healthcare facilities in the country to fund additional intrusions into defense, technology, and government organizations worldwide.
Paul Abbate, deputy director of the Federal Bureau of Investigation (FBI), stated, “Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea’s illicit activities. These inadmissible and unlawful activities put guiltless lives in danger.”
In conjunction with the indictment, the U.S. Department of State announced a reward of up to $10 million for information that could lead to his whereabouts or to the identification of additional individuals involved in the malicious activity.
Hyok is a member of a group of hackers known as Andariel (also known as APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), and he is believed to be responsible for extortion-related cyberattacks involving a ransomware strain called Maui. This strain was first revealed in 2022 to be targeting organizations in the United States and Japan.
The ransom payments were laundered through Hong Kong-based facilitators, who converted the illicit proceeds into Chinese yuan. The funds were then withdrawn from an ATM and used to purchase virtual private servers (VPSes), which were in turn used to exfiltrate sensitive defense and technology data.
The campaign’s targets included a South Korean and a Taiwanese defense contractor, a Chinese energy company, two U.S. Air Force bases, and NASA-OIG.
In one instance highlighted by the State Department, a cyber attack that began in November 2022 resulted in the threat actors exfiltrating more than 30 gigabytes of data from an unidentified U.S. defense contractor, including unclassified technical information about materials used in military satellites and aircraft.
The authorities also announced “the interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity.”
Andariel, a unit of the Reconnaissance General Bureau (RGB) 3rd Bureau, has a history of attacking foreign governments, aerospace, nuclear, and defense companies with the intention of obtaining confidential technical information and intellectual property to advance the regime’s military and nuclear goals.
Other ongoing targets of interest include South Korean educational institutions, construction companies, and manufacturing organizations.
“This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India,” the National Security Agency (NSA) said. The group uses ransomware attacks on healthcare providers in the United States to pay for its espionage.
After gaining initial access to target networks by exploiting known N-day security flaws in internet-facing applications, the hacking group uses a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities to carry out follow-on reconnaissance, filesystem enumeration, persistence, privilege escalation, lateral movement, and data exfiltration.
Phishing emails with malicious attachments, such as Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files contained within ZIP archives, are another well-documented malware distribution channel.
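The LNK/HTA-inside-ZIP lure described above is something a mail gateway can check for before delivery. The following is an added example (not code from the article or from any agency advisory) that walks a ZIP archive, including nested ZIPs, and returns the paths of any LNK or HTA members; the sample archive it builds is constructed for the demonstration and contains only placeholder bytes.

```python
import io
import zipfile

# File types the advisory names as Andariel phishing payloads (LNK, HTA).
# Matched case-insensitively so "INVOICE.LNK" or "quote.pdf.hta" are caught.
SUSPICIOUS_EXTS = (".lnk", ".hta")


def find_script_attachments(zip_bytes, prefix="", depth=0, max_depth=3):
    """Return paths of LNK/HTA members in a ZIP, recursing into nested ZIPs.

    Nested hits are reported as "outer_member.zip/inner_member".
    Non-ZIP input yields an empty list rather than an exception.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        name = info.filename.lower()
        if name.endswith(SUSPICIOUS_EXTS):
            hits.append(path)
        elif name.endswith(".zip") and depth < max_depth:
            # Recurse into a nested archive, bounded by max_depth
            # so a zip bomb cannot drive unbounded recursion.
            hits.extend(find_script_attachments(zf.read(info), path + "/", depth + 1, max_depth))
    return hits


def build_sample_archive():
    """Constructed test input resembling the lure: a ZIP with a benign file,
    an LNK with a double extension trick, and a nested ZIP carrying an HTA."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("quote.pdf.hta", "<!-- constructed placeholder, not a real HTA -->")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "benign text")
        z.writestr("Invoice_2024.LNK", b"placeholder bytes, not a real shortcut")
        z.writestr("docs/attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_attachments(build_sample_archive()):
        print("flagged:", hit)
```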
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated, “The actors are well-versed in using native tools and processes on systems, known as LotL.” System, network, and account enumeration is carried out with the Windows command line, PowerShell, the Windows Management Instrumentation command line (WMIC), and Linux bash, a living-off-the-land approach that blends in with ordinary administrative activity.
In its own advisory on Andariel, Microsoft said that the group had a “fairly uniform attack pattern” and that its toolset was constantly changing to add new features and new ways to evade detection.
“Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors,” the Windows maker noted.
“They have evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as other Russian-speaking cybercrime groups,” Alex Rose, director of threat research and government partnerships at Secureworks Counter Threat Unit, said.
“This is in addition to their primary mission of gathering intelligence on foreign military operations and strategic technology acquisition.”
Along with other clusters tracked as the Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft, Andariel is just one of the numerous state-sponsored hacking teams operating under the direction of the North Korean government and military.
“For many years, North Korea has been engaged in illicit revenue generation through criminal enterprises, to make up for the lack of domestic industry and their global diplomatic and economic isolation,” Rose added.
“Cyber was quickly adopted as a strategic capability that could be utilized for both the collection of intelligence and the production of wealth. Where generally these targets would have been covered by various groups, over the last few years there has been a blurring of the lines and many of the cyber threat groups operating on behalf of North Korea have also dabbled in money-making activities.”