Sanctioned North Korean unit tried to hack at least 3 US organizations this summer


A sanctioned group of hackers working for the North Korean government appears to be continuing its attacks on U.S. organizations, targeting at least three in August.

Researchers at Symantec said they found evidence that APT45, also known as Andariel and Stonefly, conducted intrusions at three different organizations just one month after the Justice Department published an indictment of a member of the group. 

The Justice Department issued an arrest warrant for Rim Jong Hyok in July for his alleged role in using ransomware against U.S. hospitals and healthcare companies. He is alleged to be a member of the Andariel Unit within the country’s intelligence agency, the Reconnaissance General Bureau (RGB). The full group was sanctioned in 2019 by the U.S. Treasury.

Symantec said that in the three recent incidents, the hackers were not successful in deploying ransomware. The researchers noted that the attacks were likely financially motivated because all of the victims were private companies and involved in businesses with no obvious intelligence value. The North Korean government is known for using cybercrime proceeds to evade Western economic sanctions. 

The researchers attributed the attacks to the group based on custom malware used exclusively by APT45. They also found several indicators of compromise that were recently documented by Microsoft.

The attackers “used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign,” they said. 

Symantec noted that in addition to extorting U.S. hospitals, the group has previously launched attacks against two U.S. Air Force bases, a NASA office and organizations located in Taiwan, South Korea and China. 

The researchers added that the group’s sophistication has evolved significantly since it first emerged in 2009 through distributed denial-of-service (DDoS) attacks against a number of South Korean, U.S. government and financial websites.

“In recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets,” they said. 

“It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property. While other North Korean groups are well known for mounting financial attacks driven by the need to raise foreign currency for the regime, Stonefly had until recent years appeared not to be involved in financially motivated attacks.”

Symantec added that the indictments and naming of at least one member “has not yet led to a cessation of activity.” 

The FBI and other agencies said earlier this year that Andariel, based out of the RGB’s 3rd Bureau in Pyongyang and Sinuiju, has repeatedly targeted “defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.”


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
