Sanctioned North Korean unit tried to hack at least 3 US organizations this summer

A sanctioned group of hackers working for the North Korean government appears to be continuing its attacks on U.S. organizations, targeting at least three in August.

Researchers at Symantec said they found evidence that APT45, also known as Andariel and Stonefly, conducted intrusions at three different organizations just one month after the Justice Department published an indictment of a member of the group. 

The Justice Department issued an arrest warrant for Rim Jong Hyok in July for his alleged role in using ransomware against U.S. hospitals and healthcare companies. He is accused of being an alleged member of the Andariel Unit within the country’s intelligence agency, the Reconnaissance General Bureau (RGB). The full group was sanctioned in 2019 by the U.S. Treasury.

Symantec said that in the three recent incidents, the hackers were not successful in deploying ransomware. The researchers noted that the attacks were likely financially motivated because all of the victims were private companies and involved in businesses with no obvious intelligence value. The North Korean government is known for using cybercrime proceeds to evade Western economic sanctions. 

The researchers attributed the attacks to the group based on the use of custom malware used exclusively by APT45. They also found several indicators of compromise that were recently documented by Microsoft. 

The attackers “used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign,” they said. 

Symantec noted that in addition to extorting U.S. hospitals, the group has previously launched attacks against two U.S. Air Force bases, a NASA office and organizations located in Taiwan, South Korea and China. 

The researchers added that the group’s sophistication has evolved significantly since it first emerged in 2009 through distributed denial-of-service (DDoS) attacks against a number of South Korean, U.S. government and financial websites.

“In recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets,” they said. 

“It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property. While other North Korean groups are well known for mounting financial attacks driven by the need to raise foreign currency for the regime, Stonefly had until recent years appeared not to be involved in financially motivated attacks.”

Symantec added that the indictments and naming of at least one member “has not yet led to a cessation of activity.” 

The FBI and other agencies said earlier this year that Andariel, based out of the RGB’s 3rd Bureau in Pyongyang and Sinuiju, has repeatedly targeted “defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.”