State-sponsored North Korean threat actor Andariel stole over 1.2TB of defense technology-related files from South Korean firms. It also extorted ransom payments worth $356,000 and laundered the proceeds.
Cyberattackers from Pyongyang managed to steal about 250 files related to defense technology, including anti-aircraft laser weapons, from a dozen companies in South Korea, according to an announcement by the Seoul Metropolitan Police. Some victims were unaware of the breach, while others tried to hide it.
South Korean police coordinated with the FBI to uncover Andariel’s hacking efforts, unraveling the network used for evasion. During the investigation, officials tracked the flow of laundered ransom proceeds to North Korea.
Hackers extorted about 470 million won ($356,000) worth of Bitcoins from three domestic and foreign victims in exchange for restoring systems. Before transferring money to North Korea, Andariel hackers laundered money using overseas crypto exchanges and a foreign bank account belonging to a woman named Ms. A. More than a quarter of stolen bitcoins were sent to a Chinese bank near the North Korean border.
South Korean police seized servers used by Andariel in South Korea and searched the residence and devices of the suspected woman. Ms. A, a former employee in a Hong Kong-based currency exchange, denied involvement in money laundering, stating that she only provided her account “for convenience.”
The North Korean hackers attacked from a local IP address, which traced back to a domestic server rental company providing services to unidentified customers. That enabled the hackers, who used the server at least 83 times between December 2022 and March 2023, to avoid detection.
After seizing the servers, the police confirmed that defense companies, financial companies, research institutes, and pharmaceutical companies were hacked, and that approximately 1.2TB of files were stolen, presumably containing important technology and data, including credentials.
“Some companies were unaware of the damage, and some refrained from reporting the damage to the police due to concerns about a decline in corporate trust,” the police report reads.
The Korea Times reported that some stolen critical data included anti-aircraft laser technology.
Andariel is believed to be a unit of Lazarus, the most notorious North Korean cybercrime group. Andariel has been active since at least 2009 and is primarily focused on destructive attacks against South Korean government agencies, military organizations, and a variety of domestic companies. Andariel has been involved in cyber financial operations against banks and crypto exchanges. The gang is controlled by the Reconnaissance General Bureau (RGB), which is North Korea’s primary intelligence bureau.
Cybernews has already reported that hackers backed by the rogue state of North Korea stole $3 billion in crypto in six years. Cryptocurrency theft and ransoms have been a major revenue source for the regime, particularly for funding military and weapons programs.
North Korea allegedly has 6,000 hackers and uses them for financial gain, as well as intelligence gathering, the US Federal Bureau of Investigation said earlier in the year.