Feds warn of North Korean Andariel cyber group, offer $10 million reward

Pyongyang’s global cyber espionage campaign is targeting defense, aerospace, nuclear, and engineering organizations.

The US Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA) and international partners, released an advisory warning about the increased risk posed by North Korea’s Reconnaissance General Bureau (RGB) 3rd Bureau.

This state-sponsored cyber group is publicly known as Andariel, Onyx Sleet, Plutonium, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa.

Authorities caution defense, aerospace, nuclear, and engineering organizations that the group is increasingly targeting them “to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.”

The group’s activity is also destructive: it funds its primary espionage mission through ransomware operations against US healthcare organizations.

To gain initial access, the threat actor usually exploits web servers with known software vulnerabilities, such as Log4j. The attackers then deploy a web shell, use it to reach sensitive information and applications, and move on to further exploitation of the environment.

“The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential-stealing tools such as Mimikatz,” the advisory reads.

Andariel’s arsenal includes multiple custom malware implants, remote access tools (RATs), and open-source tools for execution, lateral movement, and data exfiltration. The group also conducts phishing using malicious attachments, such as LNK (Windows Shortcut File) or HTA (HTML Application) script files inside encrypted or unencrypted zip archives.
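One defensive check that follows from the phishing description above is to screen inbound zip attachments for LNK or HTA members before they reach a mailbox. The example below is added here and is not from the advisory or the article; it uses Python's standard `zipfile` module, walks nested archives, and reports encrypted entries by name, since a zip's central directory (and therefore its file names) stays in plaintext even when entry contents are encrypted. The sample attachment it builds is constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types the advisory names as phishing lures inside zip archives.
LURE_SUFFIXES = {".lnk", ".hta"}


def screen_zip_attachment(data: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Return findings ("<path>: <reason>") for a zip attachment given as bytes.

    Nested zips are opened recursively up to max_depth. Encrypted entries are
    reported by name only: zip file names are not encrypted, so a lure such as
    "Invoice.pdf.lnk" is still visible even when its payload cannot be read.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<root>: not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            suffix = PurePosixPath(name).suffix.lower()
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            if suffix in LURE_SUFFIXES:
                reason = f"{suffix} script/shortcut lure"
                if encrypted:
                    reason += " (encrypted entry)"
                findings.append(f"{name}: {reason}")
            elif suffix == ".zip" and depth < max_depth:
                if encrypted:
                    findings.append(f"{name}: encrypted nested zip, contents not inspected")
                    continue
                inner = zf.read(info)
                findings.extend(f"{name}/{f}" for f in screen_zip_attachment(inner, depth + 1, max_depth))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: an outer zip holding a benign PDF and a nested zip
    containing an HTA lure and an LNK disguised with a double extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Proposal.hta", "<!-- placeholder HTA content -->")
        z.writestr("Spec_Sheet.pdf.lnk", b"placeholder LNK bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.pdf", b"%PDF-1.4 benign placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```

Run against a real mail stream this should sit beside, not replace, attachment sandboxing: it flags only by member name and does not inspect LNK or HTA contents.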

Andariel was previously interested in intel on heavy and light tanks, self-propelled howitzers, other strike and supply vehicles, combat ships, submarines, aircraft, missile systems, satellites, uranium processing and enrichment, nuclear power plants, and other facilities.

The threat actor also targeted industries holding information about shipbuilding and marine engineering, robotic machinery, mechanical arms, 3D printing, fabrication, machining processes, and other technologies.

The advisory compiles a long list of detection methods, indicators of compromise, and mitigation measures to help organizations protect themselves, and the authorities recommend implementing them to improve security posture against the threat actor’s known activity.

“If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million,” the advisory reads.

Previously, it was estimated that hackers backed by the rogue state stole $3 billion in crypto in six years.