The RGB 3rd Bureau of DPRK conducts global cyber espionage targeting defense, aerospace, nuclear, and engineering sectors to support Pyongyang’s military and nuclear programs, using web server exploits, credential access, custom RATs, and phishing to gain and maintain access. The advisory highlights Andariel/Onyx Sleet/DarkSeoul/Silent Chollima/Stonefly as the threat group and notes ransomware-linked activity funding espionage, with mitigations urged across patching, monitoring, and access controls. #Andariel #OnyxSleet #DarkSeoul #SilentChollima
Key points
- Andariel (RGB 3rd Bureau) is the North Korean state-sponsored group behind the activity, targeting defense, aerospace, nuclear, and engineering entities to obtain sensitive information.
- Initial access is gained by exploiting public-facing web servers and known vulnerabilities (e.g., Log4j) to deploy web shells and access internal assets.
- The operation uses standard discovery, enumeration, persistence (Scheduled Tasks), and credential theft (Mimikatz) for privilege escalation.
- Actors deploy custom malware implants, remote access tools (RATs), and open-source tooling for execution, lateral movement, and data exfiltration; they also conduct phishing with malicious LNK/HTA attachments.
- Ransomware activity against U.S. healthcare entities funds espionage; some operations combine ransomware and cyber espionage against the same targets.
- Victims span defense, aerospace, nuclear, and engineering sectors, with some targeting medical and energy industries; Table 1 lists affected domains and data types.
- MITRE ATT&CK mapping is provided, along with extensive mitigation guidance (patching, web shell defense, endpoint monitoring, MFA, network segmentation).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The actors exploit weaknesses in Internet-facing systems (e.g., Log4j) to deploy web shells and access sensitive information. ‘The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation.’
- [T1595] Active Scanning – They identify vulnerable systems via public internet scanning tools to reveal weaknesses in public-facing web servers. ‘identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595].’
- [T1591] Gather Victim Org Information – They collect open-source information about victims to aid targeting. ‘gather open source information about their victims for use in targeting [T1591].’
- [T1592] Gather Victim Host Information – They obtain host details to assist targeting. ‘gather information about their victims for use in targeting [T1592].’
- [T1596] Search Open Technical Databases – They research CVEs in NVD for exploitation opportunities. ‘research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596].’
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement via SMB directory/file enumeration on connected devices. ‘enumerate directories and files of connected devices using Server Message Block (SMB) protocol’ [T1021.002].
- [T1021] Remote Services – Use of RDP for lateral movement. ‘The actors have also used Remote Desktop Protocol (RDP) to move laterally […].’
- [T1003] OS Credential Dumping – Credential theft with tools like Mimikatz; includes NTDS.dit extraction. ‘The actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials.’
- [T1083] File and Directory Discovery – Custom .NET tooling enumerates files/directories to find sensitive data. ‘enumerate directories and files’ [T1083].
- [T1087] Account Discovery – They enumerate user accounts to map access. ‘Account Discovery’ [T1087].
- [T1059] Command and Scripting Interpreter – Use of Windows CMD, PowerShell, WMIC, and Linux Bash for in-system actions. ‘living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash’ [T1059].
- [T1027] Obfuscated Files or Information – Pack tooling with VMProtect/Themida to evade detection. ‘packed with VMProtect and Themida’ [T1027].
- [T1560] Archive Collected Data – Data is compressed/encrypted prior to exfiltration. ‘Archive Collected Data’ [T1560].
- [T1567] Exfiltration Over Web Service – Data exfiltrated to cloud storage or actor-controlled services. ‘exfiltrate data to web services such as cloud storage’ [T1567].
- [T1048] Exfiltration Over Alternative Protocol – Data moved via FTP/alternative protocols. ‘using PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via FTP’ [T1048].
- [T1071] Application Layer Protocol – C2 traffic over HTTP(S) and other application layer protocols. ‘disguise their malware within HTTP packets to appear as benign network traffic’ [T1071].
- [T1090] Proxy – Use of proxies to route C2 traffic and evade network controls. ‘tunneling enables C2 over NAT or proxies’ [T1090].
Indicators of Compromise
- [MD5] MD5 Hashes – 88a7c84ac7f7ed310b5ee791ec8bd6c5, 6ab4eb4c23c9e419fbba85884ea141f4, and 2 more hashes
- [SHA-256] Hashes – ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6, db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984, and many more
- [User-Agent] Strings – Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
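The indicators above are the kind of thing a defender feeds into a log and file-inventory sweep. The script below is an added example, not code from the advisory or from CISA: it reproduces only the hashes and User-Agent strings listed on this page (the advisory itself lists more), parses web server access logs in Combined Log Format, flags requests whose User-Agent exactly matches a listed string, and checks a constructed file inventory of precomputed digests against the MD5/SHA-256 sets. The log lines and inventory entries are constructed for the example. Note that both listed User-Agents are stock Firefox strings, so a match alone is low confidence and should be correlated with the request path, source address and the hash hits.

```python
import hashlib
import re

# IoCs reproduced from the advisory summary above. The page says more exist;
# only the values it prints are included here.
MD5_IOCS = {
    "88a7c84ac7f7ed310b5ee791ec8bd6c5",
    "6ab4eb4c23c9e419fbba85884ea141f4",
}
SHA256_IOCS = {
    "ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6",
    "db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984",
}
UA_IOCS = {
    "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
}

# Apache/nginx Combined Log Format; the User-Agent is the final quoted field.
_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def parse_combined(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = _COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_ua_hits(lines):
    """Return (line_number, client_ip, request) for lines whose User-Agent is a listed IoC.

    Exact comparison is used on purpose: a substring match on these common
    Firefox strings would flag far more benign traffic.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is not None and rec["ua"] in UA_IOCS:
            hits.append((n, rec["ip"], rec["req"]))
    return hits


def hash_hits(inventory):
    """inventory: iterable of (path, md5_hex_or_None, sha256_hex_or_None).

    Returns (path, [matching digest kinds]) for every entry that hits an IoC set.
    """
    hits = []
    for path, md5hex, sha256hex in inventory:
        kinds = []
        if md5hex and md5hex.lower() in MD5_IOCS:
            kinds.append("md5")
        if sha256hex and sha256hex.lower() in SHA256_IOCS:
            kinds.append("sha256")
        if kinds:
            hits.append((path, kinds))
    return hits


def digests(data):
    """Compute (md5, sha256) hex digests for a file's bytes, for building an inventory."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


# Constructed sample data (not real traffic or real files).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"',
    '198.51.100.23 - - [10/Jul/2024:08:16:44 +0000] "POST /app/upload.jsp HTTP/1.1" 200 312 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    "this line is deliberately malformed and must be skipped",
    '198.51.100.23 - - [10/Jul/2024:08:17:01 +0000] "GET /api/status HTTP/1.1" 200 88 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 extra"',
]

_BENIGN_MD5, _BENIGN_SHA256 = digests(b"hello")
SAMPLE_INVENTORY = [
    ("C:\\Windows\\Temp\\svc.exe", "88a7c84ac7f7ed310b5ee791ec8bd6c5", None),
    ("/opt/app/lib/log4j-core.jar", "0" * 32,
     "db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984"),
    ("/usr/bin/ls", _BENIGN_MD5, _BENIGN_SHA256),
]

if __name__ == "__main__":
    for n, ip, req in find_ua_hits(SAMPLE_LOG):
        print(f"UA IoC hit: log line {n} from {ip}: {req}")
    for path, kinds in hash_hits(SAMPLE_INVENTORY):
        print(f"Hash IoC hit: {path} ({', '.join(kinds)})")
```

The inventory side takes precomputed digests rather than reading the disk so it can be run against an EDR or file-integrity export; `digests()` is provided for the case where you are hashing files yourself, and the lookup normalizes to lowercase so copy-pasted uppercase hashes still match.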
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a