A North Korean state-sponsored hacking group already under U.S. sanctions appears to have kept up its attacks, breaching at least three U.S. organisations in August.
Symantec researchers found evidence that APT45, also tracked as Andariel and Stonefly, broke into three separate organisations in the month after the Justice Department published an indictment against one of the group’s members.
In July the Justice Department secured an indictment and an arrest warrant for Rim Jong Hyok over his alleged role in ransomware attacks on American hospitals and healthcare providers. He is alleged to be a member of the Andariel unit of the Reconnaissance General Bureau (RGB), North Korea’s intelligence service. The U.S. Treasury sanctioned Andariel as a whole in 2019.
According to Symantec, the attackers failed to deploy ransomware in any of the three recent intrusions. Because all three victims were private companies with unremarkable business profiles and little intelligence value, the researchers assessed that the attacks were most likely financially motivated. The North Korean government is known to use the proceeds of cybercrime to get around Western economic sanctions.
The researchers attributed the attacks to APT45 on the basis of custom malware used only by that group, together with several indicators of compromise that Microsoft had recently documented.
Symantec said the attackers “used two additional certificates that seem to be unique to this campaign in addition to a fake Tableau certificate documented by Microsoft.”
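A fake vendor certificate only works as a lure if defenders judge a signed binary by the name in its subject. The following is an added example, not code from Symantec, Microsoft or the article, showing the three checks a practitioner would actually run on a code-signing certificate: does the subject match the expected vendor, does it chain to a root in our own trust store with the code-signing usage, and is its SHA-256 fingerprint on a shared indicator list. It constructs its own fixtures at runtime (a trusted root, a rogue root, and two leaves with the same look-alike subject); the vendor common name, root names and indicator list are hypothetical and stand in for the real certificates, which the article does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict holds three independent checks on a code-signing certificate.
type Verdict struct {
	SubjectMatches bool // subject CN equals the vendor name we expected
	ChainsToTrust  bool // chains to a root in our store and is valid for code signing
	KnownBad       bool // SHA-256 fingerprint appears on a shared indicator list
}

// Fingerprint returns the hex SHA-256 of the DER certificate, the form in
// which certificate indicators are normally exchanged.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Assess runs the checks. A subject-name match on its own proves nothing:
// anyone can mint a certificate whose subject says "Tableau".
func Assess(c *x509.Certificate, roots *x509.CertPool, expectedCN string, badFPs map[string]bool) Verdict {
	_, err := c.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return Verdict{
		SubjectMatches: c.Subject.CommonName == expectedCN,
		ChainsToTrust:  err == nil,
		KnownBad:       badFPs[Fingerprint(c)],
	}
}

// mint issues a certificate with the given CN. With a nil parent it is a
// self-signed CA; otherwise it is a code-signing leaf signed by parent.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildFixture constructs the scenario (all names hypothetical): a root we
// trust, a root we do not, and two leaves with the same vendor CN, one per root.
func BuildFixture(vendorCN string) (roots *x509.CertPool, genuine, lookAlike *x509.Certificate, err error) {
	trustedCA, trustedKey, err := mint("Constructed Trusted Root", nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	rogueCA, rogueKey, err := mint("Constructed Rogue Root", nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if genuine, _, err = mint(vendorCN, trustedCA, trustedKey); err != nil {
		return nil, nil, nil, err
	}
	if lookAlike, _, err = mint(vendorCN, rogueCA, rogueKey); err != nil {
		return nil, nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(trustedCA)
	return roots, genuine, lookAlike, nil
}

func main() {
	const vendor = "Tableau Software (hypothetical CN)" // assumed subject, not the real certificate's
	roots, genuine, lookAlike, err := BuildFixture(vendor)
	if err != nil {
		panic(err)
	}
	// Indicator list as it arrives from a vendor report: fingerprints only (constructed here).
	iocs := map[string]bool{Fingerprint(lookAlike): true}
	fmt.Printf("genuine:    %+v\n", Assess(genuine, roots, vendor, iocs))
	fmt.Printf("look-alike: %+v\n", Assess(lookAlike, roots, vendor, iocs))
}
```

The look-alike passes the subject check and fails the other two, which is the point: match on chain validity and fingerprint, and treat a vendor name in the subject as no more than a hint. On a real host the certificate would come from the binary's Authenticode signature rather than from a fixture, and the fingerprint list from the vendor report.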
Beyond extorting U.S. hospitals, the group has, according to Symantec, attacked two U.S. Air Force bases, a NASA office, and organisations in Taiwan, South Korea, and China.
The group first surfaced in 2009 with distributed denial-of-service (DDoS) attacks on South Korean and U.S. government and financial websites, the researchers noted, and its sophistication has grown dramatically since then.
“In recent years, the group’s capabilities have grown markedly, and, since at least 2019, Symantec has seen its focus shift mainly to espionage operations against select, high-value targets,” they said.
“It appears to specialize in targeting organizations that hold classified or highly sensitive information or intellectual property. While other North Korean groups are well known for mounting financial attacks driven by the need to raise foreign currency for the regime, Stonefly had until recent years appeared not to be involved in financially motivated attacks.”
Symantec added that the indictments and naming of at least one member “has not yet led to a cessation of activity.”
The FBI and other agencies said earlier this year that Andariel, based out of the RGB’s 3rd Bureau in Pyongyang and Sinuiju, has repeatedly targeted “defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.”
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.