
    North Korean Hackers Shift Focus from Cyber Espionage to Ransomware Attacks

    A North Korean threat actor known for its long-standing cyber espionage activities has expanded its operations to include financially motivated ransomware attacks. The ransomware deployments set it apart from the other nation-state hacking groups associated with North Korea.

    The activity cluster, now tracked by Google-owned Mandiant under the name APT45, overlaps with groups such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.

    “APT45 is a long-running, moderately sophisticated North Korean cyber operator that has conducted espionage campaigns since 2009,” stated researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart. “APT45 has been the most frequently observed targeting critical infrastructure.”

    APT45, along with other groups like APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), operates within North Korea’s Reconnaissance General Bureau (RGB), the nation’s premier military intelligence agency.

    APT45 is linked to ransomware families such as SHATTEREDGLASS and Maui, targeting entities in South Korea, Japan, and the U.S. in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.

    Mandiant noted, “APT45 may be engaging in financially-motivated cybercrime not only to support its operations but also to generate funds for other North Korean state priorities.”

    One notable malware in its arsenal is the backdoor known as Dtrack (aka Valefor and Preft), first used in a cyber attack on the Kudankulam Nuclear Power Plant in India in 2019, a rare instance of North Korean actors targeting critical infrastructure.

    “APT45 is one of North Korea’s longest-running cyber operators, and its activities reflect the regime’s geopolitical priorities. Operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science,” Mandiant stated.

    “As the country has become reliant on its cyber operations as an instrument of national power, APT45 and other North Korean cyber operators’ activities may reflect the changing priorities of the country’s leadership.”

    These findings come as KnowBe4, a security awareness training firm, reported being deceived into hiring a North Korean IT worker posing as a U.S. citizen. The individual used a stolen identity and enhanced their picture with artificial intelligence (AI).

    “This was a skilled North Korean IT worker, supported by state-backed criminal infrastructure, who used a stolen identity, participated in video interviews, and bypassed standard background checks,” the company revealed.

    The IT worker, part of the Workers’ Party of Korea’s Munitions Industry Department, has a history of seeking employment in U.S. firms while actually operating from China and Russia. They accessed systems remotely through company-issued laptops delivered to a “laptop farm.”

    On July 15, 2024, at 9:55 p.m. Eastern time, KnowBe4 detected suspicious activity on the Mac workstation shipped to the individual. The activity included manipulating session history files, transferring potentially harmful files, and using a Raspberry Pi to download and run unauthorized software.

    Twenty-five minutes later, the Florida-based cybersecurity company contained the employee’s device. There is no evidence that the attacker gained unauthorized access to sensitive data or systems.
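    As an added illustration, not KnowBe4's or Mandiant's code and not drawn from the incident data, the following Python script triages endpoint telemetry for two of the tells named above: tampering with shell session history files and running a freshly dropped binary. The JSON-lines event format, its field names (host, user, event, process, path, cmdline), the paths treated as drop directories, and the sample events are all assumptions constructed for this example.

```python
"""Triage endpoint telemetry for shell-history tampering and execution of
freshly dropped binaries.

Added example, not KnowBe4's or Mandiant's code. The telemetry format is an
assumption: one JSON object per line with host, user, event, process, path
and cmdline fields. The sample events at the bottom are constructed.
"""
import json
import re

# zsh and bash history on macOS/Linux, including per-session zsh history files.
HISTORY_FILES = re.compile(
    r"/(\.zsh_history|\.bash_history|\.zsh_sessions/[^/]+\.history)$"
)

# Commands that clear or disable history for the running session. Quotes are
# allowed as delimiters so `sh -c '...'` wrappers still match.
HISTORY_TAMPER_CMDS = re.compile(
    r"(?:^|[;&|\s'\"])"
    r"(?:history\s+-c|unset\s+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0"
    r"|rm\s+(?:-\w+\s+)?\S*\.(?:zsh|bash)_history)"
    r"(?=$|[;&|\s'\"])"
)

# Locations a dropped payload is typically run from (assumed list).
DROP_DIRS = re.compile(r"^(?:/tmp|/private/tmp|/var/tmp|/Users/[^/]+/Downloads)/")

# Shells are expected to write their own history files; anything else is not.
SHELLS = {"zsh", "bash", "sh", "fish"}


def classify(event: dict) -> list[str]:
    """Return alert tags for one event; an empty list means nothing matched."""
    tags = []
    etype = event.get("event")
    path = event.get("path", "")
    cmdline = event.get("cmdline", "")
    proc = event.get("process", "")

    if etype in ("file_write", "file_delete") and HISTORY_FILES.search(path):
        # A shell appending to its own history is routine; a deletion, or a
        # write by any other process, is not.
        if etype == "file_delete" or proc not in SHELLS:
            tags.append("history_file_tamper")

    if etype == "process_exec":
        if HISTORY_TAMPER_CMDS.search(cmdline):
            tags.append("history_cmd_tamper")
        if DROP_DIRS.match(path):
            tags.append("exec_from_drop_dir")
    return tags


def triage(lines):
    """Group alert tags by host and return (per_host_tags, hosts_to_escalate).

    One tag is a lead worth a look; two different tells on the same host in
    one batch is the combination worth paging on.
    """
    per_host = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tag in classify(event):
            per_host.setdefault(event["host"], set()).add(tag)
    escalate = sorted(h for h, t in per_host.items() if len(t) >= 2)
    return per_host, escalate


# Constructed sample telemetry (not real incident data).
SAMPLE = """
{"host":"mac-1","user":"jdoe","event":"file_write","process":"zsh","path":"/Users/jdoe/.zsh_history","cmdline":""}
{"host":"mac-1","user":"jdoe","event":"process_exec","process":"zsh","path":"/bin/zsh","cmdline":"zsh -c 'unset HISTFILE; history -c'"}
{"host":"mac-1","user":"jdoe","event":"file_delete","process":"rm","path":"/Users/jdoe/.zsh_sessions/abc123.history","cmdline":"rm /Users/jdoe/.zsh_sessions/abc123.history"}
{"host":"mac-1","user":"jdoe","event":"process_exec","process":"loader","path":"/private/tmp/loader","cmdline":"/private/tmp/loader --quiet"}
{"host":"mac-2","user":"asmith","event":"file_write","process":"bash","path":"/Users/asmith/.bash_history","cmdline":""}
{"host":"mac-2","user":"asmith","event":"process_exec","process":"python3","path":"/usr/bin/python3","cmdline":"python3 /Users/asmith/work/report.py"}
"""

if __name__ == "__main__":
    hosts, escalate = triage(SAMPLE.splitlines())
    for host, tags in sorted(hosts.items()):
        print(host, sorted(tags))
    print("escalate:", escalate)
```

    Run against the constructed sample, mac-1 collects all three tags and is the only host escalated; mac-2's shell writing its own history and a normal Python run produce no tags. In a real deployment the history-file rule needs an allow-list for terminal multiplexers and shell plugins that legitimately rewrite history, or it will be noisy.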

    “The scam involves doing the work, getting paid well, and funneling a significant portion of the earnings to North Korea to fund their illegal programs,” stated Stu Sjouwerman, KnowBe4’s chief executive.

    “This case underscores the critical need for robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams to protect against advanced persistent threats.”
