According to recent media reports, the United States (US) Department of Justice (DoJ) has released an indictment against a threat actor held responsible for a series of North Korean ransomware attacks. The individual has been identified as an intelligence operative of the North Korean military.
In this article, we’ll learn more about who the threat actor is, the attacks, and what the indictment entails. Let’s begin!
The threat actor behind these North Korean ransomware attacks is known to have targeted healthcare facilities in the US. The attacks were financially motivated: media reports claim that the ransom proceeds were to be used to fund additional intrusions.
At present, it is believed that those additional intrusions would have targeted technology, defense, and government organizations worldwide. Shedding light on the identity of the North Korean cyber espionage threat actor, Paul Abbate, Deputy Director of the Federal Bureau of Investigation (FBI), stated:
“Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea’s illicit activities. These unacceptable and unlawful actions placed innocent lives at risk.”
The threat actor behind the North Korean ransomware attacks, Rim Jong Hyok, is believed to be a member of the state-sponsored hacking group known as Andariel. The Andariel group is also tracked as APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2. It is worth mentioning that this group is said to be behind the Maui ransomware.
Maui is a ransomware strain used in a series of extortion-related cyber attacks against a range of organizations in Japan and the US. Providing insight into the group and its attacks, the National Security Agency (NSA) said:
“This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India. The group funds their espionage activity through ransomware operations against U.S. healthcare entities.”
As far as the attack chain and methodology are concerned, the group behind the North Korean ransomware attacks gained initial access to target networks by exploiting N-day security flaws (vulnerabilities that are already publicly known and patched, but not yet patched by the victim) in internet-facing applications. This foothold allowed the group to engage in a number of different activities that include:
The tools used in the attacks included custom backdoors, remote access trojans (RATs), open-source utilities, and other off-the-shelf tools. The delivery mediums for the malware included Microsoft Windows Shortcut (LNK) files and HTML Application (HTA) script files packaged inside ZIP archives.
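Because the delivery mediums named above (LNK and HTA files inside ZIP archives) are easy to check for at a mail gateway or file-upload boundary, here is a small inspection routine that flags them. This is an added example written for this article, not code from TuxCare or from the reporting it cites; the archive it scans is constructed in memory for the demonstration. It checks both the file extension and the file header, so a Shell Link file renamed to another extension is still caught: every genuine .lnk begins with a 4-byte HeaderSize of 0x4C followed by the Shell Link CLSID {00021401-0000-0000-C000-000000000046}.

```python
import io
import os
import zipfile
from typing import List, Tuple

# Shell Link (.lnk) file header: HeaderSize = 0x0000004C, then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} stored as a little-endian GUID.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Only the first few KiB of each entry are read, so a large or malicious
# archive cannot force the scanner to decompress whole members into memory.
HEADER_BYTES = 4096


def looks_like_lnk(data: bytes) -> bool:
    """True if the bytes start with a well-formed Shell Link header."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def looks_like_hta(data: bytes) -> bool:
    """Heuristic for HTML Application content: an <hta:application> tag or
    script that instantiates COM objects (how HTA droppers typically launch
    a shell). Case-insensitive because HTML parsers are."""
    head = data.lower()
    return (b"<hta:application" in head
            or (b"<script" in head and b"activexobject" in head))


def scan_zip_bytes(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every archive member that is, or
    claims to be, an LNK or HTA file."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as member:
                head = member.read(HEADER_BYTES)

            if looks_like_lnk(head):
                reason = "Shell Link (LNK) header"
                if ext != ".lnk":
                    reason += " disguised under a non-.lnk extension"
                findings.append((name, reason))
            elif ext == ".lnk":
                # Extension says LNK but the header does not: still worth a look.
                findings.append((name, ".lnk extension without a valid LNK header"))

            if ext == ".hta" or looks_like_hta(head):
                findings.append((name, "HTML Application (HTA) content"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real capture) with one benign file,
    a double-extension LNK, an HTA dropper and an LNK hidden as .dat."""
    lnk_body = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * (0x4C - 20)
    hta_body = ("<html><hta:application id='app'>"
                "<script>new ActiveXObject('WScript.Shell').Run('cmd.exe');</script>"
                "</html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here")
        zf.writestr("Invoice_2024.pdf.lnk", lnk_body)
        zf.writestr("Open_Document.hta", hta_body)
        zf.writestr("notes.dat", lnk_body)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip_bytes(build_sample_archive()):
        print(f"FLAG {entry}: {why}")
```

On the constructed archive the scanner flags three of the four entries (the double-extension LNK, the HTA, and the LNK renamed to .dat) and leaves README.txt alone. In production you would feed it the raw attachment bytes and treat any finding as grounds to quarantine the archive rather than pass it to the user.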
Given the severity of the attacks, the DoJ has announced a reward of up to $10 million for information on the whereabouts or identity of others connected to the malicious activity.
The indictment of North Korean operative Rim Jong Hyok marks a significant step in combating cyber threats. His group’s ransomware attacks on healthcare and other sectors reveal a disturbing trend of state-sponsored cybercrime aimed at funding illicit activities.
The DoJ’s $10 million reward emphasizes the urgency of apprehending those behind these malicious acts. Given the rapid evolution of cyber threats, organizations must adopt robust security controls, starting with prompt patching of internet-facing applications, since known, unpatched flaws were the group’s way in.
The source for this piece includes articles in The Hacker News and The Record.
The post North Korean Ransomware Attacks: DoJ Indicts Threat Actor appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/north-korean-ransomware-attacks-doj-indicts-threat-actor/