Several U.S. government agencies including the FBI and the National Security Agency (NSA) issued an advisory today warning about a North Korean state-sponsored hacking group that they say is conducting a “global espionage campaign” aimed at advancing North Korean military and nuclear programs.

The agencies said the espionage threat is tied to the North Korean government’s Reconnaissance General Bureau (RGB) 3rd Bureau, which includes the “state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa.”

“The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions,” the U.S. agencies said.

The North Korean group and its cyber techniques, NSA said, pose “an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India.”

The group funds its espionage activity through proceeds from ransomware attacks against U.S. healthcare targets, NSA said.

According to the U.S. agencies, the North Korean threat actors “gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation.”

“As North Korean state-sponsored cyber actors evolve their operations to attempt to infiltrate vital systems, we will pivot to counteract these actions,” pledged NSA Cybersecurity Director Dave Luber.

Luber said the joint advisory issued by U.S. agencies, along with their counterparts in South Korea, includes “detailed techniques this group employs and various detection and mitigation methods to empower the international cybersecurity community to continue improving how we prevent and respond to compromises.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.