North Korea is targeting defense, aerospace, nuclear, and engineering organizations on a global scale. The intention is to steal classified and sensitive technical information and intellectual property in order to support their military and nuclear agendas.
CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs.
The following organizations also contributed to this advisory:
- U.S. Cyber National Mission Force (CNMF);
- U.S. Department of Defense Cyber Crime Center (DC3);
- U.S. National Security Agency (NSA);
- Republic of Korea’s National Intelligence Service (NIS);
- Republic of Korea’s National Police Agency (NPA); and
- United Kingdom’s National Cyber Security Centre (NCSC).
This advisory focuses on the cyber espionage activity of Andariel, sponsored by the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. Andariel, also known as Onyx Sleet (formerly known as PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa), focuses on defense, aerospace, nuclear, and engineering organizations not only in the U.S. but globally. Their goal is to steal classified and sensitive technical information and intellectual property to advance North Korea’s military and nuclear agendas.
How Does North Korea Pay for This Espionage Activity?
Not surprisingly, Andariel hackers fund this espionage activity through ransomware operations against U.S. healthcare organizations by means of phishing campaigns that use malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives. In some cases, the hackers are launching ransomware attacks and cyber espionage operations at the same time against the same organization.
Read more here: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Targeted Industries:
Andariel bad actors are after specific information including contract specifications, bills of materials, project details, design drawings, and engineering documents which have military and civilian applications. They have also been known to target energy and medical industries. The collective agencies believe these efforts are to further Pyongyang’s nuclear and defense programs.
Industries targeted:
- Defense
- Aerospace
- Nuclear
- Engineering
How It’s Done:
Attackers initially exploit widespread vulnerabilities in web server software, like Log4j, to install a web shell, which allows them to access sensitive data and applications for deeper exploitation. They proceed with standard system discovery and enumeration, establish persistence via Scheduled Tasks, and escalate privileges using prevalent credential theft tools such as Mimikatz. Subsequently, the attackers deploy custom malware, remote access tools (RATs), and utilize open-source tools for execution, lateral movement, and data exfiltration.
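As an added illustration (not code from the advisory or the agencies behind it), the following Python script applies two of the defensive points that follow from the chain above to a web root: it flags server-executed script files modified after a known deployment baseline and files whose content hands request-supplied input to an execution sink, the footprint of a dropped web shell. The content patterns and the sample files are constructed for this example, not indicators from the advisory.

```python
import os
import re
import tempfile
import time
from pathlib import Path
# Server-executed file types; a dropped one in a web root is the web shell footprint.
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}

# Constructed heuristic patterns (assumed for this example, not indicators from
# the advisory): code that hands request-supplied input to an execution sink.
SUSPICIOUS = [
    re.compile(r"\b(eval|assert|system|passthru|shell_exec|popen)\s*\("
               r"\s*(base64_decode\s*\()?\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(.*?request\.getParameter",
               re.I | re.S),
]

def scan_webroot(root, baseline_mtime=None):
    """Relative path -> reasons: changed after baseline (default 7 days ago) or shell-like content."""
    if baseline_mtime is None:
        baseline_mtime = time.time() - 7 * 86400
    findings = {}
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXTS:
            continue
        reasons = []
        if p.stat().st_mtime > baseline_mtime:
            reasons.append("modified after deployment baseline")
        text = p.read_text(errors="ignore")
        if any(pat.search(text) for pat in SUSPICIOUS):
            reasons.append("executes request-supplied input")
        if reasons:
            findings[p.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_webroot():
    """Constructed sample web root (test data, not real artifacts): one page
    deployed 30 days ago plus two freshly dropped web-shell-like files."""
    root = Path(tempfile.mkdtemp())
    month_ago = time.time() - 30 * 86400
    page = root / "index.php"
    page.write_text("<?php echo 'hello'; ?>")
    os.utime(page, (month_ago, month_ago))
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text(
        "<?php eval(base64_decode($_POST['c'])); ?>")
    (root / "x.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    return root
```

Running `scan_webroot(build_sample_webroot())` reports only the two dropped files; the legitimately deployed `index.php` is neither recent nor suspicious, which is the signal a baseline comparison adds over a content scan alone.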
Where Are They Finding an Entry Point?
The North Korean hackers are exploiting some of our own resources by compiling open-source intelligence on their targets and researching Common Vulnerabilities and Exposures (CVEs) listed in the National Institute of Standards and Technology (NIST) National Vulnerability Database. While detailed information on the group's initial reconnaissance tactics is scarce, it is probable that the actors target vulnerable systems by accessing publicly available internet scanning tools that can disclose details like vulnerabilities in public-facing web servers.
CVEs researched include:
- CVE-2023-46604 – Apache ActiveMQ
- CVE-2023-42793 – TeamCity
- CVE-2023-3519 – Citrix NetScaler
- CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM)
- CVE-2023-34362 – MOVEit
- CVE-2023-33246 – RocketMQ
- CVE-2023-32784 – KeePass
- CVE-2023-32315 – Openfire
- CVE-2023-3079 – Google Chromium V8 Type Confusion
- CVE-2023-28771 and CVE-2023-33010 – Zyxel firmware
- CVE-2023-2868 – Barracuda Email Security Gateway
- CVE-2023-27997 – FortiGate SSL VPN
- CVE-2023-25690 – Apache HTTP Server
- CVE-2023-21932 – Oracle Hospitality Opera 5
- CVE-2023-0669 – GoAnywhere MFT
- CVE-2022-47966 – ManageEngine
- CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite
- CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool
- CVE-2022-25064 – TP-LINK
- CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS
- CVE-2022-24785 – Moment.js
- CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere
- CVE-2022-22965 – Spring4Shell
- CVE-2022-22947 – Spring Cloud Gateway
- CVE-2022-22005 – Microsoft SharePoint Server
- CVE-2022-21882 – Win32k Elevation of Privilege
- CVE-2021-44228 – Apache Log4j
- CVE-2021-44142 – Samba vfs_fruit module
- CVE-2021-43226, CVE-2021-43207, and CVE-2021-36955 – Windows log file vulnerabilities
- CVE-2021-41773 – Apache HTTP Server 2.4.49
- CVE-2021-40684 – Talend ESB Runtime
- CVE-2021-3018 – IPeakCMS 3.5
- CVE-2021-20038 – SMA100 Apache httpd server (SonicWall)
- CVE-2021-20028 – SonicWall Secure Remote Access (SRA)
- CVE-2019-15637 – Tableau
- CVE-2019-7609 – Kibana
- CVE-2019-0708 – Microsoft Remote Desktop Services
- CVE-2017-4946 – VMware V4H and V4PA
Resource Development, Tooling, and Remote Access Tools:
In order to exploit systems, these cyber criminals have created custom Remote Access Tools (RATs) and malware that grant remote access and allow for manipulation and lateral movement within an IT environment. Here’s a partial list:
- Atharvan
- ELF Backdoor
- Jupiter
- MagicRAT
- “No Pineapple”
- TigerRAT
- Valefor/VSingle
- ValidAlpha
- YamaBot
- NukeSped
- Goat RAT
- Black RAT
- AndarLoader
- DurianBeacon
- Trifaux
- KaosRAT
- Preft
- Andariel Scheduled Task Malware
- BottomLoader (see Cisco Talos blog Operation Blacksmith)
- NineRAT (see Cisco Talos blog Operation Blacksmith)
- DLang (see Cisco Talos blog Operation Blacksmith)
- Nestdoor (see AhnLab blog)
The tools possess capabilities for executing arbitrary commands, keylogging, taking screenshots, enumerating files and directories, retrieving browser history, inspecting processes, generating and modifying files, monitoring network connections, and transferring content to a command and control (C2) center. Each tool enables the operators to sustain access to the compromised system, with every implant linked to a specific C2 node.
It is imperative that all critical infrastructure, defense, aerospace, nuclear, and engineering organizations review the advisory and implement the recommended mitigations that include applying patches for vulnerabilities in a timely manner, protecting web servers from web shells, monitoring endpoints for malicious activities, and strengthening authentication and remote access protections. For more information on North Korean state-sponsored threat actor activity, see CISA’s North Korea Cyber Threat Overview and Advisories page.