Back

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs

July 25, 2024, 8:29 p.m.

Tags

2024-07-25
cisa

External References

https://www.cisa.gov/

https://otx.alienvault.com/

Description

The U.S. Federal Bureau of Investigation (FBI) and several partner agencies are releasing this advisory to highlight a North Korean state-sponsored cyber group known as Andariel, operating under the Reconnaissance General Bureau (RGB) 3rd Bureau. This group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive technical data to advance North Korea's military and nuclear programs. The actors gain initial access through exploitation of public-facing web servers, move laterally using remote access tools, and exfiltrate data over alternative protocols. They also conduct ransomware operations against healthcare entities to fund their espionage activities.

Date

Published Created Modified
July 25, 2024, 7:26 p.m. July 25, 2024, 7:26 p.m. July 25, 2024, 8:29 p.m.

Indicators

f1856188732f05612c7c05347463109e8fc0e11a3d2604196551d90b4f846513

def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563

ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694

c419f17b54d5b1dd356af3703e1c31064720521337abed3ffecfed0884d1e235

c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1

b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be

b2cec2d6992bf41d2bab643968691e06722f830fc38f7776238fe88a1f892404

8c7d20b705d0a96c115f10dbd53268defdefeee207ea9c235eae1b23bb2b0c84

8cd16feb7318c0de3027894323a0ccaacb527e071aa4c4b691feb411b6bd0937

7f904d16371b40e24495d9cc91019a54a3f257129896db1698282a187dfd8808

7e9b7ebf36cfbd4b59b77fba3bba1bac0b8d2ac657530d945fd41c15937f0bb3

799d44f51e6ea84998d96570e8b597af82601260fada14bd7f08391e403bc02a

74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643

66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66

658c25c5c9ed34cd7835b7efc5f75b0cbb9a7f6b96a6922fce077e78aa5b08b4

5f71d7511bdd0b236d05b35396eddc20eae57ab2561f09ff62f212f32ef310cc

4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8

4aadf767491077ab83c6436cf108b014fc0bf8c3bd01cc6087a0f2b80564bc08

452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19

3dffb684333ea8f036e0d2142d1f49ebeccb28806cf6407308a88e846f8f30ec

3d4ee28dd88e4f9a6647789edbfac38dd99821ca1bdcb6fe1d3df6dc80287462

323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9

2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc

2a1b556770982acd711188821bfd90bb7a3eb2a977232303d7e64ba0b8682934

1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f

199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1

1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a

17085ef59c256aabae656311399575ceb2cf7e2e904255ac4c920fab9d5215e1

16db0063e4aa666d94752414549fa09fb33142481d894b01a0fae45b339a09fb

02135f60f3edff0b9baa4c20715ee6a80c94f282079bf879265f5e020d37cf88

6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1

664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54

40da2329b2b81f237fc30d2274529e6fda4364516b78b4b88659c572fbc4bc02

0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c

0995f1f2e4bb43ef7e3dcd57c06154fc812394ac214861c5e30084a215018dbe

3ec2292dc5be0161d25f258f716d92e96c591ab084548679dd7b169f80b2e967

9f90670d2197496f7d9d20152fe822238d9806716baf55c0078eef937dc8dfdb

9033a46f756fa5225ed30692317d92b31fa5b23fa4587caa87172031efa25e12

4a87fc2f9da25152bf26fff375dd9a18e81eeb78c2b5c5babcc04dc93371d0aa

3bb8445c95142da1bda0e3440b53cc70e05a3fe996a77e6dcfb2919fd8878ca9

048698159bbb051af779d22eb5b1282ce895e8311d641d50cc23cbfd36cc020a

e830c677d51668133fbea5d900b7a8e0d8cdfed0a396f50be314c0591bf71f74

d14447f41d11e0ed192d9161a60cee139fe8b01d921bbdff56abc01a5a653161

c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c

9ac31ce26749874b8f9e080cbe10e6d9c4d0fa9c8edb17685291e031d7f82949

8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f

7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b

5758765a59abfdf5e255df4d0447f92132891d1b325faaa2fb155ebb41cba818

3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061

f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7

d68036a30b99e8beba1c3aa52b6c5986eee823c21699a24d9af7022eaa9190ac

c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f

90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4

8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5

f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb

8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b

38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07

45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78

dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469

18b75949e03f8dcad513426f1f9f3ca209d779c24cd4e941d935633b1bec00cb

Attack Patterns

DLang

NineRAT

BottomLoader

Andariel Scheduled Task Malware

Preft

KaosRAT

Trifaux

Black RAT

Goat RAT

YamaBot

ValidAlpha

Valefor/VSingle

No Pineapple

MagicRAT

Jupiter

ELF Backdoor

Atharvan

DurianBeacon

Nestdoor

AndarLoader

TigerRAT

NukeSped

Andariel

T1596

T1591

T1021.002

T1587.001

T1039

T1587.004

T1048

T1572

T1567

T1087

T1021

T1083

T1071

T1595

T1592

T1027

T1560

T1190

T1090

T1003

T1059

Additional Informations

Engineering

Nuclear

Aerospace

Healthcare

Energy

Defense

Government

Manufacturing