North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs

July 25, 2024, 8:29 p.m.

Description

The U.S. Federal Bureau of Investigation (FBI) and several partner agencies are releasing this advisory to highlight a North Korean state-sponsored cyber group known as Andariel, operating under the Reconnaissance General Bureau (RGB) 3rd Bureau. This group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive technical data to advance North Korea's military and nuclear programs. The actors gain initial access through exploitation of public-facing web servers, move laterally using remote access tools, and exfiltrate data over alternative protocols. They also conduct ransomware operations against healthcare entities to fund their espionage activities.

Date

  • Created: July 25, 2024, 7:26 p.m.
  • Published: July 25, 2024, 7:26 p.m.
  • Modified: July 25, 2024, 8:29 p.m.

Indicators

  • f1856188732f05612c7c05347463109e8fc0e11a3d2604196551d90b4f846513
  • def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563
  • ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694
  • c419f17b54d5b1dd356af3703e1c31064720521337abed3ffecfed0884d1e235
  • c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1
  • b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be
  • b2cec2d6992bf41d2bab643968691e06722f830fc38f7776238fe88a1f892404
  • 8c7d20b705d0a96c115f10dbd53268defdefeee207ea9c235eae1b23bb2b0c84
  • 8cd16feb7318c0de3027894323a0ccaacb527e071aa4c4b691feb411b6bd0937
  • 7f904d16371b40e24495d9cc91019a54a3f257129896db1698282a187dfd8808
  • 7e9b7ebf36cfbd4b59b77fba3bba1bac0b8d2ac657530d945fd41c15937f0bb3
  • 799d44f51e6ea84998d96570e8b597af82601260fada14bd7f08391e403bc02a
  • 74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643
  • 66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66
  • 658c25c5c9ed34cd7835b7efc5f75b0cbb9a7f6b96a6922fce077e78aa5b08b4
  • 5f71d7511bdd0b236d05b35396eddc20eae57ab2561f09ff62f212f32ef310cc
  • 4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8
  • 4aadf767491077ab83c6436cf108b014fc0bf8c3bd01cc6087a0f2b80564bc08
  • 452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19
  • 3dffb684333ea8f036e0d2142d1f49ebeccb28806cf6407308a88e846f8f30ec
  • 3d4ee28dd88e4f9a6647789edbfac38dd99821ca1bdcb6fe1d3df6dc80287462
  • 323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9
  • 2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc
  • 2a1b556770982acd711188821bfd90bb7a3eb2a977232303d7e64ba0b8682934
  • 1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f
  • 199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1
  • 1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a
  • 17085ef59c256aabae656311399575ceb2cf7e2e904255ac4c920fab9d5215e1
  • 16db0063e4aa666d94752414549fa09fb33142481d894b01a0fae45b339a09fb
  • 02135f60f3edff0b9baa4c20715ee6a80c94f282079bf879265f5e020d37cf88
  • 6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1
  • 664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54
  • 40da2329b2b81f237fc30d2274529e6fda4364516b78b4b88659c572fbc4bc02
  • 0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c
  • 0995f1f2e4bb43ef7e3dcd57c06154fc812394ac214861c5e30084a215018dbe
  • 3ec2292dc5be0161d25f258f716d92e96c591ab084548679dd7b169f80b2e967
  • 9f90670d2197496f7d9d20152fe822238d9806716baf55c0078eef937dc8dfdb
  • 9033a46f756fa5225ed30692317d92b31fa5b23fa4587caa87172031efa25e12
  • 4a87fc2f9da25152bf26fff375dd9a18e81eeb78c2b5c5babcc04dc93371d0aa
  • 3bb8445c95142da1bda0e3440b53cc70e05a3fe996a77e6dcfb2919fd8878ca9
  • 048698159bbb051af779d22eb5b1282ce895e8311d641d50cc23cbfd36cc020a
  • e830c677d51668133fbea5d900b7a8e0d8cdfed0a396f50be314c0591bf71f74
  • d14447f41d11e0ed192d9161a60cee139fe8b01d921bbdff56abc01a5a653161
  • c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
  • 9ac31ce26749874b8f9e080cbe10e6d9c4d0fa9c8edb17685291e031d7f82949
  • 8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f
  • 7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b
  • 5758765a59abfdf5e255df4d0447f92132891d1b325faaa2fb155ebb41cba818
  • 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061
  • f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7
  • d68036a30b99e8beba1c3aa52b6c5986eee823c21699a24d9af7022eaa9190ac
  • c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
  • 90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
  • 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
  • f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
  • 8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b
  • 38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07
  • 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
  • dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
  • 18b75949e03f8dcad513426f1f9f3ca209d779c24cd4e941d935633b1bec00cb

Attack Patterns

  • DLang
  • NineRAT
  • BottomLoader
  • Andariel Scheduled Task Malware
  • Preft
  • KaosRAT
  • Trifaux
  • Black RAT
  • Goat RAT
  • YamaBot
  • ValidAlpha
  • Valefor/VSingle
  • No Pineapple
  • MagicRAT
  • Jupiter
  • ELF Backdoor
  • Atharvan
  • DurianBeacon
  • Nestdoor
  • AndarLoader
  • TigerRAT
  • NukeSped
  • Andariel

Additional Information

  • Engineering
  • Nuclear
  • Aerospace
  • Healthcare
  • Energy
  • Defense
  • Government
  • Manufacturing