North Korean state-backed hackers have mounted a campaign to obtain secrets related to nuclear materials, military drones, submarines and shipbuilding in the UK and US, as intelligence agencies warned of a “global cyber-espionage campaign” targeting sensitive industries.
A joint notice from the US, UK and South Korea warned that the Democratic People’s Republic of Korea (DPRK) was using state-backed attackers to further the regime’s military and nuclear ambitions. It added that Japan and India had also been targeted.
Hackers have targeted sensitive military information and intellectual property in four main areas: nuclear, defence, aerospace and engineering. The assailants, working for a group called Andariel, have also sought to obtain secrets from the medical and energy industries.
Paul Chichester, the National Cyber Security Centre’s (NCSC) director of operations, said: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes.”
The NCSC said Andariel had been “compromising organisations around the world to steal sensitive and classified technical information and intellectual property data”.
The NCSC believes that Andariel is a part of DPRK’s reconnaissance general bureau (RGB) and that the group’s malicious cyber activities pose a continued threat to critical infrastructure organisations globally.
The information targeted by the hackers includes data related to tanks, torpedoes, fighter aircraft, satellites, government nuclear facilities, nuclear power plants, robots and 3D printing, the NCSC said. The targeted countries include the US, UK, South Korea, India and Japan.
The intelligence agencies said Andariel was funding its espionage campaign by launching ransomware attacks against the US healthcare sector. They said the attackers were likely identifying vulnerable systems using publicly available internet scanning tools.
Chichester said: “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.
“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”
The advisory outlines how Andariel has evolved from destructive hacks against US and South Korea organisations to carrying out specialised cyber espionage and ransomware attacks.
In some cases, the hackers carried out ransomware attacks and cyber espionage operations on the same day against the same victim.
The US state department offered a reward of up to $10m (£7.8m) for information on Rim Jong Hyok, who it said was associated with Andariel. The department said Rim and others conspired to carry out ransomware attacks on US hospitals and other healthcare providers to fund its operations against government bodies and defence firms.
US law enforcement agencies believe Andariel targeted five healthcare providers, four US-based defence contractors, two US air force bases and Nasa’s office of inspector general. In one operation that began in November 2022, the hackers accessed a US defence contractor from which they extracted more than 30 gigabytes of data, including unclassified technical information regarding material used in military aircraft and satellites.
Unlike most other state actors, North Korea’s motivations in cyberwarfare appear split between conventional military and national security goals and financial advantages.
Over the past six years, according to a UN report, Korean hackers have been involved in almost 60 cyber-attacks on cryptocurrency-related companies alone, stealing an estimated $3bn. One single attack, against the crypto exchange Poloniex, seized more than $110m. “The key tasks of these cyberthreat actors are to obtain information of value to the Democratic People’s Republic of Korea and to illicitly generate revenue for the country,” the report concluded. The hackers used any method they could to secure hard funds, including “spearphishing, vulnerability exploits, social engineering and watering holes”.
The most damaging individual attack linked to the North Korean cyber-army was the WannaCry “ransomworm” in 2017. The US and UK formally accused North Korea of building the virus, which the country denied. Although it appeared to be a piece of ransomware, WannaCry’s payments infrastructure wasn’t linked to anything, and the virus, which took down machines around the world and significantly hampered the NHS, raised just over $55,000.
