North Korean cyber hackers are seeking to steal nuclear and military secrets in a global espionage campaign, Britain and America warned on Thursday.
The two nations, together with South Korea, issued a warning about the threat from the spying activities by the reclusive, pariah state.
In the UK, the National Cyber Security Centre issued a new advisory stating that a cyber threat group known as Andariel has been compromising organisations around the world to steal sensitive and classified technical information and intellectual property data.
The NCSC assesses that Andariel is a part of North Korea’s Reconnaissance General Bureau (RGB) 3rd Bureau and that the group’s malicious cyber activities “pose an ongoing threat to critical infrastructure organisations globally”.
It said the cyber actors have primarily targeted defence, aerospace, nuclear and engineering entities, and organisations in the medical and energy sectors to a lesser extent.
Their aim is to steal information such as contract specification, design drawings and project details, according to Britain’s cyber security centre.
Paul Chichester, NCSC Director of Operations, said: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK (Democratic People’s Republic of Korea) state-sponsored actors are willing to go to pursue their military and nuclear programmes.
“It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”
He added: “The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”
The advisory outlines how Andariel has evolved its operations from conducting destructive attacks against US and South Korean organisations to conducting specialised cyber espionage and ransomware attacks.
It warns that in some cases the actors have even been observed launching ransomware attacks and espionage operations on the same day and leveraging both activities against the same victim.
Britain, America and other allies are increasingly calling out spying and other malign activity by countries including Russia, China and North Korea.
The NCSC, part of the UK’s GCHQ intelligence agency, issued the joint warning and advisory note about Andariel’s actions with organisations including the US Federal Bureau of Investigation and South Korea’s national intelligence service. The US, UK and South Korea believe the cyber attackers pose “an ongoing threat to various industry sectors worldwide”, in their own countries and in others including Japan and India.
The warning note stressed: “The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation.
“The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz.”
It added: “The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration.
“The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.”
Critical infrastructure organisations were encouraged to apply patches for vulnerabilities “in a timely manner”, protect web servers from web shells, monitor endpoints for malicious activity, and strengthen authentication and remote access protections, to boost defences against the hackers.
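The advisory's phishing description above (LNK or HTA files inside encrypted or unencrypted zip archives) is the kind of lure a mail gateway or incident responder can screen for before anything is opened. The following is an added example written for this article, not code from the NCSC advisory or any of the agencies named: it walks a zip archive in memory, flags members with the shortcut and HTML Application extensions the advisory names (including double-extension names such as `Invoice.pdf.lnk`), recurses into nested archives up to an assumed depth limit, and notes encrypted members. Member names in a standard encrypted zip are stored in clear, so this triage still works when the contents cannot be read. The extension list, the depth limit, the size cap and the sample archive are all assumptions constructed for the example.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Attachment types the advisory describes as phishing lures (assumed list for this example).
RISKY_EXTENSIONS = {".lnk", ".hta"}
MAX_NESTING = 3                 # assumed limit on zip-in-zip recursion
MAX_NESTED_BYTES = 20 * 1024 * 1024  # assumed cap: do not unpack oversized nested archives


@dataclass
class Finding:
    path: str    # member path; "!" separates nested archive levels
    reason: str


def _classify(member_name: str) -> str | None:
    """Return a reason string if the member's final extension is a risky type, else None."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in RISKY_EXTENSIONS:
        return None
    if len(parts) > 2:
        return f"{ext} file with misleading double extension"
    return f"{ext} file"


def triage_zip(data: bytes, prefix: str = "", depth: int = 0) -> list[Finding]:
    """Inspect an archive's member names (readable even when contents are encrypted)."""
    findings: list[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding(prefix or "<root>", "not a valid zip archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            reason = _classify(info.filename)
            if reason:
                suffix = " (encrypted member)" if encrypted else ""
                findings.append(Finding(path, reason + suffix))
            if info.filename.lower().endswith(".zip"):
                if encrypted:
                    findings.append(Finding(path, "encrypted nested archive; contents not inspectable"))
                elif depth >= MAX_NESTING:
                    findings.append(Finding(path, "nesting depth limit reached; not unpacked"))
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append(Finding(path, "nested archive exceeds size cap; not unpacked"))
                else:
                    findings.extend(triage_zip(zf.read(info), path + "!", depth + 1))
    return findings


def build_sample_archive() -> bytes:
    """Construct a harmless sample archive for the demo; the member contents are placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.hta", "<html><!-- placeholder, no script --></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("contract.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Invoice.pdf.lnk", b"placeholder bytes, not a real shortcut")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f"{f.path}: {f.reason}")
```

In a gateway this would run before any member is extracted; the `Finding` list is what you would attach to the quarantine record or alert, and the encrypted-member branch is the case to watch for, since the advisory notes attackers use encrypted archives precisely to keep content scanners from seeing inside.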