Three organizations in the U.S. were targeted in August 2024 by the North Korean state-sponsored threat actor known as Andariel in what appears to have been a financially motivated campaign.

"While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a report shared with The Hacker News.

The development comes as Der Spiegel reported that German defense systems manufacturer Diehl Defense was compromised by a North Korean state-backed actor referred to as Kimsuky in a sophisticated spear-phishing attack that involved sending fake job offers purportedly from American defense contractors.

Andariel, an element within North Korea's Reconnaissance General Bureau (RGB), has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui, while also developing an arsenal of custom backdoors including Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand. Some of the group's lesser-known tools include a data wiper codenamed Jokra and an advanced implant called Prioxer that allows for exchanging commands and data with a command-and-control (C2) server.

While Andariel's focus has shifted toward espionage operations since 2019, Symantec said its pivot to financially motivated attacks is a relatively recent development, one that has continued despite actions by the U.S. government. In July 2024, a North Korean military intelligence operative and member of the Andariel group was indicted by the U.S. Department of Justice (DoJ) for allegedly carrying out ransomware attacks against healthcare facilities in the country and using the ill-gotten funds to finance additional intrusions into defense, technology, and government entities around the world.
Published on thehackernews.com on Wed, 02 Oct 2024 11:13:06 +0000.