2023-02-14

North Korean Actors Seeks Funds from Critical Infrastructure Organizations

Level: 
Strategic
  |  Source: 
CISA
Critical Infrastructure
Healthcare
Public Health
Share:

North Korean Actors Seeks Funds from Critical Infrastructure Organizations

The latest #StopRansomware advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recaps ransomware operations initiated by the Democratic People’s Republic of Korea (DPRK) against entities in healthcare, public health (HPH) and other critical infrastructure organizations. Revenue generation is the main goal of DPRK cyber operations to fund North Korean state objectives. Government agencies from the United States and South Korea, attest “an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks.”

Network resources and infrastructure acquired by DPRK operators attempt to conceal their activity by providing fake personas, channels used to siphon funds through private networks (VPNs), and virtual private servers (VPSs) to obfuscate their network trail. Personas often taken by DPRK actors are government and foreign political entities. Security vulnerabilities exploited to obtain initial access include Log4Shell (CVE-2021-44228), remote code execution vulnerabilities with SonicWall applications, and flaws in TerraMaster NAS systems. Once the targeted system has been exploited the hackers run shell commands, initiate system discovery to move laterally, and collect data of interest with malicious payloads. Ransomware variants deployed have involved Maui and H0lyGh0st along with other public encryption tools including BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. Following data encryption, DPRK actors provide victims a ransom note specifying Bitcoin payment and a Proton Mail account for communication.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now