CISA Advisory AA24-207A

July 25, 2024

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

What we know so far

The RGB 3rd Bureau, a DPRK state-sponsored cyber group also tracked as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, targets the defense, aerospace, nuclear, and engineering sectors to steal sensitive information that advances the regime's military and nuclear programs. The group funds its operations through ransomware attacks on U.S. healthcare entities.

Initial access is gained by exploiting known vulnerabilities, such as CVE-2021-44228 (Log4Shell) in Apache Log4j, to deploy a web shell, or via phishing. The group uses internet scanning tools and open-source information to identify targets.

The group uses platform-native tools, such as netstat and WMIC, to reduce suspicion during post-exploitation activity. However, third-party RATs and other commodity malware are also deployed for specific post-exploitation goals, such as enumeration, credential access, and staging data prior to exfiltration.

Data is then exfiltrated to cloud storage or other servers, often using PuTTY and WinSCP. C2 traffic is disguised as ordinary HTTP and carried through tunneling tools (3Proxy, PLINK, Stunnel).
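As an added example (not part of the advisory summary above), the Python below sketches a detection rule for the post-exploitation chain just described: it parses constructed Windows process-creation events and raises an alert whenever a tunneling or file-transfer tool named in the advisory is launched, rating it high when netstat or WMIC ran on the same host shortly before, or when the binary runs from a user-writable directory. Host names, paths, the event line format and the 60-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Process names tied to the TTPs summarised above (lower-cased image file names).
RECON_TOOLS = {"netstat.exe", "wmic.exe"}
TUNNEL_TOOLS = {"plink.exe", "stunnel.exe", "3proxy.exe"}
TRANSFER_TOOLS = {"putty.exe", "winscp.exe"}
# Directories an unprivileged user can write to; a tunnel/transfer binary launched from here is suspect.
WRITABLE_DIRS = ("\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed sample process-creation events, one per line: "<utc time> <host> <image path>".
# Illustrative data only, not telemetry from the advisory.
SAMPLE_EVENTS = """\
2024-07-20T10:01:05 srv-web01 C:\\Windows\\System32\\netstat.exe
2024-07-20T10:02:17 srv-web01 C:\\Windows\\System32\\wbem\\WMIC.exe
2024-07-20T10:09:40 srv-web01 C:\\Users\\Public\\plink.exe
2024-07-20T10:15:02 srv-web01 C:\\Users\\Public\\WinSCP.exe
2024-07-20T11:30:00 ws-admin07 C:\\Windows\\System32\\netstat.exe
2024-07-20T13:05:11 ws-admin07 C:\\Program Files\\PuTTY\\putty.exe
2024-07-20T14:00:00 ws-fin02 C:\\Program Files\\WinSCP\\WinSCP.exe
2024-07-20T15:20:45 ws-hr03 C:\\ProgramData\\stunnel.exe
"""

def parse_events(text):
    """Yield (timestamp, host, full path, lower-cased image name) for each event line."""
    for line in text.splitlines():
        ts, host, path = line.split(" ", 2)          # path may itself contain spaces
        image = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        yield datetime.fromisoformat(ts), host, path, image

def detect(text, window_minutes=60):
    """Alert on every tunnel/transfer tool launch: 'high' if recon ran on the same host
    within the window or the binary sits in a user-writable directory, else 'medium'."""
    last_recon, alerts = {}, []
    for ts, host, path, image in sorted(parse_events(text)):
        if image in RECON_TOOLS:
            last_recon[host] = ts                    # most recent recon per host
            continue
        if image not in TUNNEL_TOOLS | TRANSFER_TOOLS:
            continue
        reasons = []
        seen = last_recon.get(host)
        if seen is not None and ts - seen <= timedelta(minutes=window_minutes):
            reasons.append("recon tool ran %d min earlier" % ((ts - seen).seconds // 60))
        if any(d in path.lower() for d in WRITABLE_DIRS):
            reasons.append("launched from user-writable path")
        alerts.append({"time": ts.isoformat(), "host": host, "image": image,
                       "kind": "tunnel" if image in TUNNEL_TOOLS else "transfer",
                       "severity": "high" if reasons else "medium", "reasons": reasons})
    return alerts
```

Calling `detect(SAMPLE_EVENTS)` yields five alerts: the two srv-web01 launches and the ProgramData stunnel are high, the two installed-path launches without recent recon are medium.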
