North Korean Cyber Group Andariel Targets US Critical Infrastructure

July 25, 2024

The Andariel group, also tracked as Silent Chollima, Onyx Sleet, and Stonefly, is a North Korean cyber-espionage group that is systematically stealing data from organizations in the US and other countries. The group's activities are aimed at advancing North Korea's nuclear and military programs. In addition to stealing data, Andariel funds its operations through ransomware attacks on US healthcare entities.

The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and other agencies have issued a joint advisory identifying the Andariel group as a significant threat. The group is primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. The advisory stated, "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide."

The US government has offered a $10 million reward for information leading to the arrest of Rim Jong Hyok, who is believed to be a key player in Andariel's malicious cyber activities. The US Justice Department has also indicted Rim on charges related to his involvement in Andariel's attacks on various US entities, including NASA and two US Air Force bases.

Andariel is seeking a wide range of information in its current campaign. From defense organizations, it has been stealing information related to tanks, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on fighter aircraft, missiles, missile defense systems, radars, and nano-satellite technology. The group's attacks on nuclear sector organizations aim to gather data on uranium processing and enrichment, material waste, and storage. Engineering firms are being targeted for information on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

The advisory encouraged critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activity, and strengthen authentication and remote access protections. The advisory also listed 41 CVEs that Andariel actors have exploited to gain initial access to target networks as part of the cyber-espionage campaign, including CVE-2017-4946, CVE-2021-44228, CVE-2023-0669, CVE-2023-34362, and CVE-2023-46604.
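One way to make the "protect web servers from web shells" recommendation concrete is to baseline the web root's file hashes from a known-good deployment and, on each run, flag files that are new or changed and grep only those for the decode-then-eval and request-parameter-to-shell constructs typical of drop-in shells. The script below is an added example, not code from the advisory or the authoring agencies; the indicator patterns, directory layout and sample files are all constructed for the illustration and would need tuning against a real application's own code.

```python
"""Baseline-and-scan check for web shells dropped into a web root (example code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Content indicators common to drop-in web shells. Constructed for this
# example; they are not indicators from the advisory.
SUSPICIOUS_PATTERNS = (
    # PHP: decode-then-execute, the classic one-liner shell
    re.compile(rb"eval\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # PHP: request parameter handed straight to a command-execution function
    re.compile(rb"(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # ASP.NET: spawning a process from a page
    re.compile(rb"Process\.Start\s*\(", re.I),
    # JSP: Runtime.exec from a page
    re.compile(rb"Runtime\.getRuntime\s*\(\s*\)\.exec\s*\(", re.I),
)


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Take this from a known-good deployment, not from a host already suspected."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def scan_webroot(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live web root against the baseline, then inspect the
    content of new or modified files for shell-like constructs."""
    current = build_baseline(root)
    findings: dict[str, list[str]] = {"new": [], "modified": [], "deleted": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            findings["new"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    findings["deleted"] = sorted(set(baseline) - set(current))
    # Only files that changed since the baseline need content inspection;
    # anything unchanged was already vetted when the baseline was taken.
    for rel in findings["new"] + findings["modified"]:
        data = (root / rel).read_bytes()
        if any(p.search(data) for p in SUSPICIOUS_PATTERNS):
            findings["suspicious"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean deployment is baselined, then an
    attacker drops a one-line PHP shell into uploads/ and edits a page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
        (root / "uploads" / ".htaccess").write_bytes(b"php_flag engine off\n")
        baseline = build_baseline(root)

        # Post-compromise changes (constructed for the example)
        (root / "uploads" / "shell.php").write_bytes(
            b"<?php @eval(base64_decode($_POST['c'])); ?>\n")
        (root / "index.php").write_bytes(b"<?php echo 'hello'; // defaced\n?>\n")
        return scan_webroot(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:10s} {paths}")
```

In the demo the dropped `uploads/shell.php` is reported both as new and as suspicious, while the edited `index.php` is reported as modified but not suspicious, which is the distinction a responder wants: every change is worth a look, but the content match is what goes to the top of the queue. In production the baseline would be stored off-host and the scan scheduled, since a shell that can rewrite the baseline can hide from it.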

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said.
