North Korea-backed cyber group prying into critical US infrastructure!

A cyber-espionage group backed by North Korea has been sneaking into the vital intellectual property and technical information of the US. The group is a part of North Korea’s foreign intelligence service. From aerospace to defense, engineering companies to nuclear science, the group has been prying into critical infrastructures. Their core purpose is to amplify their North Korean military and nuclear programs. As per the US government, the group targets US healthcare centers and leverages ransomware to financially compensate the campaign.

The CISA (US Cybersecurity and Infrastructure Security Agency), the FBI, and the NSA (National Security Agency) are working together to combat this situation. As per their information, the North Korea-backed group is targeting the USA as well as other countries such as Japan, India, and South Korea.

The key player in this malicious campaign is Rim Jong Hyok. The US government has announced a $10 million reward to anyone who can bring valid information regarding Rim Jong Hyok’s arrest. Rim Jong Hyok is indicted with charges of cyberattacks on US air force bases and NASA.

The North Korean cyber campaign that goes by the name Andariel is eyeing broad and varied information this time. They have been accessing information related to defense departments such as combat ships, self-propelled howitzers, heavy and light tanks, autonomous underwater vehicles, and so on. 

From aerospace companies, Andariel is stealing information pertaining to missiles, fighter aircraft, radars, missile defense systems, nano-satellite, and so on. They are also prying into the nuclear sector for vital information related to material waste, uranium processing, storage, etc. Lastly, from engineering firms, the North Korean cyber group is stealing information such as robotics, shipbuilding, 3D printing, additive printing, etc.

Proper cybersecurity measures are being taken, such as strengthening email authentication, protection against web shells, and remote access protection. 

From Google’s Mandiant to Microsoft, everyone is tracking Andariel. The former believes that the cyber group has been active since 2009. As per the Microsoft team, Andariel has been active since 2014. 

Google Mandiant tracks Andariel as APT45 and has emphasized the group’s increasing ransomware attacks in recent times. Microsoft tracks Andariel as Onyx Sleet and has recently shared an update which focuses on the threat actor’s shift from spear-phishing to leveraging vulnerability exploits in order to gain illegitimate access to critical information of national importance.

As per the US government advisory__, Andariel is actively exploiting vulnerabilities to break into US defense and other critical sectors. As soon as they access a specific network, Andariel threat actors utilize different types of custom tools as well as malware in order to gain remote access, facilitate lateral movement, and eventually steal vital data. The advisory also mentions other tactics and strategies deployed by Andariel in detail. The core idea of releasing the advisory is to enable relevant authorities to take significant precautionary measures and protect critical information. The detailed advisory also contains signs that organizations can look up to in order to ensure that the threat actor is actually lurking on their systems and networks.