WASHINGTON — A group of North Korean hackers is at the center of a global cyber espionage effort to steal classified military information, the FBI announced in a lengthy advisory today alongside other US government agencies and international counterparts.
According to the US-UK-South Korean advisory, Andariel, a purported North Korean state-sponsored cyber group, has targeted defense, aerospace, nuclear and engineering organizations to gain classified technical and intellectual information to “advance the regime’s military and nuclear programs and ambitions.”
“North Korea will continue to actively leverage cyber operations to further the strategic goals of the regime, whether that includes stealing and laundering cryptocurrency or conducting defense industrial espionage to advance their nuclear and conventional military capabilities,” Jenny Jun, a research fellow on the CyberAI Project at the Center for Security and Emerging Technology who specializes in North Korean cyber capabilities, told Breaking Defense in an email.
According to the advisory, the group targeted defense and engineering firms’ computer systems in attempts to gain access to contracts, design drawings, bills of materials and other engineering documents that would divulge information on a variety of systems. These included:
Missile and missile defense systems
Submarines, torpedoes, unmanned underwater vehicles and autonomous underwater vehicles
Self-propelled howitzers
Ammunition supply vehicles
Combat ships and combatant craft
Fighter aircraft and unnamed aerial vehicles
Satellite and satellite communications
Shipbuilding and marine engineering
The advisory did not state which specific firms in which countries have been targeted, though previous media reports have alleged that networks of South Korean defense companies have been breached. The US government separately alleged several US defense firms and military bases had been targeted, including a “US-based defense contractor” whose network was successfully breached in November 2022.
In partnership with @FBI and other U.S and international partners, we released a joint advisory on North Korea state-sponsored cyber group #Andariel with details on their global cyber espionage campaign. Read our advisory for mitigations: https://t.co/UeiowysYcZ pic.twitter.com/p2gEKi33gL
— Cybersecurity and Infrastructure Security Agency (@CISAgov) July 25, 2024
According to Michael Barnhart, a senior researcher at Google cybersecurity subsidiary Mandiant, the cyber thefts appear to have paid off for Pyongyang.
“The missile launches that [North Korea] did in years past, those missile launches, they blew up on the launch pad. They were not good. They were exploding,” Barnhart, Mandiant’s Principal Analyst and North Korea threat-hunting team, told Breaking Defense. “Look at what we’re dealing with now. We have missile launches all the time. We’re seeing them every day. We’re seeing so much that we’ve seen even in open source, that they’re actually, you know, exporting some of their missile technologies to Russia in some of the conflicts there.”
“This is the group that if Kim Jong Un wants something done, something done in-house, ‘Hey, we need a missile program, we need to do this,’ Andariel’s the one to go out and find the blueprints,” he added.
In concert with the FBI advisory, Mandiant released a report today detailing some of Andariel’s purported exploits and upgrading the group, in Mandiant’s eyes, to Advanced Persistent Threat (APT) 45.
Hospital Hacks And An ‘Ongoing Threat’
Today’s tri-government advisory said the US, UK and South Korea “believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide” beyond their own borders, including but not limited to Japan and India.
The advisory says Andariel was behind a series of ransomware attacks on healthcare providers, energy companies and financial institutions globally often using the software Maui. According to the advisory, Andariel funds its espionage operations by targeting this critical infrastructure.
“The benefits of these activities are symbiotic. So without the ability to conduct these ransomware operations and receive payments, other cyber operations conducted by the DPRK would be difficult to continue. So North Korean cyber actors deploying ransomware, it feeds the cyber espionage on behalf of the military and nuclear programs and vice versa,” an FBI official told reporters today.
Alongside the advisory, the US Department of State announced a new, $10 million reward for information leading to the identification of a North Korean national, Rim Jong Hyok, who was indicted by the Justice Department today for alleged links to Andariel and ransomware attacks.
The Rewards for Justice notice said that on one occasion in 2022, Andariel “hacked a U.S.-based defense contractor from which they extracted more than 30 gigabytes of data, including unclassified technical information regarding material used in military aircraft and satellites, much of which was from 2010 or earlier.”
The State Department advisory said investigators “have documented that Andariel actors victimized five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases, and the National Aeronautics and Space Administration’s Office of Inspector General.”