North Korean Operations Highlight Espionage and Ransomware Attack Overlap

Date: July 25, 2024


A North Korea-linked threat actor, APT45, known for its cyber espionage operations, has expanded into financially motivated attacks involving ransomware, distinguishing it from other North Korean hacking groups.  

Google-owned Mandiant has identified APT45, which overlaps with groups like Andariel and Silent Chollima, as a long-running, moderately sophisticated cyber operator active since 2009 and frequently targeting critical infrastructure.

APT45 is part of North Korea's Reconnaissance General Bureau (RGB), along with APT38, APT43, and Lazarus Group. It has deployed ransomware families like SHATTEREDGLASS and Maui against entities in South Korea, Japan, and the U.S. in 2021 and 2022.  

Mandiant suggests that APT45's financially motivated cybercrime supports its operations and generates funds for North Korean state priorities.

APT45's malware arsenal includes Dtrack, used in the 2019 cyberattack on India's Kudankulam Nuclear Power Plant. The group's activities reflect North Korea's geopolitical priorities, shifting from classic cyber espionage against government and defense sectors to targeting healthcare and crop science.  

As North Korea relies increasingly on cyber operations as a national power tool, APT45's operations may indicate the country's changing leadership priorities.

Takeaway: As cyber capabilities evolved into a critical theater of military operations, conventional wisdom held that a significant attack on critical infrastructure would likely be part of a broader strategy that included traditional kinetic warfare.

However, we've observed a significant shift where criminal entities have enhanced their capabilities by adopting techniques previously exclusive to Advanced Persistent Threat (APT) operations, such as the use of zero-day vulnerabilities.  

Increasingly, there is compelling evidence of the convergence between nation-state and cybercriminal tactics, techniques, and procedures (TTPs) as well as shared attack infrastructures.

The current overlap between cybercriminal activities and nation-state-supported operations has created an environment of plausible deniability for the nation-states involved. This convergence is particularly evident in ransomware attacks, where we typically see three distinct models:

  • The Russian Model: Attackers are financially motivated and allowed to profit from their activities, but they also receive direction to target entities that align with Russian geopolitical objectives.
  • The Iranian Model: Less prolific but notable, where ransomware and destructive wipers are employed as diversionary tactics or for general disruption. In many cases, no ransom is demanded, or there is no genuine effort to collect a ransom.
  • The North Korean (DPRK) Model: Here, nation-state ransomware operators conduct attacks aimed both at causing disruption to regional adversaries and generating funds for the financially strapped DPRK.

It's no surprise that DPRK-aligned attackers continue to target critical infrastructure providers. This latest series of attacks underscores the ongoing blurring of lines between nation-state-supported operations and those conducted by cybercriminal elements.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.