This post is also available in:
עברית (Hebrew)
A cybersecurity advisory was issued by the FBI, South Korea, and the UK to alert of cyber espionage activities linked to the RGB 3rd Bureau of the Democratic People’s Republic of Korea (DPRK).
The RGB 3rd Bureau includes a state-sponsored cyber group known as Andariel, Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The FBI reports that the group mainly targets defense, aerospace, nuclear, and engineering entities worldwide to obtain sensitive and classified technical information to advance the DPRK’s military and nuclear programs and ambitions. The group and its cyber techniques reportedly pose a continuous threat to various industry sectors worldwide.
According to Interesting Engineering, the malicious actors finance their spying activities by performing ransomware operations against US healthcare organizations. They first gain access by exploiting web servers using known vulnerabilities in software to deploy a web shell and access sensitive information and applications. The actors then establish persistence using Scheduled Tasks and perform privilege escalation using common credential-stealing tools such as Mimikatz. They then use custom malware implants and remote access tools (RATs) for execution, lateral movement, and data exfiltration, as well as conducting phishing activity using malicious attachments.
In its statement, the FBI encouraged critical infrastructure organizations to apply vulnerability patches, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections as quickly as possible.
It seems the malicious actors are currently focusing on sensitive military information and intellectual property of defense, aerospace, nuclear, and engineering organizations. areas of interest are heavy and light tanks, self-propelled howitzers, light strike vehicles, ammunition supply vehicles, littoral combat ships, combatant craft, submarines, torpedoes, unmanned underwater vehicles, and autonomous underwater vehicles.
The hackers also tried getting nuclear information like details on uranium processing and enrichment, waste and storage of materials, nuclear power plants, government nuclear facilities, and research institutes. These activities could also risk shipbuilding, marine engineering, robot machinery, additive manufacturing, 3D printing, casting, fabrication, high-heat metal molding, rubber and plastic molding, machining processes, and technology.
