The FBI and its international partners have confirmed the identity of a North Korean hacking group with an appetite for naval technology, among other defense-related information.
The state-sponsored cyber group Andariel (also known to cyber experts as Onyx Sleet, DarkSeoul, Silent Chollima, Stonefly/Clasiopa and APT45) is a division of the North Korean military's Reconnaissance General Bureau, based in the cities of Pyongyang and Sinuiju. From their desks in North Korea, these hackers launch commercially motivated attacks on U.S. health care providers, using ransomware to extort money, according to the FBI. That money is used to fund their covert spying operations, such as hacking into and extracting classified technical information on weapons systems and dual-use technologies.
Andariel's hacking targets include technical data on littoral combat ships, according to the FBI's release. The group's other naval technology priorities include sensitive engineering information on submarines, torpedoes, unmanned underwater vehicles (UUVs), autonomous underwater vehicles (AUVs) and phased-array radar. The group has also tried to steal shipbuilding technology and advanced machining/industrial manufacturing techniques.
More troublingly, Andariel has tried to steal technology for refining uranium, a key priority for North Korea's nuclear-weapons program, and information about missile design and missile defense. Its activities could help explain North Korea's rapid advances in ballistic missile technology over the past several years.
The FBI and its partner agencies reminded critical infrastructure organizations to take basic security precautions to defend against groups like Andariel, such as applying software patches and monitoring networked equipment for malicious activity.
"The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programs," said Paul Chichester, the UK National Cyber Security Centre's Director of Operations. "It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse."
According to cybersecurity firm Mandiant, which played a role in investigating Andariel, the North Korean group has been active in "moderately sophisticated" cyber espionage since at least 2009. The group uses derivatives of known North Korean malware to carry out its attacks, and it is the most active North Korean threat actor in targeting critical infrastructure, including "nuclear-related entities" such as India's Kudankulam Nuclear Power Plant. Since 2017, it has had a stronger focus on the defense industry.
The FBI has put one of Andariel's leaders on its list of most-wanted criminal suspects. Rim Jong Hyok stands accused of money laundering and cyber espionage, and the FBI is offering a reward of up to $10 million for information leading to his arrest. According to the agency, Rim used ransomware to target U.S. hospitals and health care organizations, then "extort ransoms, launder the proceeds, and purchase additional internet servers to conduct cyber espionage hacks against government and technology victims in the United States, South Korea, and China."