
North Korean cyber organizations conduct global cyber espionage activities targeting military and nuclear programs.

Based on the joint multinational cybersecurity advisory, this analysis examines the tactics, techniques, and procedures of the cyber organization operating under the Third Bureau of North Korea's Reconnaissance General Bureau, as well as the persistent threat it poses to the global defense, aerospace, nuclear, and engineering sectors.

Detail

Published

22/12/2025

Key Chapter Titles

  1. Reconnaissance General Bureau Third Bureau: Overview of the Andariel Cyber Organization
  2. Cyber Espionage Targets and Victim Analysis
  3. Ransomware as a Funding Means for Espionage Activities
  4. Technical Details of Malicious Cyber Espionage Activities
  5. Indicators of Compromise
  6. Detection Methods: YARA Rules
  7. Mitigation Measures
  8. Appendix: MITRE ATT&CK Technique Mapping

Document Introduction

This report is based on a joint cybersecurity advisory report released on July 25, 2024, by the U.S. Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, Department of Defense Cyber Crime Center, U.S. Cyber National Mission Force, as well as South Korea's National Intelligence Service, National Police Agency, and the United Kingdom's National Cyber Security Centre. The report systematically discloses cyber espionage activities associated with the Third Bureau of the Reconnaissance General Bureau of the Democratic People's Republic of Korea, which encompasses multiple publicly known cyber organizations such as Andariel, Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa.

The report indicates that these state-sponsored attackers primarily target entities in the defense, aerospace, nuclear energy, and engineering sectors worldwide, aiming to steal sensitive technical information, intellectual property, and confidential materials to advance the North Korean regime's military and nuclear programs. Their attack targets cover numerous critical dual-use technology areas, including heavy/light tanks, self-propelled artillery, fighter jets, drones, missile defense systems, satellite technology, uranium processing facilities, shipbuilding, robotics, and 3D printing. Analysis suggests that fulfilling the collection requirements for Pyongyang's nuclear and defense projects is one of the organization's primary responsibilities.

At the tactical level, the attackers gain initial access by exploiting known vulnerabilities in public-facing web servers at scale (Log4Shell and the other CVEs listed in the advisory) to deploy web shells. They then perform system discovery and enumeration, establish persistence through scheduled tasks, and use credential-theft tools such as Mimikatz for privilege escalation. The attack chain also includes deploying custom malware implants, remote access tools, and open-source tools for command execution, lateral movement, and data exfiltration. In addition, the organization funds its espionage activities through ransomware attacks against U.S. healthcare entities.

The report provides detailed Indicators of Compromise (IOCs), including MD5 and SHA-256 hashes for hundreds of malware samples, user agent strings used by the attackers, and YARA detection rules created by the FBI and its partners to identify various malware families used by the Andariel organization, such as KaosRAT, Yamabot, LilithRAT, TigerRAT, and tools packed with VMProtect and Themida, among others.

Finally, the report offers a series of mitigation recommendations for critical infrastructure organizations, including timely vulnerability patching, hardening web servers against web shell deployment, monitoring endpoints for malicious activity, strengthening authentication and remote access protection, and remaining vigilant about the use of dual-use tools. The report encourages victims to report suspicious activity to the relevant authorities and notes that the U.S. Department of State's "Rewards for Justice" program may offer rewards of up to $10 million for information on illicit North Korean cyber activity. This report provides authoritative, in-depth technical and strategic analysis of North Korean state-level cyber threats for researchers and practitioners in the fields of defense, cybersecurity, and international relations.