The UK’s National Cyber Security Centre (NCSC), which is a part of Government Communications Headquarters (GCHQ), has issued a new advisory along with partners in the United States and the Republic of Korea which reveals that a cyber threat group called Andariel has been compromising organizations globally to steal sensitive and classified technical information as well as intellectual property data.
The NCSC has assessed that Andariel is a part of DPRK’s Reconnaissance General Bureau (RGB) 3rd Bureau, and their malicious cyber activities pose an ongoing threat to critical infrastructure organizations globally.
The cyber actors have primarily targeted defence, aerospace, nuclear, and engineering entities. They have also targeted organizations in the medical and energy sectors to a lesser extent, in order to obtain information such as contract specifications, design drawings, and project details.
Additionally, Andariel has launched ransomware attacks against US healthcare organizations to extort payments and fund further espionage activity.
This advisory shares technical details and mitigation advice to help defend against the actors who have been seen exploiting known vulnerabilities to access victims’ systems before deploying malware and other tools to maintain persistence, evade detection, and exfiltrate data.
Paul Chichester, NCSC Director of Operations, said: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes.”
“It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”
“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”
The advisory describes how Andariel has changed its operations from carrying out destructive attacks on US and South Korean organizations to conducting specialized cyber espionage and ransomware attacks. It warns that in some instances, the actors have been seen launching ransomware attacks and espionage operations on the same day and using both activities against the same victim.
The advisory has been co-sealed by the NCSC, the US Federal Bureau of Investigation (FBI), the US Cyber National Mission Force (CNMF), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Department of Defense Cyber Crime Center (DC3), the US National Security Agency (NSA), the Republic of Korea’s National Intelligence Service (NIS), and the Republic of Korea’s National Police Agency (NPA).
