North Korean state-backed hackers have mounted a campaign to obtain secrets relating to nuclear materials, military drones, submarines and shipbuilding in the UK and US, as intelligence agencies warned of a “global cyber espionage campaign” targeting sensitive industries.
A joint statement from the United States, the United Kingdom and South Korea warned that the Democratic People’s Republic of Korea (DPRK) was using state-backed attackers to advance the regime’s military and nuclear ambitions. It added that Japan and India had also been targeted.
Hackers have targeted sensitive military information and intellectual property in four main areas: nuclear, defense, aerospace and engineering. The attackers, working for a group called Andariel, have also attempted to obtain secrets from the medical and energy industries.
Paul Chichester, director of operations at the National Cyber Security Centre (NCSC), said: “The global cyber espionage operation we have exposed today shows the lengths to which DPRK-sponsored state actors are prepared to go to advance their military and nuclear programmes.”
The NCSC said Andariel had been “compromising organisations around the world to steal sensitive and classified technical information and intellectual property data”.
The NCSC believes that Andariel is part of the DPRK’s Reconnaissance General Bureau (RGB) and that the group’s malicious cyber activities pose an ongoing threat to critical infrastructure organizations globally.
The information targeted by the hackers includes data related to tanks, torpedoes, fighter jets, satellites, government nuclear facilities, nuclear power plants, robots and 3D printing, according to the NCSC. The countries targeted include the United States, the United Kingdom, South Korea, India and Japan.
Intelligence agencies said Andariel was funding its espionage campaign by launching ransomware attacks against the U.S. healthcare sector. They said the attackers were likely identifying vulnerable systems using publicly available internet scanning tools.
Chichester said: “This should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.
“The NCSC, along with our US and Korean partners, strongly encourages cyber defenders to follow the guidelines set out in this advisory to ensure they have robust protections in place to prevent this malicious activity.”
The advisory describes how Andariel has evolved from destructive attacks against US and South Korean organizations to carrying out specialized cyber espionage and ransomware attacks.
In some cases, hackers carried out ransomware attacks and cyber espionage operations on the same day against the same victim.
The US State Department has offered a reward of up to $10m (£7.8m) for information on Rim Jong Hyok, who it said was associated with Andariel. The department said Rim and others conspired to carry out ransomware attacks against US hospitals and other healthcare providers to fund their operations against government agencies and defence companies.
U.S. law enforcement believes Andariel targeted five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases and NASA’s inspector general’s office. In an operation that began in November 2022, the hackers accessed a U.S. defense contractor from which they extracted more than 30 gigabytes of data, including unclassified technical information about equipment used in military aircraft and satellites.
Unlike most other state actors, North Korea’s motivations in cyber warfare appear divided between conventional military and national security objectives and financial advantage.
In the last six years, According to a UN reportKorean hackers have been involved in nearly 60 cyberattacks on cryptocurrency-related companies alone, stealing an estimated $3 billion. One attack alone, against cryptocurrency exchange platform Poloniex, seized more than $110 million. “The key tasks of these cyber threat actors are to obtain information of value to the Democratic People’s Republic of Korea and generate illicit revenue for the country,” the report concluded. The hackers used every method they could to obtain cash funds, including “spearphishing, vulnerability exploitation, social engineering, and watering holes.”
The most damaging single attack linked to North Korea’s cyber military was the WannaCry “ransomworm” in 2017. The US and UK formally accused North Korea of developing the virus, something the country denied. Although it appeared to be ransomware, WannaCry’s payment infrastructure was not linked to anything, and the virus, which disabled machines around the world and significantly hampered the NHS, raised just over $55,000.
