US and South Korean agencies have issued a joint cybersecurity advisory describing the tactics, techniques and procedures used by North Korean hackers to deploy “state-sponsored” ransomware on hospitals and other organizations that can be considered part of the countries’ critical infrastructure.
“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,” the advisory points out.
Simultaneously, South Korea imposed sanctions on four North Korean individuals and seven entities for their involvement in these and other state-sanctioned cybercrimes, the proceeds of which are used to fund North Korean nuclear and military programs.
The attackers’ TTPs
These North Korean threat actors generate domains, personas, and accounts and pay for them with stolen cryptocurrency or cryptocurrency received as ransom for encrypted data, the agencies say.
They “purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments,” and “use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from the Democratic People’s Republic of Korea.”
Operational mistakes occasionally give them away: in a recently documented campaign against public and private sector research organizations, the medical research sector and the energy sector, for example, researchers found one of the attackers’ webshells being accessed from a North Korean state internet IP address.
“We suspect that this was an opsec fail at the start of their workday. There are VERY few IP addresses in North Korea, and they are directly controlled by the government,” noted Mikko Hyppönen, Chief Research Officer at WithSecure.
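Because the DPRK’s directly allocated address space is so small, a connection from it to a web server is itself a high-signal indicator. The following is an added example, not code from the advisory or from WithSecure: it parses common-log-format access log lines, flags every request that originates from the 175.45.176.0/22 block (the Star Joint Venture allocation, the only range this example hard-codes; third-country transit ranges that carry DPRK traffic are omitted), and marks those that hit a known webshell path. The log lines are constructed for the example and the webshell paths are hypothetical placeholders for what an incident responder would seed from their own findings.

```python
import ipaddress
import re

# Address space directly allocated to the DPRK (Star Joint Venture, APNIC).
# This is the only range hard-coded here; third-country ranges that route
# DPRK traffic are deliberately left out and would be added from threat intel.
DPRK_NETS = [ipaddress.ip_network("175.45.176.0/22")]

# Hypothetical webshell paths; in a real case these come from the IR findings.
WEBSHELL_PATHS = {"/uploads/cmd.aspx", "/images/help.php"}

# Common log format: client IP, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_dprk_ip(ip: str) -> bool:
    """True if the string is a valid IP inside a DPRK-allocated network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Malformed client field (proxy garbage, IPv6 with zone, etc.): not a match.
        return False
    return any(addr in net for net in DPRK_NETS)


def find_dprk_requests(log_lines, webshell_paths=WEBSHELL_PATHS):
    """Return every parsed request from DPRK space, tagging known webshell paths.

    Lines that do not parse are skipped rather than raising, so the function
    can be run over a raw log file without pre-cleaning.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_dprk_ip(m.group("ip")):
            continue
        # Strip the query string so "/cmd.aspx?cmd=whoami" matches "/cmd.aspx".
        path = m.group("path").split("?", 1)[0]
        hits.append(
            {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
                "webshell": path in webshell_paths,
            }
        )
    return hits


# Constructed sample log: a VPS (TEST-NET-3) hitting the webshell, then the
# "start of the workday" slip from a DPRK address, then ordinary browsing from
# the same DPRK address, then a malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2023:09:01:12 +0900] "POST /uploads/cmd.aspx?cmd=whoami HTTP/1.1" 200 512',
    '175.45.176.71 - - [02/Feb/2023:09:03:45 +0900] "POST /uploads/cmd.aspx HTTP/1.1" 200 1280',
    '175.45.176.71 - - [02/Feb/2023:09:04:10 +0900] "GET /index.html HTTP/1.1" 200 4096',
    "this line is not an access log entry",
]

if __name__ == "__main__":
    for hit in find_dprk_requests(SAMPLE_LOG):
        tag = "WEBSHELL" if hit["webshell"] else "other"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} [{tag}]')
```

The VPS request to the webshell is not flagged by this check: it is the kind of traffic the advisory says the actors normally produce, and catching it needs the webshell paths themselves as indicators. What the DPRK-range match adds is the rare slip that ties that webshell activity to its true origin, so both rows from 175.45.176.71 are worth keeping, not only the one that touches a webshell.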
The North Korean hackers exploit a variety of vulnerabilities to gain initial access to targets’ systems, including Log4Shell (CVE-2021-44228) and vulnerabilities in SonicWall appliances. They also use trojanized software and customized malware to perform reconnaissance, deploy either privately developed or publicly available ransomware (and occasionally impersonate other known ransomware groups), and demand ransom in cryptocurrency.
“Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid,” the agencies say. To help defenders, the advisory contains mitigation advice and indicators of compromise.
Mandiant Threat Intelligence head John Hultquist noted on Thursday that several hospitals have had to weather major disruptions due to this North Korean campaign, and that much of this activity has been obscured because “hospitals pay or quietly repair and few report.”
“The North Koreans hide their hand by pretending to be known criminal ransomware actors. Without attribution and public attention this problem won’t go away,” he added.