North Korean hackers have conducted a global cyber espionage campaign in efforts to steal classified military secrets to support Pyongyang’s banned nuclear weapons programme, the United States, Britain and South Korea said in a joint advisory.
The hackers, dubbed Anadriel or APT45 by cybersecurity researchers, are believed to be part of North Korea’s intelligence agency known as the Reconnaissance General Bureau, an entity sanctioned by the US in 2015.
The cyber unit has targeted or breached computer systems at a broad variety of defence or engineering firms, including manufacturers of tanks, submarines, naval vessels, fighter aircraft, and missile and radar systems, the advisory said.
Victims in the US have also included the National Aeronautics and Space Administration (NASA), Randolph Air Force Base in Texas and Robins Air Force Base in Georgia, FBI and US Justice Department officials said.
In the February 2022 targeting of NASA, the hackers used a malware script to gain unauthorised access to its computer system for three months, US prosecutors allege. Over 17 gigabytes of unclassified data were extracted.
“The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India,” the advisory said.
Internationally isolated North Korea, known formally as the Democratic People’s Republic of Korea (DPRK), has a long history of using covert hacking teams to steal sensitive military information.
To fund their operations, the hackers used ransomware to target US hospitals and healthcare companies, US officials allege.
The US Justice Department said it had charged one suspect, Rim Jong Hyok, for conspiring to access computer networks in the United States and money laundering.
One of the ransomware incidents that Rim is charged with involved a May 2021 hack against a Kansas-based hospital that paid ransom after the hackers encrypted four of its computer servers.
The hospital paid in bitcoin, which was transferred to a Chinese bank and then withdrawn from an ATM in Dandong, China, next to the Sino-Korean Friendship Bridge which connects the city to Sinuiju, North Korea, the indictment said.
The FBI said it is offering a reward of up to US$10 million ($15.3 million) for information that would lead to Rim’s arrest. He is believed to be in North Korea.
FBI and Justice Department officials told reporters they have seized some of the online accounts belonging to the hackers, including US$600,000 in virtual currency that will be returned to victims of the ransomware attacks.
“The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes,” said Paul Chichester at Britain’s National Cyber Security Centre, part of the country’s GCHQ spy agency.
In August last year, Reuters exclusively reported that an elite group of North Korean hackers had successfully breached systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.
As was the case with that hack, APT45 – part of North Korea’s Reconnaissance General Bureau intelligence agency – used common phishing techniques and computer exploits to trick officials at the firms they were targeting into giving away access to their internal computer systems, this week’s advisory said.