Symantec’s Threat Hunter Team revealed this week that a notorious North Korean advanced persistent threat (APT) known as “Stonefly” has shifted its focus towards targeting private companies in the US with the aim of financial gain. This state-sponsored group, also identified as Andariel, APT45, Silent Chollima, and Onyx Sleet, is defying an indictment and a $10 million reward from the US Department of Justice (DoJ) as it seeks to bolster funds for the Kim Jong-Un regime.
The recent attacks orchestrated by Stonefly, which is associated with North Korea’s Reconnaissance General Bureau (RGB), targeted three organizations in the US during August, shortly after the DoJ crackdown on the group. The victims of these attacks did not possess any apparent intelligence value and were likely being primed for a ransomware assault. Fortunately, these intrusions were detected before they could fully materialize.
Symantec researchers emphasized that the group’s shift towards financial gain is a new development, since securing foreign currency for the regime has typically been the work of other North Korean APTs. In the past, Stonefly targeted healthcare providers, including hospitals, during the pandemic, drawing attention from the DoJ. The group is also known for pursuing high-value espionage targets such as US Air Force bases, NASA’s Office of Inspector General, and government entities in China, South Korea, and Taiwan.
According to Symantec’s analysis, Stonefly’s focus has primarily shifted towards espionage operations against specific, high-value targets since at least 2019. The group specializes in targeting organizations that harbor classified or highly sensitive information and intellectual property. Previously, Stonefly had not been involved in financially motivated attacks.
With its altered focus on extracting funds from commercial entities, it is imperative for businesses to familiarize themselves with Stonefly’s indicators of compromise (IoCs) to mitigate potential ransomware attacks. Although no ransomware was deployed in the August incidents, Stonefly managed to introduce numerous tools from its arsenal before being intercepted.
During the attacks, Stonefly deployed custom malware dubbed Backdoor.Preft (also known as Dtrack or Valefor) along with a fake Tableau certificate highlighted by Microsoft. The attackers also utilized two other certificates unique to this campaign. Additionally, the group’s toolkit included a variety of malicious tools such as Nukebot, Mimikatz, keyloggers, the Sliver penetration testing framework, the PuTTY SSH client, Plink, Megatools, and FastReverseProxy.
The evolving tactics of Stonefly underscore the ongoing threat posed by North Korean APTs to cybersecurity and national security interests. As private companies in the US increasingly become targets for financial exploitation, it is crucial for organizations to enhance their cyber defenses and remain vigilant against sophisticated threat actors like Stonefly.
