CyberSecurity SEE

North Korean hackers set stage for Play ransomware

North Korean state-sponsored hackers, known by various aliases such as Jumpy Pisces, Andariel, and Onyx Sleet, have recently been identified infiltrating enterprise systems and collaborating with the Play ransomware group. This discovery was made by cybersecurity experts at Palo Alto Networks’ Unit 42 during an investigation in September 2024.

The investigation revealed a sophisticated attack pattern employed by the North Korean hackers. They gained initial access to a host using a compromised user account, then spread laterally to other hosts over the SMB protocol. To maintain persistence, they used a tool called Sliver (an alternative to Cobalt Strike) and attempted to install DTrack, a custom malware that was fortunately blocked by the endpoint detection and response (EDR) system. Additionally, the hackers collected system and network configurations, established Remote Desktop Protocol (RDP) sessions on victim machines, and employed tools like Mimikatz and a trojanized binary to extract credential logs and steal sensitive information such as browser history, autofill data, and credit card details.
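The pattern described above (one compromised account, SMB lateral movement to several hosts, then RDP sessions) leaves a characteristic footprint in Windows logon auditing. The following is an added detection example, not code from the article or from Unit 42: it correlates constructed logon records modelled on Windows Security event 4624 (successful logon), where logon type 3 is a network logon such as SMB access and logon type 10 is an RDP session, and flags accounts that fan out to many hosts in a short window. Host names, user names, addresses and timestamps are all made up for the example, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), loosely modelled on Windows
# Security event 4624. logon_type 3 = network logon (what SMB access produces),
# logon_type 10 = RemoteInteractive (RDP). Hosts, users and times are invented.
SAMPLE_EVENTS = [
    {"time": "2024-09-10T01:02:00", "host": "FS01",  "event_id": 4624, "logon_type": 3,  "user": "jdoe",       "src_ip": "10.0.0.5"},
    {"time": "2024-09-10T01:10:00", "host": "APP02", "event_id": 4624, "logon_type": 3,  "user": "jdoe",       "src_ip": "10.0.0.5"},
    {"time": "2024-09-10T01:25:00", "host": "DC01",  "event_id": 4624, "logon_type": 3,  "user": "jdoe",       "src_ip": "10.0.0.5"},
    {"time": "2024-09-10T01:40:00", "host": "WS07",  "event_id": 4624, "logon_type": 3,  "user": "jdoe",       "src_ip": "10.0.0.5"},
    {"time": "2024-09-10T01:50:00", "host": "APP02", "event_id": 4624, "logon_type": 10, "user": "jdoe",       "src_ip": "10.0.0.5"},
    # A backup service account touching two file servers hours apart: normal.
    {"time": "2024-09-10T00:00:00", "host": "FS01",  "event_id": 4624, "logon_type": 3,  "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"time": "2024-09-10T06:00:00", "host": "FS02",  "event_id": 4624, "logon_type": 3,  "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"time": "2024-09-10T12:00:00", "host": "FS01",  "event_id": 4624, "logon_type": 3,  "user": "svc_backup", "src_ip": "10.0.0.9"},
    # An ordinary user with one share access and one RDP session: normal.
    {"time": "2024-09-10T08:15:00", "host": "FS01",  "event_id": 4624, "logon_type": 3,  "user": "alice",      "src_ip": "10.0.1.20"},
    {"time": "2024-09-10T08:20:00", "host": "WS03",  "event_id": 4624, "logon_type": 10, "user": "alice",      "src_ip": "10.0.1.20"},
]


def parse_time(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def find_smb_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """Return {user: sorted hosts} for accounts whose successful network logons
    (event 4624, logon type 3) reached at least `min_hosts` distinct hosts within
    some interval of length `window`. This is the SMB lateral-movement signal."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append((parse_time(e["time"]), e["host"]))

    flagged = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so each window can be scanned forward
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def rdp_hosts(events, user):
    """Hosts on which `user` opened an RDP session (event 4624, logon type 10)."""
    return sorted({e["host"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 10 and e["user"] == user})


def triage(events, window=timedelta(hours=1), min_hosts=3):
    """Combine both signals: accounts fanning out over SMB, enriched with any
    RDP sessions the same account opened. One entry per flagged account."""
    findings = []
    for user, smb in find_smb_fanout(events, window, min_hosts).items():
        findings.append({"user": user, "smb_hosts": smb, "rdp_hosts": rdp_hosts(events, user)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['user']}: SMB fan-out to {f['smb_hosts']}, RDP on {f['rdp_hosts']}")
```

Against the constructed sample only `jdoe` is flagged: four network logons to distinct hosts inside an hour, followed by an RDP session to one of them. The service account that touches two servers hours apart and the user with one share access and one RDP session stay below the threshold, which is the kind of baseline an analyst would check before alerting on this heuristic in production.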

According to the Unit 42 researchers, the North Korean hackers seemed to be working in conjunction with the Play ransomware group. The attackers used the same compromised user account for entry, terminated Sliver C2 communication just prior to deploying the ransomware, and exhibited specific tactics, techniques, and procedures (TTPs) that indicated a level of cooperation between the two entities. However, it remains unclear whether Jumpy Pisces has officially become an affiliate of Play ransomware or simply acted as an initial access broker.

This incident is not an isolated case of state-sponsored hackers collaborating with ransomware groups. Earlier in the year, US security agencies raised concerns about Pioneer Kitten, an Iranian cyber espionage group, assisting ransomware affiliates by providing initial access and facilitation for encryption operations in exchange for a percentage of ransom payments. Furthermore, Microsoft’s recent Digital Defense Report highlighted the increasingly blurred lines between nation-state and cybercriminal threat activities, with North Korean, Russian, and Iranian hackers resorting to ransomware attacks for personal and state financial gain.

As these malicious activities continue to evolve and intertwine, cybersecurity experts emphasize the importance of heightened vigilance and proactive defense measures. The trend of state-sponsored hackers partnering with ransomware groups signifies a new level of sophistication in cyber threats, requiring organizations to remain vigilant and prepared to defend against such collaborative attacks on a global scale.
