Play ransomware attack linked to North Korean cyber group

In a recent report published by Palo Alto Networks’ Unit 42, a North Korean nation-state actor known as Jumpy Pisces has been identified as collaborating with the Play ransomware gang, marking a concerning trend in the cybersecurity landscape.

The report sheds light on the changing dynamics between nation-state actors and financially motivated cybercriminals. While countries like Russia, Iran, and North Korea have been known to leverage cybercriminal tools for their own purposes, the collaboration between Jumpy Pisces and Play is particularly noteworthy. Historically, North Korea has used ransomware and cryptocurrency theft to fund military operations, but partnering with an independent criminal enterprise like Play is a new development.

According to Unit 42’s research, Jumpy Pisces, a state-sponsored actor affiliated with North Korea’s Reconnaissance General Bureau, worked with Play, a cybercrime gang first observed in 2022, to deploy ransomware against a victim. The incident was tracked by Palo Alto researchers as part of incident response services for a client, revealing that Jumpy Pisces gained initial access in May through a compromised user account and deployed Play ransomware in September.

The technical details of the attack show that Jumpy Pisces used the open-source command-and-control framework Sliver, as well as custom malware like DTrack and a modified version of Mimikatz. The link between Jumpy Pisces and Play was drawn from several factors, including shared compromised accounts, similar tactics, techniques, and procedures, and continuous communication leading up to the ransomware deployment.

While the exact nature of the relationship between Jumpy Pisces and Play remains unclear, the incident marks a significant shift in tactics for the North Korean threat group. Whether Jumpy Pisces acted as an affiliate for Play or simply provided initial access, the collaboration is a troubling development in the cybersecurity landscape. This unprecedented alliance could pave the way for more widespread and damaging ransomware attacks on a global scale.

Unit 42 emphasized the importance of this incident and its implications for future cyber threats. As the first recorded collaboration between a North Korean state-sponsored group and an underground ransomware network, this event underscores the evolving nature of cyber warfare and the need for heightened security measures.

TechTarget Editorial has reached out to Unit 42 for further insights on the matter, highlighting the significance of this collaboration in the ongoing battle against cyber threats. As cybersecurity experts continue to monitor and assess these emerging trends, it is clear that collaboration between nation-state actors and cybercriminals presents a new and formidable challenge in the fight against cyber attacks.

In conclusion, the partnership between Jumpy Pisces and Play serves as a stark reminder of the evolving cybersecurity landscape and the need for vigilance in the face of increasingly sophisticated cyber threats. As technology continues to advance, it is crucial for organizations and security professionals to stay informed and prepared to defend against emerging threats in order to safeguard critical systems and data from malicious actors.
