NCSC issues warning over North Korean state-sponsored cyber campaign

As a result, the National Cyber Security Centre has issued a new advisory alongside partners in the United States which reveals how a cyber threat group known as Andariel has been compromising organisations around the world in a determined bid to steal sensitive and classified technical information and intellectual property data.

The National Cyber Security Centre assesses that Andariel is a part of the Democratic People’s Republic of Korea’s Reconnaissance General Bureau 3^rd Bureau and that the group’s malicious cyber activities pose an ongoing threat to critical infrastructure organisations globally.  

The cyber actors have primarily targeted defence, aerospace, nuclear and engineering entities, while focusing on organisations in the medical and energy sectors to a lesser extent, in order to obtain information such as contract specification, design drawings and project details.

As part of its operations, Andariel has also launched ransomware attacks against US healthcare organisations in order to extort payments and fund further espionage activity.

The National Cyber Security Centre’s advisory shares technical details and mitigation advice to help defend against the actors who’ve been seen exploiting known vulnerabilities to access victims’ systems before deploying malware and other tools to maintain persistence, evade detection and exfiltrate data.

Protecting sensitive information  

Paul Chichester, director of operations at the National Cyber Security Centre, explained: “The global cyber espionage operation that we’ve exposed shows the lengths that the Democratic People’s Republic of Korea state-sponsored actors are willing to go to in pursuit of their military and nuclear programmes.”

Chichester added: “It should also remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”

“Alongside our US and Korean partners, the National Cyber Security Centre strongly encourages network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place that will prevent this malicious activity.”

The advisory outlines how Andariel has evolved its operations from conducting destructive attacks targeting organisations in the US and South Korea to carry out specialised cyber espionage and ransomware attacks.

Further, the advisory warns that, in some cases, the actors have even been observed launching ransomware attacks and espionage operations on the same day and leveraging both activities against the same victim.

The advisory has been co-sealed by the National Cyber Security Centre, the US Federal Bureau of Investigation (FBI), the US Cyber National Mission Force, the US Cyber Security and Infrastructure Security Agency, the US Department of Defence Cyber Crime Centre, the US National Security Agency, the Republic of Korea’s National Intelligence Service and the Republic of Korea’s National Police Agency.

*Copies of the advisory can be read on the FBI’s website at https://www.ic3.gov/Media/News/2024/240725.pdf