Moonstone Sleet: A New North Korean Threat Actor
Microsoft discovered a new North Korean threat actor, Moonstone Sleet (formerly Storm-1789), which targets companies for financial gain and cyber espionage using a combination of tried-and-true techniques shared with other North Korean threat actors and its own unique attack methodologies.
Moonstone Sleet has been observed setting up fake companies and job opportunities to engage with potential targets, distributing trojanized copies of legitimate tools, developing a fully functional malicious game, and delivering new custom ransomware.
About Moonstone Sleet
Moonstone Sleet is the threat actor behind a series of malicious activities that Microsoft assesses to be North Korean state-aligned. It combines tried-and-true techniques used by other North Korean threat actors with novel attack methodologies.
When Microsoft first discovered Moonstone Sleet activity, the actor showed strong similarities to Diamond Sleet, reusing code from known Diamond Sleet malware such as Comebacker and employing well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software.
However, Moonstone Sleet swiftly adopted its own unique infrastructure and attacks. Microsoft has since observed Moonstone Sleet and Diamond Sleet operating concurrently, with Diamond Sleet continuing to use much of its well-known, established tradecraft.
Moonstone Sleet runs a diverse set of operations that serve its financial and cyber espionage goals. These include delivering custom ransomware, building a malicious game, establishing fake companies, and employing IT personnel.
Why should organizations be concerned?
Moonstone Sleet’s emergence highlights the need for organizations to remain vigilant. Here’s why:
- Financial Gain: Moonstone Sleet primarily targets financial institutions, seeking monetary gain through cybercrime. Its deceptive tactics make it difficult to detect a compromise before damage is done.
- Cyber Espionage: Beyond financial motives, Moonstone Sleet also conducts cyber espionage, aiming to steal sensitive data, trade secrets, and intellectual property, which poses a significant risk to organizations.
- Overlapping TTPs: Moonstone Sleet’s TTPs overlap with other North Korean threat actors. Organizations must recognize these patterns and enhance their defenses accordingly.
Defending against Moonstone Sleet
- User Awareness: Educate employees about the risks of downloading files from unverified sources. Encourage skepticism when encountering job offers or software downloads.
- Network Segmentation: Implement network segmentation to limit lateral movement within the organization. Isolate critical systems from less secure areas.
- Behavioral Analytics: Use behavioral analytics to detect anomalous activity, and monitor for indicators of trojanized tools or suspicious game downloads.
- Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Stay informed about emerging threat actors and their TTPs.