
Mandiant: North Korean Hackers Are Targeting Naval Tech


Google Cloud's Mandiant has elevated Andariel, also tracked as Onyx Sleet, Plutonium, and Silent Chollima, to a formally designated advanced persistent threat (APT) group, APT45, warning that it is targeting highly sensitive nuclear secrets and technology as North Korea pursues its nuclear weapons programme.

APT45, active since 2009 and possibly linked to the Lazarus hacking operation, is described as moderately sophisticated in both scope and tooling. Like many North Korean groups, one of its main objectives has been to steal money for the failing, isolated regime: Mandiant assesses that it is most likely controlled by the Reconnaissance General Bureau (RGB) 3rd Bureau and that it began as a financially motivated operator.

What sets it apart from other groups is its suspected development and use of ransomware. Mandiant has seen indications that APT45 clusters have deployed the Maui and Shatteredglass ransomware families, although it has not been able to confirm this with high confidence. What is clearer is that APT45's interest has recently broadened into fields such as crop science, healthcare, and pharmaceuticals, while much of its effort remains devoted to military matters, according to Mandiant.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world,” stated Mandiant principal analyst Michael Barnhart. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.” 

APT45's operations combine publicly available hacking tools with modified and custom malware families. Its toolset appears distinct from those of other North Korean APTs, although its malware shares some traits with theirs, such as reused code, distinctive custom encoding schemes, and shared passwords.

FBI operation 

Over the last few weeks, Mandiant has been "actively engaged" in an organised effort, operating alongside the FBI and other US agencies, to monitor APT45's efforts to gather defence and research intelligence from the US and other nations, including the UK, France, Germany, and South Korea, as well as Brazil, India, and Nigeria.

APT45 is believed to have targeted heavy and light tanks; self-propelled howitzers; light strike and ammunition supply vehicles; littoral combat ships and combatant craft; submarines, torpedoes, and unmanned and autonomous underwater vehicles; modelling and simulation technology; fighter aircraft and drones; missiles and missile defence systems; satellites, satellite communications, and related technology; surveillance and phased-array radar systems; and manufacturing, including shipbuilding, robotics, 3D printing, casting, fabrication, moulding of metal, plastics and rubber, and machining processes. More worrying, the group has also gone after nuclear facilities and research, including nuclear power plants, waste storage, and uranium enrichment and processing.

“APT45 isn’t bound by ethical considerations and has demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals,” added Barnhart. “A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”

U.S. Treasury Sanctions Eight Foreign-Based Agents and North Korean Kimsuky Attackers


The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury recently announced that it has sanctioned the cyberespionage group Kimsuky, also known as APT43, for gathering intelligence on behalf of the Democratic People's Republic of Korea (DPRK).

The sanctions were formally imposed in response to North Korea's launch of a military reconnaissance satellite on Nov. 21, but they are also intended to deprive the DPRK of the revenue, materials, and intelligence it needs to sustain its weapons of mass destruction programme, according to the Treasury's announcement.

The Lazarus Group and its subsidiaries Andariel and BlueNoroff were subject to similar sanctions by the OFAC in September 2019—more than four years ago. Kimsuky is the target of these sanctions as it gathers intelligence to support the regime's strategic goals. 

Kimsuky is a well-known cyber espionage group that primarily targets governments, nuclear organisations, and foreign relations entities in order to gather intelligence that serves North Korea's interests. It is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly known as Thallium), Nickel Kimball, and Velvet Chollima.

"The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organisations, academics, and think tanks focused on Korean peninsula geopolitical issues," Mandiant, which is owned by Google, stated in October 2023. 

Like the Lazarus Group, Kimsuky is part of the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service, which oversees the regime's intelligence-gathering operations. The group has been active since at least 2012.

"Kimsuky employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets," the Treasury stated.

The agency also named Choe Song Chol and Im Song Sun for managing front companies that made money by exporting skilled workers; Kang Kyong Il, Ri Sung Il, and Kang Phyong Guk for serving as weapons sales representatives; and So Myong, Choe Un Hyok, and Jang Myong Chol for participating in illegal financial transfers to acquire materials for North Korea's missile programmes.

Cybersecurity Crisis Deepens in Philippines as Hackers Leak State Secrets


The security of millions of people is at risk due to the Philippines' lax cybersecurity regulations, which have allowed government websites to be compromised in a recent string of cyberattacks.

According to the South China Morning Post, hackers attacked the Philippine Health Insurance Corporation (PhilHealth), compromising the data of millions of people, including Filipino employees working overseas. 

The attackers demanded $300,000, which the state insurer refused to pay. Separately, the homepage of the House of Representatives was defaced, underscoring the government's weaknesses in the digital domain.

A hacker going by the moniker DiabloX Phantom claimed that he had gained access to five critical government agencies and downloaded a substantial amount of data. His intention was to expose the vulnerabilities in the government's cybersecurity. 

The hacker gained access to the forensics database held by the Philippine National Police, which contained sensitive case files, and the servers of the Philippine Statistics Authority, which is in charge of issuing national identification cards. 

He also attacked the websites of the Technical Education and Skills Development Authority (Tesda), Clark International Airport, and the Department of Science and Technology. 

His techniques included exploiting exposed subdomains, spreading malware by email, abusing weak passwords, and reusing access left behind by earlier intruders.
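Two of the entry points named above, weak passwords and access left behind by earlier intruders, are the ones an agency can audit itself from a credential dump and an account inventory. The following is an added example, not code from the article or from any Philippine agency: it takes a constructed list of accounts (hypothetical usernames, SHA-256 password hashes standing in for whatever hash format a real dump uses, and last-login dates), tries the guesses a casual attacker would try first (common passwords plus username- and organisation-derived variants), and separately lists privileged accounts that nobody has used in months, the kind of forgotten or planted account a previous intruder may have left.

```python
import hashlib
from datetime import date


def _h(password: str) -> str:
    """SHA-256 hex digest; stands in for whatever hash format a real dump uses."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample "dump" of an agency's accounts (hypothetical names and values).
ACCOUNTS = [
    {"user": "jdelacruz",  "hash": _h("Password123"),      "admin": False, "last_login": "2023-10-02"},
    {"user": "admin",      "hash": _h("admin2023"),        "admin": True,  "last_login": "2023-09-30"},
    {"user": "msantos",    "hash": _h("x7!Qm#vP9zL&rT2w"), "admin": False, "last_login": "2023-10-01"},
    {"user": "svc_backup", "hash": _h("Q4#kLm9!zX2pWe"),   "admin": True,  "last_login": "2023-01-15"},
    {"user": "support",    "hash": _h("tesda2022"),        "admin": False, "last_login": "2023-09-28"},
]

COMMON_PASSWORDS = ["password", "Password123", "123456", "qwerty", "welcome1"]
ORG_TOKENS = ["tesda", "philhealth", "psa"]   # organisation names an attacker would try as seeds


def candidate_passwords(user, wordlist=COMMON_PASSWORDS, org_tokens=ORG_TOKENS, years=range(2019, 2025)):
    """Guesses for one account: username- and organisation-derived variants, then the common list."""
    seeds = [user, user.capitalize()] + org_tokens + [t.capitalize() for t in org_tokens]
    for seed in seeds:
        yield seed
        yield seed + "123"
        yield seed + "!"
        for year in years:
            yield f"{seed}{year}"
    yield from wordlist


def find_weak_accounts(accounts, wordlist=COMMON_PASSWORDS, org_tokens=ORG_TOKENS):
    """Map user -> recovered password for every account whose hash matches a guess."""
    findings = {}
    for acct in accounts:
        for guess in candidate_passwords(acct["user"], wordlist, org_tokens):
            if _h(guess) == acct["hash"]:
                findings[acct["user"]] = guess
                break
    return findings


def find_dormant_admins(accounts, today_iso, max_idle_days=90):
    """Privileged accounts unused for longer than max_idle_days: forgotten or planted footholds."""
    today = date.fromisoformat(today_iso)
    return sorted(
        a["user"] for a in accounts
        if a["admin"] and (today - date.fromisoformat(a["last_login"])).days > max_idle_days
    )


if __name__ == "__main__":
    for user, pw in find_weak_accounts(ACCOUNTS).items():
        print(f"weak password: {user} -> {pw!r}")
    for user in find_dormant_admins(ACCOUNTS, "2023-10-05"):
        print(f"dormant admin: {user}")
```

On the sample data the sweep recovers three passwords (`Password123`, `admin2023`, `tesda2022`) and flags `svc_backup` as a dormant administrator. The guess list is deliberately tiny; a real audit would feed hashes to a proper cracker with a breached-password corpus, but the username- and organisation-derived variants are exactly the guesses that succeed against government portals in practice, and the dormant-admin check is what catches accounts an earlier intruder created and left behind.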

DiabloX Phantom told the South China Morning Post that his aim was to highlight the government's cybersecurity flaws rather than to sell the data he had taken.

He said he was waiting for the government to respond and address the problems. Cybersecurity specialists in the Philippines independently confirmed his claims. Not all of the breaches trace to a single person or organisation: some hackers want to expose system weaknesses, others seek recognition for their skills, and some simply do it for amusement.

Past violations of cybersecurity

The recent breaches are not the Philippines' first cybersecurity incidents.

The personal information of up to 55 million Filipino voters was made public in 2016 by the "Comelec leak". No one was prosecuted or held accountable for this breach, despite its magnitude. 

Vulnerabilities must be fixed immediately, such as weak passwords, poor personnel training, and inadequate monitoring. Taking care of these problems is essential to preserving private information and millions of people's privacy.

Russian Hackers May Have Breached NHS Trust With 2.5 Million Patients


Intelligence authorities are currently engaged in an investigation into a suspected cyber attack targeting a prominent NHS trust, which serves a vast patient population of 2.5 million individuals. This incident involves a notorious group specializing in ransomware attacks, who have asserted that they possess significant volumes of sensitive data extracted from Barts Health NHS Trust. 

The attackers have issued a deadline of Monday, after which they intend to publicly disclose the pilfered information. On Friday, a group known as BlackCat or ALPHV made a statement asserting that they have successfully breached the security of the targeted organization, gaining unauthorized access to sensitive employee information such as CVs and financial data, including credit card details. 

Additionally, they claimed to have obtained confidential documents pertaining to individuals' identities. The exact nature of the information involved in the incident remains uncertain, including whether it includes patient data or if the hacking group has effectively infiltrated the trust's systems. 

Nevertheless, the situation introduces the possibility that private data belonging to the extensive patient population of approximately 2.5 million individuals served by Barts Health NHS Trust may be exposed on the dark web. In response to these developments, the trust, which encompasses six hospitals and ten clinics in East London, expressed its immediate commitment to conducting a thorough investigation into the claims. 

BlackCat first appeared in 2021 and has built a reputation as one of the most sophisticated ransomware operations to date. The group behind it is reported to have compromised approximately 200 organisations between November 2021 and September 2022.

The gang's modus operandi involves employing various extortion techniques against their victims. These tactics include issuing individualized ransom demands, which encompass requests for decryption keys to unlock infected files, threats of publishing stolen data, and warnings of launching denial of service attacks. 

The Telegraph reported that the National Cyber Security Centre (NCSC), which sits within GCHQ, is actively involved in the investigation. Ransomware attacks use specialised software to steal sensitive data from the victim, to lock the victim out of it, or both.

In some cases the attackers encrypt the targeted files and then demand a ransom in exchange for the decryption key. In 2017 the NHS was badly hit by the global WannaCry ransomware attack, which temporarily halted operations across parts of the health service.

The severity of the situation necessitated the urgent transfer of critical patients from affected hospitals to alternative facilities. Notably, the hacking group did not make any mention of an encryption key in their communication. 

Experts have suggested that this omission may mean the gang did not encrypt the trust's systems at all and is instead relying on the threat of publishing stolen data to force a quick payment, a data-theft extortion tactic that has become increasingly common.
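Extortion without encryption changes what defenders should look for: there is no burst of file renames or dropped ransom notes, only data leaving the network. As an added example (not code from the article, the NCSC, or the trust), here is a Python sweep over a constructed web-proxy log that finds source hosts pushing an unusual volume of uploads to a single external destination inside a sliding time window. The log format (timestamp, source IP, destination host, method, bytes sent), the hostnames and the sizes are all invented for the example; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt: timestamp, source IP, destination host, method, bytes sent.
# Hosts, addresses and sizes are invented for this example; the last line is deliberately malformed.
SAMPLE_LOG = """\
2023-06-30T01:02:11Z 10.20.5.17  mail.example.org               POST 18231
2023-06-30T01:05:43Z 10.20.5.17  crm.example.org                POST 9120
2023-06-30T01:07:09Z 10.20.7.201 filedrop-hypothetical.example  PUT  734003200
2023-06-30T01:12:30Z 10.20.7.201 filedrop-hypothetical.example  PUT  812345678
2023-06-30T01:20:02Z 10.20.7.201 filedrop-hypothetical.example  PUT  698000000
2023-06-30T01:25:55Z 10.20.5.33  www.example.org                GET  412
2023-06-30T02:40:12Z 10.20.9.8   update.vendor-hypothetical.example GET 52000000
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<bytes>\d+)$")
UPLOAD_METHODS = {"POST", "PUT"}


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than aborting the sweep."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "method": m["method"], "bytes": int(m["bytes"]),
        }


def find_exfil_candidates(log_text, threshold_bytes=500 * 1024 * 1024, window_minutes=60, known_dests=()):
    """Flag (src, dst) pairs whose upload volume inside any sliding window exceeds threshold_bytes.

    known_dests is an allow-list of destinations (backup targets, sanctioned cloud storage)
    that legitimately receive bulk uploads and would otherwise drown the output in false positives.
    """
    uploads = defaultdict(list)
    for r in parse(log_text):
        if r["method"] in UPLOAD_METHODS and r["dst"] not in known_dests:
            uploads[(r["src"], r["dst"])].append((r["ts"], r["bytes"]))

    findings = []
    for (src, dst), events in uploads.items():
        events.sort()
        start, total, peak, peak_span = 0, 0, 0, None
        for ts, nbytes in events:           # two-pointer sliding window over time-ordered uploads
            total += nbytes
            while (ts - events[start][0]).total_seconds() > window_minutes * 60:
                total -= events[start][1]
                start += 1
            if total > peak:
                peak, peak_span = total, (events[start][0], ts)
        if peak > threshold_bytes:
            findings.append({"src": src, "dst": dst, "bytes": peak,
                             "first": peak_span[0].isoformat(), "last": peak_span[1].isoformat()})
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes between {f['first']} and {f['last']}")
```

On the sample, only `10.20.7.201` trips the default 500 MiB/hour threshold, with about 2.2 GB pushed to one external host in thirteen minutes. Two caveats for real deployments: grouping by (source, destination) misses an attacker who fans the same data out across many hosts, so run a second pass aggregated per source alone; and a proxy only sees what goes through it, so the same logic should be applied to firewall or NetFlow byte counts for direct egress.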