A North Korea-backed cyber group has been accused by the UK, US and South Korea of carrying out an online espionage campaign to steal military and nuclear secrets.
The National Cyber Security Centre (NCSC) said the Andariel group has been compromising organisations around the world to steal sensitive and classified technical information and intellectual property data.
NCSC director of operations Paul Chichester said: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK (Democratic People’s Republic of Korea) state-sponsored actors are willing to go to pursue their military and nuclear programmes.”
DPRK state-sponsored threat group Andariel has been compromising organisations to steal sensitive information and IP in order to further the regime’s military and nuclear ambitions.
— NCSC UK (@NCSC) July 25, 2024
The NCSC believes that Andariel is a part of DPRK’s reconnaissance general bureau (RGB) 3rd bureau, and the group’s malicious cyber activities pose an ongoing threat to critical infrastructure organisations globally.
Andariel primarily targeted defence, aerospace, nuclear and engineering organisations, but also acted against the medical and energy sectors.
The group has attempted to obtain information such as contract specification, design drawings and project details.
It also launched ransomware attacks against US healthcare organisations in order to extort payments and fund further espionage activity, the NCSC said.
The NCSC, part of the GCHQ intelligence agency, issued the joint warning and advisory note about Andariel’s actions with organisations including the US Federal Bureau of Investigation and South Korea’s national intelligence service.
Mr Chichester said: “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.
“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”
The advisory outlines how Andariel has evolved from destructive hacks against US and South Korea organisations to carrying out specialised cyber espionage and ransomware attacks.
Here’s what our Director of Operations @0xChich has to say on today’s announcement ⬇️ pic.twitter.com/z0blqzRB83
— NCSC UK (@NCSC) July 25, 2024
In some cases, the hackers carried out both ransomware attacks and cyber espionage operations on the same day against the same victim.
The US State Department offered a reward of up to 10 million US dollars (£7.76 million) for information on Rim Jong Hyok, who it said was associated with Andariel.
The department said Rim and others conspired to carry out ransomware attacks on US hospitals and other healthcare providers to fund its operations against government bodies and defence firms.
US law enforcement agencies believe Andariel targeted five healthcare providers, four US-based defence contractors, two US Air Force bases and Nasa’s office of inspector general.
In one operation that began in November 2022, the hackers accessed a US defence contractor from which they extracted more than 30 gigabytes of data, including unclassified technical information regarding material used in military aircraft and satellites.
