The North Korean hacking group Andariel, a subgroup of the notorious Lazarus Group, targeted three U.S. organizations in August 2024. The attacks were likely financially motivated.
However, the hackers failed to deploy ransomware on the targeted organizations’ networks. Symantec, a cybersecurity company, detected the attacks. They found that the hackers had used malware called Dtrack and Nukebot.
Nukebot can execute commands, transfer files, and capture screenshots. In July 2024, the U.S. Department of Justice indicted a North Korean military intelligence operative connected to Andariel. The operative allegedly conducted ransomware attacks against U.S. healthcare facilities.
Andariel has been active since at least 2009. They are known for developing various hacking tools.
North Korean hackers target U.S. firms
The group operates under North Korea’s Reconnaissance General Bureau. The hackers’ initial method of access in the recent attacks is unclear. However, Andariel often exploits known security flaws in internet-facing applications to infiltrate networks.
The group used several publicly available tools in the intrusions, including Mimikatz, Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy. In some cases, the attackers signed their tools with an invalid certificate that impersonated Tableau Software.
Microsoft had previously recognized and flagged this tactic. Since 2019, Andariel has primarily focused on espionage operations. However, Symantec noted their recent shift to financially motivated attacks.
This pivot continues despite U.S. government interventions. Symantec believes the group is likely continuing to attempt extortion attacks against U.S. organizations. The attacks follow reports that a North Korean state-backed actor compromised German defense systems manufacturer Diehl Defense in a sophisticated spear-phishing attack involving fake job offers.