Introduction
In recent developments, North Korean threat actors [2] [3] [5] [8], specifically the group known as Jumpy Pisces [1] [7], have been implicated in a significant cyber incident involving the Play ransomware [1]. This collaboration marks a strategic shift from traditional cyberespionage to financially motivated attacks, likely aimed at supporting further cyber operations for the North Korean government [4].
Description
Threat actors in North Korea [3] [6] [7], specifically a group tracked as Jumpy Pisces (also known as Andariel, APT45 [3] [6] [7], DarkSeoul [3] [7], Nickel Hyatt [3] [7], Onyx Sleet [3] [4] [7], Operation Troy [3] [7], and Stonefly) [4] [7], have been implicated in a significant incident involving the Play ransomware between May and September 2024 [1]. This collaboration with the financially motivated Play ransomware gang marks a notable evolution in Jumpy Pisces’s operational strategies, underscoring their shift from traditional cyberespionage to financially driven attacks, likely aimed at funding further cyber operations for the North Korean government [4]. Historically affiliated with North Korea’s Reconnaissance General Bureau (RGB) [1] [2] [8], Jumpy Pisces has previously deployed various ransomware strains, including the Maui variant and SHATTEREDGLASS, and has engaged in cryptocurrency theft. Their involvement with ransomware gangs allows them to evade international sanctions while targeting a diverse range of organizations.
The recent activity attributed to Jumpy Pisces began with initial access gained through a compromised user account in May 2024, which facilitated lateral movement within the victim’s network. This access enabled the deployment of the open-source command and control (C2) framework Sliver, along with their custom malware [8], DTrack [1] [2] [5] [8]. This malware, previously associated with North Korean threat groups [2], was utilized to steal sensitive data, which was then compressed and concealed as a GIF file [2]. Communication with the Sliver C2 server continued until just before the deployment of the Play ransomware [1].
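A defender-side check that follows from the exfiltration step above: stolen data compressed and renamed with a .gif extension still carries the archive's own magic bytes, so a file's claimed type should be verified against its header rather than trusted from the extension. The script below is an added example, not code from the original report or from any vendor named on the page; the file names and contents are constructed samples, and the magic-number table covers only a few common archive formats.

```python
"""Flag files whose .gif extension does not match their content (added example).

The samples below are constructed for illustration; the report's description of
data being compressed and concealed as a GIF is the only thing taken from the page.
"""
import io
import zipfile
from pathlib import Path

# Valid GIF files begin with one of these two version headers.
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Well-known signatures of common archive / compression formats.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}


def detect_content_type(data: bytes) -> str:
    """Classify a byte buffer by its leading magic bytes."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    for magic, name in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def assess_file(name: str, data: bytes) -> dict:
    """Report whether a .gif-named file actually contains GIF data."""
    kind = detect_content_type(data)
    ext = Path(name).suffix.lower()
    return {"name": name, "content": kind, "suspicious": ext == ".gif" and kind != "gif"}


def scan(files: dict) -> list:
    """Return the names of files with a .gif extension whose content is not GIF."""
    return [n for n, d in files.items() if assess_file(n, d)["suspicious"]]


def build_samples() -> dict:
    """Constructed inputs: a minimal valid 1x1 GIF, a zip renamed to .gif, and a plain zip."""
    gif = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
           + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("exfil/notes.txt", "constructed sample data")
    archive = buf.getvalue()
    return {"logo.gif": gif, "report.gif": archive, "archive.zip": archive}


if __name__ == "__main__":
    for name in scan(build_samples()):
        print("extension/content mismatch:", name)  # prints: report.gif
```

The check is a heuristic: it catches an archive that was simply renamed, which is the pattern described above, but not a payload appended after a genuine GIF header. In a file-transfer or DLP pipeline, pair it with size and entropy thresholds and alert on image files that decode as archives.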
On September 5 [4], the compromised account was accessed again [4], leading to pre-ransomware activities such as credential dumping [4], privilege escalation [1] [2] [5], and the uninstallation of endpoint detection and response (EDR) sensors [1] [5]. The attackers spent several months moving laterally before executing the Play ransomware in early September 2024. Play ransomware as a whole is believed to have affected approximately 300 organizations as of October 2023 [1], and the FBI has reported that it has been implicated in numerous attacks on governments and organizations across the US and Europe since its emergence in 2022 [2].
Unit 42’s assessment of this collaboration is based on three key factors: the compromised account was utilized by both Jumpy Pisces and Play actors, Sliver C2 communications were active until just before the ransomware deployment [8], and tactics previously associated with Play were observed during the incident [8]. There is moderate confidence that Jumpy Pisces [5], or a faction of it [5], is either acting as an initial access broker (IAB) or has officially become an affiliate of the Play ransomware group. This incident suggests a potential trend of North Korean threat groups increasingly engaging in broader ransomware campaigns [5] [8], which could lead to more extensive and damaging global attacks [5].
Conclusion
The collaboration between Jumpy Pisces and the Play ransomware group highlights a concerning trend of North Korean threat actors expanding their cybercriminal activities. This shift poses significant risks to global cybersecurity, as it may lead to more widespread and damaging attacks. Organizations are urged to enhance their cybersecurity measures, including robust access controls and continuous monitoring, to mitigate potential threats. The international community must remain vigilant and collaborate to address these evolving cyber threats effectively.
References
[1] https://aiandtechs.com/north-korean-group-collaborates-with-play-ransomware-in-vital-cyber-assault/
[2] https://thecyberpost.com/news/north-korean-hackers-seen-collaborating-with-play-ransomware-group-researchers-say/
[3] https://cyber.vumetric.com/security-news/2024/10/30/north-korean-group-collaborates-with-play-ransomware-in-significant-cyber-attack/
[4] https://www.scworld.com/news/north-korean-nation-state-threat-actor-using-play-ransomware
[5] https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
[6] https://www.techepages.com/north-korean-group-collaborates-with-play-ransomware-in-significant-cyber-attack/
[7] https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
[8] https://www.techtarget.com/searchSecurity/news/366614876/Play-ransomware-attack-tied-to-North-Korean-nation-state-actor