North Korean state-sponsored ransomware groups are targeting hospitals and other critical infrastructure organizations, U.S. and South Korean law enforcement and intelligence agencies are warning.
“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK (Democratic People’s Republic of Korea) national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments,” the alert issued Thursday says.
“Specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs [indicators of compromise] in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”
The report includes the latest tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by North Korean-based attackers. Among the more recent weapons are attempts to exploit unpatched applications with the Apache Log4J2 vulnerability and unpatched SonicWall appliances.
North Korean attackers are known for hiding where they are coming from, the report adds, including sometimes pretending to be other ransomware groups, such as the REvil gang.
The alert is an update to a July 6, 2022 warning by American intelligence and law enforcement agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA.
That report noted the use by North Korean groups of the Maui strain of ransomware. The new report adds that these groups are also using a strain called H0lyGhost, described by Microsoft in a July 14, 2022 report.
The latest report comes the same week as the Associated Press reported that a United Nations panel concluded North Korean hackers working for the government stole virtual assets, including cryptocurrency and intellectual property, estimated to be worth between US$630 million and more than US$1 billion.
“2022 was a record-breaking year for DPRK virtual asset theft,” the AP quoted the report saying. In April, 2022, the U.S. linked North Korean-backed hackers to the US$615 million crypto heist on the popular online game Axie Infinity.
Between February and July 2022, AP quoted the panel as saying the Lazarus Group “reportedly targeted energy providers in multiple member states using a vulnerability” to install malware and gain long-term access. It said this “aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies … to siphon off proprietary intellectual property.”
The U.S./South Korea alert urges IT and security departments to
- limit access to data by authenticating and encrypting connections with network services (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections), Internet of Things (IoT) medical devices, and the electronic health record system;
- implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges.
- turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP, for wide area networks (WANs), and secure with strong passwords and encryption when enabled;
- protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored — through cryptography, for example;
- secure the collection, storage, and processing practices for personally identifiable information (PII) and protected health information (PHI) at rest and in transit using technologies such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available;
- implement and enforce multi-layer network segmentation, with the most critical communications and data resting on the most secure and reliable layer;
- and use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.