On July 25, 2024, the United States Federal Bureau of Investigation (FBI), the Cyber National Mission Force (CNMF), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), the National Security Agency (NSA), the Republic of Korea’s National Intelligence Service (NIS), the Republic of Korea’s National Police Agency (NPA), and the United Kingdom’s National Cyber Security Centre (NCSC) released a Cybersecurity Advisory (CSA) that highlights cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.

Andariel, also known as Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is a North Korean state-sponsored adversary that has been active since at least 2009. The adversary, a subgroup of the notorious Lazarus group, is suspected to be operating in support of the DPRK’s RGB 3rd Bureau.

Andariel is focused on collecting intelligence on government and military entities following a significant reorganization of the DPRK’s government structure in 2015. Its primary targets include defense, aerospace, nuclear, and engineering entities to acquire sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities as stated in the AA22-187A advisory of July 6, 2022, from the Cybersecurity and Infrastructure Security Agency (CISA). This CSA detailed that Andariel was observed utilizing the Maui Ransomware to target the healthcare and the public health sector of the United States of America.

The adversary typically gains access through widespread exploitation of web servers with known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. It also conducts phishing activity using malicious attachments, including Microsoft Windows Shortcut Files (LNK) or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.

Once in, it employs standard system discovery and enumeration techniques, establishes persistence using Scheduled Tasks, and performs privilege escalation using common credential-stealing tools such as Mimikatz. Andariel also deploys and leverages custom malware implants, remote access tools (RATs), and open-source tooling for execution, lateral movement, and data exfiltration.

AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by Andariel during its latest activities to help customers date their security controls and their ability to defend against sophisticated threats.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against the behaviors of a long-standing adversary whose techniques remain an ongoing threat to various industry sectors worldwide.
• Assess their security posture against activities focused on obtaining proprietary information.
• Continuously validate detection and prevention pipelines against a threat that sustains worldwide espionage operations.

[CISA AA24-207A] North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

This assessment template emulates those post-compromise Tactics, Techniques, and Procedures (TTP) exhibited by Andariel during its latest activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by the adversary at each stage of its activities.

1. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires persistence through the creation of a new scheduled task using the schtasks utility.

2. Credential Access

Consists of techniques for stealing credentials like account names and passwords.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.

3. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Information Discovery (T1082): The native systeminfo command is executed to retrieve all of the Windows system information.

File and Directory Discovery (T1083): This scenario executes the dir command to discover files and directories.

Account Discovery (T1087): This scenario uses the native net user command to obtain a list of additional accounts known to the infected host.

System Network Connections Discovery (T1049): Using netstat the actors are able to get a list of remote connections established to and from the infected asset.

Account Discovery: Domain Account (T1087.002): This scenario uses the Adfind utility to discover details about the victim’s Active Directory configuration including accounts, groups, computers, and subnets.

4. Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP) protocol.

5. Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.

6. Exfiltration

Consists of techniques that adversaries may use to steal data from your network. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Exfiltration Over Alternative Protocol (T1048): This scenario will start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information from the compromised system.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.

• Dump Active Directory Database using Volume Shadow Copy via vssadmin.exe: This scenario will attempt to dump the NTDS.dit file along with the SYSTEM registry hive through the creation of a Volume Shadow Copy using vssadmin.exe.
• Input Capture: This scenario executes a keylogger that hooks API callbacks to collect keystrokes typed by a logged in user.
• Screen Capture Script: This scenario executes a PowerShell script that utilizes the Graphics.CopyFromScreen Method from the System.Drawing namespace to collect screenshots from the compromised system.
• Clipboard Data Script: This scenario will use the native PowerShell Get-Clipboard cmdlet to retrieve data stored in the clipboard.

Additional Intelligence

On the same day of the publication of this Cybersecurity Advisory (CSA), Mandiant, a subsidiary of Google, published a report detailing the adversary’s profile and attack lifecycle, as well as the tools commonly used.

Simultaneously, Microsoft published a report detailing that it had been collaborating with the Federal Bureau of Investigation (FBI) in tracking activity associated with Andariel. The same report listed the tools recently used by the adversary to gather intelligence on behalf of North Korea.

Given the intelligence presented in these reports, AttackIQ suggests the following existing scenarios for a broader emulation of the behaviors exhibited by Andariel in its most recent activities.

• Account Manipulation Script: This scenario uses a batch script to enable the guest user account on a host machine by executing the net user guest /activate:yes commmand.
• Code Injection via Load Library and Create Remote Thread: This scenario simulates code injection techniques by using the LoadLibrary and CreateRemoteThread methods.
• Process Hollowing: This scenario creates a process in a suspended state and unmap its memory, which is then replaced with the contents of a malicious executable. In this way, code execution is masked under a legitimate process.
• Access Token Manipulation: This scenario lists active access tokens that could be impersonated by another process. This method is commonly used to escalate privileges.
• Lateral Movement Through SSH: This scenario attempts to open a remote shell and execute commands on target computers using SSH.
• System Service Discovery Script: This scenario executes Microsoft’s native sc utility to query a list of all running services.
• Process Discovery Through Tasklist: This scenario uses the Window’s built-in tasklist command to discover running processes, and the results are saved to a file in a temporary location.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Scheduled Task/Job: Scheduled Task (T1053.005)

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”)

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task

3. Ingress Tool Transfer (T1105):

This actor relies heavily in downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.

3a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest") AND “DownloadData” AND “Hidden”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

• M1031 – Network Intrusion Prevention

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against a sophisticated threat. With data generated from continuous testing and the use of these two assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated nation-state actors.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.