North Korean state-backed hackers have been targeting sensitive information related to nuclear materials, military drones, submarines, and shipbuilding in the UK and the US. Intelligence agencies from the US, UK, and South Korea issued a joint notice warning of this “global cyber-espionage campaign” aimed at critical industries.
The notice also highlighted that Japan and India had been victims of these cyber-attacks. The hackers are believed to be part of a group called Andariel, which is connected to North Korea’s Reconnaissance General Bureau (RGB).
The targeted information includes highly sensitive military data on tanks, torpedoes, fighter aircraft, satellites, and nuclear facilities. The hackers have also sought secrets from the medical and energy sectors.
The National Cyber Security Centre (NCSC) emphasized the significant threat posed by Andariel’s activities to global critical infrastructure. Paul Chichester, the NCSC’s director of operations, stressed the extent to which DPRK state-sponsored actors are willing to go to further their military and nuclear ambitions.
Andariel has been funding its espionage operations through ransomware attacks, particularly against the US healthcare sector. Beyond targeting intellectual property and technical data, the group gains access by exploiting vulnerable internet-facing systems that it identifies using publicly available internet scanning tools.
Chichester highlighted the importance of critical infrastructure operators protecting their sensitive information to prevent theft and misuse. The NCSC, along with US and South Korean partners, urged network defenders to implement strong security measures as outlined in the advisory.
The advisory also detailed Andariel’s evolution from destructive hacks to specialized cyber espionage and ransomware attacks. Notably, the hackers have sometimes conducted both ransomware attacks and espionage on the same day against the same target.
The US State Department has offered a reward for information on Rim Jong Hyok, an individual associated with Andariel, who is alleged to have conspired to carry out ransomware attacks on US healthcare providers in order to finance operations against defence firms and government bodies. Andariel’s targets have included US-based defence contractors, air force bases, and NASA’s Office of Inspector General, among others.
North Korea’s motivations in cyberwarfare are twofold: conventional military and national security goals, and financial gains. Over the past six years, North Korean hackers have conducted nearly 60 cyber-attacks on cryptocurrency-related companies, amassing an estimated $3 billion. One significant attack on the crypto exchange Poloniex seized over $110 million.
A UN report concluded that North Korean cyber-threat actors use methods such as spear-phishing, vulnerability exploitation, social engineering, and watering-hole attacks to secure funds. The most notorious attack linked to North Korea was the WannaCry ransomware outbreak of 2017, which, despite causing global disruption and significantly impacting the NHS, raised just over $55,000.