North Korea joins forces with underground hackers to spread ransomware: Report

Security firm warns collaboration between DPRK’s Andariel and Play group could herald more damaging attacks worldwide

A North Korean threat actor known for carrying out cyberespionage and extortion campaigns may have joined forces with an underground cybercrime collective for the first time to deploy ransomware, according to a U.S. cybersecurity firm.

Palo Alto Networks’ Unit 42 threat research team warned in a report on Wednesday that the collaboration between Andariel and the Play ransomware group could herald a new trend in global campaigns, representing a shift in approach for the DPRK state-backed actor that it tracks under the name “Jumpy Pisces.”

Play, which Unit 42 calls “Fiddling Scorpius,” is associated with the ransomware program of the same name, which was first observed in mid-2022 and has been used to target critical infrastructure across North America, South America and Europe.

Researchers have previously suggested that the cybercrime group, which has suspected ties to Russia, may operate a ransomware-as-a-service (RaaS) model, in which actors sell or rent their extortion tools to third parties. However, Play has denied the RaaS claims on its dark web leak site, Unit 42 noted.

The security firm said Andariel’s apparent use of the pre-existing malware suggests it could now be operating either as a Play affiliate or as an initial access broker that sold network access to the underground ransomware actors.

Based on the attackers’ use of Andariel-linked tools and digital infrastructure, and on commonalities with Play’s past operations, researchers assessed with “moderate confidence” that the two groups collaborated on this campaign.

Andariel has an extensive history of extortion campaigns using its own malware, including deploying the Maui ransomware to disrupt the U.S. health care system in 2022.
Unit 42 warned that the North Korean group’s adoption of third-party ransomware could represent a change in tactics toward a greater focus on ransomware attacks.

“This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network,” the report said. “This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally.”

CARRYING OUT THE ATTACK

Andariel gained initial access through a compromised user account in May and then established control over the victim’s system using a customized version of the open-source tool Sliver and its own Dtrack malware, according to Unit 42.

Sliver is a legitimate open-source framework originally intended for security researchers to test digital environments, but threat actors like Andariel have increasingly used it in recent years to remotely control targets’ systems and to communicate with attacker-controlled servers.

The use of Sliver highlights North Korean cybercriminals’ increasing adoption of open-source tools to support their illicit operations in recent years. The attackers often use such freely available software to supplement their own signature malware, such as Dtrack, Andariel’s information-stealing program.

The attackers then spread Sliver and Dtrack across multiple hosts using Server Message Block (SMB), a network protocol used to share files, devices and other communications between systems on a network. They continued using these remote access tools to maintain control over the compromised environment until September, when an unidentified threat actor entered the network using the account Andariel had compromised, the report stated.
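The SMB spreading described above, and the removal of endpoint security sensors that the report describes next, leave traces a defender can hunt for: one account reaching administrative shares on several hosts in a short window, followed by the uninstall of a sensor service. The following is an added detection example, not code from Unit 42 or from this article. It runs over constructed log lines in an assumed, simplified format (timestamp, event name, source host, destination host, account, detail); the event names, thresholds and the sensor-name watchlist are all assumptions a real deployment would replace with its own event sources and product names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed simplified format, not any real product's):
# <ISO timestamp> <event> src=<host> dst=<host> user=<account> detail=<text>
# "share_access" stands in for a network-share access audit, "service_install"
# and "service_uninstall" for service lifecycle events.
SAMPLE_LOG = """\
2024-09-02T10:01:05 share_access src=ws01 dst=srv02 user=jdoe detail=ADMIN$
2024-09-02T10:01:09 share_access src=ws01 dst=srv03 user=jdoe detail=C$
2024-09-02T10:01:14 share_access src=ws01 dst=srv04 user=jdoe detail=ADMIN$
2024-09-02T10:01:20 service_install src=srv02 dst=srv02 user=jdoe detail=svc_update
2024-09-02T10:03:41 share_access src=ws07 dst=fs01 user=asmith detail=Finance
2024-09-02T10:03:50 share_access src=ws07 dst=srv09 user=asmith detail=ADMIN$
this line is deliberately malformed and must be skipped
2024-09-02T10:06:12 service_uninstall src=srv05 dst=srv05 user=asmith detail=PrintHelper
2024-09-02T10:07:55 service_uninstall src=srv03 dst=srv03 user=jdoe detail=EDRSensor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) detail=(?P<detail>.*)$"
)
# Administrative shares used for remote execution and file staging over SMB.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
# Assumed watchlist of substrings naming endpoint-sensor services; a real
# deployment would list the exact service names of its own EDR/AV product.
SENSOR_HINTS = ("edr", "sensor", "antivirus", "endpoint")


def parse_log(text):
    """Parse constructed log lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_smb_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag one account, from one source host, touching admin shares on at
    least `min_hosts` distinct hosts within `window` (the spreading pattern)."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event"] == "share_access" and ev["detail"] in ADMIN_SHARES:
            by_actor[(ev["user"], ev["src"])].append(ev)
    findings = []
    for (user, src), evs in by_actor.items():  # evs stay time-ordered
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "src": src, "hosts": sorted(hosts),
                                 "first_seen": start["ts"].isoformat()})
                break  # one finding per actor is enough for triage
    return findings


def find_sensor_removal(events):
    """Flag service uninstalls whose name suggests an endpoint sensor."""
    return [
        {"host": ev["dst"], "user": ev["user"], "service": ev["detail"],
         "ts": ev["ts"].isoformat()}
        for ev in events
        if ev["event"] == "service_uninstall"
        and any(h in ev["detail"].lower() for h in SENSOR_HINTS)
    ]


def analyze(text):
    """Run both detections over a log text and return the findings."""
    events = parse_log(text)
    return {"smb_fanout": find_smb_fanout(events),
            "sensor_removal": find_sensor_removal(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed sample, only `jdoe` from `ws01` trips the fan-out rule (three hosts in nine seconds), and only the `EDRSensor` uninstall is flagged; the unrelated share access and the `PrintHelper` removal stay quiet. The two findings correlate on the same account and a host that was reached over SMB minutes earlier, which is the combination worth escalating rather than either signal on its own.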
This actor harvested credentials, escalated privileges to gain broader access and uninstalled endpoint security sensors before deploying Play.

Unit 42 added that the malicious tools used by Andariel in this campaign were signed using invalid security certificates previously linked to the DPRK actor, which enabled them to impersonate certificates created by legitimate entities.

The firm noted that the North Korean actor had access to the victim’s network throughout the May-September period, but that after the ransomware was deployed the attacker-controlled server’s IP address went offline.

The report did not provide details about the attackers’ motives, but warned that security professionals should treat Andariel activity as a potential precursor to ransomware attacks going forward.

Edited by Alannah Hill

© Korea Risk Group. All rights reserved.