North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Threat actors linked to North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations.

The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.

"We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group," Palo Alto Networks Unit 42 said in a new report published today.

"This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network."

Andariel, active since at least 2009, is affiliated with North Korea's Reconnaissance General Bureau (RGB). It has been previously observed deploying two other ransomware strains known as SHATTEREDGLASS and Maui.

Earlier this month, Symantec, part of Broadcom, noted that three different organizations in the U.S. were targeted by the state-sponsored hacking crew in August 2024 as part of a likely financially motivated attack, even though no ransomware was deployed on their networks.

Play, on the other hand, is a ransomware operation that's believed to have impacted approximately 300 organizations as of October 2023. It is also known as Balloonfly, Fiddling Scorpius, and PlayCrypt.

While cybersecurity firm Adlumin revealed late last year that the operation may have transitioned to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web data leak site that it's not the case.

In the incident investigated by Unit 42, Andariel is believed to have gained initial access via a compromised user account in May 2024, followed by undertaking lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor called Dtrack (aka Valefor and Preft).

"These remote tools continued to communicate with their command-and-control (C2) server until early September," Unit 42 said. "This ultimately led to the deployment of Play ransomware."

The Play ransomware deployment was preceded by an unidentified threat actor infiltrating the network using the same compromised user account, after which they were observed carrying out credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors, all hallmarks of pre-ransomware activities.

Also utilized as part of the attack was a trojanized binary that's capable of harvesting web browser history, autofill information, and credit card details for Google Chrome, Microsoft Edge, and Brave.

The use of the compromised user account by both Andariel and Play aside, the connection between the two intrusion sets stems from the fact that communication with the Sliver C2 server (172.96.137.224) remained ongoing until the day before ransomware deployment. The C2 IP address has been offline since the day the deployment took place.

Unit 42 told The Hacker News that the ransomware incident shares multiple overlaps in the tools, infrastructure, target selection, and timeline with the attacks disclosed by Symantec. Of interest is the Sliver C2 IP address, which Symantec flagged as used in conjunction with the Plink command-line connection utility.

"We observed that the threat actor used IP address 172.96.137.224 primarily for Sliver C2 activity," Navin Thomas, threat researcher at Unit 42, said.

"Having said that, this IP address was used for various purposes, with multiple open ports serving different functions, including Sliver, a web service for tool distribution, and SSH services. However, we were unable to verify the usage of Plink from this IP in our investigation."

Irrespective of the exact nature of the collaboration between the two threat groups, the development is a sign that North Korean threat actors could stage more widespread ransomware attacks in the future to evade sanctions and generate revenue for the cash-strapped nation.

"It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB (initial access broker) by selling network access to Play ransomware actors," Unit 42 concluded. "If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB."
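The overlap Unit 42 describes rests on one indicator and its timing: sessions to the Sliver C2 host (172.96.137.224) continued until the day before ransomware deployment, and that host exposed several services (Sliver, a tool-distribution web service, SSH) on different ports. As an added example, not code from Unit 42, Symantec or The Hacker News, the following Python script hunts for that address in connection logs, breaks contacts down by service role and measures the gap between the last successful C2 session and deployment day. The log records, the internal hosts, the deployment date and the port-to-role mapping are all constructed for the demonstration; the report gives the IP address but not the port numbers.

```python
"""Hunt for the Sliver C2 indicator from the Unit 42 report in connection logs
and rebuild the 'C2 went quiet the day before deployment' timeline.

Added example, not code from the Unit 42 or Symantec reports. The log lines,
internal hosts and ransomware deployment date are constructed; the port-to-role
map is an assumption (the report names Sliver, a tool-distribution web service
and SSH on the host, but not which ports they used)."""
from __future__ import annotations

from collections import Counter
from datetime import date, datetime

C2_IP = "172.96.137.224"  # Sliver C2 address named in the report

# ASSUMED roles per port, for the demo only; not taken from the report.
ASSUMED_PORT_ROLES = {
    22: "ssh",
    80: "tool-distribution web service",
    443: "sliver C2 (https)",
    8888: "sliver C2 (mtls)",
}

# CONSTRUCTED key=value firewall records, not real telemetry.
SAMPLE_LOGS = """\
ts=2024-05-14T09:12:03Z src=10.20.1.15 dst=172.96.137.224 dport=443 proto=tcp action=allow
ts=2024-05-14T09:12:09Z src=10.20.1.15 dst=172.96.137.224 dport=80 proto=tcp action=allow
ts=2024-06-02T22:40:51Z src=10.20.1.15 dst=93.184.216.34 dport=443 proto=tcp action=allow
ts=2024-07-19T03:05:17Z src=10.20.3.7 dst=172.96.137.224 dport=8888 proto=tcp action=allow
ts=2024-08-30T18:22:44Z src=10.20.3.7 dst=172.96.137.224 dport=22 proto=tcp action=allow
ts=2024-09-04T11:58:30Z src=10.20.3.7 dst=172.96.137.224 dport=443 proto=tcp action=allow
ts=2024-09-05T02:14:00Z src=10.20.3.7 dst=172.96.137.224 dport=443 proto=tcp action=deny
this line is malformed and must be skipped
"""

# CONSTRUCTED deployment date for this scenario.
RANSOMWARE_DEPLOYED = date(2024, 9, 5)


def parse_line(line: str) -> dict | None:
    """Parse one key=value record; return None for anything malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        fields[key] = value
    if not {"ts", "src", "dst", "dport", "action"}.issubset(fields):
        return None
    try:
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def c2_hits(log_text: str, c2_ip: str = C2_IP) -> list[dict]:
    """Every well-formed record whose destination is the C2 address, allowed or denied."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == c2_ip:
            hits.append(rec)
    return hits


def roles_seen(hits: list[dict]) -> Counter:
    """Contacts per assumed service role; unmapped ports are reported as such."""
    return Counter(
        ASSUMED_PORT_ROLES.get(h["dport"], f"unknown port {h['dport']}") for h in hits
    )


def last_successful_contact(hits: list[dict]) -> date | None:
    """Date of the last ALLOWED session with the C2; denied attempts do not count."""
    allowed = [h["ts"] for h in hits if h["action"] == "allow"]
    return max(allowed).date() if allowed else None


def days_before_deployment(hits: list[dict], deployed: date = RANSOMWARE_DEPLOYED) -> int | None:
    """Gap in days between the last successful C2 session and ransomware deployment."""
    last = last_successful_contact(hits)
    return (deployed - last).days if last else None


if __name__ == "__main__":
    hits = c2_hits(SAMPLE_LOGS)
    print(f"{len(hits)} records to {C2_IP}; sources: {sorted({h['src'] for h in hits})}")
    for role, n in roles_seen(hits).most_common():
        print(f"  {n}x {role}")
    print(f"last allowed C2 session: {last_successful_contact(hits)}, "
          f"{days_before_deployment(hits)} day(s) before deployment on {RANSOMWARE_DEPLOYED}")
```

Denied attempts are deliberately excluded from the "last contact" calculation: a blocked beacon on deployment day would otherwise hide the quiet period that Unit 42 used to tie the two intrusion sets together. Since the C2 address has been offline since deployment day, this is a retrospective check over historical logs, not a live block; treating the host's other ports (web service, SSH) as part of the same indicator also catches tool downloads that a Sliver-only signature would miss.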