The UK, US and South Korea have accused a North Korea-backed cyber group of carrying out an online espionage campaign to steal military and nuclear secrets.
The “Andariel” group has been compromising organisations around the globe as it attempts to get hold of sensitive and classified technical information and intellectual property data, according to the UK’s National Cyber Security Centre (NCSC).
The centre, along with the FBI in the US and South Korea’s national intelligence service, have issued a joint warning and advisory note about Andariel’s actions.
They have urged critical infrastructure organisations to “stay vigilant” against such cyber operations.
It comes as the US government offers a reward of up to $10m (£7.7m) to anyone with information that helps it find members of malicious cyber groups targeting America on behalf of foreign governments.
The US state department’s rewards for justice programme is looking for Rim Jong Hyok, a North Korean national associated with Andariel, which has been active since around 2009.
The reward will be offered to any person who helps identify or locate Rim or any other actors who are found to be targeting the US.
Andariel focuses on targeting defence contractors, military organisations and governments for espionage.
Over time, the group has branched out into other sectors, targeting information on nuclear weapons and, particularly during the pandemic, organisations in the life sciences and pharmaceutical sector, according to research by cyber security company Secureworks.
North Korea is a secretive and authoritarian state, which is officially known as the Democratic People’s Republic of Korea (DPRK), and is headed by supreme leader Kim Jong Un.
Andariel’s campaign was carried out to “further the regime’s military and nuclear ambitions”, said the UK cyber security centre.
NCSC director of operations Paul Chichester said: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes.”
Andariel is part of DPRK’s Reconnaissance General Bureau (RGB) 3rd bureau, and the group’s malicious cyber activities pose an ongoing threat to critical infrastructure organisations globally, the centre believes.
What did group target?
The group primarily targeted defence, aerospace, nuclear and engineering organisations, but also acted against the medical and energy sectors, according to the NCSC, which is part of the GCHQ intelligence agency.
Andariel has tried to obtain information such as contract specification, design drawings and project details, the NCSC claimed.
Secureworks, which has been studying the group, believes the actors are government employees in North Korea who work for the country’s intelligence agency.
Andariel has been found to engage in ransomware attacks, where hackers attack a system or obtain information and charge a sum of money to its owner for it to be released.
Ransomware attacks
As part of its operations, Andariel also launched ransomware attacks against US healthcare organisations in order to extort payments and fund further espionage activity.
The US state department said Rim and others “conspired to hack into the computer systems of US hospitals and other healthcare providers, install Maui ransomware, and extort ransoms”.
In one computer intrusion operation that began in November 2022, the group hacked a US-based defence contractor from which they extracted more than 30 gigabytes of data, including technical information regarding the materials used in military aircraft and satellites.
The advisory outlines how Andariel has evolved from destructive hacks against US and South Korean organisations to carrying out specialised cyber espionage and ransomware attacks.
Read more from Sky News:
China, Russia, Iran, and North Korea get closer – how worried should we be?
Britons must ‘strengthen defences’ against AI-assisted ransomware threat
👉 Click to subscribe to the Sky News Daily wherever you get your podcasts 👈
In some cases, the hackers carried out ransomware attacks and cyber espionage operations on the same day against the same victim.
‘The importance of protecting sensitive information’
Mr Chichester added: “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.
“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”