A New Alliance: North Korean-Backed Hacking Group Embarks on Ransomware Campaign
In a significant development, Palo Alto Networks’ Unit 42 has uncovered evidence of a North Korean-backed hacking group engaging in a ransomware campaign for the first time. The group, known as Jumpy Pisces and linked to the Reconnaissance General Bureau of the Korean People’s Army, has been involved in a recent ransomware incident that marks a shift in the nation-state group’s tactics.
Initial Access and Lateral Movement
Unit 42’s investigation revealed that Jumpy Pisces gained initial access to the targeted network via a compromised user account at the end of May 2024. The researchers attributed the unauthorized activity to Jumpy Pisces with high confidence. From there, the group carried out lateral movement and maintained persistence by spreading open-source tools such as Sliver, along with its custom malware DTrack, to other hosts via the Server Message Block (SMB) protocol.
C2 Communication and Ransomware Deployment
These tools continued communicating with Jumpy Pisces’ command-and-control (C2) server until early September, ultimately leading to the deployment of Play ransomware. The researchers noted that it remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an initial access broker (IAB) by selling network access to Play ransomware actors.
Intrusion Tactics and Tools
Jumpy Pisces gained unauthorized initial access through a compromised user account, which reached a particular host through a firewall. Partial registry dumps on that host indicate possible use of Impacket’s credential harvesting module, secretsdump.py. The attackers also copied files associated with the Sliver and DTrack malware families to various hosts over SMB using the compromised account.
Evidence of Sophistication
Unit 42 observed Sliver beaconing activity spanning multiple days until early September 2024, with quiet periods in July and on scattered other days. Additionally, an unidentified threat actor entered the network in early September through the same compromised user account and carried out pre-ransomware activities such as credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors.
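The beaconing described above is detectable from network connection logs by its regularity: a Sliver implant checks in at a fixed interval (plus jitter), which ordinary user traffic does not. The following is an added detection example, not code from Unit 42 or from the report; it runs over a constructed list of (timestamp, source host, destination IP) records. Rather than a plain coefficient of variation, it scores each host/destination pair by the fraction of inter-connection gaps that fall near the median gap, so that the quiet periods the report mentions do not mask an otherwise metronomic beacon. Host names, IPs and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample connection records: (timestamp_seconds, src_host, dst_ip).
# WS-07 checks in roughly every 60 s, goes quiet for an hour, then resumes.
# WS-02 is an ordinary workstation with irregular traffic to the same address.
SAMPLE_CONNECTIONS = (
    [(t, "WS-07", "203.0.113.5") for t in
     (0, 61, 119, 181, 240, 299, 361, 420, 4020, 4081, 4139)]
    + [(t, "WS-02", "203.0.113.5") for t in (0, 5, 140, 150, 900, 905, 1300)]
)


def regularity_score(timestamps, tolerance=0.2):
    """Fraction of inter-connection gaps within +/- tolerance of the median gap.

    A value near 1.0 means nearly every gap is the same length (beacon-like).
    Returns None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mid = median(gaps)
    if mid <= 0:
        return None
    near = [g for g in gaps if abs(g - mid) <= tolerance * mid]
    return len(near) / len(gaps)


def find_beacons(connections, min_connections=6, min_score=0.7, tolerance=0.2):
    """Return (src_host, dst_ip, median_gap_seconds, score) for beacon-like pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_connections:
            continue  # too little data to call it a beacon
        score = regularity_score(ts, tolerance)
        if score is not None and score >= min_score:
            sorted_ts = sorted(ts)
            gaps = [b - a for a, b in zip(sorted_ts, sorted_ts[1:])]
            hits.append((src, dst, median(gaps), round(score, 2)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, score in find_beacons(SAMPLE_CONNECTIONS):
        print(f"beacon-like: {src} -> {dst} every ~{gap:.0f}s (score {score})")
```

The median-based score is deliberately robust to a single long outage: with ten gaps of which nine cluster around 60 seconds and one is 3600 seconds, the pair still scores 0.9. Tune `tolerance` upward for implants configured with large jitter, and feed the detector with one day of flow or proxy records per pair rather than the whole month.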
Tools Used
The attackers used a range of tools to carry out their attack, including:
- A dedicated tool built to create a privileged user account on victim machines with Remote Desktop Protocol (RDP) enabled
- A customized version of Mimikatz, a publicly available credential dumping tool
- A trojanized binary that steals browser history, autofill data, and credit card details from the Chrome, Edge, and Brave web browsers
All these tools were signed using several invalid certificates previously linked to Jumpy Pisces.
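Two of the behaviours described in this article leave distinctive traces in Windows host telemetry: the creation of a privileged account with RDP enabled (account creation, group membership change and the `fDenyTSConnections` registry value being set to 0 on one host within a short window), and the copying of tooling to other hosts over SMB (writes of executable files to the ADMIN$ or C$ administrative shares). The following is an added detection example written for this article; it is not code from Unit 42. It runs over a constructed list of events whose field names loosely follow the Windows Security (4720, 4732, 5145) and Sysmon (event 13, registry value set) schemas, but every host name, account name, address and path is made up.

```python
from collections import defaultdict

# Constructed sample events (not from the report). Times are seconds.
SAMPLE_EVENTS = [
    # SRV-01: new account, added to Administrators, RDP enabled 100 s later.
    {"time": 1000, "host": "SRV-01", "id": 4720, "subject": "CORP\\jdoe",
     "target": "supportadm"},
    {"time": 1030, "host": "SRV-01", "id": 4732, "subject": "CORP\\jdoe",
     "target": "supportadm", "group": "Administrators"},
    {"time": 1100, "host": "SRV-01", "id": 13,
     "object": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    # SRV-02: an account is created but nothing else happens -> benign noise.
    {"time": 5000, "host": "SRV-02", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "tempuser"},
    # SMB share access from one account to several hosts.
    {"time": 2000, "host": "WS-03", "id": 5145, "subject": "CORP\\jdoe",
     "src_ip": "10.0.0.15", "share": "\\\\*\\ADMIN$", "path": "svc.exe", "access": "0x2"},
    {"time": 2300, "host": "WS-04", "id": 5145, "subject": "CORP\\jdoe",
     "src_ip": "10.0.0.15", "share": "\\\\*\\C$", "path": "Windows\\Temp\\upd.dll", "access": "0x2"},
    {"time": 2400, "host": "WS-05", "id": 5145, "subject": "CORP\\jdoe",
     "src_ip": "10.0.0.15", "share": "\\\\*\\ADMIN$", "path": "readme.txt", "access": "0x1"},
    {"time": 2500, "host": "WS-06", "id": 5145, "subject": "CORP\\jdoe",
     "src_ip": "10.0.0.15", "share": "\\\\*\\IPC$", "path": "srvsvc", "access": "0x12019f"},
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
RDP_VALUE_SUFFIX = "\\Terminal Server\\fDenyTSConnections"
LATERAL_SHARES = {"ADMIN$", "C$"}
TOOL_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat")
WRITE_DATA_BIT = 0x2  # FILE_WRITE_DATA in the 5145 AccessMask


def rdp_account_chains(events, window=600):
    """Accounts created, made privileged and given RDP access on one host within `window` s."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    hits = []
    for host, evs in by_host.items():
        for creation in (e for e in evs if e["id"] == 4720):
            acct, t0 = creation["target"], creation["time"]
            later = [e for e in evs if t0 <= e["time"] <= t0 + window]
            elevated = any(e["id"] == 4732 and e.get("target") == acct
                           and e.get("group") in PRIVILEGED_GROUPS for e in later)
            rdp_on = any(e["id"] == 13 and e.get("object", "").endswith(RDP_VALUE_SUFFIX)
                         and e.get("details", "").endswith("0x00000000)") for e in later)
            if elevated and rdp_on:
                hits.append({"host": host, "account": acct, "created_at": t0,
                             "by": creation.get("subject")})
    return hits


def smb_tool_drops(events):
    """Writes of tool-like files to administrative shares: (host, subject, src_ip, path)."""
    hits = []
    for e in events:
        if e.get("id") != 5145:
            continue
        share = e["share"].rsplit("\\", 1)[-1]          # "\\*\ADMIN$" -> "ADMIN$"
        if share not in LATERAL_SHARES:
            continue
        if not e["path"].lower().endswith(TOOL_EXTENSIONS):
            continue
        if int(e["access"], 16) & WRITE_DATA_BIT == 0:  # reads alone are not a drop
            continue
        hits.append((e["host"], e["subject"], e["src_ip"], e["path"]))
    return hits


def lateral_spread(drops, min_hosts=2):
    """Accounts that dropped tooling on at least `min_hosts` distinct hosts."""
    hosts = defaultdict(set)
    for host, subject, _src, _path in drops:
        hosts[subject].add(host)
    return {s: sorted(h) for s, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for chain in rdp_account_chains(SAMPLE_EVENTS):
        print("privileged RDP account created:", chain)
    drops = smb_tool_drops(SAMPLE_EVENTS)
    for drop in drops:
        print("tool written to admin share:", drop)
    print("accounts spreading to multiple hosts:", lateral_spread(drops))
```

Event 5145 is only emitted when detailed file share auditing is enabled, and Sysmon event 13 only for registry paths covered by the configuration, so confirm both are collected before relying on these rules. The share-write rule intentionally ignores reads and the IPC$ share, which are generated constantly by legitimate administration.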
Conclusion
The incident highlights the increasing sophistication of North Korean threat groups and their willingness to collaborate with financially motivated cyber threat actors. This development could indicate a future trend where North Korean threat groups participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally.
Sources:
- Palo Alto Networks’ Unit 42
- “Jumpy Pisces” by ThreatConnect