UK and allies expose North Korean cyber campaign

The UK’s National Cyber Security Centre (NCSC), alongside international partners, has revealed a North Korean state-sponsored cyber espionage campaign aimed at stealing military and nuclear secrets, according to a press release.

The advisory, issued today, highlights the activities of a cyber threat group known as Andariel, which is believed to be part of the Democratic People’s Republic of Korea’s (DPRK) Reconnaissance General Bureau (RGB) 3rd Bureau.

The NCSC warns that Andariel has been targeting critical infrastructure organisations worldwide to pilfer sensitive technical information and intellectual property.

Paul Chichester, NCSC Director of Operations, stated, “The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes. It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”

The NCSC, in collaboration with partners from the United States and the Republic of Korea, has outlined that Andariel has primarily focused its efforts on sectors such as defence, aerospace, nuclear, and engineering. The group has also targeted organisations in the medical and energy sectors to a lesser extent. Their objective has been to acquire sensitive information, including contract specifications, design drawings, and project details.

In addition to cyber espionage, Andariel has launched ransomware attacks against US healthcare organisations to extort payments, which in turn fund further espionage activities. The advisory includes technical details and mitigation advice to help organisations defend against these cyber threats. Andariel has been seen exploiting known vulnerabilities to access victims’ systems, deploying malware and other tools to maintain persistence, evade detection, and exfiltrate data.

Chichester said, “The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”

The advisory details how Andariel has evolved its operations from conducting destructive attacks against US and South Korean organisations to specialised cyber espionage and ransomware attacks. In some instances, the group has been observed launching ransomware and espionage operations on the same day, leveraging both activities against the same victim.

This advisory has been co-sealed by several agencies, including the NCSC, the US Federal Bureau of Investigation (FBI), the US Cyber National Mission Force (CNMF), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Department of Defense Cyber Crime Center (DC3), the US National Security Agency (NSA), the Republic of Korea’s National Intelligence Service (NIS), and the Republic of Korea’s National Police Agency (NPA). The full advisory can be accessed on the FBI website: FBI Cyber Advisory.