North Korean Hackers Collaborate with Play Ransomware in Worldwide Cyber Assault

North Korean State-Sponsored Group Partners with Ransomware Actors in Recent Cyberattack

A recent report from Palo Alto Networks’ Unit 42 describes a collaboration between the North Korean state-sponsored threat group it tracks as Jumpy Pisces and the financially motivated Play ransomware group. The case points to a shift in the group’s tactics, with implications for organizations worldwide.

Jumpy Pisces, also tracked as Andariel and Onyx Sleet, is an advanced persistent threat (APT) group with a long history of cyberespionage and financial crime, and it has been linked to high-profile incidents such as the HBO data breach. Unit 42’s investigation points to an evolution in the group’s approach toward ransomware, consistent with its earlier deployment of custom ransomware such as Maui.

The incident involved Play ransomware, first observed in mid-2022. Fiddling Scorpius, the group behind Play, has been reported to operate a ransomware-as-a-service (RaaS) model, although it has publicly denied this on its leak site. Unit 42 traced the intrusion back to May 2024, when Jumpy Pisces used a compromised user account for initial access and moved laterally with the open-source Sliver command-and-control (C2) framework and its own DTrack malware.

In September 2024, the same compromised account was used again by an unidentified actor who appears to have built on the access Jumpy Pisces had established. This actor carried out activity typical of the run-up to a ransomware deployment, including credential harvesting and the removal of endpoint detection and response (EDR) sensors, and Play ransomware was deployed later that month.

According to the report, the attackers used a customized build of the Sliver C2 framework for persistent command and control, while DTrack served as an infostealer, collecting data from compromised systems and hiding it in files disguised as GIF images to evade detection. PowerShell scripts handled command execution and file transfer, and Mimikatz was used for credential dumping, which gave the attackers further access across the network.

Unit 42 pointed to several links between Jumpy Pisces and Fiddling Scorpius: both used the same compromised account, and Jumpy Pisces’s activity stopped shortly before the ransomware was deployed. Tools observed in the later phase, such as TokenPlayer and PsExec, are commonly seen in Play ransomware incidents.
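As an added illustration that is not part of the Unit 42 report or this article, the following Python script shows how a defender could correlate the two phases described above: it looks for an account that goes quiet and later resumes, then flags pre-ransomware behaviour after it comes back (EDR sensor removal, credential dumping, PsExec lateral movement, encoded PowerShell). The log lines, host and account names, IP addresses, the `EdrSensorSvc` service name and the detection patterns are all constructed for the example and are not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not data from the Unit 42 report).
# One record per line: timestamp|host|user|event|detail. Hosts, account names,
# IPs and the "EdrSensorSvc" service name are all placeholders.
SAMPLE_LOG = """\
2024-05-06T09:12:00|WS-17|CORP\\jdoe|logon|type=10 src=10.0.4.21
2024-05-06T09:15:30|WS-17|CORP\\jdoe|process|C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchosts.exe
2024-05-06T09:16:02|WS-17|CORP\\jdoe|netconn|dst=203.0.113.10:443 proto=https
2024-05-07T11:40:00|SRV-FS01|CORP\\jdoe|logon|type=3 src=10.0.4.21
2024-09-14T02:03:11|WS-17|CORP\\jdoe|logon|type=10 src=10.0.9.77
2024-09-14T02:05:40|WS-17|CORP\\jdoe|process|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-09-14T02:07:02|WS-17|CORP\\jdoe|process|sc.exe stop EdrSensorSvc
2024-09-14T02:07:05|WS-17|CORP\\jdoe|process|sc.exe delete EdrSensorSvc
2024-09-14T02:11:19|WS-17|CORP\\jdoe|process|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
2024-09-14T02:20:44|SRV-FS01|CORP\\jdoe|process|PsExec.exe \\\\SRV-DC01 -s cmd.exe
2024-09-14T02:21:00|SRV-DC01|NT AUTHORITY\\SYSTEM|service_install|PSEXESVC
"""

# Hypothetical pre-ransomware rules keyed on the behaviours the report describes:
# EDR sensor removal, credential dumping, PsExec lateral movement and encoded
# PowerShell. The patterns are illustrative, not any vendor's signatures.
RULES = [
    ("edr_tamper", re.compile(
        r"\b(sc(\.exe)?\s+(stop|delete)|net(\.exe)?\s+stop)\s+\S*(edr|sensor)\S*", re.I)),
    ("credential_dump", re.compile(
        r"mimikatz|sekurlsa::|lsadump::|comsvcs\.dll.*minidump|procdump.*lsass", re.I)),
    ("lateral_psexec", re.compile(r"psexec|psexesvc", re.I)),
    ("encoded_powershell", re.compile(
        r"powershell(\.exe)?.*\s-(enc|encodedcommand)\b", re.I)),
]


def parse(log_text):
    """Turn the pipe-delimited records into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "kind": kind, "detail": detail})
    return events


def tag_events(events):
    """Return (event, [rule names]) for every event that at least one rule matches."""
    tagged = []
    for ev in events:
        hits = sorted({name for name, rx in RULES if rx.search(ev["detail"])})
        if hits:
            tagged.append((ev, hits))
    return tagged


def account_reactivation(events, min_gap=timedelta(days=30)):
    """Find accounts that go quiet for at least min_gap and then reappear.

    This is the shape of the timeline in the report: activity on one account in
    May, silence, then the same account in use again in September.
    Returns {user: (last_seen_before_gap, first_seen_after_gap, gap)}.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["ts"])
    findings = {}
    for user, stamps in by_user.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier >= min_gap:
                findings[user] = (earlier, later, later - earlier)
    return findings


def pre_ransomware_findings(log_text, min_gap=timedelta(days=30)):
    """Correlate a reactivated account with pre-ransomware behaviour after it resumed."""
    events = parse(log_text)
    tagged = tag_events(events)
    report = {}
    for user, (quiet_from, resumed, gap) in account_reactivation(events, min_gap).items():
        # Only rules that fire once the account is back in use count here.
        post = {t for ev, tags in tagged if ev["user"] == user and ev["ts"] >= resumed for t in tags}
        report[user] = {"quiet_from": quiet_from.isoformat(), "resumed": resumed.isoformat(),
                        "gap_days": gap.days, "post_resume_tags": sorted(post)}
    return report


if __name__ == "__main__":
    for user, finding in pre_ransomware_findings(SAMPLE_LOG).items():
        print(user, finding)
```

Note that the May phase in the constructed log (an unremarkable binary in a temp folder and an HTTPS connection) trips none of the rules, which mirrors the difficulty of spotting the initial access stage on tooling alone; the account-reactivation check is what ties the quiet first phase to the noisy second one.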

The nature of the relationship between the two groups remains unclear. Unit 42 could not determine whether Jumpy Pisces acted as an official Play affiliate or simply as an initial access broker, selling access to the compromised network. Either way, this is the first documented case of Jumpy Pisces working with an underground ransomware network, and it points to growing North Korean involvement in ransomware operations.

Experts suggest that North Korea’s move into ransomware reflects financial necessity: the regime already has strong network exploitation capabilities, and partnering with an established ransomware group offers clear advantages as it expands into this territory. The usual advice to harden against phishing still applies, but note that in this case initial access came through a compromised account and the later phase relied on credential dumping and EDR sensor removal. Multi-factor authentication, monitoring for reuse of dormant or previously compromised accounts, and tamper protection on EDR agents address the techniques actually observed here.

In conclusion, this incident underscores the escalating threat posed by North Korean cyber actors and the need for vigilance among organizations protecting their environments. The methods observed, from initial access and persistence through credential theft and lateral movement, illustrate how multi-stage contemporary intrusions have become.
