Threat actors linked to North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations.
The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.
"We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group," Palo Alto Networks Unit 42 said in a new report published today.
"This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network."
Andariel, active since at least 2009, is affiliated with North Korea's Reconnaissance General Bureau (RGB). It has been previously observed deploying two other ransomware strains known as SHATTEREDGLASS and Maui.
Earlier this month, Symantec, part of Broadcom, noted that three different organizations in the U.S. were targeted by the state-sponsored hacking crew in August 2024 as part of a likely financially motivated attack, even though no ransomware was deployed on their networks.
Play, on the other hand, is a ransomware operation that's believed to have impacted approximately 300 organizations as of October 2023. It is also known as Balloonfly, Fiddling Scorpius, and PlayCrypt.
While cybersecurity firm Adlumin revealed late last year that the operation may have transitioned to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web data leak site that it's not the case.
In the incident investigated by Unit 42, Andariel is believed to have gained initial access via a compromised user account in May 2024, followed by undertaking lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor called Dtrack (aka Valefor and Preft).
"These remote tools continued to communicate with their command-and-control (C2) server until early September," Unit 42 said. "This ultimately led to the deployment of Play ransomware."
The Play ransomware deployment was preceded by an unidentified threat actor infiltrating the network using the same compromised user account, after which they were observed carrying out credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors, all hallmarks of pre-ransomware activities.
Also utilized as part of the attack was a trojanized binary that's capable of harvesting web browser history, auto-fill information, and credit card details for Google Chrome, Microsoft Edge, and Brave.
The use of the compromised user account by both Andariel and Play aside, the connection between the two intrusion sets stems from the fact that communication with the Sliver C2 server (172.96.137[.]224) remained ongoing until the day before ransomware deployment. The C2 IP address has been offline since the day the deployment took place.
Unit 42 told The Hacker News that the ransomware incident shares multiple overlaps in the tools, infrastructure, target selection, and timeline with the attacks disclosed by Symantec. Of interest is the Sliver C2 IP address, which Symantec flagged as used in conjunction with the Plink command-line connection utility.
"We observed that the threat actor used IP address 172.96.137[.]224 primarily for Sliver C2 activity," Navin Thomas, threat researcher at Unit 42, said.
"Having said that, this IP address was used for various purposes, with multiple open ports serving different functions, including Sliver, a web service for tool distribution, and SSH services. However, we were unable to verify the usage of Plink from this IP in our investigation."
Irrespective of the exact nature of the collaboration between the two threat groups, the development is a sign that North Korean threat actors could stage more widespread ransomware attacks in the future to evade sanctions and generate revenue for the cash-strapped nation.
"It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB [initial access broker] by selling network access to Play ransomware actors," Unit 42 concluded. "If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB."