North Korean Hackers Steal South Korean Anti-Aircraft DataAndariel Group Rented Server to Steal 1.2TB of Data, Extort $357,000 in Ransoms
Seoul police have accused the North Korean hacker group Andariel of stealing sensitive defense secrets from South Korean defense companies and laundering ransomware proceeds back to North Korea. The hackers stole 1.2TB of data, including information on advanced anti-aircraft weapons.
The Seoul Metropolitan Police Agency said the North Korean hacker group had used servers rented from a domestic server rental company as a base of operations to hack dozens of South Korean firms, including defense companies. The campaign also extorted ransoms from other private sector entities.
The law enforcement agency conducted a joint investigation with the FBI earlier this year to assess the extent of Andariel's hacking operations after some South Korean companies reported suffering security incidents that they feared could cause "a decline in corporate trust."
The investigation determined that Andariel, believed to be a subgroup of Lazarus Group, stole up to 1.2 terabytes of data from South Korean organizations and also extorted a total of 470 million won, or about $357,000, in bitcoin from three domestic and foreign companies as ransom.
Mandiant reported that Andariel is run by the North Korean intelligence agency Reconnaissance General Bureau and primarily targets foreign businesses, government agencies, defense companies and financial services infrastructure to collect intelligence to benefit of the North Korean regime.
The group also engages in cybercrime to fund its operations, deploying custom-built tools such as DTrack malware and Maui ransomware to target organizations worldwide. South Korea in February sanctioned Andariel and other North Korean hacking groups for conducting illegal cyber activities to finance the totalitarian regime's nuclear and missile development programs (see: South Korea Sanctions Pyongyang Hackers).
Police said Andariel has established at least 83 connections to a South Korea-based rented server to target organizations and used a foreign woman's account to launder bitcoins obtained from ransomware victims. Investigators found that IP addresses used by hackers to connect to the "transit server" were located in Ryugyong-dong, a famous tourist attraction in downtown Pyongyang and home to the Ryugyong Hotel, the tallest building in North Korea.
Police said some of the victim organizations reported the hacking attacks to the police, some chose to pay a ransom but did not report the attacks, and some organizations, including defense companies, were not even aware that their systems were hacked.
Andariel used several domestic and offshore cryptocurrency exchanges, such as Bithumb and Binance, to launder funds obtained by extorting ransomware victims and transferred about 630,000 yuan, or $89,000, to China's K Bank in Liaoning Province, China. The hackers then transferred the money to an area close to the North Korea-China border and withdrew the funds from a K Bank branch.
Police said they had seized the domestic servers and virtual asset exchanges used by Andariel to launch attacks and launder money and arrested the person who owned the account used to transfer the ransomware funds.
"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.
Police advised organizations to beef up cybersecurity measures, such as checking for security vulnerabilities, updating security software to the latest version, and encrypting important data to prevent hackers from victimizing them in the future. Police also plan to investigate server rental companies to verify the identities of subscribers and ensure the servers are not used to commit cybercrime.