The Seoul Metropolitan Police Agency has accused North Korean hacker group Andariel of stealing sensitive defense secrets from South Korean defense companies, resulting in the theft of 1.2TB of data, including information on advanced anti-aircraft weapons. Andariel, believed to be a subgroup of the Lazarus Group, utilized servers rented from a domestic server rental company to conduct cyberattacks on dozens of South Korean firms, involving both data theft and ransomware extortion.
The group, associated with the Reconnaissance General Bureau, has engaged in cybercrime to fund its operations, deploying tools such as the DTrack malware and Maui ransomware. The investigation, conducted jointly with the FBI, revealed that Andariel extorted a total of $357,000 in bitcoin as ransom from three domestic and foreign companies. The group has targeted foreign businesses, government agencies, defense companies, and financial services infrastructure worldwide to collect intelligence benefiting the North Korean regime. Authorities traced at least 83 connections from Andariel to a rented server based in South Korea and found that the group used various tactics to launder funds obtained through ransomware attacks, routing them through cryptocurrency exchanges such as Bithumb and Binance. The North Korean hackers transferred about $89,000 to China’s K Bank and ultimately withdrew the funds near the North Korea-China border.
While some victim organizations reported the attacks to the police, others paid ransoms without reporting them, and some, including defense companies, were unaware they had been breached at all. The police seized the domestic servers and virtual asset exchanges used by Andariel and arrested the individual who owned the account used to transfer the ransomware funds. The investigation continues, and police emphasized the need for organizations to strengthen their cybersecurity measures and for server rental companies to be investigated to prevent future cybercrime.