
£7.7 Million Reward Announced for Capture of North Korea-Backed Hackers

The UK, US, and South Korea have collectively pointed fingers at a cyber group backed by North Korea, named “Andariel,” for conducting a sophisticated online espionage operation aimed at stealing sensitive military and nuclear information. This accusation comes from a joint warning issued by the UK’s National Cyber Security Centre (NCSC), the FBI, and South Korea’s national intelligence service, advising organizations within critical infrastructures to remain alert to such threats.

As part of its countermeasures, the US government is offering a reward of up to $10 million for information that leads to the identification or location of members of these hostile cyber groups, including North Korean national Rim Jong Hyok, who is linked to Andariel. This group has been active since around 2009 and specializes in espionage against defense contractors, military setups, and government bodies.

Andariel’s activities have not only focused on traditional espionage targets but have also extended into areas like life sciences and pharmaceuticals, particularly highlighted during the COVID-19 pandemic. This diversification was noted by cyber security firm Secureworks, which has been closely monitoring the group’s activities.

The NCSC, a part of the GCHQ intelligence agency, revealed that Andariel aims to support North Korea’s military and nuclear objectives. The group’s extensive cyber espionage operations underline the ongoing global threat posed by state-sponsored actors from the Democratic People’s Republic of Korea (DPRK), led by Kim Jong Un.

In detailing the threat, the NCSC reported that Andariel’s targets primarily include sectors like defense, aerospace, nuclear, and engineering, but also extend to the medical and energy sectors. The group is known to seek out critical information such as contract specifications, design drawings, and project details.

Adding to their arsenal of cyber threats, Andariel has also conducted ransomware attacks. Notably, they have targeted US healthcare organizations to extort money that funds their espionage activities. The US State Department highlighted incidents where Andariel hackers installed ransomware in US hospitals and healthcare providers to demand ransoms.

One significant breach occurred in November 2022 when Andariel infiltrated a US-based defense contractor, extracting over 30 gigabytes of data crucial for military aircraft and satellites. This progression from destructive hacks to focused cyber espionage and ransomware attacks marks a significant evolution in Andariel’s operational tactics.

Paul Chichester, NCSC’s director of operations, emphasized the critical need for infrastructure operators to safeguard sensitive information and intellectual property against such malicious intrusions. The advisory issued jointly by the UK, US, and South Korean authorities provides detailed guidance on strengthening defenses to thwart these cyber threats effectively.

Lucas Falcão

International Politics and Sports Specialist, Chief Editor of Walerts with extensive experience in breaking news.
