Ricochet Chollima

Ricochet Chollima (also known as APT 37, Reaper, and ScarCruft) is a North Korean state-backed hacker group believed to have been created sometime before 2016. It is typically involved in operations against financial institutions to generate assets for North Korea, but also conducts attacks on the industrial sector in other countries. CrowdStrike has stated that the group mainly attacks a variety of South Korean organizations and individuals, including academics, journalists, and North Korean defectors, but that it has also engaged in attacks against Japan, Vietnam, Hong Kong, the Middle East, Russia, and the United States. [1] [2] [3] FireEye has called the group "the overlooked North Korean threat actor." [4]

History

The group is believed to have been founded sometime around 2012, according to FireEye. [4]

In January 2021 the group was found to be using a Trojan horse for a spear-phishing campaign that targeted the South Korean government. [5] [6]

NPO Mashinostroyeniya, a Russian ballistic missile manufacturer, was allegedly hacked by the group in 2023, as discovered by SentinelOne. [7] [8]

References

  1. Meyers, Adam (6 April 2018). "STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike". Retrieved 15 March 2021.
  2. Osborne, Charlie. "North Korean Reaper APT uses zero-day vulnerabilities to spy on governments". ZDNet. Retrieved 15 March 2021.
  3. "Adversary: Ricochet Chollima - Threat Actor". CrowdStrike Adversary Universe. Retrieved 4 February 2022.
  4. "APT37 (Reaper) The Overlooked North Korean Actor" (PDF). FireEye. Archived from the original (PDF) on 17 April 2021. Retrieved 15 March 2021.
  5. "ALERT: North Korean hackers targeting South Korea with RokRat Trojan". The Hacker News. Retrieved 15 March 2021.
  6. Threat Intelligence Team (6 January 2021). "Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat". Malwarebytes Labs. Retrieved 15 March 2021.
  7. Reuters (7 August 2023). "North Korean cyber group hacked top Russian missile makers". The Jerusalem Post. Retrieved 7 August 2023.
  8. SentinelOne (7 August 2023). "Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company". Retrieved 7 August 2023.