A cyber group backed by North Korea has been accused by the UK, US and South Korea of carrying out an online espionage campaign to steal military and nuclear secrets.
The National Cyber Security Centre (NCSC) said that the Andariel group had been compromising organisations around the world to steal sensitive and classified technical information and intellectual property data.
The NCSC’s director of operations, Paul Chichester, said today: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK [Democratic People’s Republic of Korea] state-sponsored actors are willing to go to pursue their military and nuclear programmes.”
The NCSC believes that Andariel is a part of North Korean leader Kim Jong-un’s Reconnaissance General Bureau (RGB), and that its malicious cyber activities pose an ongoing threat to critical infrastructure organisations globally.
Andariel primarily targeted defence, aerospace, nuclear and engineering organisations, but also acted against the medical and energy sectors.
The group has attempted to obtain information such as contract specifications, design drawings and project details. It also launched ransomware attacks against US healthcare organisations in order to extort payments and fund further espionage activity, the NCSC said.
The NCSC, which is part of the GCHQ intelligence agency based at Cheltenham in Gloucestershire, issued the joint warning and advisory note about Andariel’s actions with organisations including the US Federal Bureau of Investigation and South Korea’s national intelligence service.
Mr Chichester said: “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.
“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance in this advisory to ensure they have strong protections in place to prevent this malicious activity.”
The US State Department has offered a reward of up to $10m (£7.7m) for information on Rim Jong-hyok, a North Korean man who it said was associated with Andariel.
It added that Mr Rim and others conspired to carry out ransomware attacks on American hospitals and other health providers to fund the group’s operations against government bodies and defence firms.
US law enforcement agencies believe that Andariel targeted five healthcare providers, four US-based defence contractors, two US air force bases and the office of Nasa’s inspector general.
In one operation that began in November 2022, the hackers reportedly accessed the computers of an American defence contractor from which they extracted more than 30 gigabytes of data, including unclassified technical information regarding material used in military aircraft and satellites.