Microsoft has identified Moonstone Sleet, a North Korean hacking group, as the entity behind the FakePenny ransomware, which has led to ransom demands totaling millions of dollars. This group, previously known as Storm-17, has been targeting a wide range of sectors, including finance, cyber espionage, software, information technology, education, and defense.
Unique Attack Methods and Custom Tools
Moonstone Sleet has developed its own infrastructure and tools, diverging from the tactics of other North Korean groups. Initially, their methods mirrored those of Diamond Sleet, another North Korean group, with extensive code reuse from Diamond Sleet’s malware, such as Comebacker. Moonstone Sleet’s techniques included using social media to distribute trojanized software. Over time, they have shifted to their own custom infrastructure and attack methods, although both groups continue to operate concurrently.
In April, Moonstone Sleet deployed a custom variant of the FakePenny ransomware, demanding $6.6 million in Bitcoin, a significant increase from previous North Korean ransomware demands of $100,000. Microsoft’s analysis suggests that while financial gain is a primary motivation, the group’s history of cyber espionage indicates a dual focus on revenue generation and intelligence collection.
Methods of Infiltration
The group has employed various methods to make contact with potential victims. These include trojanized versions of legitimate software such as PuTTY, malicious games such as DeTankWar, malicious npm packages, and fake software development companies such as StarGlow Ventures and C.C. Waterfall. These fake entities have been used to engage with targets on platforms including LinkedIn, Telegram, freelancing networks, and email.
Moonstone Sleet is part of a broader pattern of North Korean cyber activities. The Lazarus Group was previously blamed for the WannaCry ransomware outbreak in May 2017, which affected hundreds of thousands of computers globally. More recently, in July 2022, Microsoft and the FBI linked North Korean hackers to the Holy Ghost ransomware operation and the Maui ransomware attacks on healthcare organizations.
Targeting Software Developers and Aerospace Sector
Moonstone Sleet has also targeted software developers using malicious npm packages and pursued employment in software development positions at legitimate companies to gain access to organizations. The group has compromised companies in the aerospace sector, including those involved in drone technology and aircraft parts. Their tactics have evolved from those of other North Korean threat actors, indicating a possible sharing of expertise and techniques.
Moonstone Sleet and Diamond Sleet have conducted operations concurrently, using similar techniques and code. This suggests a coordinated effort within North Korean cyber operations, with different groups sharing resources and methods to achieve their objectives.
Last Updated on November 7, 2024 8:03 pm CET