A North Korean state-sponsored threat actor is suspected of collaborating with the Play ransomware gang in a September cyberattack, Palo Alto Networks Unit 42 reported Wednesday.
The group tracked by Unit 42 as Jumpy Pisces, also known as Andariel, Onyx Sleet and Stonefly, made initial access via a compromised account in May 2024 and then deployed open-source and custom tools for lateral movement and persistence.
By September, the initial access established by Jumpy Pisces was leveraged to conduct pre-ransomware activity and ultimately deploy the Play ransomware payload. Unit 42 believes with “moderate confidence” that this points to a collaboration between Jumpy Pisces and Play.
“This change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group,” the Unit 42 researchers wrote. “This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.”
Jumpy Pisces, which has ties to the Reconnaissance General Bureau of the Korean People’s Army of North Korea, has used its own custom ransomware in the past; in July, the U.S. Department of Justice indicted a member of the group for his alleged role in using the custom Maui ransomware to target U.S. healthcare organizations.
While it has traditionally been associated with cyberespionage, Jumpy Pisces has recently been shifting to apparent financially motivated attacks, potentially used to fund further cyberattacks or other North Korean government and military activities.
“These North Korean actors are good at gaining access to networks. However, they are late to joining the ransomware game, so collaboration with a group that already has the infrastructure, processes, and procedures in place is a wise move,” Erich Kron, a security awareness advocate at KnowBe4, told SC Media. “Only time will tell if this collaboration continues or if the North Korean group moves on to creating their own ransom infrastructure.”
Unit 42 noted that this apparent shift in tactics means organizations should consider the activity and indicators of nation-state actors like Jumpy Pisces to be a potential precursor to ransomware and use heightened vigilance when defending against these types of threats.
How North Korean attacker paved the way for Play ransomware
Unit 42 responded to the attack on one of its customers in early September and traced the threat actor’s activity back to the initial access via a compromised account in late May.
The threat actor first began spreading a customized version of the open-source red teaming tool Sliver, as well as its own custom-developed tool called DTrack, across multiple hosts at the victim organization over the Server Message Block (SMB) protocol. They also used a customized version of the open-source credential dumping tool Mimikatz during this early stage of the attack.
Throughout June, the threat actor continued to spread Sliver and used Sliver beacons to communicate with a command-and-control (C2) server at an IP address that has previously been linked to Jumpy Pisces. In August, the attacker began to create malicious services, gather network configuration information and launch Remote Desktop Protocol (RDP) sessions using a dedicated tool to create privileged user accounts.
Days before the ransomware deployment, Jumpy Pisces began to extract the Windows Security Account Manager (SAM), Security and System registry hives, continued its use of Mimikatz and continued to communicate with the C2 server via Sliver beaconing. Communications with Jumpy Pisces’ C2 server continued up until the day of the ransomware deployment, Sept. 5, and the C2 server has been offline ever since, Unit 42 noted.
On Sept. 5, the compromised account that was initially used for the intrusion was accessed again, and this access was leveraged to conduct pre-ransomware activities, including dumping of Local Security Authority Subsystem Service (LSASS) credentials using Task Manager, abuse of Windows access tokens, escalation to SYSTEM privileges via PsExec and additional lateral movement. Mass uninstallation of endpoint detection and response (EDR) sensors was also conducted just prior to the ransomware deployment.
The attack culminated in the Play ransomware encryption of multiple hosts on the victim’s network on Sept. 5. Based on the use of the same account for initial access and timeline of Sliver C2 communications, Unit 42 concluded that Jumpy Pisces likely coordinated with Play to conduct the attack, either as an affiliate or IAB, although Play currently claims to not run a ransomware-as-a-service (RaaS) program.
The researchers noted that in addition to Sliver, Mimikatz and its own DTrack infostealer, Jumpy Pisces also used a trojanized binary designed to steal browser history, autofill information and credit card details from Chrome, Edge and Brave browsers during the attack. The pre-ransomware activity conducted on Sept. 5, including use of TokenPlayer for Windows access token abuse and PsExec – both stored in the public “Music” folder – was also noted to be consistent with previous Play attacks.
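As an added illustration (not from the Unit 42 report or this article), the following Python routine runs simple detection rules over constructed process-creation records for three of the behaviours described above: tooling executed from the public “Music” folder, saving of the SAM, SECURITY or SYSTEM registry hives, and the same uninstall command appearing on many hosts at once. The hostnames, the msiexec uninstall pattern and the product GUID are assumptions; the article does not say how the EDR sensors were removed.

```python
import re
from collections import defaultdict

# Constructed process-creation records (hypothetical hosts and paths, not from Unit 42).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\Public\Music\PsExec.exe", "cmdline": r"PsExec.exe -s cmd.exe"},
    {"host": "ws01", "image": r"C:\Users\Public\Music\TokenPlayer.exe", "cmdline": r"TokenPlayer.exe"},
    {"host": "dc01", "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"host": "dc01", "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SYSTEM C:\Temp\sys.hiv"},
    {"host": "ws02", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /x {PLACEHOLDER-EDR-GUID} /qn"},
    {"host": "ws03", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /x {PLACEHOLDER-EDR-GUID} /qn"},
    {"host": "ws04", "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /x {PLACEHOLDER-EDR-GUID} /qn"},
    {"host": "ws05", "image": r"C:\Program Files\Git\bin\git.exe", "cmdline": r"git pull"},  # benign
]

# Rule 1: binaries launched from the world-writable public Music folder (as seen with PsExec/TokenPlayer).
PUBLIC_MUSIC = re.compile(r"^c:\\users\\public\\music\\", re.IGNORECASE)
# Rule 2: exporting the credential-bearing hives with reg.exe.
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.IGNORECASE)
# Rule 3: msiexec uninstall of the same product across many hosts (assumed removal method).
MSI_UNINSTALL = re.compile(r"\bmsiexec(?:\.exe)?\b.*?/x\s+(\S+)", re.IGNORECASE)
MASS_UNINSTALL_HOSTS = 3  # distinct hosts before a single product removal counts as "mass"


def detect(events):
    """Return (rule, host_or_hosts, detail) tuples for every matching record."""
    hits = []
    uninstalls = defaultdict(set)  # product identifier -> hosts where it was removed
    for e in events:
        if PUBLIC_MUSIC.match(e["image"]):
            hits.append(("exec_from_public_music", e["host"], e["image"]))
        m = HIVE_SAVE.search(e["cmdline"])
        if m:
            hits.append(("registry_hive_dump", e["host"], m.group(1).upper()))
        m = MSI_UNINSTALL.search(e["cmdline"])
        if m:
            uninstalls[m.group(1)].add(e["host"])
    # Correlate per product: one uninstall is routine, the same one on many hosts is not.
    for product, hosts in uninstalls.items():
        if len(hosts) >= MASS_UNINSTALL_HOSTS:
            hits.append(("mass_uninstall", ",".join(sorted(hosts)), product))
    return hits


if __name__ == "__main__":
    for rule, where, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {where:18} {detail}")
```

The hive and public-folder rules fire per record, while the uninstall rule only fires once the same product identifier has been removed from the configured number of hosts.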
Nation-state threat actors have increasingly been observed deploying ransomware or working with ransomware groups, shifting from cyberespionage and sabotage to potentially financially motivated crimes. In June, suspected China-sponsored threat groups APT41 and ChamelGang were linked, along with Andariel, by SentinelOne and Recorded Future researchers to a wave of ransomware attacks between 2021 and 2023.
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) warned in August that the Iran-backed threat actor Pioneer Kitten had worked with affiliates of NoEscape, Ransomhouse and ALPHV/BlackCat to provide initial access to victims’ networks in exchange for a cut of the ransomware payouts.