The North Korea-based Stonefly hacking group recently shifted gears from espionage to focus on financially motivated attacks that security pros say will ultimately lead to ransomware extortion incidents.
In an Oct. 2 blog post, Symantec’s Threat Hunter Team said they found evidence of intrusions into three U.S. organizations in August, about one month after the U.S. Department of Justice indicted Rim Jong Hyok on charges related to the campaign.
The researchers said Rim is an alleged member of Stonefly and the group has been linked to the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB). While the attackers didn’t succeed in deploying ransomware in any of these early attacks, the researchers said it’s likely these attacks were financially motivated.
Stonefly — aka Andariel, APT45, Silent Chollima, and Onyx Sleet — has been active since 2009 when it started with distributed-denial-of-service (DDoS) attacks. The group has focused on espionage since 2019. In several of the recent attacks, the researchers said Stonefly deployed its custom malware Backdoor.Preft. The researchers also said that several Stonefly indicators of compromise documented by Microsoft in July were found on the compromised networks.
“While Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight shone on the group’s activities due to the indictment naming one of its members has not yet led to a cessation of activity,” wrote the Symantec researchers. “The group is likely continuing to attempt to mount extortion attacks against organizations in the U.S.”
This shift to financially motivated attacks aligns with a broader pattern among North Korean state-sponsored cyber groups, who are increasingly leveraging ransomware and extortion to generate revenue and support their operations, explained Sarah Jones, cyber threat intelligence research analyst at Critical Start.
“While it’s possible that the group's primary focus may still be on espionage, it’s highly likely that Stonefly will continue to use ransomware in future cyber operations to fund their operations,” said Jones. “The prosecution and indictment of cyber threat actor leaders by the U.S. Justice Department can be a powerful tool in disrupting their operations and deterring future attacks. However, it’s important to note that these efforts are not always effective. In the case of Stonefly, the indictment of a group member has not deterred their continued activities.”