North Korean hackers seen collaborating with Play ransomware group, researchers say
Hackers affiliated with North Korea’s Reconnaissance General Bureau were involved in a Play ransomware attack identified by incident responders in September.
Palo Alto Networks’ Unit42 published a report on Wednesday highlighting an investigation into a recent ransomware attack where North Korean actors appeared to be collaborating with the financially-minded Play ransomware gang.
The researchers did not identify the victim or where it is located but attributed the attack to a threat actor they call Jumpy Pisces — a group that has been previously linked to North Korean state-sponsored activity.
“Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group,” they said.
“This change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group.”
Unit42 warned that the incident signaled North Korea’s deeper involvement in the ransomware landscape after Jumpy Pisces actors were previously implicated by the Justice Department in attacks involving the Maui ransomware.
The researchers added that they “expect their attacks will increasingly target a wide range of victims globally.” Defenders should view the North Korean group’s activity “as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”
‘DTrack’
Unit42 says it discovered the new development when it was brought in for an incident response engagement in early September involving Play ransomware.
The investigation revealed that the North Korean actors had done the initial work of gaining access to the organization’s systems through a compromised user account in May.
The North Korean hackers moved laterally throughout the system and maintained their access through custom-made malware called DTrack. DTrack is an infostealer “previously used in reported incidents attributed to North Korean threat groups,” the researchers said. The data stolen is collected, compressed and hidden as a GIF file.
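As an added illustration of the GIF-disguise detail above (example code written for this page, not from the Unit42 report or from DTrack itself): a small Python triage check that verifies whether a file carrying a .gif extension really begins with a GIF header and, if it does, whether anything follows the GIF trailer. The article does not say how DTrack packages the stolen data, so the archive signatures it looks for and the sample files it runs on are assumptions and constructed data.

```python
"""Triage check for files that claim to be GIFs but may carry hidden data.

Added example for this article, not code from the Unit42 report or from DTrack.
It verifies two generic properties of any *.gif collected during triage:
  1. the file actually begins with a GIF87a/GIF89a header, and
  2. if it is a GIF, nothing follows the GIF trailer byte (0x3B).
The article does not describe how DTrack packages the stolen data, so the
archive signatures and sample files below are assumptions / constructed data.
"""
import io
from typing import Dict, Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ARCHIVE_MAGICS = {  # assumption: archive formats worth naming if found
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def sniff_archive(data: bytes) -> Optional[str]:
    """Return the archive type whose magic bytes open `data`, or None."""
    for magic, name in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def _skip_sub_blocks(buf: io.BytesIO) -> None:
    """Consume GIF data sub-blocks: length-prefixed chunks ending with a 0 byte."""
    while True:
        length = buf.read(1)
        if not length:
            raise ValueError("truncated GIF sub-block")
        if length[0] == 0:
            return
        if len(buf.read(length[0])) != length[0]:
            raise ValueError("truncated GIF sub-block")


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer."""
    if not data.startswith(GIF_MAGICS):
        raise ValueError("not a GIF header")
    buf = io.BytesIO(data)
    buf.seek(6)  # past the 6-byte header
    lsd = buf.read(7)  # logical screen descriptor
    if len(lsd) != 7:
        raise ValueError("truncated logical screen descriptor")
    packed = lsd[4]
    if packed & 0x80:  # global color table present: 3 bytes per entry
        buf.read(3 * (2 ** ((packed & 0x07) + 1)))
    while True:
        tag = buf.read(1)
        if not tag:
            raise ValueError("GIF has no trailer")
        if tag == b"\x3b":  # trailer: the GIF ends here
            return buf.tell()
        if tag == b"\x21":  # extension: one label byte, then sub-blocks
            buf.read(1)
            _skip_sub_blocks(buf)
        elif tag == b"\x2c":  # image descriptor
            desc = buf.read(9)
            if len(desc) != 9:
                raise ValueError("truncated image descriptor")
            if desc[8] & 0x80:  # local color table present
                buf.read(3 * (2 ** ((desc[8] & 0x07) + 1)))
            buf.read(1)  # LZW minimum code size
            _skip_sub_blocks(buf)
        else:
            raise ValueError("unexpected GIF block tag %r" % tag)


def inspect_gif_file(data: bytes) -> Dict[str, object]:
    """Classify a file that carries a .gif extension.

    For a non-GIF the whole file is unexplained, so trailing_bytes is its size.
    """
    if not data.startswith(GIF_MAGICS):
        return {"verdict": "not_a_gif", "trailing_bytes": len(data),
                "trailing_type": sniff_archive(data)}
    try:
        end = gif_end_offset(data)
    except ValueError as exc:
        return {"verdict": "malformed_gif", "error": str(exc),
                "trailing_bytes": 0, "trailing_type": None}
    trailing = data[end:]
    return {
        "verdict": "gif_with_trailing_data" if trailing else "clean_gif",
        "trailing_bytes": len(trailing),
        "trailing_type": sniff_archive(trailing),
    }


# Constructed samples: a minimal valid 1x1 GIF89a, the same GIF with a fake ZIP
# header appended, and a gzip-looking blob that merely carries a .gif name.
MINIMAL_GIF = (
    b"GIF89a"                        # header
    + b"\x01\x00\x01\x00"            # logical screen 1x1
    + b"\x80\x00\x00"                # packed: global color table, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"    # the 2-entry color table
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00" + b"\x00"  # image descriptor
    + b"\x02"                        # LZW minimum code size
    + b"\x02\x44\x01" + b"\x00"      # one data sub-block, then terminator
    + b"\x3b"                        # trailer
)
SAMPLE_CLEAN = MINIMAL_GIF
SAMPLE_APPENDED = MINIMAL_GIF + b"PK\x03\x04" + b"\x00" * 20
SAMPLE_RENAMED = b"\x1f\x8b\x08" + b"\x00" * 10

if __name__ == "__main__":
    for name, blob in [("clean.gif", SAMPLE_CLEAN),
                       ("appended.gif", SAMPLE_APPENDED),
                       ("renamed.gif", SAMPLE_RENAMED)]:
        print(name, inspect_gif_file(blob))
```

The structural walk matters more than the magic-byte list: a file that opens with a real GIF header passes a naive `file`-style check, but data glued on after the trailer still shows up as unexplained bytes, whatever format it is in.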
Ultimately the Play ransomware was deployed in September after an “unidentified threat actor entered the network through the same compromised user account used by Jumpy Pisces,” according to the report.
“They carried out pre-ransomware activities including credential harvesting, privilege escalation and the uninstallation of EDR sensors, which eventually led to the deployment of Play ransomware,” Unit42 said.
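The "uninstallation of EDR sensors" step quoted above is one of the few pre-ransomware activities that leaves a reliable host-level trace. As an added example for this page (not from the Unit42 report), the Python below scans Windows event records for three real event types that accompany a sensor being stopped, disabled or removed: Service Control Manager 7036 (service changed state), 7040 (service start type changed) and MsiInstaller 1034 (product removed). The watchlist entry `exampleedr`, the host names and the log lines are constructed placeholders; substitute the service and product names of the sensor actually deployed.

```python
"""Flag Windows events consistent with an endpoint sensor being stopped or removed.

Added example for this article, not code from the Unit42 report. The event IDs
are real Windows ones; the watchlist names, hosts and log lines are constructed.
"""
import json
import re
from typing import Iterable, List, Optional, Tuple

# Constructed watchlist: lower-case substrings of the service and product names
# that belong to your endpoint sensor. "exampleedr" is a placeholder.
WATCHLIST = ("exampleedr",)


def is_watched(name: str) -> bool:
    lowered = name.lower()
    return any(w in lowered for w in WATCHLIST)


def classify_event(evt: dict) -> Optional[str]:
    """Return a finding label for a single event record, or None if benign."""
    provider = evt.get("Provider", "")
    event_id = evt.get("EventID")
    message = evt.get("Message", "")
    if provider == "Service Control Manager" and event_id == 7036:
        m = re.match(r"The (.+?) service entered the (\w+) state", message)
        if m and m.group(2).lower() == "stopped" and is_watched(m.group(1)):
            return "sensor_service_stopped"
    elif provider == "Service Control Manager" and event_id == 7040:
        m = re.match(r"The start type of the (.+?) service was changed from (.+?) to (.+?)\.",
                     message)
        if m and m.group(3).lower() == "disabled" and is_watched(m.group(1)):
            return "sensor_service_disabled"
    elif provider == "MsiInstaller" and event_id == 1034:
        m = re.search(r"Product Name: (.+?)\. ", message)
        if m and is_watched(m.group(1)):
            return "sensor_uninstalled"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse JSON event lines and return (time, host, finding) for each hit."""
    findings = []
    for line in lines:
        evt = json.loads(line)
        finding = classify_event(evt)
        if finding:
            findings.append((evt.get("TimeCreated", "?"), evt.get("Computer", "?"), finding))
    return findings


# Constructed sample records in the shape of Windows event log exports.
SAMPLE_EVENTS = [
    {"TimeCreated": "2000-01-01T00:00:01Z", "Computer": "WS-EXAMPLE-01",
     "Provider": "Service Control Manager", "EventID": 7036,
     "Message": "The Windows Update service entered the running state."},
    {"TimeCreated": "2000-01-01T00:00:02Z", "Computer": "WS-EXAMPLE-01",
     "Provider": "Service Control Manager", "EventID": 7036,
     "Message": "The ExampleEDR Sensor service entered the stopped state."},
    {"TimeCreated": "2000-01-01T00:00:03Z", "Computer": "WS-EXAMPLE-01",
     "Provider": "Service Control Manager", "EventID": 7040,
     "Message": "The start type of the ExampleEDR Sensor service was changed "
                "from auto start to disabled."},
    {"TimeCreated": "2000-01-01T00:00:04Z", "Computer": "WS-EXAMPLE-02",
     "Provider": "MsiInstaller", "EventID": 1034,
     "Message": "Windows Installer removed the product. Product Name: ExampleEDR Sensor. "
                "Product Version: 7.2.0. Product Language: 1033. Manufacturer: Example "
                "Corp. Removal success or error status: 0."},
    {"TimeCreated": "2000-01-01T00:00:05Z", "Computer": "WS-EXAMPLE-02",
     "Provider": "MsiInstaller", "EventID": 1034,
     "Message": "Windows Installer removed the product. Product Name: 7-Zip 23.01 "
                "(x64 edition). Product Version: 23.01.00.0. Product Language: 1033. "
                "Manufacturer: Igor Pavlov. Removal success or error status: 0."},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for when, host, finding in scan(SAMPLE_LOG):
        print(when, host, finding)
```

A service stop on its own is noisy (updates restart sensors too); the combination of a stop, a start-type change to disabled and an MSI removal on the same host within a short window is what should page someone.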
The attackers also used another tool to steal browser history, autofill data and credit card details from the Chrome, Edge and Brave browsers.
Unit42 based its assessment of collaboration between the North Korean hackers and Play ransomware operators on the use of the same compromised account, the use of the same malware and other technical factors.
“It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an [initial access broker] by selling network access to Play ransomware actors,” they explained.
“If Play ransomware does not provide a ransomware-as-a-service ecosystem as it claims, Jumpy Pisces might only have acted as an [initial access broker]. Either way, this incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network.”
Play ransomware has been used in dozens of attacks on governments in Europe and across U.S. municipalities in California, Texas, Virginia, Massachusetts and Indiana. The FBI said the ransomware gang has attacked more than 300 organizations since emerging in 2022.
Unit42 expressed concern about a “future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally.”
Nation-state ransomware
Two weeks ago, Microsoft warned that nation-states and cybercriminals have been coordinating their activity to a greater degree than ever before.
Microsoft’s researchers found that Russia, North Korea and Iran are now deploying ransomware as a way to gain financially from their offensive cyber operations.
“This marks a change from previous behavior, whereby ransomware attacks that were designed to appear financially motivated were actually destructive attacks,” the researchers said.
Multiple ransomware gangs openly backed Russia at the onset of the Ukraine invasion and Google found former members of the notorious Conti ransomware group repurposed many of their tools for attacks on Ukrainian organizations.
In several cases, ransomware has been used as a cover for Chinese espionage activity. Law enforcement agencies have also seen instances of Iranian government hackers using their official access to later launch financially-motivated attacks as part of an effort to double-dip and moonlight as cybercriminals, monetizing their hacking skills.
The FBI said in August that it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments.
The Iranian group didn’t simply sell access to victim networks, according to the FBI. In some cases the hackers worked with ransomware gangs to “lock victim networks and strategize on approaches to extort victims.”
North Korean actors have long been accused of using ransomware themselves in attacks. The U.S. indicted North Korean national Rim Jong Hyok in July for his alleged role in ransomware attacks on U.S. hospitals and healthcare companies.
As a member of the Reconnaissance General Bureau (RGB), Rim allegedly used the Maui ransomware in 2021 and 2022 to target a hospital in Kansas, five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases, and the National Aeronautics and Space Administration’s Office of Inspector General.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.