Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

he TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation: Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft. Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments. Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK. Gain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]. Observed CVEs used include: CVE 2021-44228 CVE-2021-20038 CVE-2022-24990