In a joint advisory issued on Thursday, the United States, Britain, and South Korea revealed that North Korean hackers have orchestrated a global cyber espionage campaign aimed at stealing classified military secrets to bolster Pyongyang’s banned nuclear weapons program. The hackers, known as Andariel or APT45 by cybersecurity experts, are believed to be affiliated with North Korea’s intelligence agency, the Reconnaissance General Bureau, which was sanctioned by the U.S. in 2015.
The advisory detailed that this cyber unit has targeted or breached computer systems at a variety of defense and engineering firms, including manufacturers of tanks, submarines, naval vessels, fighter aircraft, and missile and radar systems. Notable victims in the U.S. include the National Aeronautics and Space Administration (NASA), Randolph Air Force Base in Texas, and Robins Air Force Base in Georgia, according to officials from the FBI and U.S. Justice Department.
In one incident from February 2022, the hackers reportedly used a malware script to gain unauthorized access to NASA’s computer system for three months, during which they extracted over 17 gigabytes of unclassified data.
The advisory highlighted that the group and its cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in the U.S., Britain, South Korea, Japan, and India.
North Korea, officially known as the Democratic People’s Republic of Korea (DPRK), has a long history of deploying covert hacking teams to steal sensitive military information. To fund their operations, the hackers have also engaged in ransomware attacks targeting U.S. hospitals and healthcare companies, U.S. officials allege.
On Thursday, the U.S. Justice Department charged Rim Jong Hyok with conspiring to access computer networks in the U.S. and money laundering. One of the ransomware incidents Rim is charged with involved a May 2021 attack on a Kansas-based hospital that paid ransom after hackers encrypted four of its computer servers. The hospital paid in bitcoin, which was then transferred to a Chinese bank and withdrawn from an ATM in Dandong, China, near the Sino-Korean Friendship Bridge connecting the city to Sinuiju, North Korea, the indictment said.
The FBI has offered a reward of up to $10 million for information leading to the arrest of Rim, who is believed to be in North Korea. FBI and Justice Department officials announced they have seized some of the hackers’ online accounts, including $600,000 in virtual currency that will be returned to the victims of the ransomware attacks.
“The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programs,” said Paul Chichester of Britain’s National Cyber Security Centre, part of the country’s GCHQ spy agency.
In August last year, Reuters reported that an elite group of North Korean hackers had breached systems at NPO Mashinostroyeniya, a rocket design bureau in Reutov, near Moscow. Similar to that hack, APT45 used common phishing techniques and computer exploits to trick officials at targeted firms into granting access to their internal computer systems, according to Thursday’s advisory.