Recent research has linked the North Korean threat group Moonstone Sleet to FakePenny ransomware attacks, in which the attackers have demanded millions of dollars in ransom.
The group's tactics, techniques, and procedures (TTPs) largely resemble those of other North Korean state-sponsored groups, but it has gradually adopted its own attack methods and its own infrastructure.
Moonstone Sleet, formerly tracked as Storm-1789, has pursued both financial and cyberespionage targets using trojanised software, malicious games and npm packages, custom malware loaders, and fake software development companies set up to approach potential victims on LinkedIn, Telegram, freelancing platforms, or via email.
According to reports, the group initially showed strong overlap with Diamond Sleet: it extensively reused code from known Diamond Sleet malware such as Comebacker, and it leveraged established Diamond Sleet techniques to gain unauthorised access to organisations, including using social media to deliver trojanised software.
More recently, however, Moonstone Sleet has transitioned to its own infrastructure and attacks. Researchers have observed Moonstone Sleet and Diamond Sleet conducting parallel operations, with Diamond Sleet still relying on much of its established tradecraft.
The Moonstone Sleet group caught the attention of researchers after deploying the new FakePenny ransomware variant.
These threat actors were first detected spreading a new custom FakePenny ransomware variant last month, two months after breaking into the victim’s network.
Unlike earlier ransomware operations attributed to North Korean-backed threat groups, in which victims were asked for around $100,000, the Moonstone Sleet attackers demanded $6.6 million in Bitcoin.
Further analysis of this attack indicates that the FakePenny deployment was primarily financially motivated. Taken together with the group's earlier cyberespionage activity, this suggests that its operations are intended both to generate income and to gather intelligence.
Since it emerged, the group has targeted individuals and organisations across several industries, including software and IT, education, and defence. North Korea continues to field some of the most aggressive state-aligned threat groups observed to date, and organisations worldwide should share intelligence and coordinate defences to disrupt these actors' activities.