North Korean hackers targeting US healthcare with ransomware

State-sponsored hackers aligned with the North Korean government are attacking critical infrastructure and hospitals within the United States with ransomware. The new alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) outlines the observed tactics, techniques, and procedures the North Korean cyber actors are utilizing.

According to the alert, the North Korean hackers are also specifically targeting Department of Defense Information Network (DoDIN) and Defense Industrial Base (DIB) networks with ransomware attacks.

Once a network is infected with ransomware, the attackers demand cryptocurrency payments to decrypt the data and restore network usability. The Federal Bureau of Investigation and CISA believe that these ransomware payments are helping fund the North Korean government.

The alert does not specify if the DoDIN or DIB networks have successfully been targeted with ransomware attacks. However, US healthcare operators have repeatedly been struck with successful ransomware attacks for years.

The hackers are successfully exploiting well-known vulnerabilities such as Log4Shell in Apache Log4j to execute malicious code remotely. Unpatched SonicWall SMA 100 and TerraMaster NAS appliances are also leveraged in these attacks, according to CISA.

Organizations are strongly encouraged to develop and deploy security best practices such as least privilege, zero trust network access, network segmentation, multi-factor authentication, and maintaining periodic network data backups.

The United Nations estimates that North Korean state-sponsored hackers successfully stole between $630 million and $1 billion in cryptocurrency assets in 2022.

It is believed that the ransomware payments are not only funding the North Korean government but also its nuclear and ballistic missile programs, according to the Associated Press.
