Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund Democratic People’s Republic of Korea (DPRK) Espionage Activities, to warn network defenders of malicious activity targeting U.S. and South Korean Healthcare and Public Health (HPH) Sector organizations as well as other critical infrastructure sectors.

In addition to other tactics, these malicious cyber actors have been exploiting vulnerabilities, such as Log4Shell CVE-2021-44228, SMA100 Apache CVE-2021-20038, and/or TerraMaster OS CVE-2022-24990, to gain access and escalate privileges on victim’s networks. After initial access, DPRK actors use staged payloads with customized malware to perform malicious movements, use various ransomware tools and demand ransom in cryptocurrency.

This advisory is a supplement to a July 2022 joint advisory on North Korean state-sponsored cyber actors using Maui ransomware to target HPH sector.

All organizations are encouraged to review the CSA for complete details on this threat and recommended mitigations, which also includes specific mitigations that HPH organizations should implement. This advisory is available on stopransomware.gov, the USG one-stop resource for advisories on the ransomware threat and available no-cost resources.