North Korea-backed cyber group sought to steal nuclear secrets, NCSC says

A North Korea-backed cyber group has been accused by the UK, US and South Korea of carrying out an online espionage campaign to steal military and nuclear secrets.

The National Cyber Security Centre (NCSC) said the Andariel group has been compromising organisations around the world to steal sensitive and classified technical information and intellectual property data.

NCSC director of operations Paul Chichester said: “The global cyber espionage operation that we have exposed today shows the lengths that DPRK (Democratic People’s Republic of Korea) state-sponsored actors are willing to go to pursue their military and nuclear programmes.”

The NCSC believes that Andariel is a part of DPRK’s reconnaissance general bureau (RGB) 3rd bureau, and the group’s malicious cyber activities pose an ongoing threat to critical infrastructure organisations globally.

Andariel primarily targeted defence, aerospace, nuclear and engineering organisations, but also acted against the medical and energy sectors.

The group has attempted to obtain information such as contract specification, design drawings and project details.

It also launched ransomware attacks against US healthcare organisations in order to extort payments and fund further espionage activity, the NCSC said.

The NCSC, part of the GCHQ intelligence agency, issued the joint warning and advisory note about Andariel’s actions with organisations including the US Federal Bureau of Investigation and South Korea’s national intelligence service.

Mr Chichester said: “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.

“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”

The advisory outlines how Andariel has evolved from destructive hacks against US and South Korea organisations to carrying out specialised cyber espionage and ransomware attacks.

In some cases, the hackers carried out both ransomware attacks and cyber espionage operations on the same day against the same victim.