October 2, 2024 at 05:49PM
North Korean APT group “Stonefly” has pivoted from espionage to targeting US private companies for financial gain, continuing its operations despite a recent US indictment and a $10 million reward offer. In attacks in August the group deployed Backdoor.Preft and Nukebot and appears to have intended to deploy ransomware, although none was observed. Businesses should watch for Stonefly’s indicators of compromise to guard against potential attacks.
Key takeaways:
1. North Korean APT group “Stonefly” (also known as Andariel, APT45, Silent Chollima, and Onyx Sleet) has shifted its focus to targeting private companies in the US for financial gain.
2. Stonefly, a unit of North Korea’s Reconnaissance General Bureau (RGB), targeted three US organizations in August for financial gain, a shift from its earlier focus on espionage against high-value targets.
3. Stonefly’s toolkit combines malware such as Backdoor.Preft, Nukebot and a keylogger with publicly available tools, including Mimikatz and an open-source penetration-testing framework.
4. In the August intrusions no ransomware was actually deployed, and the initial infection vector has not been determined.
5. Organizations are advised to familiarize themselves with Stonefly’s indicators of compromise (IoCs) to protect against potential ransomware attacks.
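Acting on a published IoC list usually means sweeping hosts for known-bad file hashes and file names. The following Python script is an added example written for this page, not code from the original summary or from any vendor report. The indicator values in it are constructed placeholders derived from sample byte strings, not Stonefly IoCs; a real sweep would load the SHA-256 hashes and file names from the vendor report this summary refers to. The demo directory it builds is likewise constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder indicators for this example only. They are NOT
# Stonefly indicators; substitute the hashes and names from the real report.
SAMPLE_IOC_SHA256: Dict[str, str] = {
    hashlib.sha256(b"constructed sample payload A").hexdigest(): "constructed-indicator-A",
    hashlib.sha256(b"constructed sample payload B").hexdigest(): "constructed-indicator-B",
}
SAMPLE_IOC_FILENAMES = {"constructed_dropper.exe"}

Hit = Tuple[str, str, str]  # (path, indicator type, indicator label)


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(
    root: str,
    ioc_hashes: Dict[str, str],
    ioc_filenames: Iterable[str],
    max_size: int = 256 << 20,
) -> List[Hit]:
    """Walk root and report files whose name or SHA-256 matches an indicator.

    Symlinks, non-regular files, unreadable files and files above max_size are
    skipped rather than aborting the sweep, so one bad entry does not hide the
    rest of the host.
    """
    wanted_names = {n.lower() for n in ioc_filenames}
    hits: List[Hit] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # File-name indicators are cheap and catch renamed-by-case copies.
            if name.lower() in wanted_names:
                hits.append((str(path), "filename", name))
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                if path.stat().st_size > max_size:
                    continue
                digest = sha256_of_file(path)
            except OSError:
                # Permission denied, vanished file, etc.: skip and keep going.
                continue
            if digest in ioc_hashes:
                hits.append((str(path), "sha256", ioc_hashes[digest]))
    # Deterministic order makes the report diffable between runs.
    return sorted(hits, key=lambda h: (h[1], h[0]))


def build_demo_tree(root: str) -> None:
    """Write a constructed directory: one hash match, one name match, one benign file."""
    base = Path(root)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "notes.txt").write_bytes(b"benign content")
    (base / "svc_host.bin").write_bytes(b"constructed sample payload A")
    (base / "constructed_dropper.exe").write_bytes(b"also benign content")


def run_demo() -> List[Hit]:
    """Build the constructed tree in a temp dir and sweep it with the sample IoCs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sweep_directory(tmp, SAMPLE_IOC_SHA256, SAMPLE_IOC_FILENAMES)


if __name__ == "__main__":
    for path, kind, label in run_demo():
        print(f"{kind:8} {label:28} {path}")
```

Hash matching only catches unmodified samples; a name match on its own is weak evidence and should be confirmed by the hash or by other telemetry before treating it as a compromise.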