10/30/2024 | News release | Distributed by Public on 10/30/2024 22:52
Executive Summary
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group's tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).
This change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group. This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.
Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. The group was indicted by the U.S Justice Department for deploying custom-developed ransomware, Maui.
We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.
Palo Alto Networks customers are better protected from the threats discussed in this article through the following products:
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Jumpy Pisces' Intrusion Leads to Play Ransomware
In early September 2024, Unit 42 engaged in incident response services for a client impacted by Play ransomware. Play ransomware was first reported in mid-2022. A closed group we track as Fiddling Scorpius is believed to be operating this threat, for both developing and executing the attacks.
Some suggest that Fiddling Scorpius has transitioned to a ransomware-as-a-service (RaaS) model. However, the group has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem.
During our investigation, we discovered with high confidence that the North Korean state-sponsored threat group Jumpy Pisces gained initial access via a compromised user account in May 2024. Jumpy Pisces carried out lateral movement and maintained persistence by spreading the open-source tool Sliver and their unique custom malware, DTrack, to other hosts via Server Message Block (SMB) protocol.
These remote tools continued to communicate with their command-and-control (C2) server until early September. This ultimately led to the deployment of Play ransomware.
Threat actors had access to the network between May-September 2024. Figure 1 shows an overview of the events from this time frame.
Attack Lifecycle - Timeline of Events
We observed the earliest signs of unauthorized activity at the end of May 2024. A compromised user account accessed a particular host through a firewall device. Partial registry dumps on the host indicate possible use of Impacket's credential harvesting module, secretsdump.py.
Attackers copied files associated with the Sliver and DTrack malware family to various hosts using the compromised account over SMB, with the following commands:
cmd /c net use \\<Internal IP>\C$ <Account Password> /user:<Network Domain>\<Account Username> cmd /c copy <Path to malware> \\<Internal IP>\C$\<Path to malware> |
DTrack execution was blocked by the endpoint detection and response (EDR) solution. However, we did observe Sliver beaconing activity spanning multiple days until early September 2024, with quiet periods in July and sporadically on other days.
In early September, an unidentified threat actor entered the network through the same compromised user account used by Jumpy Pisces. They carried out pre-ransomware activities including credential harvesting, privilege escalation and the uninstallation of EDR sensors, which eventually led to the deployment of Play ransomware.
Threat Actor Tooling
We observed the following tools and malware during the attack timeline up to the day before the attackers deployed the ransomware. Note that some of the suspicious files observed did not successfully execute, or were not recoverable at the time of investigation.
All the above-mentioned files were signed using a couple of invalid certificates that we note in the Indicators of Compromise section of this article. These certificates, previously linked to Jumpy Pisces, enabled the files to impersonate ones created by legitimate entities.
Assessment of Jumpy Pisces - Play Ransomware Collaboration
We assess with moderate confidence a degree of collaboration between Jumpy Pisces and Play Ransomware in this incident, based on the following factors:
Conclusion
It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB by selling network access to Play ransomware actors. If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB.
Either way, this incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network. This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally.
Palo Alto Networks Protection and Mitigation
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Indicators of Compromise
SHA256 Hashes
Sliver C2 Server Information
Code Signing Certificate Details
Additional Resources