North Korean hackers pave the way for Play ransomware


North Korean state-sponsored hackers – Jumpy Pisces, aka Andariel, aka Onyx Sleet – have been spotted burrowing into enterprise systems, then seemingly handing matters over to the Play ransomware group.

The attack

The ransomware attack was investigated by Palo Alto Networks’ Unit 42 in September 2024. The researchers determined that the North Korean hackers:

  • Gained access to a host using a compromised user account
  • Moved laterally to other hosts via the SMB protocol
  • Maintained persistence via Sliver (an open-source Cobalt Strike alternative) and tried to install DTrack (custom malware that was ultimately blocked by the EDR)
  • Gathered system and network configurations, established RDP sessions via a newly created privileged user account on victim machines, used Mimikatz to dump credentials, and used a trojanized binary to steal browser data (history, autofill entries and credit card details)

“In early September, an unidentified threat actor entered the network through the same compromised user account used by Jumpy Pisces. They carried out pre-ransomware activities including credential harvesting, privilege escalation and the uninstallation of EDR sensors, which eventually led to the deployment of Play ransomware,” Unit 42 researchers explained.

The use of the same compromised account, the halt of Sliver C2 communication the day before ransomware deployment, and the use of specific tactics, techniques, and procedures (TTPs) point to “a degree of collaboration between Jumpy Pisces and Play Ransomware.”

But whether Jumpy Pisces has officially become an affiliate for Play ransomware or they simply acted as an initial access broker (IAB) is unclear.

“We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance,” the threat analysts concluded.
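The sequence described above (a freshly created account granted admin rights, then used for RDP, followed by removal of the EDR sensor) is exactly the kind of precursor chain a SOC can correlate before encryption starts. The Python below is an added example written for this page, not code from Unit 42 or from the article; the event records, host names, account names and the EDR product name are constructed sample data, and only the event IDs are real Windows Security IDs (4720 account created, 4732 member added to a security-enabled local group, 4624 logon with type 10 = RemoteInteractive/RDP, 4688 process creation).

```python
"""
Correlate Windows Security events for the intrusion pattern described in the
article: new account -> added to an admin group -> RDP logon as that account
-> EDR sensor removal on the same host. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, accounts and EDR product name).
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T10:05:00", "host": "FS01", "id": 4624, "user": "jdoe", "logon_type": 3},
    {"ts": "2024-09-02T10:07:00", "host": "FS01", "id": 4720, "user": "jdoe", "target": "svc_backup2"},
    {"ts": "2024-09-02T10:07:30", "host": "FS01", "id": 4732, "user": "jdoe",
     "target": "svc_backup2", "group": "Administrators"},
    {"ts": "2024-09-02T10:15:00", "host": "FS01", "id": 4624, "user": "svc_backup2", "logon_type": 10},
    {"ts": "2024-09-03T08:40:00", "host": "FS01", "id": 4688, "user": "svc_backup2",
     "cmdline": 'msiexec.exe /x "EDR Sensor" /quiet'},  # hypothetical EDR uninstall
    # Benign: helpdesk creates a normal user; no admin group, no RDP use.
    {"ts": "2024-09-02T11:00:00", "host": "WS17", "id": 4720, "user": "helpdesk", "target": "newhire"},
    {"ts": "2024-09-02T11:30:00", "host": "WS17", "id": 4624, "user": "newhire", "logon_type": 2},
]

ADMIN_GROUPS = {"Administrators", "Domain Admins"}
# Lower-case substrings that indicate an agent/service being removed (assumption).
EDR_REMOVAL_MARKERS = ("msiexec.exe /x", "uninstall", "sc delete")


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window=timedelta(hours=48)):
    """Return one finding per newly created account that, within `window` of
    its creation on the same host, is added to an admin group and then used
    for an RDP (logon type 10) session. If a process creation matching an
    EDR-removal marker follows on that host, the finding is escalated from
    'new_admin_rdp' to 'pre_ransomware'."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        for created in (e for e in evs if e["id"] == 4720):
            acct = created["target"]
            t0 = parse_ts(created["ts"])
            later = [e for e in evs if t0 <= parse_ts(e["ts"]) <= t0 + window]

            admin = any(e["id"] == 4732 and e.get("target") == acct
                        and e.get("group") in ADMIN_GROUPS for e in later)
            rdp = any(e["id"] == 4624 and e["user"] == acct
                      and e.get("logon_type") == 10 for e in later)
            if not (admin and rdp):
                continue  # a plain account creation is normal admin work

            edr_removed = any(e["id"] == 4688 and any(m in e.get("cmdline", "").lower()
                                                      for m in EDR_REMOVAL_MARKERS)
                              for e in later)
            findings.append({
                "host": host,
                "created_by": created["user"],
                "account": acct,
                "stage": "pre_ransomware" if edr_removed else "new_admin_rdp",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The window is deliberately generous: in the case above the EDR removal came from a second actor, roughly a day after the North Korean activity, so a rule keyed only to minutes would report the new admin account but miss the escalation. In production the same logic runs against 4720/4732/4624/4688 fed from a SIEM rather than the inline list.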

A trend in the making?

This is not the first time that security researchers have discovered state-sponsored hackers helping ransomware groups.

Earlier this year, US security agencies warned about Pioneer Kitten – an Iranian state-contracted cyber espionage group – serving as an initial access provider for NoEscape, RansomHouse, and ALPHV ransomware affiliates, and helping them “enable encryption operations in exchange for a percentage of the ransom payments.”

Microsoft has also noted in its recently released Digital Defense Report that the lines between nation-state and cybercriminal threat activity are becoming increasingly blurred, and that North Korean, Russian and Iranian state-sponsored threat actors are increasingly deploying ransomware for their own (and their states’) financial gain.
