North Korean Hackers Tied to Play Ransomware Operations to Evade Sanctions

North Korea's state-sponsored hacking group, Andariel, has been linked to the Play ransomware, potentially acting as an affiliate or initial access broker to circumvent international sanctions. Palo Alto Networks’ Unit 42 found evidence that Andariel had breached a network several months before the Play ransomware was deployed. Known to be associated with North Korea’s military intelligence, Andariel has previously engaged in cyber espionage and ransomware activities, including deploying Maui ransomware against targets in Asia. Unit 42's investigation of a September 2024 Play ransomware incident revealed that Andariel had gained access to the network through a compromised account, subsequently using tools like Mimikatz for credential theft and Sliver for command and control. They also deployed DTrack malware to solidify control, removed security defenses, and only months later, executed Play ransomware. The researchers believe the same actors handled both the initial breach and the ransomware deployment, as they observed overlapping accounts, lateral movements, and tool usage, though they are unsure if Andariel was directly affiliated with Play or simply sold access. By acting as initial access brokers or affiliates in Ransomware-as-a-Service models, North Korean groups avoid direct sanctions, a tactic similarly employed by Russian and Iranian threat actors under sanctions. Read more...