Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

2022-04-27 Symantec

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage


Symantec reported that the North Korea-linked Stonefly group continued espionage operations against high-value engineering targets, especially organizations holding intellectual property with civilian and military applications. In a February 2022 intrusion against an engineering firm working in the energy and military sectors, the attackers likely exploited Log4j on a public-facing VMware View server, then moved on to 18 additional systems. The activity used updated Backdoor.Preft/Dtrack tooling; PuTTY PSCP and WinSCP, likely for file transfer; and Mimikatz, 3proxy, Invoke-TheHash and Impacket wmiexec.py for credential theft, proxying and lateral movement. The report matters because it shows Stonefly maintaining a selective North Korean espionage focus on sensitive technology while combining custom malware with public administration and post-exploitation tools.
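One way to hunt for the Impacket wmiexec.py lateral movement the report names, as an added Python example that is not Symantec's code: it checks Sysmon-style process-creation events for wmiexec's default pattern of WmiPrvSE.exe spawning `cmd.exe /Q /c` with output redirected to `\\127.0.0.1\ADMIN$\__<timestamp>`. The sample events are constructed, not taken from the intrusion.

```python
import re

# Constructed sample events in Sysmon Event ID 1 style (not from the report).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1650000000.12 2>&1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ipconfig"},
]

# wmiexec.py's default output file: the ADMIN$ share on loopback, named "__" + time.time().
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.IGNORECASE
)


def classify(event: dict) -> list:
    """Return the wmiexec-style indicators matched by one process-creation event."""
    hits = []
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    # WMI provider host spawning a shell is the core wmiexec signal;
    # legitimate WMI automation can do this too, so it is a weak hit alone.
    if parent.endswith("\\wmiprvse.exe") and image.endswith("\\cmd.exe"):
        hits.append("cmd_spawned_by_wmiprvse")
        if re.search(r"\s/q\s+/c\s", cmdline, re.IGNORECASE):
            hits.append("quiet_cmd_flags")
    # Output redirected into the ADMIN$ share is highly specific to wmiexec.
    if WMIEXEC_REDIRECT.search(cmdline):
        hits.append("admin_share_output_redirect")
    return hits


def scan(events) -> list:
    """Return (index, indicators) for every event that matched at least once."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Tune the parent/child rule to your environment before alerting on it alone; the ADMIN$ redirect is the indicator worth paging on.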

Indicators of Compromise

