Friday, February 14, 2025

North Korean Hackers Targeting Healthcare to Fund for Malicious Activities


The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a new joint cybersecurity advisory detailing recently observed tactics, techniques, and procedures (TTPs) used in North Korean state-sponsored ransomware operations.

These operations have targeted the Healthcare and Public Health (HPH) sector and other critical infrastructure sectors, highlighting the ongoing threat these actors pose.

The advisory was compiled jointly by several agencies; the co-authoring agencies are:-

  • NSA
  • FBI
  • CISA
  • U.S. Department of Health and Human Services (HHS)
  • Republic of Korea National Intelligence Service (NIS)
  • Republic of Korea Defense Security Agency (DSA)

The funds extorted in this way are believed to support the national objectives and priorities of the North Korean government.

According to the advisory, North Korean actors have not only used privately developed ransomware against healthcare systems in South Korea and the United States but have also deployed about a dozen other publicly available file-encrypting malware strains.

The advisory serves as a wake-up call for healthcare organizations to strengthen their defenses and stay aware of the evolving tactics these actors use.

Hackers Targeting Healthcare

North Korean threat actors follow a set methodology for acquiring the infrastructure needed for their attacks: they generate fake domains, personas, and accounts, and pay for infrastructure with cryptocurrency obtained through illicit means.

They often rely on foreign intermediaries to help obscure the trail of the money they have made.

The actors conceal their true origin and location by using virtual private networks (VPNs) and virtual private servers (VPSs), or by routing their activity through third-party IP addresses. This makes it difficult for investigators and defenders to trace an attack to its source and attribute it to the individuals or groups behind it.

Initial access is gained by exploiting known vulnerabilities (common vulnerabilities and exposures, CVEs) in exposed systems; the same exploits are then used to escalate privileges within the target network before the actors move on to their objectives.

Flaws exploited:-

Once inside a target network, the actors carry out extensive reconnaissance and lateral movement to gather information and expand their presence, executing shell commands and deploying additional payloads along the way.

Observable TTPs

The TTPs observed by the authoring agencies are:-

  • Acquire Infrastructure
  • Obfuscate Identity
  • Purchase VPNs
  • Purchase VPSs
  • Gain Access
  • Move Laterally and Conduct Discovery
  • Employ Various Ransomware Tools
  • Demand Ransom in Cryptocurrency

Mitigations

The mitigations recommended in the advisory are:-

  • Limit access to data by authenticating and encrypting connections (for example, TLS and VPN connections to network services, IoT medical devices, and the electronic health record system).
  • On internal systems, use standard user accounts instead of administrative accounts, in accordance with the principle of least privilege.
  • Turn off weak or unnecessary network device management interfaces.
  • Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when stored, for example through cryptography.
  • Collect, store, and process personally identifiable information (PII) securely.
  • Implement and enforce a multilayer network segmentation strategy.
  • Monitor IoT devices for anomalous behavior that could indicate compromise.
  • Maintain regular backups and test the ability to restore from them.
  • Develop, maintain, and exercise an incident response and communications plan for cyber incidents.
  • Keep operating systems, software, and firmware updated as soon as patches are released.
  • Secure and monitor RDP and any other potentially risky service in use.
  • Educate users on the risks of phishing and run phishing exercises.
  • Require phishing-resistant MFA for as many services as possible.
  • Use strong, unique passwords.
  • Require administrator credentials to install software.
  • Audit every user account with elevated or administrative privileges.
  • Install antivirus and antimalware software on all hosts and keep it updated.
  • Only use secure networks and avoid public Wi-Fi.
  • Consider adding a banner to emails received from outside the organization.
  • Take advantage of CISA's Automated Indicator Sharing (AIS) program, which is free to all participants.
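Two of the items above, monitoring RDP and auditing accounts with elevated privileges, together with the shell-command activity that follows initial access described earlier, can be turned into simple detection logic. The Python script below is an added example written for this article; it is not code from CISA or the advisory. It runs over a handful of constructed, Windows-style logon (Event ID 4624) and process-creation (Event ID 4688) events whose hosts, users, and addresses are hypothetical, and the internal address ranges and privileged-account list are assumptions an organization would replace with its own inventory.

```python
"""
Toy detection pass for the RDP-monitoring and privileged-account mitigations.

All events below are CONSTRUCTED for this example. They loosely mimic
Windows Security log fields (Event ID 4624 logon, Event ID 4688 process
creation) but are not real captures; hosts, users, and addresses are
hypothetical.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events, one per line, as space-separated key=value pairs.
SAMPLE_EVENTS = """\
ts=2023-02-09T03:12:04 id=4624 host=EHR-APP01 user=svc_backup logon_type=10 src=203.0.113.45
ts=2023-02-09T03:12:40 id=4688 host=EHR-APP01 user=svc_backup proc=C:\\Windows\\System32\\cmd.exe
ts=2023-02-09T03:13:10 id=4688 host=EHR-APP01 user=svc_backup proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ts=2023-02-09T08:01:00 id=4624 host=WS-0042 user=jdoe logon_type=2 src=-
ts=2023-02-09T08:05:22 id=4624 host=FILE01 user=helpdesk_admin logon_type=10 src=10.20.30.7
ts=2023-02-09T09:30:00 id=4624 host=WS-0042 user=jdoe logon_type=10 src=198.51.100.9
ts=2023-02-09T12:00:00 id=4688 host=WS-0042 user=jdoe proc=C:\\Windows\\System32\\notepad.exe
"""

# Assumptions an organization would replace with its own inventory.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVILEGED_ACCOUNTS = {"helpdesk_admin", "svc_backup", "domain_admin"}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # interactive shells
SHELL_WINDOW = timedelta(minutes=10)   # correlate shells this soon after a flagged logon
RDP_LOGON_TYPE = "10"                  # LogonType 10 = RemoteInteractive (RDP)


def parse_event(line):
    """Parse one 'k=v k=v ...' line into a dict with a datetime timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_external(ip):
    """True when the source address is not inside any internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # '-' or a missing source address
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return alerts as (rule, user, host, timestamp) tuples, in event order."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    flagged_logons = []   # (ts, host, user) of RDP logons worth following up

    for ev in events:
        if ev["id"] == "4624" and ev.get("logon_type") == RDP_LOGON_TYPE:
            hit = False
            if is_external(ev["src"]):          # RDP from outside the internal ranges
                alerts.append(("external_rdp", ev["user"], ev["host"], ev["ts"]))
                hit = True
            if ev["user"] in PRIVILEGED_ACCOUNTS:  # elevated account used over RDP
                alerts.append(("privileged_rdp", ev["user"], ev["host"], ev["ts"]))
                hit = True
            if hit:
                flagged_logons.append((ev["ts"], ev["host"], ev["user"]))
        elif ev["id"] == "4688":
            image = ev["proc"].rsplit("\\", 1)[-1].lower()
            if image not in SHELLS:
                continue
            # A shell launched soon after a flagged logon by the same user on
            # the same host is the hands-on-keyboard pattern described above.
            for ts, host, user in flagged_logons:
                if (host == ev["host"] and user == ev["user"]
                        and timedelta(0) <= ev["ts"] - ts <= SHELL_WINDOW):
                    alerts.append(("post_logon_shell", ev["user"], ev["host"], ev["ts"]))
                    break
    return alerts


if __name__ == "__main__":
    for rule, user, host, ts in detect(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<17} {user}@{host}")
```

On the constructed input the script raises six alerts: the service account logging in over RDP from an address outside the internal ranges, the same account being privileged, the two shells it launches within minutes, the helpdesk administrator using RDP, and a standard user logging in over RDP from outside. In production the events would come from a SIEM export rather than a string, the internal ranges would include any VPN concentrator pools so that legitimate remote staff are not flagged as external, and the privileged-account set would be generated from directory group membership rather than typed by hand.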


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
