Stonefly: Extortion Attacks Continue Against U.S. Targets
Summary:
On July 25, 2024, Rim Jong Hyok, an alleged member of the North Korean threat group Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet), was indicted by the U.S. Justice Department for his involvement in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide.
Despite the indictment, Symantec reports that it uncovered Stonefly intrusions at three different U.S. organizations in August 2024, only a month after the Justice Department's disclosure. Stonefly did not succeed in deploying ransomware in these attacks, but Symantec attributed them to the group because of the deployment of its custom backdoor Preft (aka Dtrack, Valefor). Preft can download and upload files, execute commands, and fetch additional plugins (executable files, VBS, BAT, and shellcode). Symantec also observed several other known Stonefly IOCs, including a fake Tableau code-signing certificate previously documented by Microsoft, as well as two further certificates that appear to be unique to this campaign.
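The certificate detail above is the part a defender can act on immediately: a forged vendor certificate does not chain to a trusted root, so binaries signed with it show a non-Valid Authenticode status on the host. The script below is an added hunting example written for this summary; it is not code from Symantec, Microsoft, or the Stonefly write-up. It walks a set of directories, checks each executable's signer, and flags files whose signer subject matches a watch-listed string (here "Tableau") while the signature is not trusted, or whose certificate thumbprint is on a known-bad list. The $BadThumbprints list is an empty placeholder to be filled from the vendor IOC feed; the default paths are assumptions about where dropped payloads tend to land.

```powershell
<#
  Added hunting example (not from the original advisory or vendor write-ups).
  Flags signed PE files whose signer looks like a forged vendor certificate:
    - signer subject contains a watch-listed string AND the chain is not trusted, or
    - signer thumbprint is on a known-bad list supplied by the operator.
#>
param(
    # Assumed drop locations; adjust to the environment being swept.
    [string[]]$Paths = @("$env:ProgramData", "$env:TEMP", "$env:PUBLIC"),
    # Subject substrings worth a closer look (the page mentions a fake Tableau certificate).
    [string[]]$SuspiciousSubjects = @('Tableau'),
    # Placeholder: SHA-1 thumbprints taken from the published IOC list.
    [string[]]$BadThumbprints = @()
)

$results = foreach ($root in $Paths) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            # Unsigned files are a different hunt; this one is about forged signers.
            if ($null -eq $sig.SignerCertificate) { return }

            $subject = $sig.SignerCertificate.Subject
            $thumb   = $sig.SignerCertificate.Thumbprint
            $subjectHit = @($SuspiciousSubjects | Where-Object { $subject -like "*$_*" }).Count -gt 0
            $thumbHit   = $BadThumbprints -contains $thumb

            # A genuine vendor binary validates to 'Valid'. A self-signed or forged
            # certificate typically yields 'NotTrusted' or 'UnknownError'.
            if ($thumbHit -or ($subjectHit -and $sig.Status -ne 'Valid')) {
                [pscustomobject]@{
                    Path       = $file.FullName
                    Status     = $sig.Status
                    Subject    = $subject
                    Thumbprint = $thumb
                    Reason     = if ($thumbHit) { 'Known-bad thumbprint' } else { 'Watch-listed subject, untrusted chain' }
                }
            }
        }
}

$results | Sort-Object Path | Format-Table -AutoSize
```

Run it as an elevated user so that protected directories are readable, and treat a Valid-status hit on a watch-listed subject as a prompt to compare the thumbprint against the vendor's real certificate rather than as an automatic clean result, since the status check alone cannot distinguish a legitimately purchased certificate from the vendor's own.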
Security Officer Comments:
The victims of the August intrusions were private companies in lines of business with no obvious intelligence value, which indicates that the motive of this campaign was financial gain. Since 2019, Stonefly has focused mainly on espionage against high-value targets, especially organizations that hold classified or highly sensitive information or intellectual property. Other North Korean groups have deployed ransomware and cryptominers to raise illicit funds, but researchers note that Stonefly's move into financially motivated attacks is a relatively recent development.
Suggested Corrections:
Recommendations from Microsoft for defending against Stonefly attacks:
IOCs for the latest campaign are listed in the Symantec write-up linked below.
Link(s):
https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion