Moonstone Sleet: Unmasking North Korea’s New Cyber Threat

A relatively new North Korean cyber group known as Moonstone Sleet has recently been identified as responsible for attacks on organizations in the software, information technology, education, and defense industrial base sectors, using ransomware and other types of malware.

According to a new analysis by Microsoft Threat Intelligence, Moonstone Sleet creates fake companies and job openings to deceive its victims. The group distributes trojanized versions of legitimate tools, develops malicious games, and actively deploys ransomware.

In its attacks, Moonstone Sleet combines tradecraft shared with other North Korean hacking groups with techniques that are unique to it.

Initially tracked under the codename Storm-1789, the group showed some tactical overlap with the Lazarus Group but later distinguished itself as a separate entity with its own infrastructure and methods.

Moonstone Sleet reuses code from already known malware, such as Comebacker, first spotted in January 2021. The group also frequently distributes a trojanized build of the PuTTY SSH client and approaches its targets through freelance platforms and the social network LinkedIn.
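A trojanized PuTTY is only useful to the attacker if the victim does not check who signed it. The following PowerShell script is an added example, not code from the original article or from Microsoft's report: it audits PuTTY-family executables on a Windows host, verifies their Authenticode signatures, and flags any binary that is unsigned, fails validation, or is signed by someone other than the expected publisher. The search paths and the expected signer string are assumptions for illustration; replace them with the paths relevant to your environment and the signer subject you have confirmed from a known-good download.

```powershell
# Added example (not from the original article or Microsoft's report):
# audit PuTTY-family binaries and flag unsigned, invalid, or unexpectedly signed copies.
param(
    # Assumption: typical locations where a user might have saved or installed PuTTY.
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:ProgramFiles\PuTTY"),
    # Assumption: substring expected in the signer certificate subject of a genuine build.
    # Verify this against a known-good download before relying on it.
    [string]$ExpectedSignerPattern = 'Simon Tatham'
)

# Collect candidate binaries by file name; a trojanized copy keeps the legitimate name.
$targets = Get-ChildItem -Path $Paths -Recurse -File `
    -Include 'putty*.exe', 'pscp.exe', 'psftp.exe', 'plink.exe', 'pageant.exe' `
    -ErrorAction SilentlyContinue

foreach ($file in $targets) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Any status other than Valid (NotSigned, HashMismatch, UnknownError, ...) is suspect,
    # as is a valid signature from a signer other than the expected publisher.
    $verdict = if ($sig.Status -ne 'Valid') {
        "SUSPECT: signature status $($sig.Status)"
    } elseif ($subject -notmatch [regex]::Escape($ExpectedSignerPattern)) {
        'SUSPECT: unexpected signer'
    } else {
        'ok'
    }

    # Emit one record per file so the output can be piped to Export-Csv or a SIEM forwarder.
    [pscustomobject]@{
        Path    = $file.FullName
        SHA256  = $hash
        Status  = $sig.Status
        Signer  = $subject
        Verdict = $verdict
    }
}
```

Run it as `.\Check-Putty.ps1 | Where-Object Verdict -ne 'ok'` to see only the suspect files. The SHA-256 is included so that a flagged sample can be compared against the hashes published in vendor reporting; the script itself pins no hashes, because a signer check survives legitimate version updates while a hash allowlist does not.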

To achieve their goals, Moonstone Sleet hackers employ a range of strategies based on social engineering methods:

  • Infiltrating large companies as software developers to gain access to their internal infrastructure;
  • Creating fake companies, conducting fake interviews with developers, and holding online meetings with investors;
  • Entering into partnership agreements to gain access to the networks of companies in critical infrastructure sectors.

In April of this year, Moonstone Sleet deployed a new ransomware variant, FakePenny, against an unnamed defense technology company.

Microsoft emphasizes the need for defensive measures against Moonstone Sleet and warns that the group's targeting of software companies could enable supply chain attacks. Meanwhile, North Korean hackers continue to adapt their methods to achieve their cyber goals.