A North Korean-backed hacking group has engaged in a ransomware campaign for the first time, according to Palo Alto Networks.
Jumpy Pisces, a hacking group tied to the Reconnaissance General Bureau of the Korean People's Army, has been involved in a recent ransomware incident, according to a new report by Palo Alto’s threat intelligence team, Unit 42, published on October 30.
This marks a shift in the nation-state group’s tactics and the first time it has been observed working alongside financially motivated cyber threat actors.
Jumpy Pisces and Play Collaboration
In early September 2024, Unit 42 engaged in incident response services for a client impacted by Play ransomware.
First detected in 2022, Play is now one of the most active ransomware gangs. Palo Alto tracks this group as Fiddling Scorpius.
Upon investigation, Unit 42 observed the earliest signs of unauthorized activity at the end of May 2024. The researchers assessed with high confidence that it came from Jumpy Pisces, with the group gaining initial access via a compromised user account.
The North Korean group carried out lateral movement and maintained persistence by spreading the open-source Sliver C2 framework and its own custom malware, DTrack, to other hosts over the Server Message Block (SMB) protocol.
These tools kept communicating with Jumpy Pisces’ command-and-control (C2) server until early September, which ultimately led to the deployment of Play ransomware.
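The lateral-movement step described above (copying tooling to other hosts over SMB) leaves a distinctive trace on the receiving host: a remote account writing executables into an administrative share. The following is an added detection example written for this article, not code from Unit 42 or Palo Alto Networks; the host names, addresses, user name and event records are constructed, shaped like the fields of Windows Security event 5145 (detailed file share access) as a SIEM would normalise them, and it assumes that event auditing is enabled on the endpoints.

```python
"""Flag remote writes of executables to Windows admin shares (SMB lateral tool transfer)."""
import re
from collections import defaultdict

# Bits of the Windows file access mask that mean "write":
# FILE_WRITE_DATA / FILE_ADD_FILE (0x2) and FILE_APPEND_DATA (0x4).
WRITE_BITS = 0x2 | 0x4
# Payload types commonly staged on a host before remote execution.
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".sys")
# Administrative shares: ADMIN$ and drive shares such as C$ or D$.
ADMIN_SHARE_RE = re.compile(r"^(ADMIN\$|[A-Za-z]\$)$")

# Constructed sample records (hypothetical hosts, addresses and user), not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "HOST-A", "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "svchost_update.exe", "AccessMask": "0x2"},
    {"Computer": "HOST-B", "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\agent.dll", "AccessMask": "0x6"},
    {"Computer": "HOST-A", "IpAddress": "10.0.0.9", "SubjectUserName": "asmith",
     "ShareName": "\\\\*\\Public", "RelativeTargetName": "reports\\q3.docx", "AccessMask": "0x2"},
    {"Computer": "HOST-C", "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "readme.txt", "AccessMask": "0x2"},
    {"Computer": "HOST-D", "IpAddress": "10.0.0.12", "SubjectUserName": "backup",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "tool.exe", "AccessMask": "0x80"},
]


def share_basename(share_name: str) -> str:
    """Reduce '\\\\*\\ADMIN$' (or '\\\\server\\C$') to the bare share name."""
    return share_name.rstrip("\\").rsplit("\\", 1)[-1]


def suspicious_share_writes(events):
    """Return one alert per event that writes an executable into an admin share."""
    alerts = []
    for ev in events:
        share = share_basename(ev["ShareName"])
        mask = int(ev["AccessMask"], 16)  # AccessMask is logged as a hex string
        target = ev["RelativeTargetName"].lower()
        if ADMIN_SHARE_RE.match(share) and (mask & WRITE_BITS) and target.endswith(EXEC_SUFFIXES):
            alerts.append({
                "source_ip": ev["IpAddress"],
                "dest_host": ev["Computer"],
                "user": ev["SubjectUserName"],
                "share": share,
                "file": ev["RelativeTargetName"],
            })
    return alerts


def fan_out(alerts, threshold: int = 2):
    """Group alerts by source address; a single source dropping binaries on
    several hosts is the spreading pattern worth escalating first."""
    hosts = defaultdict(set)
    for alert in alerts:
        hosts[alert["source_ip"]].add(alert["dest_host"])
    return {src: sorted(dests) for src, dests in hosts.items() if len(dests) >= threshold}


if __name__ == "__main__":
    found = suspicious_share_writes(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['source_ip']} wrote {alert['file']} to {alert['share']} on {alert['dest_host']} as {alert['user']}")
    for src, dests in fan_out(found).items():
        print(f"fan-out from {src}: {', '.join(dests)}")
```

Of the five constructed records, only the first two match all three conditions (admin share, write access bit, executable suffix), and both come from the same source address, so the fan-out view surfaces that one account as the spreading host. Benign exceptions (software deployment servers, backup agents) should be allow-listed by source address and account rather than by weakening the rule.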