Onyx Sleet

Threat Actor updated 25 days ago (2024-10-03T03:00:58.799Z)

Download STIX

Preview STIX

Onyx Sleet, a threat actor also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This group, based in Pyongyang and Sinuiju, has been associated with various malicious activities including cyber espionage and ransomware attacks. The U.S. Federal Bureau of Investigation (FBI), along with other authoring partners, released a cybersecurity advisory to highlight this activity, indicating that entities involved in certain industries should remain vigilant against these state-sponsored cyber operations. The group's tactics, techniques, and procedures (TTPs) have remained consistent over time, suggesting they view their tradecraft as effective. Onyx Sleet has exploited multiple well-known vulnerabilities to gain initial access to target networks. In October 2023, Microsoft's Threat Intelligence Center reported that Onyx Sleet, along with another North Korean threat actor Diamond Sleet, were exploiting a remote code execution vulnerability affecting multiple versions of the JetBrains TeamCity server (CVE-2023-42793). This allowed them to perform a remote code execution attack and gain administrative control of servers. In addition to its cyber espionage activities, Onyx Sleet has also engaged in ransomware attacks on U.S. healthcare entities to fund its operations. Despite an indictment and a $10 million bounty from the U.S. Department of Justice, researchers at Symantec's Threat Hunter Team reported that Onyx Sleet continues its activities, likely to generate funds for the Kim Jong-Un regime. Microsoft observed a recent shift in Onyx Sleet's strategy, moving from spear-phishing to using vulnerability exploits to gain initial access.

Description last updated: 2024-10-03T02:16:35.946Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Andariel is a possible alias for Onyx Sleet. Andariel, also known as Jumpy Pisces, is a threat actor group primarily associated with cyberespionage and ransomware activities. The group has been linked to North Korea's Reconnaissance General Bureau and other APT groups such as Kimsuky and Onyx Sleet. Andariel has been noted for its aggressive t	6
Diamond Sleet is a possible alias for Onyx Sleet. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply	4
Plutonium is a possible alias for Onyx Sleet. Plutonium, a threat actor with potentially global implications, has been involved in several critical incidents. The group's activities have been traced back to the 1960s when alleged Israeli scientists visited NUMEC, claiming to obtain plutonium-238 for non-nuclear projects. The lack of stringent r	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Teamcity

Microsoft

State Sponso...

Vulnerability

Ransomware

Remote Code ...

Korean

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lazarus Group Threat Actor is associated with Onyx Sleet. The Lazarus Group, also known as Hidden Cobra and Guardians of Peace, is a notorious threat actor attributed to North Korea. Their activities date back several years, with significant exploits including the "FASTCash" ATM cash-out scheme warned about by the US-CERT in October 2018. More recently, th	Unspecified	3
The ZINC Threat Actor is associated with Onyx Sleet. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-42793 Vulnerability is associated with Onyx Sleet. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre	has used	5

Source Document References

Information about the Onyx Sleet Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	25 days ago	North Korea Profits as 'Stonefly' APT Swarms US Co's.
Unit42	2 months ago	Threat Assessment: North Korean Threat Groups
DARKReading	3 months ago	Feds Warn of North Korean Cyberattacks on US Critical Infrastructure
CISA	3 months ago	North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs \| CISA
DARKReading	5 months ago	Asian Threat Actors Use New Techniques to Attack Familiar Targets
CERT-EU	8 months ago	JetBrains patches new TeamCity authentication bypass bugs
DARKReading	10 months ago	Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare
BankInfoSecurity	10 months ago	Lazarus Exploits Log4Shell to Deploy Telegram-Based Malware
CERT-EU	a year ago	Lazarus Group continues to exploit Log4j flaw in latest campaign
Securityaffairs	a year ago	Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU	a year ago	North Korean hacking ops continue to exploit Log4Shell
CERT-EU	a year ago	Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
Securityaffairs	a year ago	North Korea-linked APT groups actively exploit JetBrains TeamCity flaw - Security Affairs
CERT-EU	a year ago	Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw
CERT-EU	a year ago	North Korean Hackers Exploiting Critical Flaw in DevOps Tool
BankInfoSecurity	a year ago	North Korean Hackers Exploiting Critical Flaw in DevOps Tool
CERT-EU	a year ago	North Korea ramps up intelligence-gathering cyberattacks
CERT-EU	a year ago	North Korean hackers exploit critical TeamCity flaw to breach networks
Securityaffairs	a year ago	North Korea-linked APT Diamond Sleet supply chain attack relies on CyberLink software
CERT-EU	a year ago	Les dernières cyberattaques (24 octobre 2023)