Onyx Sleet

Threat Actor Profile (updated 2 months ago)
Onyx Sleet is a North Korean nation-state threat actor tracked by Microsoft, which formerly tracked it under the name PLUTONIUM; other vendors' overlapping clusters, notably Andariel, are listed below. It is commonly placed under the Lazarus Group umbrella and primarily targets defense and IT services organizations in South Korea, the United States, and India.

In October 2023, Microsoft Threat Intelligence reported that Onyx Sleet and Diamond Sleet, another North Korean actor, were exploiting CVE-2023-42793, an authentication bypass affecting multiple versions of the JetBrains TeamCity CI/CD server that permits unauthenticated remote code execution and therefore full administrative control of the build server. Although both groups used the same initial-access vulnerability, each followed it with its own distinct set of post-exploitation tools and techniques. In the Onyx Sleet intrusions, the attackers created a new user account named krtbgt on the compromised system, a lookalike of the built-in KRBTGT account (the Kerberos Key Distribution Center service account), evidently so that the new account would blend in with legitimate Windows accounts. For defenders, account creations whose names differ from KRBTGT or other built-in privileged accounts by only a character or two are therefore worth alerting on.

Microsoft attributed the TeamCity activity to both Onyx Sleet and Diamond Sleet and tied it to the broader Lazarus Group. Researchers have also found overlaps between Onyx Sleet activity and Operation Blacksmith, a Lazarus-linked campaign that exploited the Log4j vulnerability (Log4Shell) to deploy DLang-based malware, which further connects the group to North Korean collection priorities in defense, politics, national security, and research and development. Onyx Sleet's activity is thus a significant component of the ongoing cyber threat posed by North Korean state actors.
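To make the KRBTGT-lookalike indicator concrete, here is an added detection sketch; it is not code from Microsoft or from this profile. It scans parsed Windows Security event 4720 (user account created) records for account names within a small edit distance of KRBTGT or other built-in privileged names, using an edit distance that counts an adjacent transposition (krtbgt versus krbtgt) as a single edit. The record field names (EventID, Computer, SubjectUserName, TargetUserName) follow the event's XML fields; the sample records, the creating account svc_build and the host DC01.corp.example are constructed for the example.

```python
"""Flag newly created Windows accounts whose names mimic KRBTGT or other built-in names.

Added illustration, not code from Microsoft or this page. Input is a constructed list
of parsed Security event 4720 records; field names follow the event's XML schema.
"""
from dataclasses import dataclass

# Built-in privileged names an intruder may imitate (assumption: extend for your domain).
SENSITIVE_NAMES = ("krbtgt", "administrator")
# Maximum edit distance to treat a new name as a lookalike.
MAX_DISTANCE = 2


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    a, b = a.lower(), b.lower()
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            # Adjacent transposition, e.g. "krtbgt" -> "krbtgt" counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


@dataclass
class Finding:
    new_account: str
    mimics: str
    distance: int
    created_by: str
    host: str


def lookalike_accounts(events):
    """Return a Finding for every 4720 event whose new account name is near a sensitive name."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4720:          # only "user account was created"
            continue
        name = ev["TargetUserName"]
        for sensitive in SENSITIVE_NAMES:
            if name.lower() == sensitive:      # the genuine built-in account is not a lookalike
                continue
            dist = damerau_levenshtein(name, sensitive)
            if dist <= MAX_DISTANCE:
                findings.append(Finding(name, sensitive, dist,
                                        ev["SubjectUserName"], ev["Computer"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01.corp.example", "SubjectUserName": "svc_build", "TargetUserName": "krtbgt"},
    {"EventID": 4720, "Computer": "DC01.corp.example", "SubjectUserName": "helpdesk", "TargetUserName": "jsmith"},
    {"EventID": 4720, "Computer": "DC01.corp.example", "SubjectUserName": "helpdesk", "TargetUserName": "Administrat0r"},
    {"EventID": 4726, "Computer": "DC01.corp.example", "SubjectUserName": "helpdesk", "TargetUserName": "krbtgt"},
]

if __name__ == "__main__":
    for f in lookalike_accounts(SAMPLE_EVENTS):
        print(f"{f.host}: {f.created_by} created '{f.new_account}' "
              f"(distance {f.distance} from {f.mimics})")
```

On the constructed input this reports krtbgt (one transposition from krbtgt) and Administrat0r (one substitution from administrator) and ignores the legitimate jsmith creation and the 4726 deletion event. In production the same comparison belongs in the SIEM rule for event 4720 (and 4741 for computer accounts), with the creating subject and host carried into the alert so that a build-server service account creating domain users stands out.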
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description

Diamond Sleet (4 votes): Diamond Sleet, a North Korea-linked Advanced Persistent Threat (APT), has been identified as a significant threat actor in the cybersecurity landscape. This group is known for its sophisticated supply chain attacks, specifically leveraging CyberLink software to execute their malicious activities. Th

Andariel (4 votes): Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res

Plutonium (2 votes): Plutonium, a threat actor with potentially global implications, has been involved in several critical incidents. The group's activities have been traced back to the 1960s when alleged Israeli scientists visited NUMEC, claiming to obtain plutonium-238 for non-nuclear projects. The lack of stringent r
(Note: this description concerns the nuclear material, not the PLUTONIUM name that Microsoft formerly used for Onyx Sleet, which is the overlap relevant to this profile.)

Labyrinth Chollima (1 vote): Labyrinth Chollima, a threat actor linked to North Korea, has been involved in numerous malicious activities since 2009. Tracked by CrowdStrike and other cybersecurity organizations, Labyrinth Chollima is part of the Lazarus Group, known for stealthy attacks targeting various industries such as acad

Silent Chollima (1 vote): Silent Chollima, a North Korea-nexus threat actor, is known for its malicious cyber activities. The group, which is part of the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency, has been associated with other groups such as Lazarus,

DarkSeoul (1 vote): DarkSeoul, also known as Onyx Sleet, Plutonium, and Andariel, is a threat actor group believed to be associated with the 110th Research Center. This group has been active since at least 2013, when it launched the DarkSeoul campaign, resulting in significant damage to thousands of systems in the fina

Blacksmith (1 vote): In the context of this profile, Operation Blacksmith is the Lazarus-linked campaign that exploited the Log4j vulnerability to deploy DLang-based malware (see the source documents below). The aggregated description here instead refers to the unrelated Blacksmith Rowhammer attack, first presented in 2021 by researchers who showed that bit-flip failures can still be induced with RowHammer protections in place, thereby bypassing those mitigations. The campaign employed at least three ne
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Teamcity, Microsoft, Vulnerability, Korean, Remote Code ..., RCE (Remote ..., Espionage, Proxy, Ransomware, Apt, Russia, Backdoor, Blacksmith, Operation Bl..., State Sponso...
Associated Malware
ID | Type | Votes | Profile Description

Forest (type: Unspecified, 1 vote): The "Forest" entry describes the Golden Ticket technique rather than a named malware family. A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) that grants domain-wide access; the forged TGT is used to obtain service tickets (TGS) for resources across the entire domain and, by abusing SID History, across the Active Directory (AD) forest. The malw
Associated Threat Actors
ID | Type | Votes | Profile Description

Lazarus Group (type: Unspecified, 3 votes): The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-

ZINC (type: Unspecified, 2 votes): Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been actively involved in cyberattacks on global media, defense, and IT industries. Microsoft's Threat Intelligence Center has been tracking the group's activities, which have included weaponizing open-source softw

Ruby Sleet (type: Unspecified, 1 vote): Ruby Sleet, also known as Ricochet Chollima and CERIUM, is a North Korean threat actor that has been actively targeting governmental and defense sectors across several countries. According to a Microsoft report, from November 2022 to January 2023, Ruby Sleet, in conjunction with another threat actor

Cerium (type: Unspecified, 1 vote): None
Associated Vulnerabilities
ID | Type | Votes | Profile Description

CVE-2023-42793 (type: has used, 5 votes): CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre

HazyLoad (type: Unspecified, 1 vote): HazyLoad is not itself a vulnerability but a custom proxy implant that Andariel deployed after exploiting the Log4j flaw. It establishes a direct connection with infected systems, removing the need to re-exploit Log4j, and allows the attackers to maintain persistence in the system
Source Document References
Information about the Onyx Sleet threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 2 months ago | Asian Threat Actors Use New Techniques to Attack Familiar Targets
CERT-EU | 5 months ago | JetBrains patches new TeamCity authentication bypass bugs
DARKReading | 7 months ago | Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare
BankInfoSecurity | 7 months ago | Lazarus Exploits Log4Shell to Deploy Telegram-Based Malware
CERT-EU | 7 months ago | Lazarus Group continues to exploit Log4j flaw in latest campaign
Securityaffairs | 7 months ago | Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU | 7 months ago | North Korean hacking ops continue to exploit Log4Shell
CERT-EU | 7 months ago | Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
Securityaffairs | 9 months ago | North Korea-linked APT groups actively exploit JetBrains TeamCity flaw - Security Affairs
CERT-EU | 9 months ago | Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw
CERT-EU | 9 months ago | North Korean Hackers Exploiting Critical Flaw in DevOps Tool
BankInfoSecurity | 9 months ago | North Korean Hackers Exploiting Critical Flaw in DevOps Tool
CERT-EU | 10 months ago | North Korea ramps up intelligence-gathering cyberattacks
CERT-EU | 9 months ago | North Korean hackers exploit critical TeamCity flaw to breach networks
Securityaffairs | 8 months ago | North Korea-linked APT Diamond Sleet supply chain attack relies on CyberLink software
CERT-EU | 9 months ago | The latest cyberattacks (24 October 2023)
CERT-EU | 9 months ago | Cisco finally patches IOS XE after six days of zero day hits
CERT-EU | 9 months ago | Cyber Security Week in Review: October 20, 2023
CERT-EU | 9 months ago | North Korean hackers targeting TeamCity vulnerability
CERT-EU | 9 months ago | North Korean hackers are targeting software developers and impersonating IT workers - Help Net Security