Onyx Sleet

Threat Actor updated 13 days ago (2024-11-08T12:35:08.111Z)
Download STIX
Preview STIX
Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activities. The group has consistently used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting their tradecraft is effective. Notably, Onyx Sleet has recently shifted from spear-phishing to exploiting vulnerabilities for initial access, highlighting their adaptability. In October 2023, researchers at Microsoft revealed that North Korean nation-state threat actors, including Onyx Sleet, were exploiting a remote code execution vulnerability affecting multiple versions of the JetBrains TeamCity server. This exploit, tracked as CVE-2023-42793, allowed the threat actors to gain administrative control of servers. This marked a significant escalation in their activities, demonstrating their ability to exploit critical infrastructure vulnerabilities. Despite facing an indictment and a $10 million bounty from the US Department of Justice, Onyx Sleet continues its operations unabated. They have been involved in ransomware attacks on US healthcare entities, ostensibly to fund their campaigns. Entities associated with various industries are advised to remain vigilant in defending their networks from these state-sponsored cyber operations. The persistent and evolving threat posed by Onyx Sleet underscores the need for robust cybersecurity measures and constant vigilance.
Description last updated: 2024-10-30T16:03:22.784Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Andariel is a possible alias for Onyx Sleet. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som
6
Diamond Sleet is a possible alias for Onyx Sleet. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
4
Plutonium is a possible alias for Onyx Sleet. Plutonium, also known as Jumpy Pisces and Andariel, is a notable threat actor historically involved in cyberespionage, financial crime, and ransomware attacks. Recent reports have revealed that advanced persistent threats (APTs) backed by Plutonium have been breaching the Sellafield's IT systems, wh
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Teamcity
Microsoft
State Sponso...
Vulnerability
Ransomware
Remote Code ...
Korean
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with Onyx Sleet. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North KUnspecified
3
The ZINC Threat Actor is associated with Onyx Sleet. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campaUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-42793 Vulnerability is associated with Onyx Sleet. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurrehas used
5
Source Document References
Information about the Onyx Sleet Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
22 days ago
DARKReading
2 months ago
Unit42
2 months ago
DARKReading
4 months ago
CISA
4 months ago
DARKReading
6 months ago
CERT-EU
9 months ago
DARKReading
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago