Reconnaissance General Bureau

Threat Actor updated 13 days ago (2024-11-08T13:22:59.629Z)

Download STIX

Preview STIX

The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the BeagleBoyz and Jumpy Pisces, which are state-sponsored threat groups associated with the RGB. The RGB's activities have evolved over time, shifting from espionage to targeting private companies, particularly those with limited intelligence value. This shift was observed by Symantec researchers in August and has been attributed to groups linked to the RGB, such as StoneFly. Several advanced persistent threat (APT) groups associated with the RGB have been active since 2018, including financially motivated entities that weaponize fake crypto platforms for attacks. Among these groups is Citrine Sleet, also known as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra. This group, tracked within Bureau 121 of North Korea's RGB, was revealed by Microsoft in an August 30 blog post to have used CVE-2024-7971 in a campaign targeting crypto companies for financial gain. Other significant APT groups linked to the RGB include Kimsuky and Andariel, both of which have been involved in major hacking activities. The RGB's activities extend beyond cyberattacks and into illicit arms trade and ransomware incidents. For instance, an individual named Rim, who worked for the RGB, was indicted for participating in a conspiracy to target and hack computer networks of U.S. hospitals and other healthcare providers. The aim was to encrypt their electronic files, extort a ransom payment, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime. Court documents reveal that Rim and his co-conspirators, known in the private sector as 'Andariel,' 'Onyx Sleet,' and 'APT45,' laundered ransom payments through China-based facilitators. These funds were then used to purchase internet infrastructure for further hacking and exfiltration of sensitive defense and technology information from global entities.

Description last updated: 2024-10-30T16:02:48.149Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Andariel is a possible alias for Reconnaissance General Bureau. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som	6
Jumpy Pisces is a possible alias for Reconnaissance General Bureau. Jumpy Pisces, a North Korean state-sponsored malware group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it's the first recorded instance of such cooperation betwe	2
Kimsuky is a possible alias for Reconnaissance General Bureau. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activit	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

State Sponso...

Korean

Phishing

Apt

Exploit

Reconnaissance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lazarus Group Threat Actor is associated with Reconnaissance General Bureau. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Jumpy Vulnerability is associated with Reconnaissance General Bureau. Jumpy Pisces, a North Korean state-sponsored group, has been linked to a significant cybersecurity incident involving the Play ransomware group, also known as Fiddling Scorpius. This marks the first recorded collaboration between these two entities, raising concerns about an evolving threat landscap	Unspecified	2

Source Document References

Information about the Reconnaissance General Bureau Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	21 days ago	North Korean Hackers Collaborate with Play Ransomware
DARKReading	21 days ago	North Korea's Andariel Pivots to 'Play' Ransomware
Unit42	22 days ago	Jumpy Pisces Engages in Play Ransomware
BankInfoSecurity	2 months ago	Breach Roundup: AI 'Nudify' Sites Serve Malware
InfoSecurity-magazine	2 months ago	Stonefly Group Targets US Firms With New Malware Tools
DARKReading	2 months ago	Citrine Sleet Poisons PyPI Packages With Mac & Linux Malware
DARKReading	3 months ago	North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
BankInfoSecurity	3 months ago	North Korean Hackers Tied to Exploits of Chromium Zero-Day
Securityaffairs	4 months ago	North Korea-linked hackers target construction and machinery sectors with watering hole and supply chain attacks
DARKReading	4 months ago	US Offers $10M Reward for Information on North Korean Hacker
Flashpoint	4 months ago	COURT DOC: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers
InfoSecurity-magazine	7 months ago	North Korean Group Kimsuky Exploits DMARC and Web Beacons
CSO Online	2 years ago	APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
CERT-EU	a year ago	FBIs Most Wanted In CA: Suspected Spies, Hackers, Terrorists, Killers \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Cyber Security Week In Review: December 29, 2023
CERT-EU	a year ago	S. Korea Sanctions 8 N. Koreans Over Arms Trade, Cyberattacks
CERT-EU	a year ago	North Korean hackers stole anti-aircraft system data from South Korean firm \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
BankInfoSecurity	a year ago	North Korean Hackers Steal South Korean Anti-Aircraft Data
CERT-EU	a year ago	US Govt’s OFAC Sanctions North Korea-based Kimsuky Hacking Group
CERT-EU	a year ago	Election watchdog's cybersecurity system vulnerable to hacking attacks: NIS \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting