Reconnaissance General Bureau

Threat Actor updated 15 hours ago (2024-10-17T12:04:37.674Z)
The Reconnaissance General Bureau (RGB) is North Korea's intelligence agency responsible for clandestine operations abroad and is considered a significant threat actor in the cybersecurity landscape. The RGB has been linked to several Advanced Persistent Threat (APT) groups, including the BeagleBoyz, likely active since at least 2014, as well as Kimsuky and Andariel. These groups carry out a wide range of malicious activity, from espionage to cryptocurrency theft, and often target private companies of limited intelligence value. North Korea's cyber operations, coordinated by the RGB, have shifted focus over time from traditional espionage toward financially motivated attacks.

Several incidents attributed to the RGB illustrate its evolving tactics. In March, the RGB exploited MagicLine4NX, an authentication software widely used in South Korea, for espionage. In August, Microsoft reported that an entity within Bureau 121 of the RGB, tracked as Citrine Sleet, exploited a vulnerability (CVE-2024-7971) in a campaign targeting cryptocurrency companies for financial gain. RGB-linked actors have also been known to weaponize fake cryptocurrency platforms, showing their increasing sophistication.

The RGB's activities extend to the illicit arms trade and ransomware. An indictment alleged that an RGB member took part in a conspiracy targeting U.S. hospitals and other healthcare providers, encrypting their electronic files and extorting ransom payments. The proceeds were laundered through China-based facilitators and used to purchase internet infrastructure for further attacks. The RGB has additionally been observed running email phishing campaigns against experts for insight into U.S. and South Korean foreign policy, indicating a continued interest in geopolitical intelligence.
Description last updated: 2024-10-17T11:43:28.650Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles worth reviewing.
Andariel (6 votes): Andariel is a possible alias for Reconnaissance General Bureau. Andariel, also known as Jumpy Pisces, is a threat actor group primarily associated with cyberespionage and ransomware activities. The group has been linked to North Korea's Reconnaissance General Bureau and other APT groups such as Kimsuky and Onyx Sleet. Andariel has been noted for its aggressive t

Kimsuky (2 votes): Kimsuky is a possible alias for Reconnaissance General Bureau. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group first identified by Kaspersky researchers in 2013. The group has been involved in various cyber espionage activities against global targ
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: Korean, Reconnaissance, State Sponso..., Phishing, Apt
Associated Threat Actors
The Lazarus Group (association type: Unspecified; 2 votes): The Lazarus Group Threat Actor is associated with Reconnaissance General Bureau. The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain with a high level of confidence. Over th
Source Document References
Information about the Reconnaissance General Bureau Threat Actor was read from the document corpus below. This display is limited to 20 results.

Source, Created
BankInfoSecurity, 14 days ago
InfoSecurity-magazine, 15 days ago
DARKReading, a month ago
DARKReading, a month ago
BankInfoSecurity, a month ago
Securityaffairs, 2 months ago
DARKReading, 3 months ago
Flashpoint, 3 months ago
InfoSecurity-magazine, 6 months ago
CSO Online, 2 years ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
CERT-EU, 10 months ago
BankInfoSecurity, 10 months ago
CERT-EU, 10 months ago
CERT-EU, a year ago
CERT-EU, 2 years ago
BankInfoSecurity, a year ago
CSO Online, 2 years ago