Reconnaissance General Bureau Rgb

Threat Actor updated 23 days ago (2024-11-29T14:40:21.331Z)

Download STIX

Preview STIX

The Reconnaissance General Bureau (RGB) of the Korean People's Army is a significant threat actor in global cybersecurity, housing various hacking groups under its control. These groups include well-known entities such as "Lazarus Group," "Bluenoroff," and "Andariel," identified by Executive Order 13722 as agencies or controlled entities of the Government of North Korea due to their relationship with RGB. Another notable group, known publicly as Andariel, along with Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, are part of the RGB 3rd Bureau based in Pyongyang and Sinuiju, associated with cyber espionage activity. The Pyongyang University of Automation, sanctioned by the US, is a key institution for training these malicious cybersecurity actors who often work in units subordinate to the RGB. Multiple incidents involving RGB have been reported. In one case, an indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok, Kim Il, and Park Jin Hyok, members of RGB, engaged in criminal hacking. Stonefly, another RGB group, launched attacks on three US organizations shortly after the Department of Justice took action against them. Furthermore, an advisory from the FBI, NSA, and the US State Department stated that Kimsuky, operating under RGB, sent spoofed emails to high-profile individuals across various sectors, aligning with the objectives of RGB, North Korea's primary foreign intelligence agency. Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Nickel Kimball, and Velvet Chollima, is a significant element operating under RGB, which also houses the Lazarus Group. Active since 2012, Kimsuky is recognized as a malicious entity conducting cyber activities associated with advanced persistent threats. The group was implicated in a conspiracy to target and hack U.S. hospitals and healthcare providers, encrypt their files, extort ransoms, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime.

Description last updated: 2024-10-03T02:16:43.448Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Andariel is a possible alias for Reconnaissance General Bureau Rgb. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som	3
Apt43 is a possible alias for Reconnaissance General Bureau Rgb. APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA	2
Kimsuky is a possible alias for Reconnaissance General Bureau Rgb. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Reconnaissance

State Sponso...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Reconnaissance General Bureau Rgb Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	3 months ago	North Korea Profits as 'Stonefly' APT Swarms US Co's.
DARKReading	3 months ago	North Korean APT Bypasses DMARC for Cyber Espionage
Unit42	3 months ago	Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Unit42	3 months ago	Threat Assessment: North Korean Threat Groups
InfoSecurity-magazine	4 months ago	North Korea Kimsuky Launch Phishing Attacks on Universities
Flashpoint	5 months ago	COURT DOC: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers
CISA	5 months ago	North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs \| CISA
CISA	5 months ago	FBI, CISA, and Partners Release Advisory Highlighting North Korean Cyber Espionage Activity \| CISA
CERT-EU	a year ago	Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
CERT-EU	a year ago	US Govt’s OFAC Sanctions North Korea-based Kimsuky Hacking Group
Securityaffairs	a year ago	US govt sanctioned North Korea-linked APT Kimsuky
CERT-EU	a year ago	U.S. government sanctions prolific North Korean cyber espionage unit
CSO Online	2 years ago	North Korean threat actor APT43 pivots back to strategic cyberespionage
CSO Online	2 years ago	US sanctions four North Korean entities for global cyberattacks
CERT-EU	a year ago	North Korea hackers breached US IT company
MITRE	2 years ago	Three North Korean Military Hackers Indicted in Wide-Ranging Scheme
CERT-EU	a year ago	Beware: New 'Rustbucket' Malware Variant Targeting macOS Users
BankInfoSecurity	a year ago	JumpCloud Blames North Korean Hackers on Breach
CERT-EU	2 years ago	North Korean UNC2970 Hackers Expands Operations with New Malware Families
CERT-EU	a year ago	JumpCloud Cyberattack Linked to North Korean Hackers