Rgb

Threat Actor updated 4 days ago (2024-09-10T04:18:33.424Z)
RGB is a threat actor group, part of North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency under the General Staff Bureau of the Korean People's Army. Over the years, at least six threat groups have been attributed to the RGB, including Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa). These groups are reportedly responsible for a range of malicious activities, including ransomware operations against U.S. healthcare entities used to fund their espionage activity. A notable example is the custom malware known as 'Maui', used to encrypt victims' computer networks and extort organizations for ransom payments in cryptocurrency.

The RGB 3rd Bureau actors have been accused of targeting and hacking the computer networks of U.S. hospitals and other healthcare providers. Their method involves encrypting electronic files, extorting a ransom payment, laundering those payments, and using the laundered proceeds to fund intrusions against targets of interest to the North Korean regime. These actors have shown a poor grasp of the English language; common errors such as "Microsoft Cooperation" instead of "Microsoft Corporation" appear across numerous RGB 3rd Bureau malware samples.

Despite the expected robustness of RGB-D systems against adversarial examples, they have proven to be highly vulnerable. This vulnerability extends to RGB-Infrared (IR) cross-modality person re-identification (re-ID), which searches for an IR image in an RGB gallery or vice versa.

To protect against malicious activity by the RGB 3rd Bureau's Andariel group and other cyber threat actors, it is recommended that entities monitor for suspicious command-line activity, implement multi-factor authentication for remote access services, and properly segment critical assets and protect them with allow-listing tools. In particular, entities involved in or associated with industries and fields targeted by North Korean state-sponsored cyber operations should remain vigilant in defending their networks.
Description last updated: 2024-09-10T03:17:42.949Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Andariel | 5 | Andariel, also known as Jumpy Pisces and Onyx Sleet, is a threat actor primarily involved in cyberespionage and ransomware activities. Originating from North Korea, this group has been linked to several malicious cyber activities alongside other groups like Lazarus Group and Bluenoroff. The group's
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Reconnaissance
Korean
State Sponso...
Malware
Ransomware
Jumpcloud
Espionage
Mandiant
Exploits
Dprk
Analyst Notes & Discussion
Associated Threat Actors
ID | Type | Votes | Profile Description
Kimsuky | Unspecified | 2 | Kimsuky, a threat actor linked to North Korea, has been increasingly active in conducting cyber espionage and malicious attacks. This group, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, was first identified by Kaspersky researchers in 2013. In recent de
APT38 | Unspecified | 2 | APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite
Bluenoroff | Unspecified | 2 | BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs. They have
temp.hermit | Unspecified | 2 | Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl
Lazarus Group | Unspecified | 2 | The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated
Apt43 | Unspecified | 2 | APT43, also known as Kimsuky, Sparkling Pisces, Emerald Sleet, and Velvet Chollima among other names, is a North Korean state-sponsored advanced persistent threat (APT) group involved in cybercrime and espionage. This threat actor conducts intelligence collection and uses cybercrime to fund its espi
Source Document References
Information about the Rgb Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Unit42 | 4 days ago | Threat Assessment: North Korean Threat Groups
Flashpoint | a month ago | COURT DOC: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers
CISA | a month ago | North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs | CISA
ESET | 5 months ago | Malware hiding in pictures? More likely than you think
Checkpoint | 5 months ago | 8th April – Threat Intelligence Report - Check Point Research
CERT-EU | 6 months ago | Hackaday Podcast Episode 261: Rickroll Toothbrush, Keyboard Cat, Zombie Dialup
CERT-EU | 6 months ago | Search | arXiv e-print repository
CERT-EU | 7 months ago | Chinese PC-maker Acemagic's machines infected with malware
CERT-EU | 7 months ago | Search | arXiv e-print repository
DARKReading | 7 months ago | Critical ConnectWise RMM Bug Poised for Exploitation Avalanche
CERT-EU | 8 months ago | Search | arXiv e-print repository
CERT-EU | a year ago | Search | arXiv e-print repository
CERT-EU | a year ago | Search | arXiv e-print repository
CERT-EU | a year ago | Search | arXiv e-print repository
CERT-EU | 9 months ago | Search | arXiv e-print repository
CERT-EU | 9 months ago | Content Protection Market to grow by USD 1.03 billion from 2023 to 2028 | Market is fragmented due to the presence of prominent companies like Adobe Inc., Alphabet Inc. and Cisco Systems Inc., and many more - Technavio
CERT-EU | 9 months ago | Search | arXiv e-print repository
CERT-EU | 9 months ago | Search | arXiv e-print repository
CERT-EU | 9 months ago | Search | arXiv e-print repository
CERT-EU | 9 months ago | Mini Meters Monitor Microprocessor Maximization