Ricochet Chollima

Threat Actor updated 4 months ago (2024-05-04T16:48:46.623Z)
Ricochet Chollima, also known as Ruby Sleet or ScarCruft among other aliases, is a threat actor associated with the Democratic People's Republic of Korea (DPRK). Active in espionage operations since at least 2016, Ricochet Chollima has primarily targeted South Korean individuals and entities, particularly government officials, non-governmental organizations (NGOs), academics, journalists, and defectors from the DPRK. The group delivers an array of custom tools through spear-phishing attacks, demonstrating advanced offensive capabilities.

In March 2023, Ricochet Chollima escalated its activities by compromising an aerospace research institute in Russia, a departure from its usual focus on South Korean targets. This incident was part of a broader pattern of North Korean threat actors targeting Russian government and defense-industry entities: the Lazarus Group, another North Korean hacking team, also breached NPO Mashinostroyeniya, a Russian missile engineering firm, to facilitate intelligence gathering. Together these intrusions indicate a strategic expansion of North Korean cyber-espionage operations. Microsoft and SentinelOne have provided substantial evidence linking the attacks to North Korean threat actors. North Korea's simultaneous support for Russia in its war in Ukraine further complicates the geopolitical implications of this activity, so nations and cybersecurity firms must remain vigilant and proactive in their defensive measures against these evolving and sophisticated threats.
Description last updated: 2023-12-20T16:43:37.705Z
Source Document References
Information about the Ricochet Chollima threat actor was drawn from the source documents listed below (display limited to 20 results).
Source | Created | Title
MITRE | 9 months ago | Ricochet Chollima - crowdstrike.com
CERT-EU | a year ago | Cyber Security Week in Review: September 8, 2023
CERT-EU | a year ago | North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers
CERT-EU | a year ago | North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
CERT-EU | a year ago | Elite North Korean Hackers Breach Russian Missile Developer