Ricochet Chollima

Threat Actor Profile Updated 3 months ago
Ricochet Chollima, also tracked as Ruby Sleet or ScarCruft among other aliases, is a threat actor associated with the Democratic People's Republic of Korea (DPRK). Active in espionage operations since at least 2016, the group has primarily targeted South Korean individuals and organizations, in particular government officials, non-governmental organizations (NGOs), academics, journalists, and DPRK defectors. Its usual initial access vector is spear-phishing, which it uses to deliver an array of custom tooling.

In March 2023 the group compromised an aerospace research institute in Russia, a departure from its usual South Korean target set. The incident fits a broader pattern of North Korean actors targeting Russian government and defense-industry entities: in addition to Ricochet Chollima, the Lazarus Group, another DPRK-linked team, also breached NPO Mashinostroyeniya, a Russian missile engineering firm, for intelligence collection. Microsoft and SentinelOne have published evidence attributing this activity to North Korean actors. The fact that North Korea was materially supporting Russia's war in Ukraine at the same time complicates the geopolitical reading of these intrusions; the practical point for defenders is that the group's targeting should not be assumed to stop at South Korea, and that its spear-phishing tradecraft remains the control point to watch.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Labyrinth Chollima | 1 | Labyrinth Chollima, a threat actor linked to North Korea, has been involved in numerous malicious activities since 2009. Tracked by CrowdStrike and other cybersecurity organizations, Labyrinth Chollima is part of the Lazarus Group, known for stealthy attacks targeting various industries such as acad
ScarCruft | 1 | ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Ruby Sleet | 1 | Ruby Sleet, also known as Ricochet Chollima and CERIUM, is a North Korean threat actor that has been actively targeting governmental and defense sectors across several countries. According to a Microsoft report, from November 2022 to January 2023, Ruby Sleet, in conjunction with another threat actor
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance.
Tags: Korean, DPRK, Espionage, Phishing
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 1 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Diamond Sleet | Unspecified | 1 | Diamond Sleet, a North Korea-linked Advanced Persistent Threat (APT), has been identified as a significant threat actor in the cybersecurity landscape. This group is known for its sophisticated supply chain attacks, specifically leveraging CyberLink software to execute their malicious activities. Th
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Ricochet Chollima threat actor was read from the documents corpus below (display limited to 20 results).
Source | Created | Title
MITRE | 7 months ago | Ricochet Chollima - crowdstrike.com
CERT-EU | 10 months ago | Cyber Security Week in Review: September 8, 2023
CERT-EU | 10 months ago | North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers
CERT-EU | a year ago | North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
CERT-EU | a year ago | Elite North Korean Hackers Breach Russian Missile Developer