Ruby Sleet, also known as Ricochet Chollima and CERIUM, is a North Korean threat actor that has been actively targeting government and defense sectors across several countries (in Microsoft's threat actor naming taxonomy, the "Sleet" family name denotes actors attributed to North Korea). According to a Microsoft report, from November 2022 to January 2023 Ruby Sleet, alongside another North Korean actor, Diamond Sleet (also known as ZINC and Lazarus), compromised multiple defense firms. In March 2023, Ruby Sleet also infiltrated an aerospace research institute in Russia, and the group has carried out successful intrusions against arms manufacturers in several other nations, including Germany and Israel.
The activities of Ruby Sleet are not isolated; they are part of a broader North Korean cyber operation involving other threat actors like Diamond Sleet and Onyx Sleet (also known as PLUTONIUM). In early March 2023, Onyx Sleet compromised a device belonging to a university in Russia. Furthermore, since January 2023, Diamond Sleet has expanded its scope, compromising defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland. These overlapping operations suggest a coordinated effort among these threat actors.
The breadth of this activity underscores the threat posed by Ruby Sleet and its associated groups. SentinelOne highlighted this when it reported that both the Lazarus Group (aka Diamond Sleet) and ScarCruft (aka Ricochet Chollima or Ruby Sleet) had breached NPO Mashinostroyeniya, a Russian missile engineering firm, for intelligence gathering; two North Korean actors turning up inside the same target is consistent with the overlapping operations described above. This active and widespread cyber espionage campaign is a considerable threat to international security, and defense, aerospace and research organizations in the targeted sectors should treat these actors as a priority in their threat models and detection coverage.
Description last updated: 2024-05-04T22:49:03.561Z