Ruby Sleet

Threat Actor Profile (updated 2 months ago)
Ruby Sleet, also known as Ricochet Chollima and CERIUM, is a North Korean threat actor that has been actively targeting governmental and defense sectors across several countries. According to a Microsoft report, from November 2022 to January 2023, Ruby Sleet, in conjunction with another threat actor, Diamond Sleet (also known as ZINC and Lazarus), compromised multiple defense firms. Additionally, in March 2023, Ruby Sleet infiltrated an aerospace research institute in Russia. The group has also launched successful attacks on arms manufacturers in various nations, including Germany and Israel.

The activities of Ruby Sleet are not isolated; they are part of a broader North Korean cyber operation involving other threat actors such as Diamond Sleet and Onyx Sleet (also known as PLUTONIUM). In early March 2023, Onyx Sleet compromised a device belonging to a university in Russia. Furthermore, since January 2023, Diamond Sleet has expanded its scope, compromising defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland. These overlapping operations suggest a coordinated effort among these threat actors.

The extent of these cyberattacks underscores the significant threat posed by Ruby Sleet and its associated groups. SentinelOne highlighted this issue when it revealed that both the Lazarus Group (aka Diamond Sleet) and ScarCruft (aka Ricochet Chollima or Ruby Sleet) breached NPO Mashinostroyeniya, a Russian missile engineering firm, to facilitate intelligence gathering. This active and widespread cyber espionage campaign represents a considerable threat to international security and necessitates heightened cybersecurity measures across the targeted sectors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at (each entry gives the profile name, vote count, and profile description).

Cerium (1 vote): no profile description.

ZINC (1 vote): Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been actively involved in cyberattacks on global media, defense, and IT industries. Microsoft's Threat Intelligence Center has been tracking the group's activities, which have included weaponizing open-source softw

Ricochet Chollima (1 vote): Ricochet Chollima, also known as Ruby Sleet or ScarCruft among other aliases, is a threat actor associated with the Democratic People's Republic of Korea (DPRK). Active in espionage operations since at least 2016, Ricochet Chollima has primarily targeted South Korean individuals and entities, focusi

Labyrinth Chollima (1 vote): Labyrinth Chollima, a threat actor linked to North Korea, has been involved in numerous malicious activities since 2009. Tracked by CrowdStrike and other cybersecurity organizations, Labyrinth Chollima is part of the Lazarus Group, known for stealthy attacks targeting various industries such as acad
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: Korean, Microsoft, Russia.
Associated Malware
Each entry gives the malware name, association type, vote count, and profile description.

Ghost (type unspecified, 1 vote): Ghost is a sophisticated malware that has been linked to various cyber threats and attacks. In 2020, there was a significant bilateral CDU/MDANG Ex Cyber Ghost operation in the works, hinting at its growing prominence. It uses techniques such as ghost spoofing, where the sender's name contains an au

Granite Typhoon (type unspecified, 1 vote): Granite Typhoon is a notable malware that has been implicated in several cyber-attacks on various organizations and entities. The malware, which operates by infiltrating systems through suspicious downloads, emails, or websites, has been linked to attacks on telecommunications firms in 2023, an oper
Associated Threat Actors
Each entry gives the threat actor name, association type, vote count, and profile description.

Lazarus Group (type unspecified, 1 vote): The Lazarus Group, a threat actor attributed to North Korea, is renowned for its notorious cyber-exploitation activities. The group has been linked to various high-profile cyber-attacks, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022. This attack led

ScarCruft (type unspecified, 1 vote): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int

Diamond Sleet (type unspecified, 1 vote): Diamond Sleet is a threat actor group associated with North Korea that has been implicated in a series of advanced persistent threat (APT) supply chain attacks. These attacks have notably relied on the exploitation of CyberLink software, a popular multimedia application suite. The cybersecurity indu

Plutonium (type unspecified, 1 vote): Plutonium, a threat actor with potentially global implications, has been involved in several critical incidents. The group's activities have been traced back to the 1960s when alleged Israeli scientists visited NUMEC, claiming to obtain plutonium-238 for non-nuclear projects. The lack of stringent r

Onyx Sleet (type unspecified, 1 vote): Onyx Sleet, a North Korean nation-state threat actor, has been identified as a significant cybersecurity risk by Microsoft. Operating under the Lazarus Group umbrella, Onyx Sleet primarily targets defense and IT services organizations in South Korea, the United States, and India. In October 2023, Mi
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Ruby Sleet threat actor was read from the document corpus below. This display is limited to 20 results. Each entry gives the source, the creation date, and the document title.

CERT-EU (a year ago): This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP

CERT-EU (10 months ago): Microsoft: North Korean hackers target Russian govt, defense orgs

CERT-EU (10 months ago): North Korea ramps up intelligence-gathering cyberattacks

CERT-EU (10 months ago): Cyber Security Week in Review: September 8, 2023

CERT-EU (10 months ago): North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers