ZINC

Threat Actor updated 2 months ago (2024-09-10T04:17:45.731Z)

Download STIX

Preview STIX

Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campaigns. Microsoft's Threat Intelligence team has been tracking this group's activities, which have primarily targeted media, defense, and information technology (IT) industries globally. The group has also been linked to other North Korean Advanced Persistent Threat (APT) groups including Lazarus Group, Hidden Cobra, and Andariel. In 2022, Zinc reached a peak in its malicious activities. Notably, Microsoft Threat Intelligence uncovered a supply chain attack orchestrated by Zinc involving a trojanized variant of an application developed by CyberLink Corp., a software company known for multimedia software products. This marked a significant escalation in the group's tactics, weaponizing open-source software to compromise systems and networks. In October 2023, Zinc, along with several other North Korea-backed APTs, was implicated in exploiting the TeamCity vulnerability to install persistent backdoors into systems. Despite the increase in production of nickel and zinc in 2022, predominantly from Indonesia and China, the global prices for these commodities are expected to be suppressed. Meanwhile, Zinc continues to pose a significant cybersecurity threat. Microsoft's threat intelligence team attributes this ongoing campaign to Zinc, revealing the group's persistent efforts to exploit vulnerabilities and compromise systems. As of now, organizations, particularly those in the media, defense, and IT sectors, need to remain vigilant about this threat actor and continue to prioritize robust cybersecurity measures.

Description last updated: 2024-09-10T03:19:36.429Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Diamond Sleet is a possible alias for ZINC. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply	4
Lazarus Group is a possible alias for ZINC. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K	3
Andariel is a possible alias for ZINC. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som	2
CVE-2023-42793 is a possible alias for ZINC. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Microsoft

Apt

Teamcity

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Onyx Sleet Threat Actor is associated with ZINC. Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ	Unspecified	2
The Plutonium Threat Actor is associated with ZINC. Plutonium, also known as Jumpy Pisces and Andariel, is a notable threat actor historically involved in cyberespionage, financial crime, and ransomware attacks. Recent reports have revealed that advanced persistent threats (APTs) backed by Plutonium have been breaching the Sellafield's IT systems, wh	Unspecified	2

Source Document References

Information about the ZINC Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	2 months ago	Threat Assessment: North Korean Threat Groups
CERT-EU	8 months ago	Hackaday Podcast Episode 261: Rickroll Toothbrush, Keyboard Cat, Zombie Dialup
CERT-EU	a year ago	Ten business trends for 2024, and forecasts for 15 industries
DARKReading	a year ago	Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare
MITRE	a year ago	Adversary: Labyrinth Chollima - Threat Actor \| Crowdstrike Adversary Universe
Securityaffairs	a year ago	Lazarus is using a MagicLine4NX zero-day in supply chain attack
CERT-EU	a year ago	Security Week In Review: November 24, 2023
CERT-EU	a year ago	New North Korean supply chain attack spreads via malicious CyberLink app
Securityaffairs	a year ago	North Korea-linked APT Diamond Sleet supply chain attack relies on CyberLink software
CERT-EU	a year ago	Diamond Sleet supply chain compromise distributes a modified CyberLink installer \| Microsoft Security Blog
CERT-EU	a year ago	Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years
CERT-EU	a year ago	Cyber Security Week in Review: October 20, 2023
CERT-EU	a year ago	Russian and Chinese nation-state actors target recently patched WinRAR zero-day
CERT-EU	a year ago	North Korean Hackers Exploiting Recent TeamCity Vulnerability
CERT-EU	a year ago	North Korean hackers exploit critical TeamCity flaw to breach networks
CERT-EU	a year ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU	a year ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU	a year ago	North Korea ramps up intelligence-gathering cyberattacks
CERT-EU	a year ago	Microsoft: North Korean hackers target Russian govt, defense orgs
CERT-EU	a year ago	India-linked Patchwork APT targets Chinese research orgs with EyeShell backdoor