
Press Release | July 25, 2024

NSA Joins FBI and Others to Warn of North Korea Cyber Espionage Campaign

FORT MEADE, Md. – The National Security Agency (NSA) joins the Federal Bureau of Investigation (FBI) and others in releasing the joint Cybersecurity Advisory (CSA), “North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs.” The CSA includes detection methods and mitigation measures to help counter the malicious activity.

This CSA details cyber espionage activity of the Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau (RGB) 3rd Bureau. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies assess this group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India. The group funds its espionage activity through ransomware operations against U.S. healthcare entities.

“As North Korean state-sponsored cyber actors evolve their operations to attempt to infiltrate vital systems, we will pivot to counteract these actions,” said NSA Cybersecurity Director Dave Luber. “This joint advisory includes detailed techniques this group employs and various detection and mitigation methods to empower the international cybersecurity community to continue improving how we prevent and respond to compromises.”

The cybersecurity industry provides overlapping cyber threat intelligence related to this 3rd Bureau group using the names of Andariel, Onyx Sleet, and DarkSeoul, among others. Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. Government’s understanding for all activity related to these groupings.

This CSA follows the May 2 release of a CSA on another DPRK RGB cyber group entitled “North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts.” That CSA was released to protect against DPRK techniques that make emails appear to be from legitimate journalists, academics, or other experts in East Asian affairs.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721