
Microsoft has linked a North Korean hacking group it tracks as Moonstone Sleet to FakePenny ransomware attacks, which have led to millions of dollars in ransom demands.

While this threat group’s tactics, techniques, and procedures (TTPs) largely overlapped with those of other North Korean attackers, it has also slowly adopted novel attack methods, as well as its own custom infrastructure and tooling.

Previously tracked as Storm-17, Moonstone Sleet has been observed attacking both financial and cyberespionage targets using trojanized software (e.g., PuTTY), malicious games and npm packages, custom malware loaders, and fake software development companies (e.g., StarGlow Ventures, C.C. Waterfall) set up to interact with potential victims on LinkedIn, Telegram, freelancing networks, or via email.

“When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software,” Microsoft said.

“However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.”

Moonstone Sleet PuTTY attack flow (Microsoft)

North Korean links to ransomware

The threat actors were first seen deploying a new custom FakePenny ransomware variant in April, two months after breaching the victim’s network.

However, unlike previous ransomware attacks coordinated by North Korean state hackers, in which victims were asked to pay $100,000, the ransom demanded by the Moonstone Sleet attackers was $6.6 million in BTC.

Microsoft’s assessment of this attack concluded that Moonstone Sleet’s primary motivation for deploying the ransomware was financial gain. The group’s previous involvement in cyber espionage attacks suggests that their attacks are focused on generating revenue and collecting intelligence.

Since it was first observed, the group has targeted multiple industry verticals, including individuals and organizations in the software and information technology, education, and defense industrial base sectors.

FakePenny ransom note (Microsoft)

Moonstone Sleet is not the first North Korean hacking group to be linked to ransomware attacks in recent years. For instance, the U.S. and U.K. governments officially blamed the Lazarus Group for the WannaCry ransomware outbreak that devastated hundreds of thousands of computers worldwide in May 2017.

Years later, in July 2022, Microsoft and the FBI also linked North Korean hackers to the Holy Ghost ransomware operation and Maui ransomware attacks against healthcare orgs, respectively.

“Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives,” Microsoft added.

“Additionally, Moonstone Sleet’s addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations.”