
Play ransomware attack tied to North Korean nation-state actor

A relationship between North Korean actor Jumpy Pisces and Play ransomware would be unprecedented, as the former has not previously been observed collaborating with cybercrime gangs.

A North Korean nation-state actor known as Jumpy Pisces is collaborating with the Play ransomware gang, according to research published Wednesday by Palo Alto Networks' Unit 42.

The research reflects an emerging trend of the lines blurring between nation-state actors and financially motivated cybercriminals. Microsoft's "Digital Defense Report 2024," published this month, describes how countries like Russia, Iran and North Korea have increasingly leveraged cybercriminals and their tools. Although North Korea has historically been known to use ransomware and cryptocurrency theft to fund its military operations, collaborating with an unaffiliated criminal enterprise would be unusual for the country.

However, that seems to be exactly what happened, based on Unit 42's Wednesday research. Palo Alto researchers tracked a recent ransomware incident in which Jumpy Pisces, a state-sponsored group affiliated with North Korea's Reconnaissance General Bureau, apparently collaborated with Play -- a prolific cybercrime gang first observed in 2022 -- to deploy ransomware against a victim.

According to the research, Unit 42 began tracking the attack as part of incident response services for a client in September. Investigators attributed the attack to Jumpy Pisces and found the actor gained initial access in May through a compromised user account. Jumpy Pisces spent months moving laterally and maintaining persistence until early September when Play ransomware was deployed.

On the technical end, Jumpy Pisces used the open source command and control (C2) framework Sliver. It also used the custom info-stealing malware DTrack, a customized build of Mimikatz, a tool for creating privileged accounts on computers with Remote Desktop Protocol enabled and "a trojanized binary that steals browser history, autofills and credit card details for Chrome, Edge and Brave internet browsers."

Unit 42 assessed with moderate confidence that Jumpy Pisces and Play collaborated based on three factors: the compromised account Jumpy Pisces used for initial access was also used by Play actors to deploy ransomware; Sliver C2 communications were seen until the day before ransomware was deployed; and previously observed Play tactics, techniques and procedures were also observed in this incident.
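The three factors above are a correlation exercise an incident responder can run over the intrusion timeline. The script below is an added example, not Unit 42's tooling or anything recovered from the incident: it parses constructed JSON-lines telemetry (invented timestamps, accounts, hosts and a 203.0.113.0/24 documentation address), checks whether the initial-access account is the one used to deploy ransomware, whether C2 beacons continue until the day before deployment, and whether observed MITRE ATT&CK technique IDs overlap a hypothetical reference profile standing in for "previously observed Play TTPs".

```python
"""Correlate intrusion telemetry against the three overlap factors Unit 42 cites.

Added example, not Unit 42's tooling or code from the incident. The JSON-lines
telemetry, the account and host names, and the reference TTP set are all
constructed for illustration.
"""
import json
from datetime import datetime

# Constructed telemetry: one JSON object per line, minimal schema. Timestamps,
# accounts, hosts and addresses are invented; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:12:00", "type": "logon", "account": "svc_backup@corp.example", "host": "vpn-gw-01", "ttp": "T1078", "detail": "vpn logon success"}
{"ts": "2024-05-07T02:41:00", "type": "c2_beacon", "account": "svc_backup@corp.example", "host": "ws-114", "ttp": "T1071.001", "detail": "https beacon to 203.0.113.10:443"}
{"ts": "2024-06-15T11:05:00", "type": "lateral", "account": "svc_backup@corp.example", "host": "dc-01", "ttp": "T1021.001", "detail": "rdp from ws-114"}
{"ts": "2024-07-02T03:20:00", "type": "cred_access", "account": "svc_backup@corp.example", "host": "dc-01", "ttp": "T1003.001", "detail": "lsass dump"}
{"ts": "2024-08-30T22:15:00", "type": "c2_beacon", "account": "svc_backup@corp.example", "host": "ws-114", "ttp": "T1071.001", "detail": "https beacon to 203.0.113.10:443"}
{"ts": "2024-09-04T21:10:00", "type": "c2_beacon", "account": "svc_backup@corp.example", "host": "ws-114", "ttp": "T1071.001", "detail": "https beacon to 203.0.113.10:443"}
{"ts": "2024-09-05T20:30:00", "type": "defense_evasion", "account": "svc_backup@corp.example", "host": "dc-01", "ttp": "T1562.001", "detail": "av service stopped"}
{"ts": "2024-09-05T23:00:00", "type": "ransomware_deploy", "account": "svc_backup@corp.example", "host": "dc-01", "ttp": "T1486", "detail": "encryptor pushed via psexec"}
"""

# Hypothetical reference profile standing in for "previously observed Play TTPs".
# Illustrative only; substitute your own threat intelligence.
REFERENCE_TTPS = {"T1021.001", "T1562.001", "T1486", "T1570"}


def parse_log(text):
    """Parse JSON lines into event dicts with datetime timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def first_of(events, kind):
    """Earliest event of the given type, or None."""
    return next((e for e in events if e["type"] == kind), None)


def last_c2_before(events, cutoff):
    """Most recent C2 beacon strictly before the cutoff timestamp, or None."""
    beacons = [e for e in events if e["type"] == "c2_beacon" and e["ts"] < cutoff]
    return beacons[-1] if beacons else None


def assess(events, reference_ttps):
    """Evaluate the three overlap factors and report how many of them hold."""
    initial = first_of(events, "logon")
    deploy = first_of(events, "ransomware_deploy")
    if initial is None or deploy is None:
        raise ValueError("need both an initial logon and a ransomware deployment event")

    # Factor 1: the same account was used for initial access and for deployment.
    shared_account = initial["account"] == deploy["account"]

    # Factor 2: C2 traffic persisted until (at most) the day before deployment.
    last_c2 = last_c2_before(events, deploy["ts"])
    c2_gap_days = (deploy["ts"].date() - last_c2["ts"].date()).days if last_c2 else None
    c2_until_eve = c2_gap_days is not None and c2_gap_days <= 1

    # Factor 3: technique IDs seen in the intrusion overlap the reference profile.
    observed = {e["ttp"] for e in events if e.get("ttp")}
    overlap = observed & reference_ttps

    factors = [shared_account, c2_until_eve, bool(overlap)]
    return {
        "initial_access_account": initial["account"],
        "deploy_account": deploy["account"],
        "shared_account": shared_account,
        "dwell_days": (deploy["ts"].date() - initial["ts"].date()).days,
        "c2_gap_days": c2_gap_days,
        "c2_until_eve": c2_until_eve,
        "ttp_overlap": sorted(overlap),
        "factors_met": sum(factors),
    }


if __name__ == "__main__":
    result = assess(parse_log(SAMPLE_LOG), REFERENCE_TTPS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The output is only as good as the telemetry: if VPN or EDR logs do not cover the full dwell period (May to September in this incident), the initial logon or the last beacon can be missed and a factor silently fails, so checking log retention against the suspected intrusion window is the first step before running any correlation like this. A TTP overlap on its own is weak evidence, since RDP lateral movement, AV tampering and PsExec deployment are common to many ransomware crews; the account reuse and the C2 cut-off the day before encryption are what tie the two phases of the intrusion together.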

Unit 42 researchers were unsure as to the extent of the relationship between the two entities. Play has claimed it is not a ransomware-as-a-service (RaaS) operation with affiliate hackers.

"It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB [initial access broker] by selling network access to Play ransomware actor," the blog post read. "If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB."

Unit 42 said the attack suggests a shift in the group's tactics regardless of the exact nature of the relationship.

"Either way, this incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network," Unit 42 said. "This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally."

TechTarget Editorial contacted Unit 42 for additional comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
