Microsoft has been monitoring the online activities of the Korean hacking group H0lyGh0st since September 2021. The group allegedly compromised the software systems of numerous small and medium-sized businesses. At the heart of its work is deploying ransomware to infect SME infrastructures and demand ransoms paid in bitcoin. The criminal team, codenamed Dev-0530 by Microsoft, appears to be linked to another North Korean group, DarkSeoul, which has made a name for itself by successfully attacking international companies since 2013. The Microsoft Threat Intelligence Center noted H0lyGh0st e-mail accounts communicating with addresses connected to Plutonium, another name by which DarkSeoul is known.
“Both groups operate from the same infrastructure set and with customized lines of malware code with the same names,” explains Microsoft’s specialist division. The tech giant noted that the criminal activity follows the time zone in force in North Korea, and that the Pyongyang government could be supporting the operations to compensate for the economic setbacks caused by the Covid-19 blockade.
“Obviously there remains the trail of groups exploiting ransomware for personal gain, which could explain an often random selection of victims.” The H0lyGh0st ransomware consists of two malware families, SiennaPurple and SiennaBlue, both of which are used in Dev-0530’s attacks against Windows systems.