Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors
Description
In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo discusses North Korean threat actors with one of our Microsoft Threat Intelligence researchers and Greg Schloemer focusing on two prominent groups: Onyx Sleet and Storm 0530. Onyx Sleet is a long-standing espionage group known for targeting defense and energy sectors, particularly in the U.S. and India. However, they’ve diversified into ransomware, using tactics like malware downloaders, zero-day vulnerabilities, and a remote access Trojan called D-Track. The conversation also touches on the use of fake certificates and the group's involvement in the software supply chain space.
In this episode you’ll learn:
- The relationship between Onyx Sleet and Storm 0530
- North Korea's broader strategy of using cyber-attacks and moonlighting activities
- Surprising nature of recent attack chains involving vulnerability in the Chromium engine
Some questions we ask:
- Does Onyx Sleet engage in cryptocurrency activities as well as traditional espionage?
- How does the use of a fake Tableau software certificate fit into Onyx Sleet's attack chain?
- Where does the name "Holy Ghost" come from, and why did they choose it?
Resources:
View Greg Schloemer on LinkedIn
View Sherrod DeGrippo on LinkedIn
Related Microsoft Podcasts:
Discover and follow other Microsoft podcasts at microsoft.com/podcasts
Get the latest threat intelligence insights and guidance at Microsoft Security Insider
The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.