Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo discusses North Korean threat actors with one of our Microsoft Threat Intelligence researchers and Greg Schloemer focusing on two prominent groups: Onyx Sleet and Storm 0530. Onyx Sleet is a long-standing espionage group known for targeting defense and energy sectors, particularly in the U.S. and India. However, they’ve diversified into ransomware, using tactics like malware downloaders, zero-day vulnerabilities, and a remote access Trojan called D-Track. The conversation also touches on the use of fake certificates and the group's involvement in the software supply chain space. 

In this episode you’ll learn:      

• The relationship between Onyx Sleet and Storm 0530 
• North Korea's broader strategy of using cyber-attacks and moonlighting activities 
• Surprising nature of recent attack chains involving vulnerability in the Chromium engine 

Some questions we ask:     

• Does Onyx Sleet engage in cryptocurrency activities as well as traditional espionage? 
• How does the use of a fake Tableau software certificate fit into Onyx Sleet's attack chain? 
• Where does the name "Holy Ghost" come from, and why did they choose it? 

Resources:  

View Greg Schloemer on LinkedIn  

View Sherrod DeGrippo on LinkedIn  

Related Microsoft Podcasts:                   

• Afternoon Cyber Tea with Ann Johnson 
• The BlueHat Podcast 
• Uncovering Hidden Risks     

Discover and follow other Microsoft podcasts at microsoft.com/podcasts  

Get the latest threat intelligence insights and guidance at Microsoft Security Insider 

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.