
Seashell Blizzard Ramping Up Operations and OSINT Trends of DPRK Threat Actors
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. [ Music ] But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Hello and welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft, and I am joined by two of my Microsoft colleagues. I've got Elise Eldridge, security researcher, and Anna Seitz, security researcher. Hi Elise, hi Anna. How are you?
Elise Eldridge: Doing great.
Anna Seitz: Hey, thanks for having us.
Sherrod DeGrippo: Thanks for joining me. I know we have some cool topics today, topics that I personally really enjoy. We are doing a classic threat intelligence episode, so we are learning about Seashell Blizzard. What's going on with the landscape for that threat actor, Anna?
Anna Seitz: So Seashell Blizzard has been prevalent - very prevalent over the last couple of years, especially because of the conflict that we've seen in Ukraine, but recently they have been falling back into historical behavior of conducting highly targeted campaigns. So we saw them move away from using specially crafted, destructive malware in 2023, and they started using these simplified wrapped legitimate utilities for their attacks. But now they're going back into their old habits of spear-phishing campaigns, and recently we've seen the European energy sector be targeted by these campaigns. And they're continuing to use their wrappers, which we call Walnut Wipe and Sharp Wipe, against Ukrainian targets and expanding their use of the Prickly Pear framework. So I find that to be really interesting, because this is the first time since 2023 that Microsoft has observed Seashell Blizzard conducting destructive attacks in Ukraine. So there's a lot of thought about why this might be occurring, and although it's not really clear why the actor has returned to this attack type, it might represent a response to an escalation in the war, or also be a component of maybe some other strategic preparations like the advancing winter.
Sherrod DeGrippo: Got it. So let's talk a little bit about wipers. Something that I always think about with wipers is back in, I think it was, I want to say 2015 with Iran attacking Saudi Aramco, they did wipers and then immediately following sent in drone strikes right after that. And that was kind of the first time that we saw a large-scale cyberattack, plus a kinetic attack, combined together to create that kind of, like, full attack effect. And since then, Russia has really been able to leverage wipers, and what wipers do is, it's basically - Anna, correct me if I'm wrong - it's basically ransomware, but the data is gone completely. There's no decrypting it. There's no paying to get it back. It really is part of, you know, conflict-type events. And we saw a significant amount of wipers used against Ukraine from Russia in March 2022, at the beginning of the current conflict situation. So, since then, it sounds like wipers had kind of fallen out of favor in terms of something that Russia was doing in that theater, but Anna, you're telling me, how recently have they started doing this again?
Anna Seitz: So this has been, let me double check. This was published back in October of 2024, so extremely recent, and I think that they were using these wipers, these wrapped legitimate utilities, and everyone was starting to catch on. Security community was able to identify quickly, oh, Seashell Blizzard, like, we got it. We see it. And so they kind of stopped using that, and now we start seeing them use it again in a spear-phishing type method, so I found that to be very interesting, that they didn't completely let it go, but now they're just being more hyper-specific about who they're targeting and how they're targeting, so it continues on.
Sherrod DeGrippo: So let me ask you, from the attack chain walkthrough, basically, they're sending out crafted spear-phishing emails to their particular targets, and then what happens next after that?
Anna Seitz: Back in 2024, they sent malicious messages impersonating the Gas Infrastructure Europe Annual Conference, so super targeted, in Munich, and so when the recipient opens a malicious attachment, it directs them to an actor infrastructure that's used to execute a multilayered infection chain.
Sherrod DeGrippo: Okay, got it. So it looks like, from the email, essentially the target clicks a link and then goes to actor-controlled infrastructure to essentially download either a document or a piece of software that then they would click and install. So a pretty standard phish attack chain. And tell me, you mentioned that they're using legitimate utilities somehow for this. What legitimate utilities are they using and how does that work?
Anna Seitz: One of the unique wrappers that they used was SDelete, and that's a pretty common thread that we've seen with Seashell Blizzard. This wrapper uses the DLL host naming convention, similar to those observed in prior destructive attacks, and all of these attacks might be enabled by Group Policy Object, through N-packets. And all of those techniques seem to be consistent with Walnut Wipe. And then we can go into Prickly Pear. So in September of 2024, Seashell Blizzard compromised multiple targets in Ukraine using Prickly Pear. And this is possibly as part of a ramp-up in pre-winter operations. So after deploying Prickly Pear to an unknown Ukrainian target, the actor used a generic extension utility to write and execute base64-encoded payloads.
Sherrod DeGrippo: Okay, got it. And I'm just looking quickly. I want to understand Seashell Blizzard. As many of our listeners know and are aware, we have threat actor naming, and so I want to just quickly give the AKAs for Seashell Blizzard. It is the former Iridium, also known in the industry as BE2, UAC-0113, Blue Echdeeta, Akinda, I don't know.
Anna Seitz: Is it Kidna? I don't know.
Sherrod DeGrippo: [Laughter], I don't know. Blue Akinda? That's not a threat actor name that Microsoft uses. That is another one in industry. Phantom, BlackEnergy, Light, and APT44, as well as Sandworm. So Seashell Blizzard, for those of you who are threat intelligence researchers and analysts, the names you're going to probably want to know are Iridium, Sandworm, and APT44. And that's where we are seeing Seashell Blizzard. I just want to clarify for people listening, I will not take on the naming convention situation within threat intelligence industry at this time. We'll save that for a later podcast episode, but those are the AKAs for Seashell Blizzard, which we're talking about now.
Anna Seitz: Seashell Blizzard has actually been around for a really long time. They've been active since at least 2013, and some of their other high-profile incidents include things like KillDisk in 2015, FoxBlade in 2022, M.E.Doc in 2017, and then, of course, NotPetya in 2017. I think we all very much remember that, and Prestige in 2022. So they're part of some really high-profile, very active campaigns. It's really interesting to see them coming back to target the European energy sector, as well as ramping up their cyber operations in Ukraine.
Sherrod DeGrippo: So that's interesting that you mention that, because you said a minute ago that there may be some element of, you know, the - kind of getting into the depths of winter, in terms of it being part of the energy sector. As we know, Russia provides a significant amount of energy to the European region, and often uses that in some of its geopolitical statements, and movements, and things like that. So that does make sense in terms of things that would potentially be on the - on the horizon for things coming out of Russia and Seashell Blizzard. Any other points that we need to know around Seashell Blizzard and how this campaign looks? Is the campaign seeming like it's done? Is it ongoing? Are we continuing to see this threat actor active in general? With this campaign?
Anna Seitz: It's a really good question. So as far as Microsoft threat intelligence is concerned, the targeting campaign that we've reported on back in October seems to be stabilized, I would say, but I do not think this is a threat actor that's going to be going away anytime soon, especially because of, you know, our new president in the U.S., and I still think this is going to be a very, very high-impact threat actor for 2025.
Sherrod DeGrippo: Okay, that's great information. Thanks for sharing that, Anna. I think we're going to see continued movement on the threat landscape, especially from, you know, those actors, China, Russia, North Korea, Iran, as the changes happen globally, because remember, in 2024, over 2 billion people went to the polls and cast votes, globally. It was the largest democratic vote casting event in human history, so that means that there are a significant amount of governments that are turning over in one way or another. Many of them, a large, large majority, did not vote to keep incumbents. So we are going to see changes in just about every democratic government that voted in 2024, including obviously the United States, but we're not the only ones. We'll see that across the globe.
Anna Seitz: Yeah. And Seashell Blizzard has conducted operations back in 2016 affecting the United States election environment as well.
Sherrod DeGrippo: So this is a significant threat actor, for those of you who are not familiar with Seashell Blizzard, Iridium, Sandworm, APT44. This is a good one to check out if you want to do some reading up on it. Anna, thank you so much for that update. Let's talk now with Elise about some things that are happening on the DPRK landscape from an OSINT perspective. Elise, what have you got?
Elise Eldridge: Hey. So we were reviewing recent OSINT trends of the North Korean threat actors, which were published around the same time as Microsoft's North Korean threat overview. And the main trends from OSINT reports consist of persistent and tailored social engineering, user execution, adapted techniques across platforms, and then continued targeting of critical industries like the energy and aerospace sectors, with main objectives including financial gain to fund operations and to generate revenue for the North Korean regime. So across the security community, we're seeing continued reporting on the Contagious Interview campaign, which Microsoft attributes to Storm-1877, as well as reports on their Remote IT Workers Program, which Microsoft tracks in general as Storm-0287. Microsoft also observed members of Moonstone Sleet applying to software development jobs, though it's unclear if that's a part of the North Koreans' Remote Worker Program or another approach to gain access to organizations for that threat actor.
Sherrod DeGrippo: Let's talk really quickly, for those who aren't necessarily familiar with the North Korea IT Workers Programs. I'll give a quick overview, and Elise, feel free to chime in here. For those of you who aren't aware, North Korea really stands out among the well-developed cyberespionage programs from a state-sponsored perspective, because they have to self-finance, essentially. They try to do things like ransomware, steal cryptocurrency, in order to finance the regime and to finance the cyberoperations that they have going on in their program. In this instance they found that sending out resumes and getting hired to contracts within Western IT jobs essentially gave them a double win. It was the ability to be within those organizations and have access to that data, as well as collect some paychecks. And so we have seen this North Korean IT worker, these operations going on for, I think it's been about a year or so that this has really come on the scene, where we have discovered these, and it doesn't really follow the typical patterns that we see from Russia, China, and Iran. It really is an attempt, from what we can tell, to create revenue for the regime, and for these threat actors to essentially self-finance whatever operations they've been assigned for their objectives by their respective government employer. So Elise, anything else that we should know? Are there any new developments on the North Korean IT worker side of the house?
Elise Eldridge: Right, so just yesterday, there's a report on the latest U.S. Department of State joint statement, so that was by the United States, Japan, and South Korea, and it reiterated the warnings to blockchain technology and freelance industries about the remote IT worker threats. So there's continued.
Sherrod DeGrippo: Yeah.
Elise Eldridge: Yeah. Continued statements put out from the U.S. Department of State.
Sherrod DeGrippo: Yeah, it's interesting. They're going after freelancer jobs, and particularly interested, of course, as we have known for years now about North Korea, they're particularly interested in cryptocurrency and finance. They've had a history for years of attempting to steal wallet credentials, attempting to steal credentials on various trading platforms, and we've even seen, in the past, them go after things like forum users on popular message boards that talk about cryptocurrency, hoping that the passwords that they're using within their social media and message forums are being reused within their wallets, and they find these big cryptocurrency holders, and cryptocurrency influencers, and they target them specifically. So, North Korea is really interesting in that way. What else is happening outside of the IT worker side? Any other things we should know from perspective on their activity?
Elise Eldridge: So we see continued reporting of the Contagious Interview campaign, which was first put out by Palo Alto Networks Unit 42 back in November 2023. And again, Microsoft attributes this to Storm-1877. Recently we've seen them adapting attacks across platforms. Some examples include a report in October, where they took BeaverTail variants built with the Qt framework to target Mac users through meeting applications. Also in November, Jamf Threat Labs reported a campaign targeting macOS with applications using the Flutter framework. So both the Qt framework and the Flutter framework allow builds across platforms using a single code base. Then also in November, Group-IB reported a new trojan named RustyAttr that leveraged extended attributes in macOS to conceal malicious code.
Sherrod DeGrippo: So you just mentioned three Mac-targeting attempts from North Korea. That's really interesting. We don't see a lot of Mac activity generally, even though Microsoft does have really good visibility. We have Defender for Mac, so we do see quite a bit there. But it's interesting, I've noticed that North Korea kind of is doing some interesting things that almost seem outside of the norm from what we would typically expect of any threat actor, but certainly outside of what North Korea typically does.
Elise Eldridge: Right, so yeah, Jamf Threat Labs and Group-IB researchers are suggesting that this activity could be the threat actors testing new ways to deliver malware.
Sherrod DeGrippo: Cool. That's really interesting. They're very creative, we've learned. If you listen to the podcast regularly, you've heard, we had Between Two Gregs, that's the name of the episode where we're focused.
Elise Eldridge: Yeah.
Sherrod DeGrippo: On North Korea. Greg Schloemer and Greg Lesnewich really broke it down. That was a fun one. But the point I think, if you're new to threat intelligence, and you're learning about these countries, I think, you know, I would say North Korea really does stand out as just kind of different from everybody else.
Anna Seitz: I find it really interesting how Moonstone Sleet was using the fake videogame, the DeTank Zone.
Sherrod DeGrippo: Yes, yeah.
Anna Seitz: Like, that's very creative. And so there's a lot of these social engineering campaigns that are very, very creative, as you say, and North Korea is kind of standing out as being just very slightly different in their own little funky way, but also their pre-ransomware access methods, and all that social engineering that they're pumping into this stuff, is still very consistent. And so it's still offering these early warning signs. So I would say as far as recommendations and remediations, we're still able to, you know, see typical behavior, but golly, some of those payloads and some of those campaigns are not typical whatsoever, [laughter].
Sherrod DeGrippo: It is really interesting, and back in September of last year, we saw Citrine Sleet have two zero-day vulns, exploits with zero days, and they leveraged those in Chromium, chained them together, and were attacking, essentially, browsers. It's incredible that they put together two specific vulnerabilities, CVE-2024-7971 and CVE-2024-38106, they chained them together to exploit multiple vulnerabilities and get, essentially, access within Chromium via zero day. That's unique, and a lot of times people say to me, you know, what's really new on the threat landscape? Has anything really, really changed? And the reality is, I think yeah, we don't see browser vulns that much. We really don't. Browser vulns are just not something that is a staple of the landscape like it used to be, nor are exploit kits, nor are rootkits. We used to see that stuff day in and day out from threat actors. Now it's rare and novel to see a browser vuln, much less chained together with an additional vuln to exploit a zero-day. That's - that's a new one that we don't see very often. That was a fun one, I think. Everyone was really kind of taken aback that that actually happened, and that they're burning zero-days out of North Korea, which is not something you'd expect. Elise, anything else we need to know about the North Korea side of the house?
Elise Eldridge: So earlier this month, NTT Security Japan reported a new malware named OtterCookie used in Contagious Interview.
Sherrod DeGrippo: The name of the malware is OtterCookie? Like the little creatures, like the little sea creatures?
Elise Eldridge: Like an otter?
Sherrod DeGrippo: Yeah, is that how it's spelled?
Elise Eldridge: Yeah, O-T-T-E-R. Cookie. I'm not sure where it comes from, but yeah.
Sherrod DeGrippo: Okay, so tell me about OtterCookie.
Elise Eldridge: OtterCookie's delivered through a loader that executes JavaScript code fetched from JSON data. And it's been observed executed alongside BeaverTail and also by itself. So just like BeaverTail, the file is built with the Qt framework, or it also comes as Electron applications. And then once on the target device, OtterCookie establishes a secure connection with its C2 infrastructure, using the Socket.IO WebSocket tool, and it can steal sensitive data like cryptocurrency wallet keys using the checkForSensitiveData function. And then the November variant used a library called clipboardy to remotely send clipboard data.
Sherrod DeGrippo: Cool. That's an interesting tactic that I've seen with other threat actors, but North Korea specifically, they love to copy clipboard data. So essentially that, I think, is a remnant or an offshoot of the interest in cryptocurrency, because a lot of times they will find that people have copied and pasted their wallet addresses and the keys for their cryptocurrency wallets, and they're in the clipboard still. And so North Korea has realized this and has been able to steal out of the clipboard, which I think is, again, North Korea being pretty creative and interesting.
Anna Seitz: I just had a thought as I was sitting here. You were talking about the sophistication and the uniqueness of the North Korean attacks over the past year, and when we're looking at, you know, someone like Seashell Blizzard, where they're literally just throwing a wrapper on some legitimate tools and hoping for the best, and then you have North Korea using all these really specific, targeted, you know, highly, highly targeted campaigns. It's just fun - interesting to see that juxtaposition in those two separate nations, and I, you know, I think it could be a lot of things, but maybe even, like, war fatigue with the Russian side of the house, right? Like you're saying, we just don't have enough resources anymore, we're running out of money. This war's been going on and on and on. And then you have North Korea, where they're sitting on, you know, $3 billion in stolen cryptocurrency, funding all kinds of interesting things. So it's just an interesting juxtaposition, just to see these two, you know, separate stories play out over the past year.
Sherrod DeGrippo: I agree. I think it's interesting to watch the various programs at North Korea, China, Russia, Iran, and see sort of where they're going, what the trends are. It's almost like, I'll go ahead and make this analogy. It's almost like if you watch haute couture fashion, like if you watch runways, you see designers playing off of each other, but also wanting to really be unique, and novel, and have their own point of view and their own way of doing things. But as we see with, whether it's nation-sponsored or crime, there is a lot of borrowing going on a lot of times, whether it's TTPs or IOCs, threat actors love to share occasionally. We see that sometimes, and you know there's always that question of, are the nation-sponsored programs taking from crime? Are they overlapping? How does that work? What do those gray areas look like? And that's a - a very expansive and nuanced discussion to have for another episode of the Microsoft Threat Intelligence Podcast, but I think it is important to remember that there is a level of derivativeness, or as Andy Warhol said, good artists borrow. Great artists steal. And I think that threat actors probably are in that same boat. Well, that was Anna Seitz and Elise Eldridge with a fantastic look into Seashell Blizzard and the OSINT landscape for North Korea. Thank you both for joining me, and I will hopefully talk to you both again soon on the Microsoft Threat Intelligence Podcast.
Anna Seitz: Thank you.
Elise Eldridge: Thanks. [ Music ]
Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]