Threat Intelligence Tarot
Vol. II · 93
North Korea (RGB - 3rd Bureau)
G0045 · ★★★★★
risk 3/5
✦ The Obsidian Hammer ✦
Onyx Sleet
Plutonium · DarkSeoul · Silent Chollima · Andariel
Defense contractors · South Korea · Japan · IT service providers · Think tanks
Active since ~2014 · Espionage, Defense intelligence theft
The Obsidian Hammer falls not with fire but with precision, driving into the defense establishments of neighboring nations to extract the blueprints of weapons that will never be developed quickly enough to matter.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
- T1566.001 Spearphishing Attachment (Initial Access)
- T1059.003 Windows Command Shell (Execution)
- T1547.001 Registry Run Keys / Startup Folder (Persistence)
- T1078 Valid Accounts (Defense Evasion)
- T1082 System Information Discovery (Discovery)
- T1105 Ingress Tool Transfer (Command and Control)
- T1041 Exfiltration Over C2 Channel (Exfiltration)
Notable Operations
- ◆ Operation Silent Chollima targeting defense contractors
- ◆ Korean Air targeting for aviation intelligence
- ◆ IT managed service provider compromises for downstream access
- ◆ Multi-stage supply chain attacks against South Korean defense firms
Defenses
- ▸ Vendor and third-party access management with least-privilege principles (CIS Control 6)
- ▸ Network segmentation isolating sensitive design data from internet-connected systems (CIS Control 12)
- ▸ Spearphishing detection and sandboxed attachment analysis (CIS Control 9)
- ▸ Registry persistence alerting via EDR on endpoints (CIS Control 10)
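Added example (not from the card or from MITRE ATT&CK): how the EDR registry-persistence alert above can be scored rather than fired on every autorun write, so a vendor installer registering its tray application does not drown out the hostile case that T1547.001 describes. The record layout and field names (EventID, Image, TargetObject, TargetFilename, Details) are assumptions modelled on Sysmon's registry-value-set and file-create events; every sample record is constructed.

```python
"""Triage autorun persistence (ATT&CK T1547.001) in endpoint telemetry.

Added example for this card, not code from the card or from MITRE. The
record format is an assumption modelled on Sysmon field names:
Event ID 13 = registry value set, Event ID 11 = file created. All sample
records are constructed.
"""
import re
from dataclasses import dataclass, field

# Autorun registry locations (HKLM/HKCU/HKU prefixes vary, so match the tail).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce|Policies\\Explorer\\Run)(\\|$)",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders share this path tail.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Payloads launched from user-writable directories are more suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE
)
# Script hosts and living-off-the-land binaries used as launchers or writers.
SCRIPT_HOST_RE = re.compile(
    r"\b(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)\b",
    re.IGNORECASE,
)


@dataclass
class Alert:
    event_id: int
    image: str        # process that wrote the entry
    target: str       # registry value path or file path
    details: str      # registry value data (empty for file events)
    score: int
    reasons: list = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Parse 'Key=Value | Key=Value' records (constructed format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(line: str):
    """Return an Alert for autorun persistence activity, else None."""
    rec = parse_record(line)
    try:
        event_id = int(rec.get("EventID", "0"))
    except ValueError:
        return None
    image = rec.get("Image", "")
    target = rec.get("TargetObject") or rec.get("TargetFilename", "")
    details = rec.get("Details", "")
    reasons, score = [], 0

    if event_id == 13 and RUN_KEY_RE.search(target):
        reasons.append("write to autorun registry key")
        score += 2
    elif event_id == 11 and STARTUP_DIR_RE.search(target):
        reasons.append("file created in Startup folder")
        score += 2
    else:
        return None  # not a persistence location; nothing to triage

    if USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(target):
        reasons.append("payload or drop path in user-writable directory")
        score += 2
    if SCRIPT_HOST_RE.search(details):
        reasons.append("autorun value launches a script host / LOLBin")
        score += 1
    if SCRIPT_HOST_RE.search(image) or image.lower().endswith("\\reg.exe"):
        reasons.append("entry written by a script host or reg.exe")
        score += 1
    return Alert(event_id, image, target, details, score, reasons)


def scan(lines, threshold: int = 0):
    """Evaluate every record; keep alerts scoring at or above threshold."""
    alerts = (evaluate(line) for line in lines)
    return [a for a in alerts if a is not None and a.score >= threshold]


# Constructed sample telemetry (not real events).
SAMPLE_LOG = [
    r"EventID=13 | Image=C:\Windows\System32\reg.exe | TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater | Details=C:\Users\jdoe\AppData\Roaming\svc\update.exe",
    r"EventID=13 | Image=C:\Program Files\VendorApp\setup.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp | Details=C:\Program Files\VendorApp\tray.exe",
    r"EventID=13 | Image=C:\Windows\explorer.exe | TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden | Details=DWORD (0x00000001)",
    r"EventID=11 | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | TargetFilename=C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk",
    r"EventID=1 | Image=C:\Windows\System32\cmd.exe | CommandLine=whoami",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, threshold=4):
        print(f"[score {alert.score}] {alert.target}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

With the threshold at 4, the reg.exe write pointing a Run value at an executable under AppData and the PowerShell-dropped Startup shortcut both surface, while the vendor installer's Run entry scores 2 and stays in the audit trail without paging anyone. The scoring weights are a starting point to tune against an estate's own installer baseline, not a fixed rule.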
Reversed: Their Weakness
Defense contractors who enforce strict vendor access controls and segment networks carrying classified data frustrate its primary collection objectives. Supply chain security reviews prevent downstream compromise.
Data sourced from MITRE ATT&CK. For educational purposes.