
A Generational Shift: The Global Gaming Ecosystem as Attack Surface and Point of Entry

In the April 2023 OODA Network Member Meeting discussion – The DoD Discord Leak and the Future of Security Measures – there was the realization that “we have this generational shift that is going on right now with the younger generations that are fully digital and born-digital – Gen Y, and Gen Z” … and beyond. Discord’s server-based communities and communications were central to the 2023 Airman Jack Teixeira case. Still, by all accounts, Discord-based comms usually run parallel to multi-player gaming activity among this age cohort. Fortnite, Minecraft, and Roblox? All are current building blocks of the future metaverse. The Global Gaming Ecosystem is at once an attack surface and a point of entry. Game worlds are already a clear gathering place – but do law enforcement and the IC have adequate entry into these communities for attribution efforts in response to incidents that originate on these platforms and within these younger communities? We continue to track notable convergences in this space. Details here.

North Korea’s ‘Moonstone Sleet’ using fake tank game, custom ransomware in attacks

“They created a web of fake websites and social media accounts to make the game look legitimate and used a fake company called C.C. Waterfall to contact targets.”  

A new North Korean hacking group targets software companies and defense firms with custom ransomware variants and several elaborate scams. Microsoft said this week that the hacker group it tracks as “Moonstone Sleet” uses several new tactics not previously seen among North Korean groups. According to the report, the group has targeted individuals as well as organizations involved in the IT, education, and defense industrial base sectors.

Tank games and malware

In addition to the new strain of ransomware, Microsoft tracked multiple other tactics used by North Korean threat actors in recent months that drew its concern. The company has been tracking a campaign since February that involved a tank game called “DeTankWar.” Hackers contacted victims by email or on social media claiming to be a game developer looking for investors.

They created a web of fake websites and social media accounts to make the game look legitimate and used a fake company called C.C. Waterfall to contact targets. They included a download link in each message, which, when clicked, loads malware onto the device, allowing the hackers to steal browser data and gain other information on the victim’s network. Microsoft noted that when successful, hackers will take further direct action to search for credentials and other data.

From the Microsoft Report:  Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Who is Moonstone Sleet?

Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.

Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.

Moonstone Sleet tradecraft

Malicious tank game

Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.


Figure 3. Example of a Moonstone Sleet X (Twitter) account for its DeTankWar game

Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:


Figure 4. Moonstone Sleet using CC Waterfall to email a link to their game

When targeted users launch the game, delfi-tank-unity.exe, additional included malicious DLLs are also loaded. The payload is a custom malware loader that Microsoft tracks as YouieLoad. Similarly to SplitLoader, YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft.
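As an added detection example (not code from the Microsoft report or from OODA), the following Python correlates the chain described above over host telemetry: the game process starting, an unsigned DLL loaded from the game's own directory, and a service registered shortly afterwards. The Sysmon-style log lines, the DLL name and the service name are constructed placeholders; only delfi-tank-unity.exe comes from the report, and placing the bundled DLLs in the game directory is an assumption.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon-style lines (not from the report): "<ts> <event id> key=value ...".
# Event 1 = process create, 7 = image/DLL load, 13 = registry value set.
# Only delfi-tank-unity.exe is from the report; DLL and service names are placeholders.
SAMPLE_EVENTS = """\
2024-03-02T10:00:01 1 pid=4120 image=C:\\Games\\DeTankWar\\delfi-tank-unity.exe
2024-03-02T10:00:02 7 pid=4120 loaded=C:\\Windows\\System32\\kernel32.dll signed=true
2024-03-02T10:00:03 7 pid=4120 loaded=C:\\Games\\DeTankWar\\placeholder_sideload.dll signed=false
2024-03-02T10:00:09 13 pid=4120 target=HKLM\\SYSTEM\\CurrentControlSet\\Services\\svc_placeholder\\ImagePath
2024-03-02T10:30:00 1 pid=5200 image=C:\\Tools\\Editor\\editor.exe
2024-03-02T10:30:01 7 pid=5200 loaded=C:\\Tools\\Editor\\plugin.dll signed=false
"""

SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # service must follow the DLL load within this window

def parse(line):
    """Split '<ts> <event id> k=v k=v ...' into a dict."""
    ts, eid, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"], ev["eid"] = datetime.fromisoformat(ts), int(eid)
    return ev

def find_sideload_then_service(log_text):
    """Flag a process that loads an unsigned DLL from its own directory and then
    registers a service ImagePath within WINDOW (the loader-to-service shape above)."""
    procs = {}  # pid -> image, directory, unsigned same-dir DLL loads, service creations
    for ev in map(parse, log_text.splitlines()):
        pid = ev["pid"]
        if ev["eid"] == 1:
            procs[pid] = {"image": ev["image"], "dlls": [], "services": [],
                          "dir": str(PureWindowsPath(ev["image"]).parent).lower()}
        elif pid in procs and ev["eid"] == 7 and ev.get("signed") == "false":
            if str(PureWindowsPath(ev["loaded"]).parent).lower() == procs[pid]["dir"]:
                procs[pid]["dlls"].append((ev["ts"], ev["loaded"]))
        elif pid in procs and ev["eid"] == 13:
            m = SERVICE_KEY.search(ev["target"])
            if m:
                procs[pid]["services"].append((ev["ts"], m.group(1)))
    findings = []
    for pid, p in procs.items():
        for dll_ts, dll in p["dlls"]:
            for svc_ts, svc in p["services"]:
                if dll_ts <= svc_ts <= dll_ts + WINDOW:
                    findings.append({"pid": pid, "image": p["image"], "dll": dll, "service": svc})
    return findings
```

The second process in the sample loads an unsigned DLL from its own directory but never registers a service, so only the game process is reported; a signed-DLL check alone would be far noisier.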


Figure 5. Page from the DeTankWar website

Fitting into the North Korean threat actor landscape

Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives. For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country’s objectives. Moonstone Sleet’s pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. Additionally, Moonstone Sleet’s addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations. Microsoft reported on Onyx Sleet’s and Storm-0530’s h0lyGhost ransomware in 2022.

In recent months, Microsoft and other security researchers have reported on North Korean threat actors’ use of software supply chain attacks to conduct widespread malicious operations. In November 2023, Microsoft reported on Diamond Sleet’s supply chain compromise of CyberLink, a multimedia application. While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns. Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations.

Moonstone Sleet’s appearance is an interesting development, considering that North Korea has carried out a series of changes in its foreign relations and security apparatus. In November 2023, North Korea closed embassies in several countries, and in March 2024, may have dissolved the United Front Department (UFD), an agency believed to be responsible for reunification and propaganda.

Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.

What Next?

Following are OODA Loop follow-up research insights and questions that emerged from the April 2023 OODA Network discussion of the 2023 leak of DoD documents via a Discord server by Airman Jack Teixeira – a thread on which we continue to pull:

  • A member clarified the point that no one on the call was suggesting that certain younger generations were inherently bad, but more that we currently have digital inputs on a scale and with an intensity and frequency that we cannot imagine.
    • We are dealing with impacts on the development of the human brain that we won’t know the true extent of for another 20 or 30 or 40 years.
    • Also, the social structures are vastly different for these younger generations. And we simply do not know enough about it. 
    • Some of the core foundations of prior generations (civic education, frequent churchgoing, or religious affiliations) are weak or non-existent today.
    • We have created different, new young people and then young adults that are different from prior generations. And we’ll have to take that into account as we think about what behaviors are acceptable, nominal, normal, and make a judgment call about someone’s suitability to have access to classified information.
  • One network member went on to share: “I think the lesson corporate can take from this DoD leak is that these threats are a who, not a what. I think the conversations we’re having here around this 21-year-old having access shows that we are seeing a lot more classified information in gaming forums – because people are saying while gaming, ‘That plane couldn’t fly that way, and that move you made, that you attacked me with, it wasn’t right.’ And the response is: ‘Well, yes, it is. Here’s the technical diagram from the F-35.’ There are people and their motivations – which are always evolving. When it comes to this government, we are probably the best in the world when understanding our adversaries. When it comes to government employees, we are not. And that will be an ongoing problem.”
  • Questions posed throughout this discussion included:
    • Will the intelligence community and the Department of Defense (DoD) perform any sort of damage assessment?
    • Do they want the damage assessment? Or would they rather not do the assessment because it may compel actions they don’t want to do?
    • Will the American public stay engaged in this event and this topic? Or will it move on to the next item in the news cycle?
    • Is there any political will to do anything about this issue?
    • What about the incentive structures and lack of punitive measures for these security breaches?
    • Will this breach drive some change within the IC and within the Department of Defense?
    • What should corporate America – and those who focus on risk mitigation and risk management within corporate America – be taking away as a lesson from this?   
    • Are there unique lessons from this leak that apply to corporate America? And are there generational changes that are occurring that are going to complicate things even more?
    • How is releasing some of these leaks in the public interest when they jeopardize current national security operations?
    • Do System Administrators simply have too much root/super user access to classified information? 

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.