Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors

In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo discusses North Korean threat actors with one of our Microsoft Threat Intelligence researchers and Greg Schloemer focusing on two prominent groups: Onyx Sleet and Storm 0530. Onyx Sleet is a long-standing espionage group known for targeting defense and energy sectors, particularly in the U.S. and India. However, they’ve diversified into ransomware, using tactics like malware downloaders, zero-day vulnerabilities, and a remote access Trojan called D-Track. The conversation also touches on the use of fake certificates and the group's involvement in the software supply chain space.    In this episode you’ll learn:       The relationship between Onyx Sleet and Storm 0530  North Korea's broader strategy of using cyber-attacks and moonlighting activities  Surprising nature of recent attack chains involving vulnerability in the Chromium engine    Some questions we ask:      Does Onyx Sleet engage in cryptocurrency activities as well as traditional espionage?  How does the use of a fake Tableau software certificate fit into Onyx Sleet's attack chain?  Where does the name "Holy Ghost" come from, and why did they choose it?    Resources:   View Greg Schloemer on LinkedIn   View Sherrod DeGrippo on LinkedIn     Related Microsoft Podcasts:                    Afternoon Cyber Tea with Ann Johnson  The BlueHat Podcast  Uncovering Hidden Risks      Discover and follow other Microsoft podcasts at microsoft.com/podcasts     Get the latest threat intelligence insights and guidance at Microsoft Security Insider      The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.