North Korean state-sponsored hacking group Andariel, also known as Stonefly, has been named by Kaspersky researchers as the operator behind the Maui ransomware attacks launched primarily against U.S. healthcare organizations beginning in April 2021, BleepingComputer reports.
Kaspersky researchers based the attribution on an earlier Maui attack aimed at a Japanese housing firm, as well as on related attacks reported in Russia, India, and Vietnam.
The attackers that compromised the Japanese firm were found to have deployed the DTrack malware before encrypting files, and the 3Proxy tool was present on the company's network months before the attack. The Indian, Vietnamese, and Russian firms were hit with the same DTrack variant, which shares 84% code similarity with samples from previous Andariel attacks, according to the report.
Known Andariel techniques, including the exploitation of WebLogic vulnerabilities for initial access, were also observed in the attacks.
Andariel has attacked financial service providers, as well as government, state, and military entities, since 2015, and is among the hacking groups covered by the U.S. State Department's bounty program.