The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.
"We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group," Palo Alto Networks Unit 42 said in a new report published today.
"This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network."
Andariel, active since at least 2009, is affiliated with North Korea's Reconnaissance General Bureau (RGB). It has been previously observed deploying two other ransomware strains known as SHATTEREDGLASS and Maui.
Earlier this month, Symantec, part of Broadcom, noted that three different organizations in the U.S. were targeted by the state-sponsored hacking crew in August 2024 as part of a likely financially motivated attack, even though no ransomware was deployed on their networks.
Play, on the other hand, is a ransomware operation that's believed to have impacted approximately 300 organizations as of October 2023. It is also known as Balloonfly, Fiddling Scorpius, and PlayCrypt.
While cybersecurity firm Adlumin revealed late last year that the operation may have transitioned to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web data leak site that it's not the case.
In the incident investigated by Unit 42, Andariel is believed to gained initial access via a compromised user account in May 2024, followed by undertaking lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor called Dtrack (aka Valefor and Preft).
"These remote tools continued to communicate with their command-and-control (C2) server until early September," Unit 42 said. "This ultimately led to the deployment of Play ransomware."
The Play ransomware deployment was preceded by an unidentified threat actor infiltrating the network using the same compromised user account, after which they were observed carrying out credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors, all hallmarks of pre-ransomware activities.