Stonefly, also known as DarkSeoul, BlackMine, Operation Troy, and Silent Chollima, is a cyberespionage group that first made headlines in July 2009, when it launched DDoS attacks on a variety of South Korean government and financial websites. In recent years, however, the group has narrowed its focus exclusively to espionage operations against high-value targets.
Stonefly’s operations appear to be part of a larger North Korean-sponsored campaign to obtain information and intellectual property, with another North Korean group, Pompilus, conducting a much broader trawl across numerous sectors. The most recent attack discovered by security researchers was against an engineering firm that works in the energy and military sectors. The attackers most likely breached the organization by exploiting the Log4j vulnerability (CVE-2021-44228) on a public-facing server, and then went on to compromise 18 other computers.
Stonefly’s tools and techniques are still evolving, and because of its capabilities and its emphasis on gathering sensitive data, the group remains one of the most potent North Korean cyber threat actors active today.