Cyber Threat Actor: ScarletMimic
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
0 incidents |
|---|
Profile
ScarletMimic is an alias used by a threat actor group that has been linked to operations originating from China, with public attributions pointing to North Korean state‑backed actors according to a South Korean government investigation. The group’s known activities focus on the nuclear energy sector, specifically targeting facilities such as Korea Hydro and Nuclear Power in South Korea. Their observed objectives include financial extortion, as evidenced by ransom‑style demands for an unspecified sum. They also stated that stolen reactor information could be sold to buyers in Northern Europe, Southeast Asia and South America. Disruption goals were shown by explicit demands to shut down three reactors and accompanying threats of destruction. Espionage was demonstrated by the exfiltration of employee personal data, technical manuals and partial reactor blueprints.
Initial access in the reported campaign was achieved through a large‑scale phishing effort, with 5,986 malicious e‑mails sent to 3,571 employees of the target organization. The malware deployed in the intrusion was identified as having the same composition and working methods as the kimsuky family, and it was compiled on a system configured for the Korean language. After gaining foothold, the actors leaked stolen material via a Twitter account titled “Who am I = No Nuclear Power,” using the platform to distribute blueprints, simulation manuals and other technical documents. The account’s profile claimed the author was the president of an anti‑nuclear reactor group from Hawaii. The South Korean investigation traced command‑and‑control traffic to network addresses in northeast China near the North Korean border. This finding prompted a request for assistance from Chinese authorities to locate the source of the attack.
