NICKEL HYATT
SUMMARY
NICKEL HYATT is a subgroup of NICKEL ACADEMY that has operated on behalf of the North Korean government since at least 2009. Its targeting has included financial institutions, defense contractors, government agencies, academic think tanks, cybersecurity vendors, and North Korean refugee support organizations. The group originally appeared to focus on South Korea but has expanded to other countries such as Japan, the U.S., and India. NICKEL HYATT has engaged in espionage, destructive attacks, and financial crime.
The threat actors have used publicly available remote access trojans (RATs), as well as custom malware such as Rifle (also known as Rifdoor), Valefor, UnitBot, and DTrack (also known as VinoSiren and Preft). DTrack was used in 2019 to target a nuclear power facility in India, and in 2020, CTU researchers observed NICKEL HYATT using DTrack to target a life sciences organization. Like other North Korean threat groups, NICKEL HYATT appeared intent on stealing data relating to vaccine research throughout the COVID-19 pandemic.