A North Korean threat group that has been active for more than 15 years and is known for targeting critical infrastructure, government agencies, and technology providers is being elevated to APT45 by researchers at Mandiant.
The activity associated with APT45 is varied: its operators have demonstrated an ability to target a broad range of systems, including critical infrastructure, nuclear facilities, and enterprise networks, and to deploy custom tools as well as publicly available malware. Mandiant researchers have been working with the FBI to track APT45’s activities, and the bureau released a technical advisory today as well. The subject areas APT45 has targeted include missile systems, tanks, nuclear facilities, military operations, satellite communications, and hospitals, among many others.
APT45, which Mandiant has referred to as Andariel in the past, is just one of the myriad offensive cyber teams operating under the auspices of the North Korean government and military, but it is among the most active and capable of those groups.
“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defense organizations around the world. When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him,” said Michael Barnhart, the leader of Mandiant’s North Korea threat hunting team.
The decision to graduate this group to APT status is a reflection of its capabilities and persistence in going after high-level targets around the world for many years. The move comes three months after Mandiant graduated the notorious Sandworm group to APT44.
“APT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science,” the Mandiant analysis says.
“Financially motivated activity occurring alongside intelligence collection has become a defining characteristic of North Korean cyber operations, and we expect APT45 to continue both missions. As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country’s leadership.”
The Mandiant team said in its analysis that APT45 may also be using ransomware in some of its intrusions. Other North Korean actors have used ransomware, as well as cryptocurrency heists, as part of their operations.
“Mandiant tracks several clusters of activity where we suspect, but cannot confirm APT45 attribution. Public reporting has claimed that these clusters have used ransomware, possibly to fund their operations or generate revenue for the regime. While Mandiant cannot confirm this ransomware use by APT45, it is plausible as they have employed diverse schemes to raise money,” the report says.
In its advisory, authored jointly with the NSA, CISA, and several other agencies, the FBI went further than Mandiant, stating outright that the group funds its espionage with ransomware.
"Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity," the advisory says.
The United States government has focused quite a bit of attention and resources on North Korean state-sponsored threat groups in recent years, including the Lazarus Group and Kimsuky. Last year, the U.S. government, along with the governments of Australia, Japan, and South Korea, sanctioned alleged members of Kimsuky for their participation in various attacks.