25 July 2024

North Korean APT45 expanding into financially-motivated operations

Google-owned cybersecurity firm Mandiant released a report detailing activities of a long-running threat actor it tracks as APT45. Also known as Andariel, Onyx Sleet, Stonefly, and Silent Chollima, the group has been active since at least 2009, gradually shifting its focus from cyberespionage to financially-motivated operations and ransomware campaigns.

Mandiant believes that APT45 supports the interests of the Democratic People's Republic of Korea (DPRK). The threat actor has been observed targeting critical infrastructure more frequently than other North Korean threat actors. In 2019, the group targeted nuclear research facilities and nuclear power plants, including the Kudankulam Nuclear Power Plant in India, marking one of the few publicly known instances of North Korean cyber operations against critical infrastructure.

The financial sector has also been a significant target for APT45. In 2016, the group leveraged a tool called RIFLE to attack a South Korean financial organization.

APT45 has also engaged in intellectual property theft to address domestic deficiencies. In September 2020, the group targeted the crop science division of a multinational corporation, likely due to deteriorating agricultural production following border closures related to COVID-19.

During a suspected COVID-19 outbreak in North Korea in 2021, multiple North Korea-nexus operators, including APT45, focused on the healthcare and pharmaceutical sectors. Activity observed from APT45 in 2023 indicates a continued interest in health-related research, suggesting an ongoing mandate to collect related information.

Mandiant said it tracks several activity clusters where APT45 is suspected, but not confirmed, to be involved. Public reports suggest these clusters have used ransomware, possibly to fund operations or generate revenue for the regime. In 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) reported on North Korean state-sponsored actors' use of MAUI ransomware to target the healthcare and public health sectors.

In 2021, security researchers identified ransomware called SHATTEREDGLASS, which has been used by suspected APT45 clusters.

APT45 employs a mix of publicly available tools, such as 3PROXY, and malware modified from publicly available sources, like ROGUEEYE, alongside custom malware families.
