The state-sponsored Andariel hacking group linked to North Korea has been associated with the infamous Play ransomware operation, according to a recent report from Palo Alto Networks’ Unit 42 researchers. The group, believed to be a part of North Korea’s Reconnaissance General Bureau, is possibly using the ransomware-as-a-service (RaaS) platform to conceal its activity and bypass international sanctions.
Andariel, also known as Jumpy Pisces, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly, has been active in cyber-espionage and financial cybercrime, often with the goal of funneling resources to North Korea’s isolated regime. US sanctions were imposed in 2019 on the North Korean-affiliated groups Lazarus, Bluenoroff, and Andariel, following their attacks on US targets. In July 2024, US authorities charged an alleged Andariel member with ransomware attacks targeting organizations in the US and worldwide.
Unit 42 theorizes that Andariel is either working as an affiliate of Play ransomware or serving as an initial access broker (IAB). In this capacity, they would breach targeted networks, maintain long-term access, and later facilitate ransomware deployment. The analysis showed that Andariel had been present on a customer network for months prior to the Play ransomware incident, indicating extensive planning.
The researchers were able to trace Andariel’s movements within the breached network. Andariel had initially accessed the network in May 2024 by exploiting a compromised user account. Once inside, the group extracted registry dumps and used the credential-harvesting tool Mimikatz to collect sensitive login information.
The attackers then employed Sliver, an open-source penetration-testing framework, to establish command-and-control (C2) beacons, which enabled remote control over the compromised network. Andariel also deployed DTrack, a custom-built information-stealing malware, across multiple hosts over Server Message Block (SMB) shares. DTrack, previously associated with North Korean APT activity, is designed to collect and exfiltrate valuable data.
Over the following months, Andariel created malicious services, established Remote Desktop Protocol (RDP) sessions for remote access, and removed endpoint detection and response (EDR) tools to evade security measures.
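As an added defender-side example (not from the Unit 42 report), the following Python correlates constructed endpoint events against the stages of the chain described above: registry hive export, file copy to an admin share over SMB, service creation, RDP logon, and an EDR service being stopped. The event field names, hostnames and EDR service names are assumptions for illustration.

```python
# Hypothetical EDR service names (placeholders, not real product names).
EDR_SERVICES = {"edr-agent", "edrsensor"}

# Each stage is (name, predicate over one normalised event dict).
STAGES = [
    ("registry_dump", lambda e: e["type"] == "process"
        and e["cmd"].lower().startswith("reg.exe save ")),
    ("smb_lateral_copy", lambda e: e["type"] == "file_write"
        and e["path"].startswith("\\\\") and "$\\" in e["path"]),
    ("service_created", lambda e: e["type"] == "service_installed"),
    ("rdp_logon", lambda e: e["type"] == "logon" and e.get("logon_type") == 10),
    ("edr_stopped", lambda e: e["type"] == "service_stopped"
        and e.get("service", "").lower() in EDR_SERVICES),
]

def classify(event):
    """Return the first stage name whose predicate matches, or None."""
    for name, pred in STAGES:
        if pred(event):
            return name
    return None

def correlate(events):
    """Per host, list the matched stages in first-seen order (events sorted by ts)."""
    seen = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = classify(e)
        if stage and stage not in seen.setdefault(e["host"], []):
            seen[e["host"]].append(stage)
    return seen

def flagged_hosts(events, min_stages=3):
    """Hosts that show at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)

# Constructed sample events (not from the report); timestamps and names are illustrative.
SAMPLE_EVENTS = [
    {"ts": "2024-05-03T09:14:00", "host": "WS-17", "type": "process",
     "cmd": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"ts": "2024-05-03T09:20:00", "host": "WS-17", "type": "file_write",
     "path": "\\\\SRV-04\\ADMIN$\\update.exe"},
    {"ts": "2024-06-11T22:05:00", "host": "SRV-04", "type": "service_installed", "service": "update"},
    {"ts": "2024-06-11T22:07:00", "host": "SRV-04", "type": "logon", "logon_type": 10},
    {"ts": "2024-08-02T01:00:00", "host": "SRV-04", "type": "service_stopped", "service": "edr-agent"},
    {"ts": "2024-06-12T08:00:00", "host": "WS-22", "type": "logon", "logon_type": 10},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(flagged_hosts(SAMPLE_EVENTS))  # → ['SRV-04']
```

A single RDP logon on WS-22 is not flagged on its own; the value lies in the accumulation of stages on one host across the months-long dwell time the report describes.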
The operation escalated as the Play ransomware was deployed, encrypting files across the network. The coordinated timeline between Andariel’s activity and the Play ransomware deployment has led Unit 42 to conclude, with moderate confidence, that Andariel’s infiltration was directly linked to the ransomware attack.
However, while the evidence suggests a relationship between Andariel and Play, it remains uncertain whether Andariel acted as a direct affiliate of the ransomware group or merely sold access to the compromised network.