
Feds issue warning about cyberattacks by North Korea on US critical infrastructure


A long-known cyber-espionage group allegedly working on behalf of North Korea’s foreign intelligence service has been identified as systematically stealing technical information and intellectual property from organizations in the US and other countries with the goal of advancing its own nuclear and military programs. This group, known by various security vendors as Andariel, Silent Chollima, Onyx Sleet, and Stonefly, has reportedly been using ransomware attacks on US healthcare entities to finance their illicit activities, as per warnings issued by the US government this week.

According to a joint advisory from the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and other entities, Andariel has been primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. The advisory emphasized that this threat actor and their cyber techniques pose an ongoing threat to various industry sectors worldwide.

In response to this threat, the US government has taken significant steps, including offering a $10 million reward under the State Department’s Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, suspected to be a key player in Andariel’s malicious cyber activities. Moreover, the US Justice Department has indicted Jong Hyok on charges related to his involvement in attacks on several US entities, including NASA and two US Air Force bases.

The nature of the information targeted by Andariel in their recent campaign is extensive and diverse. They have been stealing data related to heavy and light tanks, combat ships, autonomous underwater vehicles, fighter aircraft, missiles, missile defense systems, radars, and various other technologies from defense, aerospace, and engineering organizations. In the nuclear sector, their focus is on uranium processing, enrichment, material waste, and storage. The advisory issued by the US government urged critical infrastructure organizations to promptly address vulnerabilities, secure web servers, monitor endpoints for malicious activities, and enhance authentication and remote access protections.

Andariel, also known as APT45 by researchers at Google’s Mandiant and Onyx Sleet by Microsoft, has been active for several years. The group has been linked to numerous information theft campaigns and destructive attacks across critical sectors like defense, energy, finance, transportation, and healthcare. According to Mandiant’s report, APT45 has increasingly engaged in financially motivated attacks, such as ransomware attacks, alongside its traditional cyber espionage operations.

Microsoft’s recent update on the threat actor highlighted a shift in their tactics, with a greater emphasis on using vulnerability exploits instead of spear-phishing for initial access. Despite this change, Andariel’s tradecraft has largely remained consistent over the years, indicating the threat actor’s confidence in the effectiveness of their methods.

The US government advisory detailed Andariel’s exploitation of multiple well-known vulnerabilities, including flaws like the Log4Shell bug in Apache’s Log4j software, a critical vulnerability in Apache ActiveMQ server technology, and flaws in Progress Software’s MOVEit and Fortra’s GoAnywhere software. A total of 41 CVEs were listed in the advisory, with 16 disclosed by vendors last year and some dating back to 2017.

Once inside a network, Andariel actors reportedly use a range of custom tools and malware to establish remote access, move laterally, and exfiltrate data. These tools enable various functions like command execution, keylogging, screenshots, file listing, browser history retrieval, and more. The advisory provides detailed information on the tactics, techniques, and procedures employed by Andariel, along with indicators of compromise for organizations to detect the threat actor’s presence on their networks.

In conclusion, the actions of Andariel, a cyber-espionage group with alleged ties to North Korea, pose a significant threat to organizations worldwide, particularly those in critical sectors like defense, aerospace, and nuclear. The US government, along with security agencies and technology partners, continues to monitor and address the activities of Andariel to safeguard against the theft of intellectual property and sensitive information that could potentially advance North Korea’s military capabilities.
