The Andariel hacking group, a notorious entity linked to North Korea, has recently shifted its focus towards financially motivated attacks on U.S. organizations. This pivot, observed in August 2024, marks a significant change in the group's operational strategy, raising concerns among cybersecurity experts and organizations alike.
Background of Andariel
Andariel, considered a sub-cluster of the notorious Lazarus Group, is also known as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly. They’ve been active since at least 2009.
Operating under North Korea's Reconnaissance General Bureau (RGB), Andariel is notorious for deploying ransomware strains like SHATTEREDGLASS and Maui, and developing custom backdoors such as Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand.
They also use lesser-known tools like a data wiper called Jokra and an advanced implant named Prioxer for exchanging commands and data with a command-and-control (C2) server.
In July 2024, a North Korean military intelligence operative from Andariel was indicted by the U.S. Department of Justice (DoJ) for ransomware attacks on healthcare facilities, using the proceeds to conduct further intrusions into defense, technology, and government sectors worldwide.
The Shift in Focus
Symantec, a leading cybersecurity firm, reported that Andariel's recent campaigns have targeted U.S. organizations across various sectors, including finance, healthcare, and retail.
The group's tactics have evolved to include sophisticated phishing attacks, ransomware deployments, and exploitation of known vulnerabilities in widely used software. This shift is indicative of a broader trend where state-sponsored groups diversify their objectives to include financial motivations alongside traditional espionage.
Techniques and Tactics
Andariel's attack involves a combination of advanced persistent threats (APTs) and financially motivated cybercrime techniques. Some of the key tactics observed include:
1. Phishing Campaigns: Andariel has been leveraging highly targeted phishing emails to gain initial access to corporate networks. These emails often mimic legitimate communications and contain malicious attachments or links that deploy malware upon interaction.
2. Ransomware Attacks: The group has increasingly used ransomware to encrypt critical data and demand hefty ransoms in cryptocurrency. This tactic not only disrupts business operations but also provides a lucrative revenue stream.
3. Exploitation of Vulnerabilities: Andariel has been quick to exploit known vulnerabilities in popular software and systems. By targeting unpatched systems, they can gain unauthorized access and move laterally within networks to exfiltrate sensitive data.
4. Supply Chain Attacks: Another concerning tactic is the compromise of third-party vendors and suppliers to infiltrate larger organizations. This method allows Andariel to bypass direct defenses and gain access through trusted connections.
