
Mandiant: North Korean Hackers Are Targeting Naval Tech

Google Cloud's Mandiant cyber researchers have upgraded Andariel, also known as Onyx Sleet, Plutonium, and Silent Chollima, to a formally tracked advanced persistent threat (APT) group, APT45, warning that it is targeting extremely sensitive nuclear secrets and technology as North Korea continues its nuclear weapons acquisition efforts.

APT45, which has been active since 2009 and may have some connection to the Lazarus hacking operation, is characterised as moderately sophisticated in terms of both scope and technology. Like many North Korean groups, its main objective is to steal money to fund the failing, isolated regime. It started out as a financially motivated operator and is most likely under the control of North Korea's Reconnaissance General Bureau (RGB) 3rd Bureau.

What sets it apart from other groups, though, is its suspected development and use of ransomware. Mandiant has seen evidence of APT45 clusters using the Maui and Shatteredglass ransomware strains, although it has not been able to corroborate this with certainty. What is known with more confidence is that APT45's interest has recently broadened into other fields, such as crop science, healthcare, and pharmaceuticals, even as much of its effort remains devoted to military matters, according to Mandiant.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world,” stated Mandiant principal analyst Michael Barnhart. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.” 

APT45's operations combine publicly available hacking tools with modified and non-public custom malware variants. Its tool library appears to be distinct from those of other North Korean APTs, although its malware shares some traits with theirs, such as code reuse, unique custom encoding, and shared passwords.

FBI operation 

Over the last few weeks, Mandiant has been "actively engaged" in an organised effort, operating alongside the FBI and other US agencies, to monitor APT45's efforts to gather defence and research intelligence from the US and other nations, including the UK, France, Germany, and South Korea, as well as Brazil, India, and Nigeria.

APT45 is believed to have targeted heavy and light tanks, self-propelled howitzers, light strike and ammunition supply vehicles, littoral combat ships and combatant craft, submarines, torpedoes, and unmanned and autonomous underwater vehicles; modelling and simulation technology; fighter aircraft and drones; missiles and missile defence systems; satellites, satellite communications, and related technology; surveillance and phased-array radar systems; and manufacturing, including shipbuilding, robotics, 3D printing, casting, fabrication, moulding of metal, plastics and rubber, and machining processes. More worryingly, the group has also been tracking nuclear facilities and research, nuclear power plants, waste and storage, and uranium enrichment and processing.

“APT45 isn’t bound by ethical considerations and have demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals,” added Barnhart. “A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”