Aggregator
Russian scientists have increased the power of terahertz radiation eightfold
Baize (白泽) Interpretation of the "Regulations on the Security Management of Internet Government Applications" (Part 2)
APT45: North Korea’s Digital Military Machine
Written by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart
Executive Summary
- APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009.
- APT45 has gradually expanded into financially-motivated operations, and the group’s suspected development and deployment of ransomware sets it apart from other North Korean operators.
- APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43.
- Among the groups assessed to operate from the Democratic People's Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure.
Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group's earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities.
Shifts in Targeting and Expanding Operations
Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK's changing priorities. Malware samples indicate the group was active as early as 2009, although a focus on government agencies and the defense industry was observed beginning in 2017. Identified activity in 2019 aligned with Pyongyang’s continued interest in nuclear issues and energy. Although it is not clear if financially-motivated operations are a focus of APT45’s current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities.
Financial Sector
Like other North Korea-nexus actors, APT45 targeting includes the financial sector. In 2016, APT45 likely leveraged RIFLE to target a South Korean financial organization. Direct targeting continued through at least 2021 when the group was identified spear-phishing a South Asian bank.
Critical Infrastructure
In 2019, APT45 directly targeted nuclear research facilities and nuclear power plants such as the Kudankulam Nuclear Power Plant in India, marking one of the few publicly known instances of North Korean cyber operations targeting critical infrastructure.
Intellectual Property Theft to Address Domestic Deficiencies
In September 2020, APT45 targeted the crop science division of a multinational corporation, possibly due to the exacerbation of deteriorating agricultural production following the closure of border trade related to COVID-19 contagion fears.
Multiple North Korea-nexus operators, including APT45, focused on the healthcare and pharmaceutical verticals during a suspected COVID-19 outbreak in North Korea in 2021.
Activity observed from APT45 indicating continued interest in health-related research in 2023 suggests the continued assignment of resources to related targeting.
Potential Ransomware Use
Mandiant tracks several clusters of activity where we suspect, but cannot confirm, APT45 attribution. Public reporting has claimed that these clusters have used ransomware, possibly to fund their operations or generate revenue for the regime. While Mandiant cannot confirm this ransomware use by APT45, it is plausible, as the group has employed diverse schemes to raise money.
- In 2022, the U.S. Cybersecurity and Infrastructure Security Agency reported on North Korean state-sponsored actors' use of MAUI ransomware to target the healthcare and public health sectors.
- In 2021, Kaspersky reported on the identification of ransomware tracked by Mandiant as SHATTEREDGLASS, which has been used by suspected APT45 clusters.
Figure 1: Countries targeted by APT45
Figure 2: Industries targeted by APT45
Malware
APT45 relies on a mix of publicly available tools such as 3PROXY, malware modified from publicly available malware such as ROGUEEYE, and custom malware families. Like most DPRK activity clusters, APT45 malware exhibits distinct shared characteristics over time, including the re-use of code, unique custom encoding, and passwords. APT45 leverages a library of malware tools which is relatively distinct from other North Korean activity clusters.
Figure 3: APT45 Malware Overlap
Attribution and Links to Other Tracked Operations
Mandiant assesses with high confidence that APT45 is a state-sponsored cyber operator conducting threat activity in support of the North Korean regime. We assess with moderate confidence that APT45 is attributable specifically to North Korea’s Reconnaissance General Bureau (RGB).
Activity attributed to APT45 by Mandiant has been publicly reported as “Andariel”, "Onyx Sleet", “Stonefly”, and “Silent Chollima”. The group's activity is also frequently reported as linked to “Lazarus Group”.
Figure 4: Assessed structure of DPRK cyber operations in 2024
Looking Ahead
APT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science. Financially motivated activity occurring alongside intelligence collection has become a defining characteristic of North Korean cyber operations, and we expect APT45 to continue both missions. As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country’s leadership.
Acknowledgements
Special thanks to Mandiant Advanced Practices, Mandiant FLARE, Mandiant Validation, and FBI Kansas City.
Technical Annex: Attack Lifecycle
Figure 5: Attack Lifecycle
Technical Annex: APT45 Indicators of Compromise
A GTI Collection featuring APT45-related indicators of compromise is now available for registered users.
Ransomware and BEC Make Up 60% of Cyber Incidents
Is Our Water Safe to Drink? Securing Our Critical Infrastructure
AI under scrutiny: the US Senate has issued an ultimatum to the creators of ChatGPT
RedTeam Story #1: XSS, LFI, Logrotate
Mistral keeps pace: Large 2 outperforms Llama 3.1 and is breathing down GPT-4's neck
Network Of 3,000 GitHub Accounts Used For Malware Distribution
KnowBe4 Hires Fake North Korean IT Worker, Catches New Employee Planting Malware
Hackers Bypass Windows SmartScreen Flaw To Launch Malware
Making WAF ML models go brrr: saving decades of processing time
Processing PDFs with PDFXEdit+CEP
Seeing the true nature of ransomware: 威努特's ransomware governance practice in the semiconductor chip industry
Introducing Sigma Filters
Recent noteworthy IOCs (2024-07-25)
FBI, CISA, and Partners Release Advisory Highlighting North Korean Cyber Espionage Activity
Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released a joint Cybersecurity Advisory, North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs. The advisory was coauthored with the following organizations:
- U.S. Cyber National Mission Force (CNMF);
- U.S. Department of Defense Cyber Crime Center (DC3);
- U.S. National Security Agency (NSA);
- Republic of Korea’s National Intelligence Service (NIS);
- Republic of Korea’s National Police Agency (NPA); and
- United Kingdom’s National Cyber Security Centre (NCSC).
This advisory was crafted to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.
The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India.
All critical infrastructure organizations are encouraged to review the advisory and implement the recommended mitigations. For more information on North Korean state-sponsored threat actor activity, see CISA’s North Korea Cyber Threat Overview and Advisories page.
Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
CISA Releases Two Industrial Control Systems Advisories
CISA released two Industrial Control Systems (ICS) advisories on July 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-24-207-01 Siemens SICAM Products
- ICSA-24-207-02 Positron Broadcast Signal Processor
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.