North Korean cyber APT targeting nuclear secrets


Cyber researchers at Google Cloud’s Mandiant have upgraded a North Korean cyber threat nexus tracked over the years as Andariel, aka Onyx Sleet, Plutonium and Silent Chollima, to an official advanced persistent threat (APT) group, warning that it is targeting closely guarded atomic secrets and technology as North Korea continues its efforts to acquire nuclear weapons.

Operating since 2009 and possibly bearing links to the Lazarus hacking operation in some form, the newly designated APT45 is described as moderately sophisticated in its scope and technology.

It began its work as a financially motivated operator – like many North Korean groups, one of its primary goals is to steal capital to fund the ailing, isolated regime – with its suspected development and use of ransomware setting it apart from others. Mandiant cited evidence that APT45 clusters have used the Maui and Shatteredglass ransomware strains, although it has not been able to prove this point definitively.

What is known with some confidence is that more recently, APT45’s attention has turned to other fields, including crop science, healthcare and pharmaceuticals, and lately, much of its time has been occupied with military matters, said Mandiant.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world,” said Mandiant principal analyst Michael Barnhart. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”

In its activities, APT45 favours a mix of publicly available hacking tools and modified and custom malware strains.

Its library of tools appears somewhat distinct from those of other North Korean APTs. However, its malware does exhibit some characteristics shared with them, including code reuse, unique custom encoding and passwords.

FBI operation

Over the past few weeks, Mandiant has been “actively engaged” in a concerted effort, working alongside the FBI and other US agencies, to track APT45’s efforts to acquire defence and research intel from the US and other countries – including the UK, France, Germany and South Korea, as well as Brazil, India and Nigeria.

In its missions, APT45 is thought to have targeted heavy and light tanks; self-propelled howitzers; light strike and ammo supply vehicles; littoral combat ships and combatant craft; submarines; torpedoes and unmanned and autonomous underwater vehicles; modelling and simulation technology; fighter aircraft and drones; missiles and missile defence systems; satellites, satellite comms and related tech; surveillance and phased-array radar systems; and manufacturing including shipbuilding, robotics, 3D printing, casting, fabrication, moulding of metal, plastics and rubber, and machining processes.

More concerningly, the group has also been observed targeting uranium enrichment and processing, nuclear waste handling and storage, nuclear power plants, and nuclear facilities and research.

“APT45 isn’t bound by ethical considerations and have demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals,” said Barnhart. “A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”
