Mandiant Shines Spotlight on APT45 Behind North Korea’s Digital Military Machine


The inner workings of North Korea’s government-run hacking operations came into sharper focus this week with a new Mandiant report documenting the emergence of APT45 as an aggressive ransomware actor targeting healthcare providers, financial institutions, and energy companies.

The newly designated APT45, tracked for years under names including Andariel and Silent Chollima, is known for cyberespionage supporting the strategic interests of Kim Jong Un's regime, but has more recently expanded its operations to include data-extortion and ransomware attacks against highly sensitive targets.

The Mandiant report coincides with a joint advisory from the U.S. government and its allies exposing the tools and tactics used by the North Korean hacking group. A Mandiant spokesman said the company has worked closely with multiple U.S. government agencies, including the FBI, to track the group's efforts to acquire defense and R&D intelligence.

The multi-agency bulletin is expected to detail how the DPRK hackers targeted information about heavy and light tanks and self-propelled howitzers; light strike vehicles and ammunition supply vehicles; littoral combat ships, combatant craft and submarines; torpedoes; and unmanned underwater vehicles (UUVs) and autonomous underwater vehicles (AUVs).

“When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him,” said Michael Barnhart, who leads Mandiant’s North Korean threat hunting team. “APT45 isn’t bound by ethical considerations and has demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals.”

Although the group's earliest observed activity consisted of espionage campaigns against government agencies and defense industries, mostly in South Korea, Mandiant's researchers found that APT45 has since expanded into financially motivated operations, including targeting of the financial vertical.

“We also assess with moderate confidence that APT45 has engaged in the development of ransomware,” the incident response firm said. “The group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities.”

Beyond its interest in ransomware, Mandiant found that APT45 directly targeted nuclear research facilities and nuclear power plants, among them the Kudankulam Nuclear Power Plant in India, one of the few publicly known instances of North Korean cyber operations against critical infrastructure.


While Mandiant carefully hedges its attribution of ransomware attacks to APT45, the company pointed to public reporting that the group has conducted financial crime to fund its operations or generate revenue for the regime.

Although Mandiant stops short of confirming that ransomware is part of APT45's arsenal, it pointed to advisories from CISA, the U.S. government's cybersecurity agency, on North Korean state-sponsored actors' use of MAUI ransomware against the healthcare and public health sectors.

As with most North Korean hacking teams, Mandiant said, APT45's malware exhibits distinct shared characteristics over time, including reused code, unique custom encoding, and recurring passwords.

Mandiant published a VirusTotal Collection featuring APT45-related indicators of compromise to help defenders hunt for signs of infections.
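To show how a defender would actually put such a collection to use, here is a small hunting script added as an example; it is not Mandiant's code and it does not pull from the VirusTotal Collection. The IOC list and the log lines in it are constructed placeholders (the hash, domain, IP and URL are not APT45 indicators), chosen to exercise the normalisation that real hunts need: published indicators are often defanged (`[.]`, `hxxp`) and mixed-case, while telemetry is not.

```python
"""Match a small IOC list against log lines, as a defender would when
hunting with a published indicator collection.

Added example. The IOC values and log lines below are constructed
placeholders, not APT45 indicators from Mandiant's collection.
"""
import re

# Constructed IOC list in the "type,value" shape many threat-intel exports
# use. Values are deliberately defanged to exercise refang(); none is real.
IOC_CSV = """\
sha256,0000000000000000000000000000000000000000000000000000000000000001
domain,update-check[.]example[.]net
ipv4,203[.]0[.]113[.]42
url,hxxps://files[.]example[.]org/dl/setup.bin
"""

# Constructed sample telemetry: process-create, DNS, network and proxy events.
SAMPLE_LOGS = [
    "2024-07-25T10:01:02Z host01 ProcessCreate image=C:\\Users\\a\\svc.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000001",
    "2024-07-25T10:01:05Z host01 DnsQuery name=UPDATE-CHECK.example.net",
    "2024-07-25T10:01:06Z host01 NetConn dst=203.0.113.42:443",
    "2024-07-25T10:02:10Z host02 ProxyRequest url=https://files.example.org/dl/setup.bin",
    "2024-07-25T10:03:00Z host03 DnsQuery name=www.example.com",
]


def refang(value: str) -> str:
    """Undo common defanging ([.] -> ., hxxp -> http) and lower-case."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()


def load_iocs(text: str) -> dict:
    """Parse 'type,value' lines into {type: set(normalised values)}."""
    iocs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs.setdefault(kind.strip().lower(), set()).add(refang(value))
    return iocs


# One extractor per indicator type, keyed to the field names in SAMPLE_LOGS
# (hypothetical field names; adapt to your own log schema).
EXTRACTORS = (
    ("sha256", re.compile(r"sha256=([0-9a-fA-F]{64})")),
    ("domain", re.compile(r"name=([\w.-]+)")),
    ("ipv4", re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")),
    ("url", re.compile(r"url=(\S+)")),
)


def hunt(lines, iocs):
    """Return (line, ioc_type, matched_value) for every indicator hit."""
    hits = []
    for line in lines:
        for kind, rx in EXTRACTORS:
            m = rx.search(line)
            if not m:
                continue
            value = refang(m.group(1))  # same normalisation as the IOC side
            if value in iocs.get(kind, ()):
                hits.append((line, kind, value))
    return hits


if __name__ == "__main__":
    for line, kind, value in hunt(SAMPLE_LOGS, load_iocs(IOC_CSV)):
        print(f"[{kind}] {value} <- {line}")
```

Normalising both sides through the same `refang` step is the point: an uppercase DNS query or a defanged URL in the feed would otherwise miss silently, which is the most common reason an IOC hunt reports "no findings" on a host that is in fact infected.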

Related: KnowBe4 Hires Fake North Korean, Catches New Employee Planting Malware 

Related: North Korean Threat Actor Engaging in Espionage, Revenue Generation Attacks

Related: North Korean .Gov Hackers Back With Fake Pen-Test Company

Related: Google Warning: North Korean Gov Hackers Targeting Security Researchers
