APT45, a North Korean cyber threat group, has emerged as a formidable player in the digital landscape. Recently graduated to a named Advanced Persistent Threat by Mandiant, the group has broadened its remit from traditional espionage to financially motivated operations, including suspected ransomware development. Active since at least 2009, APT45 has expanded its targets from government agencies and defense industries to critical infrastructure, healthcare, pharmaceuticals, and financial institutions. This shift in focus mirrors North Korea’s changing geopolitical priorities and underscores APT45’s distinctive role among North Korean cyber operators. The group’s activities have significantly contributed to North Korea’s military advancements, with Michael Barnhart of Mandiant stating, “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”
APT45’s Evolution and Operations
APT45, also known by various aliases such as Andariel and Silent Chollima, has been active since at least 2009. Initially, the group’s activities focused on espionage against government and defense sectors, primarily targeting South Korea. However, over the years, APT45 has expanded its operations to include financially motivated attacks, marking a significant shift in its modus operandi.
Espionage and Financially Motivated Operations
The group’s early operations were characterized by traditional cyber espionage, targeting government agencies and defense industries. This focus shifted around 2017, aligning with North Korea’s continued interest in nuclear issues and energy. By 2019, APT45 had directly targeted nuclear research facilities and power plants, including the Kudankulam Nuclear Power Plant in India, showcasing its capability to impact critical infrastructure.
In recent years, APT45 has ventured into financially motivated operations. The group is suspected of developing and deploying ransomware, a tactic that sets it apart from other North Korean operators. This ransomware activity is believed to fund not only the group’s own operations but also other state priorities. For instance, in 2016, APT45 likely used the RIFLE malware to target a South Korean financial organization, and in 2021, it was identified spear-phishing a South Asian bank.
Targeted Sectors and Geopolitical Impact
APT45’s operations have targeted a diverse range of sectors, reflecting North Korea’s evolving priorities. These sectors include agriculture, healthcare, finance, government, and defense. The group’s activities have been observed in several countries, including both Koreas and India.
Healthcare and Agriculture
During the COVID-19 pandemic, multiple North Korean cyber groups, including APT45, targeted the healthcare and pharmaceutical sectors. This focus extended beyond the initial stages of the pandemic, with APT45 continuing to target health-related research into 2023. This ongoing interest suggests a mandate to collect related information, possibly to address domestic deficiencies.
In September 2020, APT45 targeted the crop science division of a multinational corporation. This attack was likely motivated by the need to address deteriorating agricultural production in North Korea, exacerbated by the closure of border trade due to COVID-19 contagion fears.
Malware and Techniques
APT45 employs a variety of malware families and techniques to achieve its objectives. Notable malware families associated with the group include RIFLE, Maui Ransomware, SHATTEREDGLASS, 3PROXY, and ROGUEEYE. These tools are used alongside a range of tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework. Key TTPs include:
- T1047: Windows Management Instrumentation
- T1063: Security Software Discovery (this ID is deprecated in current ATT&CK; the technique now lives at T1518.001 under Software Discovery)
- T1082: System Information Discovery
- T1053: Scheduled Task/Job
- T1195: Supply Chain Compromise
- T1567: Exfiltration Over Web Service
- T1059: Command and Scripting Interpreter
- T1204: User Execution
- T1571: Non-Standard Port
- T1027: Obfuscated Files or Information
- T1132: Data Encoding
- T1588: Obtain Capabilities
- T1213: Data from Information Repositories
- T1485: Data Destruction
- T1498: Network Denial of Service
- T1018: Remote System Discovery
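The ATT&CK IDs above are only useful once they become something a detection team can test. The following is an added example, not code from the original article or from Mandiant: a small Python triage script that applies detection logic for four of the listed techniques (T1047, T1053, T1059 with T1027-style encoding, and T1571) over constructed Sysmon-style event records. The event lines, field names, paths and ports are assumptions for illustration, not APT45 indicators; the rules are generic heuristics for each technique, and a real deployment would tune the trusted-path and standard-port lists to the environment.

```python
import json
import ntpath
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (JSON lines). These are illustrative, not real telemetry.
# EventID 1 = process creation, EventID 3 = network connection. The last line is
# deliberately truncated to show how malformed input is handled.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\up.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 3, "Image": "C:\\Users\\Public\\up.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8443, "Protocol": "tcp"}
{"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443, "Protocol": "tcp"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 3, "Image": "C:\\Users\\Public\\up.exe", "DestinationPort":
"""

# Heuristic lists (assumed for this example; tune per environment).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
STANDARD_PORTS = {22, 25, 53, 80, 123, 389, 443, 445, 587, 993}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Matches -e, -ec, -enc and -EncodedCommand as a separate argument (not -ep etc.).
ENCODED_FLAG = re.compile(r"\s-e(c|nc|ncodedcommand)?\b", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    reason: str
    image: str


def _name(path):
    """Lower-cased basename of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path or "").lower()


def check_wmi_exec(ev):
    """T1047: a shell or script host spawned by the WMI provider host."""
    if ev.get("EventID") == 1 and _name(ev.get("ParentImage")) == "wmiprvse.exe" \
            and _name(ev.get("Image")) in SHELLS:
        return Finding("T1047", "shell spawned by WmiPrvSE.exe", ev["Image"])
    return None


def check_scheduled_task(ev):
    """T1053: schtasks.exe creating a task (common persistence)."""
    if ev.get("EventID") == 1 and _name(ev.get("Image")) == "schtasks.exe" \
            and "/create" in ev.get("CommandLine", "").lower():
        return Finding("T1053", "schtasks /create", ev["Image"])
    return None


def check_encoded_powershell(ev):
    """T1059 (with T1027/T1132 encoding): PowerShell launched with a base64 command."""
    if ev.get("EventID") == 1 and _name(ev.get("Image")) in {"powershell.exe", "pwsh.exe"} \
            and ENCODED_FLAG.search(ev.get("CommandLine", "")):
        return Finding("T1059", "encoded PowerShell command line", ev["Image"])
    return None


def check_nonstandard_port(ev):
    """T1571: outbound connection on a non-standard port from a binary outside trusted dirs."""
    if ev.get("EventID") != 3:
        return None
    port = ev.get("DestinationPort")
    image = (ev.get("Image") or "").lower()
    if port not in STANDARD_PORTS and not image.startswith(TRUSTED_DIRS):
        return Finding("T1571", f"outbound {ev.get('Protocol', '?')}/{port} from untrusted path", ev["Image"])
    return None


CHECKS = (check_wmi_exec, check_scheduled_task, check_encoded_powershell, check_nonstandard_port)


def parse_events(text):
    """Parse JSON lines; a malformed line is skipped so one bad record does not abort the batch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def analyze(text):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in parse_events(text):
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason} ({f.image})")
```

Each rule is deliberately narrow (parent/child pairing for T1047, the `/create` verb for T1053, an explicit encoded-argument pattern for T1059, and a path-plus-port condition for T1571) so that a hit carries context an analyst can act on, rather than a bare ID match.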
Looking Ahead
APT45’s activities mirror North Korea’s geopolitical priorities, shifting from espionage to include financially motivated operations. As North Korea continues to rely on cyber operations as an instrument of national power, APT45 and other North Korean cyber operators are expected to adapt to the changing priorities of the country’s leadership. This adaptability, coupled with the group’s willingness to target any entity to achieve its objectives, underscores the ongoing threat posed by APT45 in the global cyber landscape.