Andariel (G0138): North Korea's Dual-Threat Cyber Espionage and Ransomware Group
- Suspected Origin
- North Korea
- Motivation
- Espionage, Financial Gain, Destruction
- Aliases
- Silent Chollima, PLUTONIUM, Onyx Sleet
- Target Sectors
- Government, Military, Defense, Aerospace, Nuclear, Financial Services, Healthcare, Energy, IT Services, Critical Infrastructure, Manufacturing, Education, Construction
- Associated Malware
- Maui, DTrack, NukeSped, MagicRAT, YamaBot, EarlyRat, Sliver, 3Proxy, PLINK, Stunnel, Mimikatz, ProcDump, Dumpert, Bmdoor, Rifdoor, Phandoor, Andarat, GhostRat
Overview
Andariel, tracked by MITRE ATT&CK as G0138, is a highly adaptive and persistent North Korean state-sponsored threat group operating under the umbrella of the infamous Lazarus Group. Also known by aliases such as Silent Chollima, PLUTONIUM, and Onyx Sleet, this group has been active since at least 2009, with some reporting indicating operations as early as 2007. Andariel is directly attributed to North Korea’s Reconnaissance General Bureau (RGB), specifically its 3rd Bureau, also identified as Bureau 121 or Lab 110.
The group’s operational objectives are multifaceted, aligning closely with Pyongyang’s strategic and financial imperatives. Historically, Andariel conducted destructive attacks and focused heavily on cyber espionage to gather intelligence, particularly against South Korean government and military targets. In recent years, however, Andariel has evolved to become a significant player in financially motivated cybercrime, actively engaging in ransomware attacks and cryptocurrency theft to generate revenue. This dual-track approach—combining espionage with revenue generation—is a hallmark of North Korean cyber operations, allowing Andariel to fund its own espionage activities and support the regime’s military and nuclear ambitions, often circumventing international sanctions.
Andariel’s primary geographic focus has historically been South Korea, targeting government agencies, military organizations, and domestic companies. However, their operations have expanded globally, with documented targets in the United States, Japan, and India. The group casts a wide net across critical sectors, including defense, aerospace, nuclear engineering, financial services, and healthcare. Their targets range from acquiring intellectual property related to satellite technology and military aircraft to disrupting operations and stealing sensitive data from financial institutions and healthcare providers.
Tactics & Techniques
Andariel’s tactics and techniques are sophisticated and constantly adapting, demonstrating a keen understanding of modern cyber vulnerabilities. For initial access, the group primarily leverages spear-phishing campaigns, often employing malicious attachments (Word, Excel) or fake job offers tailored to deceive victims. They are also well-known for utilizing watering hole attacks, frequently incorporating zero-day exploits and limiting these attacks to specific IP ranges to compromise targets discreetly.
A significant aspect of their initial access methodology involves exploiting public-facing applications and web servers. Andariel regularly targets known and critical vulnerabilities in widely used software, prioritizing unpatched systems. Notable exploits include those against the infamous Log4j vulnerability (CVE-2021-44228), VMware Horizon, Apache Tomcat, Microsoft SharePoint servers, and the TeamCity RCE vulnerability (CVE-2023-42793). Once inside, they establish persistence through various means, including scheduled tasks, registry modifications, and custom malware families.
For internal network navigation and privilege escalation, Andariel employs credential dumping techniques, using publicly available tools such as Mimikatz, ProcDump, and Dumpert to access Active Directory domain databases. They conduct extensive discovery operations, using commands like tasklist to enumerate processes and netstat -naop tcp to display network connections. They also gather detailed victim host and network information, including browser types, system languages, and IP addresses.
Command and Control (C2) infrastructure often involves tunneling traffic over various protocols from compromised hosts to their C2 servers using tools like 3Proxy, PLINK, and Stunnel. The group has also been observed deploying the Sliver implant, an open-source C2 framework. Data exfiltration is a meticulously planned process: files are collected, often archived into RAR files (sometimes with malicious WinRAR), and then transferred to cloud storage or secondary servers before being moved to North Korean infrastructure via tools like PuTTY, WinSCP, FTP, and RDP. Andariel also employs evasion techniques, such as hiding malicious executables within PNG files and using commercial packers like Themida and VMProtect to obfuscate their malware.
Notable Campaigns
Andariel has a long history of impactful campaigns:
- Operation Black Mine, Operation GoldenAxe, and Campaign Rifle: These early campaigns, active since at least 2016-2017, largely targeted South Korean military and government organizations, establishing many of the group’s foundational TTPs. Operation GoldenAxe specifically involved watering hole attacks with ActiveX zero-day exploits.
- Sony Pictures Hack (2014): Some security researchers have linked Andariel to this high-profile incident.
- Kudankulam Nuclear Power Plant (2019): Andariel targeted this Indian nuclear facility, marking one of the confirmed instances of North Korean cyber operations against critical nuclear infrastructure.
- Maui Ransomware Campaigns (2021-2023): A significant shift towards revenue generation saw Andariel deploying the Maui ransomware against U.S. healthcare entities. These campaigns were explicitly designed to extort hospitals, with proceeds potentially funding further espionage. The U.S. Department of Justice indicted Rim Jong Hyok in July 2024 in connection with Log4Shell exploitation and Maui extortion, highlighting the direct link between state-sponsored activity and cybercrime.
- Aerospace and Defense Targeting (2023-2024): Recent intelligence reports from Microsoft and CISA indicate a renewed focus on the aerospace and defense sectors, with campaigns from October 2023 to June 2024 deploying the Sliver implant to exfiltrate intellectual property related to satellite technology and military aircraft.
- Collaboration with Play Ransomware (2024): In September 2024, Andariel (tracked as Jumpy Pisces) was observed potentially collaborating with the Play ransomware group, possibly acting as an initial access broker or affiliate, indicating deeper involvement in the broader ransomware ecosystem.
Associated Malware & Tools
Andariel possesses a diverse and evolving arsenal of malware and legitimate tools.
- Ransomware: Maui is a prominent ransomware strain used by Andariel, particularly against the U.S. healthcare sector. They have also used SHATTEREDGLASS ransomware and have been observed leveraging existing ransomware infrastructure like Play ransomware.
- Remote Access Trojans (RATs) & Backdoors: Their custom toolkit includes DTrack (also known as Valefor and Preft), a long-established malware for information collection and exfiltration. Other notable RATs and backdoors include NukeSped (Manuscrypt), MagicRAT, YamaBot, EarlyRat, and the open-source Sliver implant.
- Older Custom Malware: Historically, the group has used custom malware like Bmdoor, Rifdoor, Phandoor, Andarat, and GhostRat.
- Legitimate Tools: Andariel frequently incorporates legitimate, off-the-shelf tools to blend in with normal network traffic and maintain access. These include:
- Proxy/Tunneling Tools: 3Proxy, PLINK, and Stunnel are used for command and control.
- Remote Access/Transfer Tools: Supremo remote desktop, PuTTY, WinSCP, FTP, and RDP facilitate remote access and data transfer.
- Credential Dumping: Mimikatz, ProcDump, and Dumpert are employed for credential theft.
- Other Utilities: Powerline, NTDSDumpEx, ForkDump, and even malicious WinRAR for archiving have been observed.
Current Status
Andariel remains an active and persistent threat. Recent reports from July and August 2024 from CISA and Kratos Space confirm ongoing cyber espionage campaigns, specifically targeting aerospace and defense organizations across the U.S., Japan, South Korea, and India. Microsoft Threat Intelligence, tracking Andariel as Onyx Sleet, also highlighted their continued exploitation of N-day vulnerabilities and deployment of tools like the Sliver implant in campaigns observed from October 2023 to June 2024.
The group’s operational model continues to feature a dangerous blend of cyber espionage and financially motivated attacks. They are actively engaged in ransomware operations against the U.S. healthcare sector, using the proceeds to fund their broader strategic objectives. The July 2024 indictment by the U.S. Department of Justice of Rim Jong Hyok for his role in Maui ransomware attacks against healthcare providers underscores the ongoing nature and legal consequences of Andariel’s activities. Furthermore, their observed collaboration with the Play ransomware group in September 2024 indicates a potential evolution in their financial operations model. Security researchers continue to closely monitor Andariel’s evolving tactics, techniques, and procedures, emphasizing the need for robust cybersecurity measures and international cooperation to defend against this sophisticated and adaptable threat.
Related content
APT38: North Korea's Relentless Financial Cyber Offensive
Adversary ProfileFIN13 (Elephant Beetle): Mexico-Focused Financial Threat Group
Adversary ProfilePlay Ransomware (G1040) Threat Profile: Evolving Tactics and Global Impact
Adversary ProfileCleaver (G0003): Iranian APT Targeting Critical Infrastructure
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call