fresnel6 - Fotolia
North Korean cyber APT targeting nuclear secrets
Mandiant has upgraded the North Korean threat actor known as Andariel to APT status and warned of coordinated efforts to steal western military IP, including nuclear secrets
Cyber researchers at Google Cloud’s Mandiant has upgraded a North Korean cyber threat nexus tracked over the years as Andariel, aka Onyx Sleet, Plutonium and Silent Chollima, to an official advanced persistent threat (APT) group, warning that it is targeting closely guarded atomic secrets and technology as North Korea continues its efforts to acquire nuclear weapons.
Operating since 2009 and possibly bearing links to the Lazarus hacking operation in some form, the newly designated APT45 is described as moderately sophisticated in its scope and technology.
It is likely controlled though North Korea's Reconnaissance General Bureau (RGB) 3rd Bureau and began its work as a financially motivated operator – like many North Korean groups, a primary goal is to steal capital to fund the ailing, isolated regime – with its suspected development and use of ransomware setting it apart from others. Mandiant cited evidence of use of the Maui and Shatteredglass ransomware strains by APT45 clusters, although it has not been definitively able to prove this point.
What is known with some confidence is that more recently, APT45’s attention has turned to other fields, including crop science, healthcare and pharmaceuticals, and lately, much of its time has been occupied with military matters, said Mandiant.
“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world,” said Mandiant principal analyst Michael Barnhart. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”
In its activities, APT45 favours a mix of publicly available hacking tools, and modified and custom malware strains.
Its library of tools appears somewhat distinct from other North Korean APTs, however, its malware does exhibit some shared characteristics, including code reuse, unique custom encoding and passwords.
FBI operation
Over the past few weeks, Mandiant has been “actively engaged” in a concerted effort, working alongside the FBI and other US agencies, to track APT45’s efforts to acquire defence and research intel from the US and other countries – including the UK, France, Germany and South Korea, as well as Brazil, India and Nigeria.
In its missions, APT45 is thought to have targeted heavy and light tanks; self-propelled howitzers; light strike and ammo supply vehicles; littoral combat ships and combatant craft; submarines; torpedoes and unmanned and autonomous underwater vehicles; modelling and simulation technology; fighter aircraft and drones; missiles and missile defence systems; satellites, satellite comms and related tech; surveillance and phased-array radar systems; and manufacturing including shipbuilding, robotics, 3D printing, casting, fabrication, moulding of metal, plastics and rubber, and machining processes.
More concerningly, the group has also been observing targeting uranium enrichment and processing, waste and storage, nuclear power plants, and facilities and research.
“APT45 isn’t bound by ethical considerations and have demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals,” said Barnhart. “A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”
NCSC issues warning
Meanwhile, the UK's National Cyber Security Centre (NCSC), alongside allied agencies from around the world, including the US and South Korea, issued its own alert over APT45's activity.
It said intelligence suggested APT45 poses an “ongoing threat” to critical infrastructure organisations globally.
“The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes,” said NCSC operations director Paul Chichester.
“It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse. The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”
The full advisory, included indicators of compromise (IOCs), can be read here.
This article was updated at 16:40 on Thursday 25 July to incorporate the NCSC's advisory.
Read more about North Korean threat activity
- Joint parliamentary security committee chair Margaret Beckett writes to prime minister urging government to prepare for foreign states interfering with 4 July election.
- The local authority for Europe’s biggest nuclear site has been slammed by auditors for its response to a North Korea-linked cyber attack that temporarily crippled its operations.
- Threat actors from China, Iran, North Korea and Russia have all been probing use cases for generative AI service ChatGPT, but have yet to use such tools in a full-blown cyber attack.