Andariel, Silent Chollima
Description
A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.
Names
Name | Name-Giver |
---|---|
Andariel | FSI |
Silent Chollima | CrowdStrike |
Stonefly | Symantec |
Plutonium | Microsoft |
Onyx Sleet | Microsoft |
APT 45 | Mandiant |
Jumpy Pisces | Palo Alto |
Country
North Korea
Motivation
- Information theft and espionage
- Financial gain (ATM/BPC theft, ransomware and extortion)
First Seen
2009
Operations
- 2014: Operation “BLACKMINE”. Target: South Korean organizations. Method: Information theft and espionage.
- 2014: Operation “GHOSTRAT”. Target: Defense industry. Method: Information theft and espionage.
- 2014: Operation “XEDA”. Target: Foreign defense industries. Method: Information theft and espionage.
- 2015: Operation “INITROY”/Phase 1. Target: South Korean organizations. Method: Information theft/early phase operation.
- 2015: Operation “DESERTWOLF”/Phase 3. Target: South Korean defense industry. Method: Information theft and espionage.
- 2015: Operation “BLACKSHEEP”/Phase 3. Target: Defense industry. Method: Information theft and espionage.
- 2016: Operation “INITROY”/Phase 2. Target: South Korean organizations. Method: Information theft/early phase operation.
- 2016: Operation “VANXATM”. Target: ATM companies. Method: Financial theft/BPC.
- 2017: Operation “Mayday”. Target: South Korean financial company. Method: Information theft and espionage.
- 2018-06: Operation “GoldenAxe” https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/
- 2021-04: Lazarus APT conceals malicious code within BMP image to drop its RAT https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
- 2021-06: Andariel evolves to target South Korea with ransomware https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
- 2022-02: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage
- 2022-08: Andariel deploys DTrack and Maui ransomware https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
- 2022-10: DPRK hacking groups breach South Korean defense contractors https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/
- 2023-03: Operation “Blacksmith”: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
- 2023-06: Andariel’s silly mistakes and a new malware family https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
- 2023-10: Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- 2023-11: Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group) https://asec.ahnlab.com/en/59073/
- 2023-11: Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) https://asec.ahnlab.com/en/59318/
- 2023-12: North Korean hackers stole anti-aircraft system data from South Korean firm https://therecord.media/north-korea-hackers-stole-anti-aircraft-system-data
- 2024-03: Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent) https://asec.ahnlab.com/en/63192/
- 2024-04: North Korean hackers exploit VPN update flaw to install malware https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/
- 2024-05: Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) https://asec.ahnlab.com/en/66088/
- 2024-08: Stonefly: Extortion Attacks Continue Against U.S. Targets https://www.security.com/threat-intelligence/stonefly-north-korea-extortion
- 2024 Mid: Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger) https://asec.ahnlab.com/en/85400/
- 2024-10: Jumpy Pisces Engages in Play Ransomware https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
Counter Operations
- 2024-07: Rewards for Justice – Reward Offer for Information on North Korean Malicious Cyber Actor Targeting U.S. Critical Infrastructure https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-north-korean-malicious-cyber-actor-targeting-u-s-critical-infrastructure/
Information
- https://asec.ahnlab.com/en/56405/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
- https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
Mitre Attack
Other Information
Uuid
00089621-cabc-421a-b2ce-3fd18f6bfa9c
Last Card Change
2024-12-28