Andariel

Threat Actor updated 23 days ago (2024-11-29T14:49:43.115Z)
Download STIX
Preview STIX
Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In some instances, these attacks and espionage operations have occurred simultaneously, even against the same entity. Andariel deploys DTrack and Maui ransomware, with the latter having been active since at least 2022. The group has also attacked ActiveX objects and is known to leave tools in specific folders post-attack. The group's activities have not gone unnoticed. The US Department of State's Rewards for Justice (RFJ) program is offering up to $10 million for information leading to key Andariel members like Rim Jong Hyok. Researchers suggest that defenders use the latest threat intelligence to identify malware on networks and advanced URL filtering and DNS security products to detect known URLs and domains associated with Andariel's malicious activity. This advice comes as Andariel continues to target critical sectors such as defense, aerospace, nuclear, and engineering companies, as well as global managed service providers. There are signs of collaboration between Andariel and the Play ransomware group. For instance, the compromised account used for initial access and spreading of Andariel's signature tools, including Silver and Dtrack, was also used prior to Play ransomware deployment. After breaching networks, Andariel moves laterally and maintains persistence by spreading the open source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol. Despite some mistakes made by the group, it remains a significant cybersecurity threat.
Description last updated: 2024-11-21T10:32:53.211Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Onyx Sleet is a possible alias for Andariel. Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ
6
Reconnaissance General Bureau is a possible alias for Andariel. The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl
6
Lazarus Group is a possible alias for Andariel. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati
5
Rgb is a possible alias for Andariel. RGB is a notorious threat actor, primarily associated with North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. This organization falls under the General Staff Bureau of the DPRK Korean People's Army and has been linked to numerous cyber-attacks against international en
5
Stonefly is a possible alias for Andariel. Stonefly, also known as Andariel, Silent Chollima, Onyx Sleet, and APT45, is a threat actor group that has been active since at least 2015 and is believed to be linked to the North Korean government. The group has been involved in various attacks, including ransomware campaigns against Healthcare an
4
Plutonium is a possible alias for Andariel. Plutonium, also known as Jumpy Pisces and Andariel, is a notable threat actor historically involved in cyberespionage, financial crime, and ransomware attacks. Recent reports indicate that this group has been breaching the IT systems of Sellafield, a site that holds the world's largest stockpile of
3
Bluenoroff is a possible alias for Andariel. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
3
Silent Chollima is a possible alias for Andariel. Silent Chollima, also known as Stonefly or APT45, is a threat actor with links to North Korea's foreign intelligence agency, the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau. The group has been active since at least 2015, when it began shifting its objectives. Silent Chol
3
Reconnaissance General Bureau Rgb is a possible alias for Andariel. The Reconnaissance General Bureau (RGB) of the Korean People's Army is a significant threat actor in global cybersecurity, housing various hacking groups under its control. These groups include well-known entities such as "Lazarus Group," "Bluenoroff," and "Andariel," identified by Executive Order 1
3
ZINC is a possible alias for Andariel. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa
2
Jumpy Pisces is a possible alias for Andariel. Jumpy Pisces, a North Korean state-sponsored malware group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it's the first recorded instance of such cooperation betwe
2
APT38 is a possible alias for Andariel. APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Apt
Korean
Malware
Exploit
Police
Reconnaissance
Cybercrime
Vulnerability
Log4j
State Sponso...
Proxy
Teamcity
Lateral Move...
Downloader
Espionage
Bitcoin
Ransom
Backdoor
Telegram
Implant
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Dtrack Malware is associated with Andariel. DTrack is a malicious software (malware) known for its data theft capabilities. It was first associated with North Korean threat groups and has been used in numerous cyber attacks globally. The malware infiltrates systems through suspicious downloads, emails, or websites, and once inside, it collectUnspecified
3
The Collectionrat Malware is associated with Andariel. CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus sUnspecified
2
The Earlyrat Malware is associated with Andariel. EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases, Unspecified
2
The Ninerat Malware is associated with Andariel. NineRAT is a malicious software, or malware, that was first built in May 2022 and initially used in the Operation Blacksmith campaign against a South American agricultural organization in March. It is one of two Remote Access Trojans (RATs) utilized by Lazarus, a notorious Advanced Persistent ThreatUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Kimsuky Threat Actor is associated with Andariel. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, whichUnspecified
5
The temp.hermit Threat Actor is associated with Andariel. Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overlUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Log4Shell Vulnerability is associated with Andariel. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorizedUnspecified
4
The CVE-2023-42793 Vulnerability is associated with Andariel. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurreUnspecified
4
Source Document References
Information about the Andariel Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
a month ago
DARKReading
2 months ago
Unit42
2 months ago
DARKReading
2 months ago
Unit42
3 months ago
InfoSecurity-magazine
4 months ago
Securityaffairs
5 months ago
DARKReading
5 months ago
DARKReading
5 months ago
Flashpoint
5 months ago
CISA
5 months ago
CISA
5 months ago
DARKReading
7 months ago
Securityaffairs
7 months ago
Securelist
7 months ago
Checkpoint
8 months ago
DARKReading
8 months ago
InfoSecurity-magazine
8 months ago
Securityaffairs
8 months ago
CERT-EU
10 months ago