Andariel

Threat Actor updated 11 hours ago (2024-11-21T11:31:53.528Z)
Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB), has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In some instances, these attacks and espionage operations have occurred simultaneously, even against the same entity. Andariel deploys the DTrack malware and the Maui ransomware, the latter active since at least 2022. The group has also attacked ActiveX objects and is known to leave tools in specific folders after an attack.

The group's activities have not gone unnoticed. The US Department of State's Rewards for Justice (RFJ) program is offering up to $10 million for information on key Andariel members such as Rim Jong Hyok. Researchers suggest that defenders use the latest threat intelligence to identify malware on their networks, and advanced URL filtering and DNS security products to detect known URLs and domains associated with Andariel's malicious activity. This advice comes as Andariel continues to target critical sectors such as defense, aerospace, nuclear, and engineering companies, as well as global managed service providers.

There are signs of collaboration between Andariel and the Play ransomware group. For instance, the compromised account used for initial access and for spreading Andariel's signature tools, including Sliver and DTrack, was also used prior to Play ransomware deployment. After breaching a network, Andariel moves laterally and maintains persistence by spreading the open-source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol. Despite some mistakes made by the group, it remains a significant cybersecurity threat.
Description last updated: 2024-11-21T10:32:53.211Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias Description (Votes)
(6 votes) Onyx Sleet is a possible alias for Andariel. Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ
(6 votes) Reconnaissance General Bureau is a possible alias for Andariel. The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl
(5 votes) Lazarus Group is a possible alias for Andariel. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
(5 votes) Rgb is a possible alias for Andariel. RGB is a notorious threat actor, primarily associated with North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. This organization falls under the General Staff Bureau of the DPRK Korean People's Army and has been linked to numerous cyber-attacks against international en
(4 votes) Stonefly is a possible alias for Andariel. Stonefly, also known as Andariel, Silent Chollima, Onyx Sleet, and APT45, is a threat actor group that has been active since at least 2015 and is believed to be linked to the North Korean government. The group has been involved in various attacks, including ransomware campaigns against Healthcare an
(3 votes) Plutonium is a possible alias for Andariel. Plutonium, also known as Jumpy Pisces and Andariel, is a notable threat actor historically involved in cyberespionage, financial crime, and ransomware attacks. Recent reports have revealed that advanced persistent threats (APTs) backed by Plutonium have been breaching the Sellafield's IT systems, wh
(3 votes) Bluenoroff is a possible alias for Andariel. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
(3 votes) Silent Chollima is a possible alias for Andariel. Silent Chollima, also known as Stonefly or APT45, is a threat actor with links to North Korea's foreign intelligence agency, the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau. The group has been active since at least 2015, when it began shifting its objectives. Silent Chol
(3 votes) Reconnaissance General Bureau Rgb is a possible alias for Andariel. The Reconnaissance General Bureau (RGB) of the Korean People's Army is a significant threat actor in global cybersecurity, housing various hacking groups under its control. These groups include well-known entities such as "Lazarus Group," "Bluenoroff," and "Andariel," identified by Executive Order 1
(2 votes) ZINC is a possible alias for Andariel. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa
(2 votes) Jumpy Pisces is a possible alias for Andariel. Jumpy Pisces, a North Korean state-sponsored malware group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it's the first recorded instance of such cooperation betwe
(2 votes) APT38 is a possible alias for Andariel. APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite
Miscellaneous Associations
Other contextual elements that may help in assessing relevance
Ransomware
Apt
Korean
Malware
Exploit
Police
Reconnaissance
Cybercrime
Vulnerability
Log4j
State Sponso...
Proxy
Teamcity
Lateral Move...
Downloader
Espionage
Bitcoin
Ransom
Backdoor
Telegram
Implant
Associated Malware
Alias Description (Association Type, Votes)
(Unspecified, 3 votes) The Dtrack Malware is associated with Andariel. DTrack is a malicious software (malware) known for its data theft capabilities. It was first associated with North Korean threat groups and has been used in numerous cyber attacks globally. The malware infiltrates systems through suspicious downloads, emails, or websites, and once inside, it collect
(Unspecified, 2 votes) The Collectionrat Malware is associated with Andariel. CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus s
(Unspecified, 2 votes) The Earlyrat Malware is associated with Andariel. EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,
(Unspecified, 2 votes) The Ninerat Malware is associated with Andariel. NineRAT is a malicious software, or malware, that was first built in May 2022 and initially used in the Operation Blacksmith campaign against a South American agricultural organization in March. It is one of two Remote Access Trojans (RATs) utilized by Lazarus, a notorious Advanced Persistent Threat
Associated Threat Actors
Alias Description (Association Type, Votes)
(Unspecified, 5 votes) The Kimsuky Threat Actor is associated with Andariel. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activit
(Unspecified, 2 votes) The temp.hermit Threat Actor is associated with Andariel. Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl
Associated Vulnerabilities
Alias Description (Association Type, Votes)
(Unspecified, 4 votes) The Log4Shell Vulnerability is associated with Andariel. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized
(Unspecified, 4 votes) The CVE-2023-42793 Vulnerability is associated with Andariel. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Source Document References
Information about the Andariel threat actor was drawn from the documents listed below. This display is limited to 20 results.
Source (Created)
DARKReading (15 hours ago)
DARKReading (21 days ago)
Unit42 (22 days ago)
DARKReading (a month ago)
Unit42 (2 months ago)
InfoSecurity-magazine (3 months ago)
Securityaffairs (4 months ago)
DARKReading (4 months ago)
DARKReading (4 months ago)
Flashpoint (4 months ago)
CISA (4 months ago)
CISA (4 months ago)
DARKReading (6 months ago)
Securityaffairs (6 months ago)
Securelist (6 months ago)
Checkpoint (7 months ago)
DARKReading (7 months ago)
InfoSecurity-magazine (7 months ago)
Securityaffairs (7 months ago)
CERT-EU (8 months ago)