Andariel

Threat Actor updated a month ago (2024-08-13T10:18:05.657Z)
Andariel, a state-backed threat group linked to North Korea's Reconnaissance General Bureau, has been identified as a significant cyber threat. The group has demonstrated its capabilities by compromising critical national infrastructure organizations and accessing classified technical information and intellectual property. Notably, the group has also targeted healthcare entities in the U.S., funding its espionage activities through ransomware operations. In some instances, Andariel has launched ransomware attacks and conducted cyber espionage operations simultaneously against the same entity.

The group has also shown a trend of exploiting vulnerabilities in server security products and IT management software for mass infections, because such products have high-level access and control. In April 2024, Andariel was found exploiting vulnerabilities in domestic VPN and server security software, distributing a remote control malware called DoraRAT to construction and machinery companies. This activity demonstrates the group's ability to use custom tools and malware to establish remote access, enable lateral movement, and steal data once it gains access to a network. A joint advisory listed 41 Common Vulnerabilities and Exposures (CVEs) that Andariel actors have exploited as part of their cyberespionage campaign. The advisory also detailed other tactics, techniques, and procedures (TTPs) used by Andariel, enabling organizations to take protective measures.

Andariel is associated with other North Korean Advanced Persistent Threat (APT) groups such as Kimsuky and Lazarus Group. The group has been active for several years, demonstrating consistent and effective tradecraft in its cyberattacks. The breadth of information pursued in its current campaign is diverse, reflecting a broad range of interests and targets. As Andariel continues to pose a significant cyber threat, it is crucial for organizations to remain vigilant and proactive in their cybersecurity efforts.
Description last updated: 2024-08-13T10:16:17.357Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Reconnaissance General Bureau (6 votes): The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency responsible for clandestine operations abroad, and it is believed to coordinate the nation's cyber activities. The RGB has been linked to several advanced persistent threat (APT) groups, including BeagleBoyz, Kimsuky, Anda

Lazarus Group (5 votes): The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and

Rgb (5 votes): RGB is a threat actor group associated with North Korea's Reconnaissance General Bureau (RGB), which has been involved in numerous cyber espionage activities. The RGB 3rd Bureau, based in Pyongyang and Sinuiju, includes state-sponsored cyber groups known as Andariel, Onyx Sleet (formerly PLUTONIUM),

Onyx Sleet (5 votes): Onyx Sleet, also known as Andariel, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is a threat actor associated with North Korea's state-sponsored cyber operations. This group operates under the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau, based

Stonefly (4 votes): The Andariel APT (also known as Stonefly, Silent Chollima, and Onyx Sleet) is a threat actor believed to be associated with the North Korean government. Active since at least 2015, it has been implicated in several cyber attacks, notably using ransomware campaigns to target US Healthcare and Public

Reconnaissance General Bureau Rgb (3 votes): The Reconnaissance General Bureau (RGB) is a North Korean threat actor, responsible for executing actions with malicious intent. It is associated with several hacking groups known within the global cybersecurity industry as Lazarus Group, Bluenoroff, and Andariel, which have been identified as agenci

Silent Chollima (3 votes): Silent Chollima, a North Korea-nexus threat actor, is known for its malicious cyber activities. The group, which is part of the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency, has been associated with other groups such as Lazarus,

APT38 (2 votes): APT38, also known as TA444, BlueNoroff, BlackAlicanto, Copernicium, Sapphire Sleet, and Stardust Chollima, is a North Korea-linked advanced persistent threat (APT) group. It has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions wor

Bluenoroff (2 votes): BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,

ZINC (2 votes): Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been actively involved in cyberattacks on global media, defense, and IT industries. Microsoft's Threat Intelligence Center has been tracking the group's activities, which have included weaponizing open-source softw

Plutonium (2 votes): Plutonium, a threat actor with potentially global implications, has been involved in several critical incidents. The group's activities have been traced back to the 1960s when alleged Israeli scientists visited NUMEC, claiming to obtain plutonium-238 for non-nuclear projects. The lack of stringent r
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Apt
Korean
Exploit
Reconnaissance
Police
Vulnerability
Cybercrime
Proxy
Log4j
State Sponso...
Bitcoin
Ransom
Telegram
Espionage
Lateral Move...
Implant
Backdoor
Teamcity
Downloader
Associated Malware
EarlyRat (type unspecified, 2 votes): EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,

CollectionRAT (type unspecified, 2 votes): CollectionRAT is a newly identified malware, discovered by cybersecurity researchers who traced its origins through reused infrastructure components. This malicious software, short for Malware, is designed to exploit and damage computers or devices, often infiltrating systems via suspicious download

NineRAT (type unspecified, 2 votes): NineRAT is a malicious software, or malware, that was first built in May 2022 and initially used in the Operation Blacksmith campaign against a South American agricultural organization in March. It is one of two Remote Access Trojans (RATs) utilized by Lazarus, a notorious Advanced Persistent Threat
Associated Threat Actors
Kimsuky (type unspecified, 5 votes): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked threat actor first identified by a Kaspersky researcher in 2013. This cyberespionage group has been associated with various malicious activities, including spear-phishing camp

Temp.Hermit (type unspecified, 2 votes): Temp.Hermit, also known as Lazarus Group or Hidden Cobra, is a threat actor group associated with North Korea's Reconnaissance General Bureau (RGB). The group has been operational since 2013 and is known for its cyberespionage activities targeting governments and sectors such as defense, telecommuni
Associated Vulnerabilities
Log4Shell (type unspecified, 4 votes): Log4Shell is a significant software vulnerability that exists within the Log4j Java-based logging utility. The vulnerability, officially designated as CVE-2021-44228, allows potential attackers to execute arbitrary code on targeted systems. Advanced Persistent Threat (APT) actors, including LockBit

CVE-2023-42793 (type unspecified, 4 votes): CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Source Document References
Information about the Andariel threat actor was drawn from the source documents listed below (this display is limited to 20 results).
Source (Created): Title

InfoSecurity-magazine (a month ago): South Korea Warns Pyongyang Has Stolen Spy Plane Details
Securityaffairs (a month ago): North Korea-linked hackers target construction and machinery sectors with watering hole and supply chain attacks
DARKReading (a month ago): Feds Warn of North Korean Cyberattacks on US Critical Infrastructure
DARKReading (a month ago): US Offers $10M Reward for Information on North Korean Hacker
Flashpoint (a month ago): COURT DOC: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers
CISA (a month ago): North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs | CISA
CISA (a month ago): FBI, CISA, and Partners Release Advisory Highlighting North Korean Cyber Espionage Activity | CISA
DARKReading (3 months ago): LilacSquid APT Employs Open Source Tools, QuasarRAT
Securityaffairs (3 months ago): LilacSquid APT targeted orgs in the U.S., Europe, and Asia
Securelist (4 months ago): APT trends report Q1 2024 – Securelist
Checkpoint (4 months ago): 29th April – Threat Intelligence Report - Check Point Research
DARKReading (4 months ago): 3 DPRK APTs Spied on South Korea Defense Industry
InfoSecurity-magazine (4 months ago): North Korean Hackers Target Dozens of Defense Companies
Securityaffairs (4 months ago): North Korea-linked APT groups target South Korean defense contractors
CERT-EU (6 months ago): Critical JetBrains TeamCity flaws come under active attacks
CERT-EU (6 months ago): JetBrain urges to fix critical TeamCity On-Premises vulnerabilities
CERT-EU (8 months ago): Cyber Security Week In Review: December 29, 2023
CERT-EU (9 months ago): Apache ActiveMQ Vulnerability: The Threat That Cannot Be Ignored
DARKReading (9 months ago): Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare
BankInfoSecurity (9 months ago): Lazarus Exploits Log4Shell to Deploy Telegram-Based Malware