Andariel

Threat Actor updated 4 days ago (2024-09-10T04:18:36.016Z)
Andariel, also known as Jumpy Pisces and Onyx Sleet, is a North Korean state-sponsored threat actor engaged in both cyberespionage and ransomware. It has been linked to malicious activity alongside other DPRK groups such as Lazarus Group and Bluenoroff. Its modus operandi includes exploiting vulnerabilities in server security products, domestic (South Korean) VPNs, and IT management software to distribute malware such as DoraRAT and to gain high-level access to and control over its targets. A notable instance occurred in April 2024, when the group exploited such vulnerabilities to deliver remote-control malware to construction and machinery companies.

Its victims range from U.S. healthcare entities to critical national infrastructure organizations, with the aim of stealing classified technical information and intellectual property. Andariel funds this espionage through ransomware operations, particularly against U.S. healthcare entities, and in recent years has conducted ransomware attacks and cyberespionage on the same day or against the same entity. This dual approach indicates a sophisticated, multifaceted threat strategy.

The joint advisory from the UK, US, and South Korean governments lists 41 Common Vulnerabilities and Exposures (CVEs) that Andariel actors have exploited as part of their cyberespionage campaign. Once inside a network, the group uses a variety of custom tools and malware to establish remote access, move laterally, and steal data. Despite increased awareness and protective measures by targeted entities, Andariel has continued to employ the same tactics, techniques, and procedures (TTPs) over extended periods, indicating confidence in the effectiveness of its tradecraft.
Description last updated: 2024-09-10T03:18:29.615Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Name (votes): profile description

Reconnaissance General Bureau (6 votes): The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency responsible for clandestine operations abroad, and it is believed to coordinate the nation's cyber activities. The RGB has been linked to several advanced persistent threat (APT) groups, including BeagleBoyz, Kimsuky, Anda

Onyx Sleet (6 votes): Onyx Sleet, also known as Andariel, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is a North Korean state-sponsored cyber group associated with the Democratic People's Republic of Korea (DPRK)'s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. This threat actor pri

Lazarus Group (5 votes): The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated

RGB (5 votes): RGB is a threat actor group, part of North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency under the General Staff Bureau of the Korean People's Army. Over the years, the RGB has revealed at least six threat groups, including Andariel, also known as Onyx Sleet, formerly P

Stonefly (4 votes): The Andariel APT (also known as Stonefly, Silent Chollima, and Onyx Sleet) is a threat actor believed to be associated with the North Korean government. Active since at least 2015, it has been implicated in several cyber attacks, notably using ransomware campaigns to target US Healthcare and Public

Reconnaissance General Bureau Rgb (3 votes): The Reconnaissance General Bureau (RGB) is a key threat actor group associated with North Korea's cyber espionage activities. Known within the global cybersecurity industry as the umbrella organization for hacking groups like "Lazarus Group," "Bluenoroff," and "Andariel," it operates under the Korea

Silent Chollima (3 votes): Silent Chollima, a North Korea-nexus threat actor, is known for its malicious cyber activities. The group, which is part of the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency, has been associated with other groups such as Lazarus,

APT38 (2 votes): APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite

Bluenoroff (2 votes): BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs. They have

ZINC (2 votes): Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa

Plutonium (2 votes): Plutonium, a threat actor with potentially global implications, has been involved in several critical incidents. The group's activities have been traced back to the 1960s when alleged Israeli scientists visited NUMEC, claiming to obtain plutonium-238 for non-nuclear projects. The lack of stringent r
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Apt
Korean
Exploit
Cybercrime
Police
Reconnaissance
Vulnerability
Log4j
State Sponso...
Proxy
Bitcoin
Ransom
Telegram
Espionage
Lateral Move...
Implant
Backdoor
Downloader
Teamcity
Associated Malware
Name (type, votes): profile description

EarlyRat (type unspecified, 2 votes): EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,

CollectionRAT (type unspecified, 2 votes): CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus s

NineRAT (type unspecified, 2 votes): NineRAT is a malicious software, or malware, that was first built in May 2022 and initially used in the Operation Blacksmith campaign against a South American agricultural organization in March. It is one of two Remote Access Trojans (RATs) utilized by Lazarus, a notorious Advanced Persistent Threat
Associated Threat Actors
Name (type, votes): profile description

Kimsuky (type unspecified, 5 votes): Kimsuky, a threat actor linked to North Korea, has been increasingly active in conducting cyber espionage and malicious attacks. This group, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, was first identified by Kaspersky researchers in 2013. In recent de

Temp.Hermit (type unspecified, 2 votes): Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl
Associated Vulnerabilities
Name (type, votes): profile description

Log4Shell (type unspecified, 4 votes): Log4Shell is a significant software vulnerability in Apache Log4j, a popular Java-based logging library. This vulnerability, officially known as CVE-2021-44228, allows malicious actors to execute arbitrary code on affected systems, providing an avenue fo

CVE-2023-42793 (type unspecified, 4 votes): CVE-2023-42793 is a critical security vulnerability identified in the JetBrains TeamCity build management and continuous integration server. This flaw, an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Source Document References
Information about the Andariel threat actor was read from the documents below (display limited to 20 results).

Source (created): title

Unit42 (4 days ago): Threat Assessment: North Korean Threat Groups
InfoSecurity-magazine (a month ago): South Korea Warns Pyongyang Has Stolen Spy Plane Details
Securityaffairs (a month ago): North Korea-linked hackers target construction and machinery sectors with watering hole and supply chain attacks
DARKReading (a month ago): Feds Warn of North Korean Cyberattacks on US Critical Infrastructure
DARKReading (a month ago): US Offers $10M Reward for Information on North Korean Hacker
Flashpoint (a month ago): COURT DOC: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers
CISA (a month ago): North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs | CISA
CISA (a month ago): FBI, CISA, and Partners Release Advisory Highlighting North Korean Cyber Espionage Activity | CISA
DARKReading (3 months ago): LilacSquid APT Employs Open Source Tools, QuasarRAT
Securityaffairs (3 months ago): LilacSquid APT targeted orgs in the U.S., Europe, and Asia
Securelist (4 months ago): APT trends report Q1 2024 – Securelist
Checkpoint (5 months ago): 29th April – Threat Intelligence Report - Check Point Research
DARKReading (5 months ago): 3 DPRK APTs Spied on South Korea Defense Industry
InfoSecurity-magazine (5 months ago): North Korean Hackers Target Dozens of Defense Companies
Securityaffairs (5 months ago): North Korea-linked APT groups target South Korean defense contractors
CERT-EU (6 months ago): Critical JetBrains TeamCity flaws come under active attacks
CERT-EU (6 months ago): JetBrains urges users to fix critical TeamCity On-Premises vulnerabilities
CERT-EU (9 months ago): Cyber Security Week In Review: December 29, 2023
CERT-EU (9 months ago): Apache ActiveMQ Vulnerability: The Threat That Cannot Be Ignored
DARKReading (9 months ago): Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare