Silent Chollima

Threat Actor Profile Updated 2 months ago
Silent Chollima is a North Korea-nexus threat actor. CrowdStrike places the group in the 3rd Bureau of the Reconnaissance General Bureau (RGB), North Korea's foreign intelligence agency, and its activity overlaps with clusters tracked under the Lazarus umbrella such as Andariel and APT38. Silent Chollima, also tracked as Andariel or Stonefly, began shifting its objectives in 2015; before that shift its operations showed both destructive and espionage components. CrowdStrike also identified an attempt at revenue generation by Silent Chollima before it split the financially motivated activity out as a separate adversary, Stardust Chollima. Japanese organizations have been targeted because of Japan's proximity to North Korea and the geopolitical tensions in the region.

CrowdStrike noted a definitive shift in Silent Chollima's tactics, and the activity overlaps with the cluster widely tracked as Andariel (aka Onyx Sleet), a subgroup within the Lazarus umbrella. It remains unclear whether the TwoPence framework is used exclusively by Stardust Chollima or whether elements of it are shared with related DPRK adversaries such as Labyrinth Chollima, Ricochet Chollima, or Silent Chollima.

The most recent attacks linked to Silent Chollima involved exploitation of CVE-2023-42793, a critical authentication bypass in JetBrains TeamCity with a CVSS score of 9.8. Microsoft attributed these attacks to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). Silent Chollima uses its own tools and infrastructure, and no overlap was identified between it and Stardust Chollima, suggesting distinct operational strategies among these adversaries.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may also be relevant (vote counts reflect the corpus association).
Andariel (3 votes): Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res

Labyrinth Chollima (2 votes): Labyrinth Chollima, a threat actor linked to North Korea, has been involved in numerous malicious activities since 2009. Tracked by CrowdStrike and other cybersecurity organizations, Labyrinth Chollima is part of the Lazarus Group, known for stealthy attacks targeting various industries such as acad

Stonefly (2 votes): Stonefly, also known as Andariel or Silent Chollima, is a threat actor group believed to be linked with the North Korean government. Active since at least 2015, Stonefly has been involved in numerous attacks, including several attributed to the North Korean state-sponsored operation Lazarus. The gro

APT38 (1 vote): APT38, also known as TA444, BlueNoroff, BlackAlicanto, Copernicium, Sapphire Sleet, Stardust Chollima, and TraderTraitor, is a threat actor group suspected to be backed by the North Korean regime. The group has been active in operations across over 16 organizations in at least 11 countries, primaril

Onyx Sleet (1 vote): Onyx Sleet, a North Korean nation-state threat actor, has been identified as a significant cybersecurity risk by Microsoft. Operating under the Lazarus Group umbrella, Onyx Sleet primarily targets defense and IT services organizations in South Korea, the United States, and India. In October 2023, Mi

Reconnaissance General Bureau (1 vote): The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency responsible for clandestine operations abroad, including cyber activities. The RGB has been associated with several threat actors, including the BeagleBoyz, who have likely been active since at least 2014. Other groups lin
Miscellaneous Associations
Other elements of context (corpus tags) that could aid in assessing relevance:
Ransomware
Espionage
APT
CrowdStrike
Reconnaissance
Japan
Exploit
DPRK
Backdoor
Malware
Associated Malware
Stardust (type unspecified, 1 vote): Stardust is a potent malware that has been identified in cyber attacks on specific targets, notably the Katerji Group and Arfada Petroleum, both located in Syria. The malware is part of a family of malicious payloads that include Meteor and Comet, but with distinct characteristics. Stardust does not

Nemesis Kitten (type unspecified, 1 vote): Nemesis Kitten, also known as Lord Nemesis, is an activity cluster attributed to an Iran-nexus threat group closely aligned with the Iranian government. It emerged in late 2023 and quickly made its mark with a significant cyberattack on Rashim, a software company. The cluster is known for exploiting misconfi

Nemesis (type unspecified, 1 vote): Nemesis is a type of malware, specifically known as an infostealer, which infiltrates systems to exploit and cause damage. It often enters systems undetected through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. A deeper lo

DTrack (type unspecified, 1 vote): DTrack is a type of malware, or malicious software, known for its destructive capabilities. It can infiltrate systems through dubious downloads, emails, or websites and wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, DTrack was utiliz
Associated Threat Actors
Stardust Chollima (type unspecified, 1 vote): Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f

Diamond Sleet (type unspecified, 1 vote): Diamond Sleet is a threat actor group associated with North Korea that has been implicated in a series of advanced persistent threat (APT) supply chain attacks. These attacks have notably relied on the exploitation of CyberLink software, a popular multimedia application suite. The cybersecurity indu
Associated Vulnerabilities
CVE-2023-42793 (type unspecified, 1 vote): CVE-2023-42793 is a critical security vulnerability identified in the JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
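The profile above only names CVE-2023-42793 as an authentication bypass; a defender holding TeamCity access logs will want a retrospective check for it. The following is an added example written for this page, not code from JetBrains, CrowdStrike or Microsoft. It assumes facts not stated on this page, drawn from the public disclosures of this CVE: that the unpatched server exempted any request path ending in /RPC2 from authentication, so an unauthenticated POST to /app/rest/users/id:<n>/tokens/RPC2 minted an access token for user <n>, and that reported follow-on activity used the /app/rest/debug/ endpoints with that token. The log lines, the Combined Log Format layout and the IP addresses are constructed for the example; adjust LINE_RE to whatever proxy or TeamCity access-log format you actually have.

```python
"""Retrospective sweep of proxy access logs for CVE-2023-42793 exploitation.

Added example for this profile page; not vendor code. Assumptions (not on the page):
  * Combined Log Format: ip ident authuser [timestamp] "METHOD path proto" status bytes
  * Bypass path: unauthenticated POST to /app/rest/users/id:<n>/tokens/RPC2
    succeeded (2xx) on unpatched TeamCity and returned a token for user <n>.
  * Follow-on abuse with the stolen token hit /app/rest/debug/ endpoints.
All sample log lines are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Path that the authentication interceptor exempted (assumed from public disclosure).
BYPASS_RE = re.compile(r'^/app/rest/users/id:\d+/tokens/RPC2(?:\?|$)')
# Debug API used in reported follow-on activity (assumed from public reporting).
DEBUG_RE = re.compile(r'^/app/rest/debug/')

# Constructed sample log: one successful bypass plus debug-API use (203.0.113.7),
# one legitimate authenticated token creation (198.51.100.4), and one probe that
# was rejected, as a patched server would (192.0.2.9).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:08:13:01 +0000] "GET /login.html HTTP/1.1" 200 5121
203.0.113.7 - - [10/Oct/2023:08:13:02 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:08:13:04 +0000] "POST /app/rest/debug/processes HTTP/1.1" 200 88
198.51.100.4 - - [10/Oct/2023:08:20:10 +0000] "GET /app/rest/users/id:1/tokens HTTP/1.1" 401 0
198.51.100.4 - admin [10/Oct/2023:08:21:00 +0000] "POST /app/rest/users/id:1/tokens/ci-token HTTP/1.1" 200 290
192.0.2.9 - - [11/Oct/2023:02:00:00 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 404 0
192.0.2.9 - - [11/Oct/2023:02:00:01 +0000] "GET /app/rest/debug/processes HTTP/1.1" 401 0
"""


def scan(log_text):
    """Return a list of (source_ip, severity, path) findings.

    high:     an unauthenticated client got a 2xx from the RPC2 token path
              (the bypass succeeded, i.e. the server was unpatched at the time).
    low:      the RPC2 token path was requested but rejected (probe, or patched server).
    critical: a debug endpoint was hit by a source that already succeeded with the bypass.
    """
    findings = []
    bypassed = set()  # source IPs with a confirmed bypass, used for correlation
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats rather than abort the sweep
        ip, user, path = m['ip'], m['user'], m['path']
        status = int(m['status'])
        if BYPASS_RE.match(path):
            if user == '-' and 200 <= status < 300:
                bypassed.add(ip)
                findings.append((ip, 'high', path))
            else:
                findings.append((ip, 'low', path))
        elif DEBUG_RE.match(path) and ip in bypassed:
            findings.append((ip, 'critical', path))
    return findings


def by_severity(findings):
    """Group findings by severity so noisy 'low' probes can be triaged separately."""
    groups = defaultdict(list)
    for ip, sev, path in findings:
        groups[sev].append((ip, path))
    return dict(groups)


if __name__ == '__main__':
    for sev, hits in by_severity(scan(SAMPLE_LOG)).items():
        print(sev, hits)
```

Two caveats on the design: the correlation key is the source IP, which is cheap to rotate, so a 'high' finding on its own already warrants pulling TeamCity's own audit log for tokens created around that timestamp; and a rejected RPC2 request only tells you the server was patched or the probe malformed, not that the actor gave up.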
Source Document References
Information about the Silent Chollima threat actor was read from the documents in the corpus listed below. This display is limited to 20 results.

CERT-EU (7 months ago): Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
CERT-EU (9 months ago): Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw
CERT-EU (a year ago): North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
CERT-EU (a year ago): North Korean Hacker Group Andariel Strikes with New EarlyRat Malware – GIXtools
CrowdStrike (a year ago): Adversary Insights from Japan Front Lines | CrowdStrike
MITRE (a year ago): Adversary: Silent Chollima - Threat Actor | Crowdstrike Adversary Universe
MITRE (a year ago): STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike
CSO Online (a year ago): APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
Malwarebytes (a year ago): CISA issues alert with South Korean government about DPRK's ransomware antics
CERT-EU (a year ago): APT trends report Q1 2023
CERT-EU (a year ago): APT trends report Q1 2023 - GIXtools