Andariel
| Field | Value |
|---|---|
| Actor Type | Nation State |
| Attributed to Nation | North Korea |
| Directly Linked Intrusion Sets | Onyx Sleet, APT45 |
| Associated Threat Actor | North Korean Reconnaissance General Bureau 3rd Bureau |
| Associated MITRE ATT&CK Group | Andariel (G0138) |
Andariel is a state-sponsored cyber organization based in Pyongyang and Sinuiju, North Korea. It operates under the Reconnaissance General Bureau's (RGB) 3rd Bureau. Andariel has been active since around 2009 and focuses on espionage. Initially targeting defense contractors and military organizations, it has expanded its scope to include nuclear weapons information and, during the pandemic, organizations in the life sciences and pharmaceutical sector.
Andariel's primary objective is to steal sensitive and classified technical information, intellectual property, and military secrets. It has compromised organizations globally, seeking to further North Korea's military and nuclear ambitions. The group poses an ongoing threat to critical infrastructure organizations worldwide, including defense, financial services infrastructure, aerospace, nuclear, engineering, medical, and energy sectors.
Andariel Threat Reports
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners highlights the cyber espionage activities of the ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
T1560 | Archive Collected Data | Collection |
T1587.001 | Malware | Resource Development |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1021 | Remote Services | Lateral Movement |
T1587.004 | Exploits | Resource Development |
T1083 | File and Directory Discovery | Discovery |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1071 | Application Layer Protocol | Command and Control |
T1591 | Gather Victim Org Information | Reconnaissance |
T1003 | OS Credential Dumping | Credential Access |
T1572 | Protocol Tunneling | Command and Control |
T1190 | Exploit Public-Facing Application | Initial Access |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1090 | Proxy | Command and Control |
T1592 | Gather Victim Host Information | Reconnaissance |
T1087 | Account Discovery | Discovery |
T1059 | Command and Scripting Interpreter | Execution |
T1596 | Search Open Technical Databases | Reconnaissance |
T1039 | Data from Network Shared Drive | Collection |
T1595 | Active Scanning | Reconnaissance |