Cyber Threat Report: 'APT45: North Korea’s Digital Military Machine'
| Report Author | Mandiant |
|---|---|
| Publication Date | 2024-07-25 |
| Original Reporting | Source |
| Attributed to Nation | North Korea |
| Related Intrusion Sets | Onyx Sleet, Andariel, APT45 |
| Related Threat Actors | North Korean Reconnaissance General Bureau |
| Victim Sectors | Legal Services, Telecommunications, Aerospace, Retail, Defense, Chemical, Pharmaceuticals, Insurance, Energy, Education, Financial Services, Utilities, Technology, National Government, Nuclear, Healthcare, Agriculture, Transportation |
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT: APT45. The report describes APT45 as a moderately sophisticated cyber operator supporting the interests of the DPRK that has been active since at least 2009. Initially focused on espionage campaigns against government agencies and defense industries, APT45 has expanded its operations to include financially motivated activity, such as targeting the financial sector and developing ransomware. The group has also shown a sustained interest in healthcare and pharmaceuticals, particularly during the COVID-19 pandemic, and has targeted nuclear-related entities. APT45's operations track the shifting geopolitical priorities of North Korea: malware samples indicate activity as early as 2009, with a focus on government and defense industries beginning in 2017. The group's financially motivated operations may both fund its own activity and generate revenue for other North Korean state priorities.

APT45 relies on a mix of publicly available tools, modified malware, and custom malware families, and its tooling has exhibited distinct shared characteristics over time. Mandiant assesses with high confidence that APT45 is a state-sponsored cyber operator conducting threat activity in support of the North Korean regime, likely attributable to North Korea's Reconnaissance General Bureau (RGB). The group's activity has been publicly reported under other names, including "Andariel," "Onyx Sleet," "Stonefly," and "Silent Chollima." As North Korea continues to rely on cyber operations as an instrument of national power, the analysts expect APT45 to persist in both intelligence collection and financially motivated activity.