| APT45 | |
| --- | --- |
| Other Names | Andariel |
| Location | North Korea |
| Date of initial activity | 2009 |
| Suspected attribution | State-sponsored threat group; Reconnaissance General Bureau (RGB) |
| Associated Groups | Lazarus Group (APT38) |
| Motivation | Cyber espionage, intellectual property theft, political and diplomatic influence, financial gain |
| Associated tools | gh0st RAT, Andarat, Andaratm, Phandoor, Rifdoor, YamaBot, TigerRAT, MagicRat, Black RAT, Goat RAT, NukeSped, Dtrack, Maui ransomware, 1th Troy Reverse Shell, DurianBeacon, EarlyRat, MeshAgent |
Overview
APT45, also known as Andariel, is a North Korean cyber threat group that has been active since at least 2009. Initially, their operations focused on government agencies and the defense industry, aligning with North Korea’s strategic interests. Over time, APT45 expanded its targets to include sectors such as healthcare and agriculture, reflecting shifts in the nation’s geopolitical priorities.
The group’s activities are characterized by a blend of cyber espionage and financially motivated attacks. They have been involved in stealing military secrets and engaging in ransomware attacks against hospitals, banks, and defense firms to fund their operations.
APT45 employs a variety of tactics, including spear-phishing campaigns, malware deployment, and exploiting vulnerabilities in software to gain unauthorized access to target systems.
APT45’s operations are believed to be supported by the North Korean government, specifically the Reconnaissance General Bureau (RGB), which oversees the nation’s intelligence and cyber warfare activities. The group’s cyber operations are integral to North Korea’s broader strategy of acquiring technology and information to advance its military and nuclear programs.
In response to the growing threat posed by APT45 and similar groups, international intelligence agencies, including those from the United States, the United Kingdom, and South Korea, have issued warnings and taken measures to counteract their activities. These efforts highlight the critical need for robust cybersecurity defenses and international cooperation to mitigate the risks associated with state-sponsored cyber threats.
Common targets
APT45 primarily targets organizations and entities that are strategically important to North Korea, focusing on intelligence gathering, espionage, and sometimes financial theft. The group’s activities are often linked to the country’s broader geopolitical and economic interests.
Key targets of APT45 include:
Countries:
- South Korea
- United States
- Japan
- European Union countries (including the United Kingdom, Germany, and France)
- Russia
- India
- Canada
- Other North American countries
- Other European nations
Entities:
- Government institutions (particularly in South Korea, the U.S., Japan, and European countries)
- Defense contractors
- Technology companies (in the U.S., Japan, South Korea, and Europe)
- Diplomatic organizations
- Organizations involved in research related to security and defense
- International organizations enforcing sanctions against North Korea
- Critical infrastructure sectors (energy, defense, scientific research, and technological sectors)
Attack Vectors
APT45 utilizes several attack vectors to breach targeted networks and systems. Some of the most common methods include:
- Spear-phishing: The group frequently uses spear-phishing emails to deliver malicious payloads. These emails are often tailored to specific individuals within the target organization, increasing the likelihood of success.
- Exploiting Vulnerabilities: APT45 is known to take advantage of unpatched software vulnerabilities. This includes both public-facing vulnerabilities and those within third-party software used by organizations.
- Malicious Web Shells: In some cases, they deploy web shells on compromised servers to maintain access. This allows them to control the server and move laterally across the network.
- Credential Dumping: APT45 also focuses on credential theft, leveraging tools to dump passwords from compromised systems. This helps them escalate privileges and move further into the target environment.
- Command and Control (C2) Communications: The group is known to use legitimate services, such as social media platforms and cloud storage services, for C2 communications. This enables them to avoid detection by blending in with normal web traffic.
By combining these attack vectors, APT45 increases its chances of breaching targets and maintaining long-term access. Its focus on specific industries and its use of social engineering make it a persistent threat to high-value targets.
How they operate
APT45 operates using a variety of tactics, techniques, and procedures (TTPs) to gain access, maintain persistence, and exfiltrate valuable data from their targets. Here’s an overview of how they typically carry out their attacks:
1. Initial Access (Phishing and Social Engineering)
APT45 often begins its operations with phishing campaigns, typically leveraging social engineering techniques to trick users into opening malicious attachments or clicking on compromised links. They use carefully crafted emails that appear legitimate, often impersonating trusted entities, to lure victims into downloading malicious files or providing login credentials. This is a primary vector for initial access, which may include spear-phishing targeting specific individuals or organizations.
In some cases, they may exploit public-facing vulnerabilities in websites or web applications to gain entry into an organization’s network. They also use watering hole attacks where they compromise websites that their intended victims are likely to visit, injecting malicious code to infect their systems.
2. Execution (Running Malicious Code)
Once the attacker has gained initial access, they deploy tools such as PowerShell-based scripts or remote access trojans (RATs) to execute commands on compromised systems. PowerShell is particularly useful because it allows attackers to run scripts directly in memory, reducing the likelihood of detection by traditional antivirus software. Tools like Meterpreter or Quasar RAT are used to establish remote control over infected systems, enabling the attackers to perform additional actions or install further malware.
In some cases, APT45 uses web shells to maintain access to compromised servers. These web shells provide a remote command-line interface that allows the group to control the server and exfiltrate data without triggering alarms from basic intrusion detection systems.
3. Privilege Escalation and Lateral Movement
Once inside the network, APT45 seeks to escalate privileges and extend its reach within the environment. They often use tools like Mimikatz to dump credentials from memory and gather authentication tokens. With these credentials, they can escalate their access to higher-value systems or domains within the network.
Lateral movement is a key aspect of their operations. APT45 often uses tools like RDP (Remote Desktop Protocol) or SMB (Server Message Block) to move from one compromised system to another within the network. This helps them to gather more intelligence, exfiltrate data, and reach high-value targets such as financial systems, intellectual property, or strategic data.
4. Exfiltration and Persistence
Once they have gathered the required data, APT45 works to exfiltrate it back to their infrastructure. They use encrypted channels (e.g., HTTPS, FTP, or SFTP) to securely send the data out of the network, making it harder to detect. In addition, they employ steganography and exfiltration via cloud services to hide their activities and evade detection.
APT45 is also focused on persistence—ensuring that even if they are discovered or a breach is mitigated, they can regain access. This is achieved through the deployment of backdoors, web shells, and redundant remote access tools, making it difficult for defenders to fully remove the threat once it’s entrenched in the network.
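Section 4 mentions steganography as one of the group's exfiltration and evasion methods, and the ATT&CK list on this page attributes hiding executables inside PNG files to APT45. The following is an added, defender-side example written for this page; it is not code from the original profile or from any vendor report. It walks a PNG's chunk list and flags the things a file-triage step can check cheaply: data appended after the IEND chunk, an MZ header at the start of that trailer, non-standard chunk types, and CRC mismatches. The two sample images are constructed inline; the "tampered" one carries a four-byte MZ stand-in plus zero padding, not a real executable.

```python
import struct
import zlib

# Constructed example for PNG triage (ATT&CK T1027.003). Not APT45 tooling;
# all sample bytes are built in this file.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP",
                   "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs",
                   "sPLT", "tIME"}


def parse_png_chunks(data: bytes):
    """Walk the chunk list. Returns (chunks, end_offset): chunks is a list of
    (type, length, crc_ok) tuples, end_offset is the first byte after IEND's CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    offset = len(PNG_SIGNATURE)
    chunks = []
    while offset + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        body_start, body_end = offset + 8, offset + 8 + length
        if body_end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        offset = body_end + 4
        if ctype == b"IEND":
            return chunks, offset
    raise ValueError("no IEND chunk")


def inspect_png(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    chunks, end = parse_png_chunks(data)
    findings = []
    for name, length, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch in {name} chunk")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
    trailer = data[end:]          # a well-formed PNG ends exactly at IEND's CRC
    if trailer:
        findings.append(f"{len(trailer)} bytes of data after IEND")
        if trailer.startswith(b"MZ"):
            findings.append("trailer begins with an MZ header (PE executable)")
    return findings


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Construct a minimal valid 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


CLEAN_PNG = build_sample_png()
# Constructed stand-in for an appended executable: MZ header plus padding, not a PE.
TAMPERED_PNG = CLEAN_PNG + b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(label, inspect_png(blob) or ["no findings"])
```

The trailer check is the high-signal one: image viewers ignore everything after IEND, so a carrier file still renders normally while carrying its payload. Non-standard chunk names and CRC failures are weaker indicators (some image editors write private chunks), so in practice they are worth logging rather than blocking on.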
5. Avoiding Detection and Evasion
APT45 employs several methods to avoid detection, including:
- Fileless malware: Instead of relying on traditional files to execute malicious code, APT45 often uses fileless techniques that run in the system’s memory, making them harder to detect.
- Living off the land: They use legitimate system tools and administrative functions, such as PowerShell and Windows Management Instrumentation (WMI), to execute their commands and interact with compromised systems without triggering alarms.
- Domain fronting: To avoid detection while communicating with their command-and-control (C2) infrastructure, APT45 has been known to use domain fronting techniques, disguising malicious traffic as legitimate traffic.
6. Operations and Long-Term Persistence
APT45 is adept at staying undetected within an organization for long periods, often monitoring and gathering intelligence before executing any major moves. Their activities are characterized by patience and subtlety, with a focus on slow and methodical information gathering, allowing them to avoid alerting security teams. They also rely on multiple backups of C2 channels to ensure they can maintain access even if some routes are blocked or detected.
MITRE ATT&CK Techniques used by APT45:
- T1005 Data from Local System: APT45 has collected large numbers of files from compromised network systems for later extraction.
- T1189 Drive-by Compromise: APT45 has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.
- T1203 Exploitation for Client Execution: APT45 has exploited numerous ActiveX vulnerabilities, including zero-days.
- T1592.002 Gather Victim Host Information – Software: APT45 has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.
- T1590.005 Gather Victim Network Information – IP Addresses: APT45 has limited its watering hole attacks to specific IP address ranges.
- T1105 Ingress Tool Transfer: APT45 has downloaded additional tools and malware onto compromised hosts.
- T1027.003 Obfuscated Files or Information – Steganography: APT45 has hidden malicious executables within PNG files.
- T1588.001 Obtain Capabilities – Malware: APT45 has used a variety of publicly-available remote access Trojans (RATs) for its operations.
- T1566.001 Phishing – Spearphishing Attachment: APT45 has conducted spearphishing campaigns that included malicious Word or Excel attachments.
- T1057 Process Discovery: APT45 has used `tasklist` to enumerate processes and find a specific string.
- T1049 System Network Connections Discovery: APT45 has used the `netstat -naop tcp` command to display TCP connections on a victim's machine.
- T1204.002 User Execution – Malicious File: APT45 has attempted to lure victims into enabling malicious macros within email attachments.
Significant Attacks
APT45's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.
References:
- APT45: North Korea’s Digital Military Machine
- Andariel
- Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)
- Analysis of Andariel’s New Attack Activities
- Andariel’s silly mistakes and a new malware family
- Andariel deploys DTrack and Maui ransomware
- Andariel evolves to target South Korea with ransomware
- New Andariel Reconnaissance Tactics Uncovered
- Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups