A new report by Mandiant has shed light on North Korea’s APT45, previously known as Andariel or Silent Chollima, revealing its transition from cyberespionage to aggressive ransomware attacks. APT45, which has historically supported North Korean strategic interests through espionage, has recently targeted sectors such as healthcare, financial institutions, and energy companies with data-extortion ransomware.
The report, released alongside a U.S. government advisory, highlights the sophisticated tactics and tools used by APT45. This group has expanded its operations beyond traditional espionage to include ransomware attacks that impact sensitive targets. Mandiant has collaborated with various U.S. agencies, including the FBI, to track the group’s efforts to acquire defense and research intelligence.
APT45’s activities include targeting nuclear research facilities and critical infrastructure, such as the Kudankulam Nuclear Power Plant in India. This marks one of the rare instances where North Korean cyber operations have been publicly known to affect critical infrastructure. The group’s ransomware attacks are part of a broader strategy to support the regime’s goals and generate revenue.
Mandiant’s analysis also reveals that APT45’s malware shares distinct characteristics, including reused code and custom encoding, aiding in the identification of their operations. Although Mandiant has not definitively confirmed ransomware as part of APT45’s arsenal, there is public reporting linking the group to MAUI ransomware attacks targeting healthcare and public health sectors.