2024-07-25

Cyber researchers at Google Cloud’s Mandiant have upgraded a North Korean threat cluster tracked over the years as Andariel, aka Onyx Sleet, Plutonium and Silent Chollima, to a formally designated advanced persistent threat (APT) group, warning that it is targeting closely guarded nuclear secrets and technology as North Korea continues its efforts to acquire nuclear weapons.

Operating since 2009 and possibly bearing links to the Lazarus hacking operation in some form, the newly designated APT45 is described as moderately sophisticated in its scope and technology.

Alongside its espionage work it has also carried out financially motivated operations – like many North Korean groups, a primary goal is to steal capital to fund the ailing, isolated regime – and its suspected development and use of ransomware sets it apart from other North Korean operators. Mandiant cited evidence of use of the Maui and Shatteredglass ransomware strains by APT45 clusters, although it has not been able to confirm this definitively.

What is known with some confidence is that more recently, APT45’s attention has turned to other fields, including crop science, healthcare and pharmaceuticals, and lately, much of its time has been occupied with military matters, said Mandiant.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world,” said Mandiant principal analyst Michael Barnhart. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”

In its activities, APT45 favours a mix of publicly available hacking tools and modified and custom malware strains.

Its library of tools appears somewhat distinct from those of other North Korean APTs; however, its malware does exhibit some characteristics shared with them, including reused code, unique custom encoding and passwords.