North Korean hacking group makes waves to gain Mandiant, FBI spotlight
Stepped-up activity from a North Korean hacking group is prompting Mandiant to upgrade it to a top-tier hacking threat and the FBI to issue an alert about the outfit. The company and the agency say the group has long sought intelligence on defense programs and on research and development, but has since expanded to other targets.
Mandiant, a cybersecurity arm of Google Cloud, said in a report it released Thursday that the newly labeled APT45 has broadened its ransomware operations — rare for North Korean groups — to target health care providers, financial institutions and energy companies.
The FBI is set to follow with an advisory and news conference Thursday about the hackers.
Mandiant, which previously tracked the group as Andariel or UNC614, says it has been active since at least 2009. The “APT” designation (APT is short for “advanced persistent threat”) comes as the company has seen the group’s level of sophistication rise and its victim count grow. APT45 operates in support of the North Korean government’s interests, according to Mandiant.
“The elevation of Andariel to an APT45 designation is a reflection of heightened awareness surrounding the group’s activities,” Michael Barnhart, Mandiant principal analyst at Google Cloud, told CyberScoop in a written statement.
“This heightened awareness is a natural consequence of their increasingly sophisticated attacks and the growing number of victims across various sectors,” he said. “Andariel has demonstrated a consistent ability to execute large-scale, impactful cyber operations targeting critical infrastructure and strategic industries, often involving data breaches, ransomware deployment, and sophisticated espionage tactics.”
Mandiant said it has worked with the FBI and other government agencies to track the hackers. The FBI advisory will outline how APT45 has targeted information about a range of technologies, from tanks and drones to missile defense systems and government nuclear facilities, according to the firm.
“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defense organizations around the world,” Barnhart said in a separate statement. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”
APT45’s motives have gradually shifted toward financially motivated operations, according to Mandiant. The group targeted health care and pharmaceutical companies in the early stages of the COVID-19 pandemic and continued to target those sectors after other groups had pivoted elsewhere, which the report says may indicate a mandate to collect such information.
Gary Freas, Mandiant senior analyst at Google Cloud, told CyberScoop that even though the firm suspects the money obtained in such attacks is funneled back to the North Korean regime, the group’s primary objective isn’t to generate revenue.
“Upon seeing the success of ransomware attacks other threat groups were having against medical entities, APT45 began using the same, off-the-shelf ransomware and began demanding ransomware payments equal to the same price-range of other publicly reported incidents — regardless of the size of the victim,” Freas said.
This isn’t the first time the hacking group has gained U.S. government attention. The Treasury Department’s Office of Foreign Assets Control announced sanctions against it in 2019. The office cited the hackers’ focus on operations against businesses and government agencies, including targeting South Korea’s government, stealing bank card information and hacking into online gambling sites.
Other security vendors track the group under different names, including Plutonium and Onyx Sleet.