APT45: North Korea’s pioneering cyber operator

APT45 is a North Korean cyber operator with a history dating back to 2009. Known for its espionage campaigns, the group has expanded into financially motivated operations, including ransomware development. APT45 stands out among North Korean cyber groups for its distinct malware and frequent targeting of critical infrastructure.

Michael Barnhart, Mandiant Principal Analyst, Google Cloud, said this of the group:

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world. When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.”

Mandiant assesses with high confidence that APT45 is a state-sponsored operator supporting the North Korean regime, likely linked to the Reconnaissance General Bureau (RGB). APT45’s activities have been reported under various names, including Andariel, Onyx Sleet, Stonefly, and Silent Chollima, and are often associated with the Lazarus Group.

Overview:

APT45, a moderately sophisticated cyber operator, has been active since at least 2009, conducting operations aligned with North Korea’s shifting geopolitical interests. Initially focused on espionage against government and defence sectors, APT45 has expanded into financially motivated activities, including ransomware development. The group has also shown a sustained interest in healthcare and pharmaceuticals, especially during the COVID-19 pandemic, and has targeted nuclear-related entities, reflecting its strategic importance to North Korea.

Shifts in Targeting and Expanding Operations:

APT45’s activities have evolved in line with North Korea’s changing priorities. The group has targeted government agencies, the defence industry, and nuclear research facilities, including the Kudankulam Nuclear Power Plant in India. In response to domestic agricultural challenges, APT45 targeted a crop science division in 2020. The group continues to focus on health-related research, indicating ongoing resource allocation to this sector.

Barnhart continues:

“APT45 isn’t bound by ethical considerations and has demonstrated it’s willing and agile enough to target any entity to achieve its objectives, including hospitals.

A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”

While APT45’s use of ransomware is not confirmed, public reports suggest possible involvement. The U.S. Cybersecurity and Infrastructure Security Agency reported North Korean use of MAUI ransomware in 2022, and Kaspersky identified ransomware linked to APT45 clusters in 2021.

APT45 utilises a mix of publicly available tools, modified malware, and custom malware families. Its malware exhibits distinct characteristics, including code reuse, distinctive encoding, and passwords, and its toolkit is relatively unique compared to those of other North Korean activity clusters.

Looking Ahead:

As North Korea continues to rely on cyber operations, APT45 is expected to maintain its dual focus on intelligence collection and financially motivated activities. The group’s operations will likely reflect North Korea’s evolving geopolitical priorities.