North Korea's APT45: A Dual-Threat Cyber Operator

APT45, a North Korean cyber operator active since 2009, has evolved from espionage to include financially motivated operations, distinguishing itself with unique malware and frequent critical infrastructure targeting.

APT45 supports North Korea's interests through a range of cyber operations, including espionage and financially motivated activities. Initially targeting government and defence sectors, APT45 has expanded its focus to include healthcare, pharmaceuticals, and nuclear-related entities. The group's continued targeting of health-related research suggests a sustained mandate.

APT45's operations have shifted with North Korea's priorities. The group has targeted government agencies, defence industries, and nuclear facilities, including India's Kudankulam Nuclear Power Plant. In response to agricultural challenges, APT45 targeted a crop science division in 2020. The group's ongoing interest in health-related research in 2023 indicates continued resource allocation.

While not confirmed, APT45 is suspected of using ransomware. The U.S. Cybersecurity and Infrastructure Security Agency reported North Korean use of MAUI ransomware in 2022, and Kaspersky identified ransomware linked to APT45 clusters in 2021.

“APT45 has a history of targeting government and defence companies around the world, but this indictment showcases that North Korean threats groups also pose a serious threat to citizens’ everyday lives and can’t be ignored or disregarded. Their targeting of hospitals to generate revenue and fund their operations demonstrates a relentless focus on fulfilling their priority mission of intelligence gathering, regardless of the potential consequences it may have on human lives.

Public indictments serve as a powerful deterrent and a show of force against cybercriminals, signalling to both the perpetrators and potential victims that these activities will not be tolerated. For the international community, often silently facing similar threats, these indictments offer reassurance that collaborative efforts are underway to address the issue.

By combining Mandiant’s expertise with the capabilities of our partners in law enforcement, we’re proud to have played a supporting role in combating APT45’s cyber threats worldwide.” - Michael Barnhart, Mandiant Principal Analyst - Google Cloud

APT45 employs a mix of publicly available tools, modified malware, and custom families. Their malware shows unique characteristics such as code reuse, custom encoding, and passwords, making their toolkit distinct from other North Korean clusters.

Mandiant assesses that APT45 is a state-sponsored operator supporting the North Korean regime, likely linked to the Reconnaissance General Bureau (RGB). APT45's activities are reported under various names, including Andariel, Onyx Sleet, Stonefly, and Silent Chollima, and are associated with the Lazarus Group.

APT45 is expected to continue its dual focus on intelligence collection and financially motivated activities, reflecting North Korea's evolving geopolitical priorities.

© Scoop Media