Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Government

Mandiant: North Korean Hackers Targeting Healthcare, Energy

State-Sponsored Hacking Group Andariel Tied to Active and Sophisticated Campaigns
Mandiant: North Korean Hackers Targeting Healthcare, Energy
North Korean hacking group Andariel - now tracked as APT34 by Mandiant - is on the prowl for secrets. (Image: Shutterstock)

A North Korean hacking group notorious for carrying out large-scale cyberattacks against government institutions and critical infrastructure is expanding its operations to target the healthcare, energy and financial sectors, according to a Mandiant report published Thursday.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Andariel, a hacking group likely run by the Democratic People's Republic of Korea Reconnaissance General Bureau, has previously been sanctioned by the U.S. Department of the Treasury over attacks on government, military and critical infrastructure.

The advanced persistent threat group's cyber operations - like those of other North Korean hacking groups - in recent years have become increasingly sophisticated. In particular, experts see Andariel continuing to embrace more advanced tools and techniques to maximize impact while evading detection (see: Researchers: North Korean Hackers Gain Speed, Flexibility).

Mandiant, which is part of Google, says it "has been actively engaged in a concerted effort with multiple U.S. government agencies" including the FBI to track Andariel's efforts to acquire defense and research and development intelligence from government institutions. A Mandiant report published Thursday says the threat intelligence firm will begin tracking the group as APT45 and warned that the Pyongyang-affiliated hackers have been seeking intelligence on government nuclear facilities, research institutes and defense systems, among other targeted espionage campaigns.

"When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him," said Michael Barnhart, Mandiant's principal analyst. North Korean hackers "have demonstrated they're willing and agile enough to target any entity to achieve their objectives, including hospitals."

Mandiant assesses "with moderate confidence" that Andariel has also taken part in the development and deployment of ransomware, describing the group as a "moderately sophisticated cyber operator" that has been operating since at least 2009. Since then, the group's attacks have been tracked using a variety of codenames, including Onyx Sleet, Stonefly and Silent Chollima, and has sometimes been linked to the DPRK's Lazarus hacking group, it said.

North Korea is the rare state that backs for-profit hacking, using stolen money to fund development of weapons of mass destruction and to infuse Pyongyang with hard currency.

The cybersecurity firm found that Andariel directly targeted nuclear research facilities and power plants in 2019, including a facility in India. It expanded to healthcare and pharmaceutical sectors following a suspected COVID-19 outbreak in North Korea in 2021.

"The group's earliest observed activities consisted of espionage campaigns against government agencies and defense industries," the report said. "APT45 has expanded its remit to financially motivated operations, including targeting of the financial vertical."

Barnhart attributed many of North Korea's military advancements to the group's "successful espionage efforts against governments and defense organizations around the world." Mandiant previously warned that North Korean state-sponsored groups such as Andariel can "quickly change their current focus and begin working on separate, unrelated efforts" such as ransomware.

Mandiant's report follows a January warning from the South Korean National Intelligence Service about North Korea's use of generative artificial intelligence technologies to conduct sophisticated attacks and identify targets (see: North Korean Hackers Using AI in Advanced Cyberattacks).


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.