ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Andariel, Silent Chollima

Names: Andariel (FSI)
Silent Chollima (CrowdStrike)
Stonefly (Symantec)
Plutonium (Microsoft)
Onyx Sleet (Microsoft)
Country: North Korea
Motivation: Information theft and espionage
First seen: 2014
Description: A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.
Observed:
Tools used:
Operations performed:
2014: Operation “BLACKMINE”
Target: South Korean organizations.
Method: Information theft and espionage.
2014: Operation “GHOSTRAT”
Target: Defense industry.
Method: Information theft and espionage.
2014: Operation “XEDA”
Target: Foreign defense industries.
Method: Information theft and espionage.
2015: Operation “INITROY”/Phase 1
Target: South Korean organizations.
Method: Information theft/early phase operation.
2015: Operation “DESERTWOLF”/Phase 3
Target: South Korean defense industry.
Method: Information theft and espionage.
2015: Operation “BLACKSHEEP”/Phase 3
Target: Defense industry.
Method: Information theft and espionage.
2016: Operation “INITROY”/Phase 2
Target: South Korean organizations.
Method: Information theft/early phase operation.
2016: Operation “VANXATM”
Target: ATM companies.
Method: Financial theft/BPC.
2017: Operation “Mayday”
Target: South Korean financial company.
Method: Information theft and espionage.
Jun 2018: Operation “GoldenAxe”
<https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/>
Apr 2021: Lazarus APT conceals malicious code within BMP image to drop its RAT
<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>
Jun 2021: Andariel evolves to target South Korea with ransomware
<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>
Feb 2022: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage>
Aug 2022: Andariel deploys DTrack and Maui ransomware
<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>
Mar 2023: Operation “Blacksmith”
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
<https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/>
Jun 2023: Andariel’s silly mistakes and a new malware family
<https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/>
Oct 2023: Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
<https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/>
Nov 2023: Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)
<https://asec.ahnlab.com/en/59073/>
Nov 2023: Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
<https://asec.ahnlab.com/en/59318/>
Dec 2023: North Korean hackers stole anti-aircraft system data from South Korean firm
<https://therecord.media/north-korea-hackers-stole-anti-aircraft-system-data>
Information: <https://asec.ahnlab.com/en/56405/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0138/>

Last change to this card: 16 January 2024

