ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Subgroup: Andariel, Silent Chollima

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Subgroup: Andariel, Silent Chollima

NamesAndariel (FSI)
Silent Chollima (CrowdStrike)
Stonefly (Symantec)
Plutonium (Microsoft)
Onyx Sleet (Microsoft)
APT 45 (Mandiant)
Jumpy Pisces (Palo Alto)
CountryNorth Korea North Korea
MotivationInformation theft and espionage
First seen2009
DescriptionA subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.
Observed
Tools used
Operations performed2014Operation “BLACKMINE”
Target: South Korean organizations.
Method: Information theft and espionage.
2014Operation “GHOSTRAT”
Target: Defense industry.
Method: Information theft and espionage.
2014Operation “XEDA”
Target: Foreign defense industries.
Method: Information theft and espionage.
2015Operation “INITROY”/Phase 1
Target: South Korean organizations.
Method: Information theft/early phase operation.
2015Operation “DESERTWOLF”/Phase 3
Target: South Korean defense industry.
Method: Information theft and espionage.
2015Operation “BLACKSHEEP”/Phase 3.
Target: Defense industry.
Method: Information theft and espionage.
2016Operation “INITROY”/Phase 2
Target: South Korean organizations.
Method: Information theft/early phase operation.
2016Operation “VANXATM”
Target: ATM companies.
Method: Financial theft/BPC.
2017Operation “Mayday”
Target: South Koran Financial Company.
Method: Information theft and espionage.
Jun 2018Operation “GoldenAxe”
<https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/>
Apr 2021Lazarus APT conceals malicious code within BMP image to drop its RAT
<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>
<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>
Jun 2021Andariel evolves to target South Korea with ransomware
<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>
Feb 2022Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage>
Aug 2022Andariel deploys DTrack and Maui ransomware
<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>
Oct 2022DPRK hacking groups breach South Korean defense contractors
<https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/>
Mar 2023Operation “Blacksmith”
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
<https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/>
Jun 2023Andariel’s silly mistakes and a new malware family
<https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/>
Oct 2023Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
<https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/>
Nov 2023Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)
<https://asec.ahnlab.com/en/59073/>
Nov 2023Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
<https://asec.ahnlab.com/en/59318/>
Dec 2023North Korean hackers stole anti-aircraft system data from South Korean firm
<https://therecord.media/north-korea-hackers-stole-anti-aircraft-system-data>
Mar 2024Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)
<https://asec.ahnlab.com/en/63192/>
Apr 2024North Korean hackers exploit VPN update flaw to install malware
<https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/>
May 2024Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
<https://asec.ahnlab.com/en/66088/>
Aug 2024Stonefly: Extortion Attacks Continue Against U.S. Targets
<https://www.security.com/threat-intelligence/stonefly-north-korea-extortion>
Counter operationsJul 2024Rewards for Justice – Reward Offer for Information on North Korean Malicious Cyber Actor Targeting U.S. Critical Infrastructure
<https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-north-korean-malicious-cyber-actor-targeting-u-s-critical-infrastructure/>
Information<https://asec.ahnlab.com/en/56405/>
<https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a>
<https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine>
MITRE ATT&CK<https://attack.mitre.org/groups/G0138/>

Last change to this card: 24 October 2024

Download this actor card in PDF or JSON format

Previous: Lazarus Group, Hidden Cobra, Labyrinth Chollima
Next: Subgroup: BeagleBoyz

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]