Andariel: North Korean APT Group Targets Military and Nuclear Programs

2024-07-26 • Picus Security •

https://www.picussecurity.com/resource/blog/andariel-north-korean-apt-group-targets-military-and-nuclear-programs

#Andariel #T1090 #T1083 #T1027 #T1567 #T1071 #T1059 #T1003 #T1190 #T1087 #T1048 #T1021 #T1572

Thumbnail for Andariel: North Korean APT Group Targets Military and Nuclear Programs

Picus profiles Andariel, also known as Onyx Sleet, as a North Korea-linked APT associated with the Reconnaissance General Bureau. The source says the group targets defense, aerospace, nuclear and engineering organizations for espionage and also conducts ransomware operations against U.S. healthcare organizations to fund activity. Andariel gains access through spear phishing and exploitation of public-facing web servers, then uses discovery commands, web shells, scheduled tasks, custom malware, RATs and open-source tools for persistence, lateral movement and exfiltration. The TTP section calls out credential dumping with Mimikatz, ProcDump and Dumpert, AD enumeration with AdFind, tunneling through 3Proxy, PLINK and Stunnel, and exfiltration through web services, PuTTY, WinSCP and FTP.

Related Actors

Andariel

FSI

First seen: Jul 2017

Last seen: May 2026

Related Reports

2024-07-25 • 80% Match

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

USCISA

#Andariel #YARA #T1090 #T1587.001 #T1560 #T1083 #T1027 #T1567 #T1071 #T1059 #T1003 #T1190 #T1592 #T1087 #T1591 #T1596 #T1048 #T1021.002 #T1021 #T1040 #T1572 #T1595 #T1039 #T1587.004

Shares tags: Andariel, T1090, T1083 • Published within a week

2024-07-19 • 67% Match

APT Quarterly Highlights : Q2 2024

Cyfirma

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584

Shares tags: Andariel, T1090, T1083 • Published within a week

2024-07-26 • 55% Match

Response to CISA Advisory (AA24-207A)

Attack IQ

#Andariel #T1082 #T1083 #T1053.005 #T1003 #T1105 #T1049 #T1087 #T1021.001 #T1048 #T1087.002

Shares tags: Andariel, T1083, T1003 • Published within a week

2024-07-31 • 52% Match

Emulating the Politically Motivated North Korean Adversary Andariel – Part 2

Attack IQ

#Andariel #Blacksmith #T1082 #T1083 #T1057 #T1518.001 #T1003 #T1105 #T1049 #T1098 #T1087 #T1016 #T1018 #T1003.001 #T1562 #T1047 #T1136.001 #T1033 #T1543.003 #T1012 #T1069 #T1654

Shares tags: Andariel, T1083, T1003 • Published within a week

2024-08-05 • 46% Match

북한 해킹조직의 건설ㆍ기계 분야 기술절취 주의

KRNCSC

#Andariel #Kimsuky #TrollAgent #DoraRAT #T1119 #T1005 #T1041 #T1113 #T1071.001 #T1083 #T1036 #T1204.002 #T1195 #T1027.002 #T1189 #T1573.002 #T1074.001 #T1217

Shares tags: Andariel, T1083 • Published within a month

2024-07-25 • 43% Match

North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers

USJustice

#Andariel #Maui #MoneyLaundering #ArkansasHealthcare #CaliforniaDefense #ChineseEnergy #ColoradoMedical #ConnecticutHealthcare #FloridaHospital #KansasHospital #MassachusettsDefense #MichiganDefense #NASA #OregonDefense #RandolphAirForce #RobinsAirForce #SouthKoreanManufacturing #TaiwaneseDefense

Shares tag: Andariel • Published within a week

« Back