TTPs #11: Operation An Octopus - Analysis of Attack Strategies Targeting Centralized Management Solutions
2024-06-28 • KRCERT • Operation An Octopus: Attack Strategy Targeting Centralized Management Solutions
https://thorcert.notion.site/TTPs-11-Operation-An-Octopus-d875862055ca4b7b815b5e496b219671
The report analyzes Andariel, described as a Lazarus subgroup, exploiting vulnerabilities in centralized management solutions deployed by South Korean enterprises. The activity relied heavily on administrator console ports exposed to the internet and on scanning for vulnerable software, which let the group compromise organizations whose management tools were reachable from outside. According to the report, the operation evolved beyond opportunistic scanning into supply-chain distribution via software developers with many downstream customers. The report separates the TTPs observed on the attackers' rented servers from those observed inside victim environments; this split helps defenders focus on attack-surface management, monitoring of third-party software, and controls around file-distribution and administrative platforms.