Andariel
Also known as: Silent Chollima · PLUTONIUM · Onyx Sleet
Overview
Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations (which have included destructive attacks) against South Korean government agencies, military organizations, and a variety of domestic companies; it has also conducted financially motivated cyber operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. Andariel is considered a subset of Lazarus Group and has been attributed to North Korea's Reconnaissance General Bureau. North Korean group definitions are known to overlap significantly, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group rather than tracking clusters or subgroups.
Targets
Government · Private sector
Regions
Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India · Japan · Sony Pictures Entertainment · South Korea · Thailand · United Kingdom · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
TTPs — 12 techniques across 8 tactics
Reconnaissance
- T1590.005 IP Addresses
- T1592.002 Software
Resource Development
- T1588.001 Malware
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
Execution
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Stealth
- T1027.003 Steganography
Discovery
Collection
- T1005 Data from Local System
Command and Control
- T1105 Ingress Tool Transfer
Tools & malware (2)
Rifdoor · gh0st RAT
Reporting (3)
- How Microsoft names threat actors — Microsoft
- Silent Chollima Adversary Profile — CrowdStrike
- Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups — US Treasury