The North Korea-linked threat, known for its cyber espionage operations, has gradually evolved into financially motivated attacks that include the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.
Google-owned Mandiant is tracking the activity cluster under a new alias APT45which overlaps with names like Andariel, Nickel Hyatt, Onyx Sleet, Stonefly and Silent Chollima.
“APT45 is a long-standing moderate North Korean cyber operator that has conducted espionage campaigns as far back as 2009,” researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan and Michael Barnhart said. “APT45 was the most frequently observed targeting of critical infrastructure.”
It should be noted that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky) and Lazarus Group (aka TEMP.Hermit) are elements of North Korea’s Intelligence General Bureau (RGB), the country’s main military intelligence organization.
APT45 is there especially linked to the deployment of ransomware families tracked as BROKEN GLASS and Maui targeting organizations in South Korea, Japan, and the United States in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.
“It is entirely possible that APT45 is committing financially motivated cybercrimes not only to support its own operations, but also to generate funds for other North Korean government priorities,” Mandiant said.
Another notable malware in its arsenal is a duplicate backdoor Dtrack (aka Valefor and Preft), which was first used in a cyber attack targeted the Kudankulam nuclear power plant in India in 2019, one of the few publicly known incidents of North Korean actors striking critical infrastructure.
“APT45 is one of North Korea’s longest-running cyber operatives, and the group’s activities reflect the regime’s geopolitical priorities, even as operations have shifted from classic cyber espionage against government and defense structures to health and agriculture,” Mandiant said.
“As the country has come to depend on its cyber operations as an instrument of national power, the operations conducted by APT45 and other North Korean cyber operators may reflect a shift in leadership priorities.”
The findings come after security training firm KnowBe4 said it was tricked into hiring a North Korean IT worker as a software engineer who used the stolen identity of a US citizen and enhanced his picture with artificial intelligence (AI).
“This was a skilled North Korean IT operative supported by the state’s criminal infrastructure using the stolen identity of a US citizen who participated in multiple rounds of video interviews and bypassed the vetting processes normally used by companies,” the company said.
The army of IT workers, estimated to be part of the Munitions Department of the Workers’ Party of Korea, has job search history at US-based firms, pretending to be in the country when they are actually in China and Russia, and logging in remotely via company-issued laptops delivered to a “laptop farm”.
KnowBe4 said it detected suspicious activity on a Mac workstation sent to a person on July 15, 2024 at 9:55 PM EST, which consisted of manipulating session history files, transferring potentially malicious files, and running malicious software. The malware was downloaded using a Raspberry Pi.
25 minutes later, the Florida-based cybersecurity company said it had the employee’s device. This no evidence that an attacker gained unauthorized access to sensitive data or systems.
“The scam is that they are actually doing their job, getting paid well and giving a large amount to North Korea to fund their illegal programs,” KnowBe4 Executive Director Stu Suverman. said.
“This case highlights the critical need for more robust vetting processes, continuous security monitoring and improved coordination between HR, IT and security in defending against today’s persistent threats.”
