Andariel

andariel · primary source: MITRE · first observed 2008

KP · DPRKState-sponsoredHigh confidencelast cited Jul 24, 2024 · 1.8y ago

DPRK state-sponsored intrusion set publicly attributed to the Reconnaissance General Bureau's 3rd Bureau (Andariel). Treated by MITRE as a sub-cluster of Lazarus Group; conducts both espionage against defense, aerospace, nuclear, and engineering targets and financially-motivated operations against banks and ATMs. Joint advisory AA24-207A in July 2024 attributed sustained intellectual-property theft against critical-infrastructure research to the group.

Aliases

Silent ChollimaCrowdStrikeOnyx SleetMicrosoftPLUTONIUMMicrosoftStoneflyOtherAPT45Mandiant

Motivations

espionagefinancial gain

Target sectors

defenseaerospacenuclearenergyfinancial

Target countries

KRUSJPIN

Lineage & relationships

full graph →

Subgroup of

Lazarus Group

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Andariel
DPRK
espionage
financial gain

Capability

Infrastructure

—

Victim

defense
aerospace
nuclear
KR
US
+1 more

MITRE ATT&CK techniques

T1190 T1059.001 T1486 T1078

Timeline

1 event

AdvisoryHigh2024-07-25·CISA
Joint advisory AA24-207A attributes IP theft to DPRK Andariel
CISA, the FBI, the NSA, and partners from the U.K., South Korea, Germany, and others released a joint advisory attributing a long-running cyberespionage campaign against critical-infrastructure research — defense, aerospace, nuclear, and engineering — to North Korea's Reconnaissance General Bureau 3rd Bureau, also tracked as Andariel and APT45.
five-eyesattributiondprkip-theft

Indicators of compromise

2 indicators

defangedcsv

Type	Value	First seen	Source
SHA-256	ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6 Andariel implant sample listed in CISA / FBI / NSA joint advisory AA24-207A (25 July 2024) covering the RGB 3rd Bureau group also tracked as Onyx Sleet / Stonefly / Silent Chollima. The advisory ties the group to defence, aerospace, nuclear and engineering espionage in support of DPRK military and nuclear programs.	Jul 24, 2024	CISA
SHA-256	5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e family · Maui Maui ransomware sample (maui.exe). FBI / CISA / Treasury advisory AA22-187A documents its use by DPRK state actors against U.S. Healthcare and Public Health sector targets from at least May 2021. Encryption combines AES, RSA and XOR and is driven manually via CLI by the operator.	Apr 30, 2021	CISA

Related actors

shared ATT&CK techniques

IR · IranPioneer Kitten3 shared techniques
?? · UnknownALPHV/BlackCat2 shared techniques
- T1078
- T1486
CN · ChinaAPT32 shared techniques
- T1078
- T1190
IR · IranAPT392 shared techniques
- T1059.001
- T1078
CN · ChinaAPT402 shared techniques
- T1059.001
- T1190
RU · RussiaCadet Blizzard2 shared techniques
- T1059.001
- T1190

References

G0138 — Andariel
MITRE ATT&CK

cite this page

Threat Intel Tracker. (2026-05-19). Andariel — actor profile. Retrieved from https://threatintel.local/actors/andariel

latest cited activity · 2024-07-25 · 2 cataloged indicators