
A threat group with ties to North Korea known for cyber espionage has gradually expanded its operations to include financially motivated attacks involving the deployment of ransomware, setting it apart from other state-sponsored hacking groups linked to the country.
Google-owned Mandiant tracks the activity cluster under the new name APT45, which overlaps with names like Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.
“APT45 is a long-active, moderately sophisticated North Korean cyber actor with intelligence activities dating back to 2009,” said researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan and Michael Bernhardt. “APT45 has been most frequently observed targeting critical infrastructure.”
It is worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea’s top military intelligence agency, the Reconnaissance General Bureau (RGB).

APT45 has been specifically linked to the deployment of ransomware families tracked as SHATTEREDGLASS and Maui, which targeted organizations in South Korea, Japan, and the United States in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.

“APT45 may be conducting financially motivated cybercrime activities to support its own operations as well as to raise funds for other North Korean national priorities,” Mandiant said.
Another notable piece of North Korean malware is a backdoor called Dtrack (also known as Valefor and Preft), which was first used in a 2019 cyber attack against India’s Kudankulam Nuclear Power Plant, one of the few publicly known instances of North Korean attackers targeting critical infrastructure.
“APT45 is one of North Korea’s longest-operating cyber attack groups, and its operations reflect the regime’s geopolitical priorities, even as the group’s scope of operations has shifted from traditional cyber espionage against government and defense institutions to include healthcare and agricultural science,” Mandiant said.
“North Korea has become dependent on cyber operations as an instrument of state power, and operations conducted by APT45 and other North Korean cyber operatives may reflect shifting priorities among the country’s leadership.”
The discovery comes after security awareness training company KnowBe4 said it had been tricked into hiring a North Korean IT worker as a software engineer who used the stolen identity of a US citizen and artificial intelligence (AI) to edit their photos.
“This was a highly skilled North Korean IT worker supported by a state-sponsored criminal infrastructure who participated in multiple video interviews using stolen personal information of Americans, circumventing background check processes commonly used by companies,” the company said.
The IT workers, believed to be part of the Workers’ Party of Korea’s Munitions Industry Department, have a history of pretending to be in the United States when they are in fact in China or Russia, logging in remotely to company-issued laptops delivered to “laptop farms” and applying for jobs at U.S.-based companies.
KnowBe4 said it had detected suspicious activity, including manipulation of session history files, transfer of potentially harmful files, and execution of unauthorized software, on a Mac workstation that had been sent to the individual; the activity was flagged on July 15, 2024 at 9:55 pm EST. The malware was loaded using a Raspberry Pi.

The Florida-based cybersecurity firm said it had contained the employee’s device within 25 minutes and that there was no evidence the attackers had compromised any sensitive data or systems.
“The fraud is that they are actually doing the work, getting paid handsomely, and providing large amounts of money to North Korea to fund their illegal programs,” said Stu Sjouwerman, CEO of KnowBe4.
“This case highlights the critical importance of more robust vetting processes, continuous security monitoring and increased collaboration between HR, IT and security teams to protect against advanced persistent threats.”