Cybersecurity News & Analysis · github defconxt · © 2026 · blacktemple.net

Andariel

Also known as: Onyx Sleet · Silent Chollima · Plutonium · DarkSeoul · Stonefly · TDrop2

Classification: nation-state
Nation: 🇰🇵 North Korea
Active Since: 2009
Targets: Defense · Aerospace · Healthcare · Energy · Nuclear · Engineering · Government
Known Tools: DTrack · Maui · TigerRAT · NukeSped · Black RAT · EarlyRAT · Dora RAT · Joanap · Rifdoor
MITRE ATT&CK: T1190 · T1059.001 · T1059.003 · T1021.001 · T1486 · T1078 · T1055 · T1070 · T1003 · T1071.001 · T1133 · T1574.002
References: MITRE ATT&CK · CISA Advisory - Maui Ransomware · Microsoft - Onyx Sleet · Kaspersky - Andariel Analysis

Background

Andariel is a North Korean threat actor operating under the Reconnaissance General Bureau's Bureau 121, the country's primary cyber warfare division. While sometimes classified as a subgroup of the broader Lazarus umbrella, Andariel maintains distinct operational patterns, tooling, and targeting preferences that warrant separate tracking. The group has been active since at least 2009, initially focusing on destructive attacks and espionage against South Korean targets before expanding its scope to include defense contractors, healthcare organizations, and energy companies globally.

Andariel's primary mission is intelligence collection focused on military and defense technologies, nuclear energy systems, and advanced engineering data that supports North Korea's weapons programs. The group has demonstrated a particular interest in classified defense systems, satellite technology, submarine design, and weapons procurement data. In July 2024, the US Department of Justice indicted a North Korean military intelligence operative, Rim Jong Hyok, for his role in Andariel operations targeting US healthcare providers with ransomware and using the proceeds to fund further espionage operations.

What distinguishes Andariel from other RGB units is its dual-track approach: conducting espionage against high-value defense and technology targets while simultaneously running ransomware operations against softer targets (particularly hospitals and healthcare organizations) to generate revenue. This combination of intelligence collection and financially motivated cybercrime within a single operational unit reflects the RGB's mandate to be self-funding while pursuing strategic intelligence objectives.

Notable Campaigns

DarkSeoul Attacks (March 2013)

Andariel conducted coordinated destructive attacks against major South Korean banks and broadcasting companies, deploying wiper malware that destroyed the master boot records of tens of thousands of computers. The attacks were timed to maximize disruption, hitting during business hours and affecting ATM networks, online banking services, and broadcast operations simultaneously. The campaign demonstrated North Korea's willingness to conduct destructive cyber operations against civilian infrastructure.

South Korean Defense Contractor Breaches (2016-2017)

Andariel compromised multiple South Korean defense contractors and military-related organizations, exfiltrating classified information including submarine blueprints, fighter jet wing designs, and military communications protocols. The attackers gained initial access through watering hole attacks on defense industry websites and subsequently moved laterally through connected networks. The South Korean National Intelligence Service attributed these breaches to Andariel and linked them to Bureau 121 operations.

Maui Ransomware Campaign (2021-2022)

The FBI, CISA, and the US Treasury Department jointly warned that Andariel was deploying Maui ransomware against US healthcare and public health sector organizations. Unlike typical ransomware operations, Maui appeared to be manually deployed by operators after gaining access through exploitation of internet-facing vulnerabilities, particularly in VPN appliances and web servers. The ransomware revenues were used to fund subsequent espionage operations against defense and technology targets, creating a self-sustaining cycle of cybercrime-funded espionage.

TeamCity CVE-2023-42793 Exploitation (October 2023)

Microsoft reported that Andariel (tracked as Onyx Sleet) was actively exploiting a critical vulnerability in JetBrains TeamCity servers (CVE-2023-42793) to gain initial access to software development environments. After compromising TeamCity instances, the group deployed custom backdoors and conducted reconnaissance to identify high-value targets in the defense and technology sectors. This campaign demonstrated Andariel's capability to rapidly weaponize newly disclosed vulnerabilities.

US Defense and Aerospace Espionage (2022-2024)

As detailed in the July 2024 DOJ indictment, Andariel conducted sustained espionage operations against US defense contractors and aerospace companies, targeting information related to fighter aircraft, missile defense systems, satellites, and nuclear materials. The group compromised NASA's Office of Inspector General network and exfiltrated data from multiple defense contractors. The operation was funded through Maui ransomware attacks against healthcare providers, with cryptocurrency ransoms laundered through Chinese facilitators.

Tactics, Techniques & Procedures

Initial Access: Andariel primarily exploits internet-facing servers and appliances (T1190), demonstrating rapid adoption of newly disclosed vulnerabilities. The group has exploited Log4Shell (CVE-2021-44228), MOVEit Transfer vulnerabilities, TeamCity flaws, and various VPN appliance vulnerabilities. They also use spear-phishing with weaponized HWP and Office documents, and conduct watering hole attacks against industry-specific websites. Credential abuse through compromised VPN and remote access credentials (T1078, T1133) is another common entry vector.

Lateral Movement and Discovery: After initial compromise, Andariel conducts extensive network reconnaissance using built-in Windows tools (net, nltest, systeminfo) and custom scanning utilities. The group uses RDP (T1021.001) for lateral movement and deploys credential-harvesting tools including modified versions of Mimikatz and ProcDump to extract credentials from memory (T1003). They target Active Directory servers to obtain domain-wide access and identify high-value assets.

Persistence and Defense Evasion: Andariel achieves persistence through DLL side-loading (T1574.002), scheduled tasks, and Windows services. The group uses legitimate remote administration tools alongside custom backdoors, making detection more difficult. They frequently clear Windows event logs (T1070) and use timestomping to cover their tracks. In some campaigns, the group has used rootkit-level techniques to hide their presence from security tools.

Exfiltration and Impact: For espionage operations, data is staged in compressed archives and exfiltrated through custom C2 channels or repurposed cloud services. For ransomware operations, Andariel manually deploys Maui ransomware after ensuring backup systems are compromised, maximizing the pressure on victims to pay. The group uses cryptocurrency mixing services and over-the-counter brokers to launder ransom payments.

Tools & Malware

  • DTrack: A sophisticated spyware tool shared across multiple North Korean groups, featuring keylogging, browser history harvesting, running process enumeration, and file collection. Multiple variants have been observed with evolving obfuscation techniques.
  • Maui Ransomware: A manually operated ransomware that uses a combination of AES, RSA, and XOR encryption. Unlike commodity ransomware, Maui lacks automated spreading capabilities and is deliberately deployed by operators against pre-selected targets.
  • TigerRAT: A backdoor supporting command execution, file transfer, screen capture, and keylogging. Communicates over HTTP with custom encoding and has been observed in operations against defense and technology targets.
  • EarlyRAT: A relatively simple RAT deployed through Log4Shell exploitation, providing basic command execution and system reconnaissance capabilities. Serves as a first-stage implant before deploying more capable tools.
  • Dora RAT: A lightweight Go-based RAT with reverse shell and file transfer capabilities, observed in operations against South Korean organizations. Its simplicity and cross-platform nature make it versatile for diverse target environments.
  • NukeSped: A family of backdoors shared with other Lazarus-affiliated groups, providing full remote access capabilities including file management, process control, and command execution.
  • Joanap: A peer-to-peer botnet infrastructure used for C2 communications, leveraging compromised systems as relay nodes to obscure the true C2 servers.
  • Black RAT: A Go-based backdoor deployed in recent campaigns, supporting command execution via cmd.exe, file enumeration, and file download/upload operations.
  • Rifdoor: A backdoor that communicates using a custom binary protocol over TCP, supporting file operations, process management, and shell command execution.

Indicators & Detection

Vulnerability Management:

  • Prioritize patching internet-facing servers, particularly VPN appliances, web servers, and development tools like TeamCity. Andariel's initial access strategy relies heavily on exploiting known vulnerabilities, often within days of public disclosure.
  • Monitor for exploitation attempts against Log4j, MOVEit, TeamCity, and other commonly targeted enterprise software.

Network-Based Detection:

  • Monitor for beaconing patterns consistent with DTrack and TigerRAT, which typically communicate over HTTP/HTTPS with fixed intervals.
  • Watch for RDP connections from unexpected source IPs, particularly from servers or systems that don't normally initiate RDP sessions.
  • Detect Joanap peer-to-peer communications by monitoring for unusual SMB traffic patterns between workstations.
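As an added example (not code from this page or from any of the referenced vendors), the following Python flags fixed-interval beaconing of the kind the first bullet attributes to DTrack and TigerRAT. The log format, the internal hosts, the destinations (203.0.113.7 is from the documentation address range) and the thresholds are all constructed assumptions for illustration.

```python
# Added example (not from the original page or its references): flag
# fixed-interval beaconing in proxy/firewall logs, the pattern the text
# attributes to DTrack and TigerRAT C2 traffic. All log lines are
# constructed sample data; hosts, IPs and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line:
# "<ISO timestamp> <src_ip> <dst> <bytes>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.15 203.0.113.7 512
2024-03-01T09:00:05 10.0.0.15 cdn.example 8192
2024-03-01T09:00:09 10.0.0.15 cdn.example 640
2024-03-01T09:05:00 10.0.0.15 203.0.113.7 512
2024-03-01T09:07:41 10.0.0.15 cdn.example 1200
2024-03-01T09:10:01 10.0.0.15 203.0.113.7 512
2024-03-01T09:14:59 10.0.0.15 203.0.113.7 512
2024-03-01T09:20:00 10.0.0.15 203.0.113.7 512
2024-03-01T09:23:10 10.0.0.15 cdn.example 300
2024-03-01T09:23:12 10.0.0.15 cdn.example 300
2024-03-01T09:25:00 10.0.0.15 203.0.113.7 512
2024-03-01T09:29:59 10.0.0.15 203.0.113.7 512
2024-03-01T09:31:00 10.0.0.15 cdn.example 9000
2024-03-01T09:40:30 10.0.0.15 cdn.example 450
2024-03-01T09:02:00 10.0.0.22 203.0.113.7 512
2024-03-01T09:07:00 10.0.0.22 203.0.113.7 512
2024-03-01T09:12:00 10.0.0.22 203.0.113.7 512
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_events=6, max_cv=0.05):
    """Return {(src, dst): (mean_interval_s, cv)} for source/destination
    pairs whose request spacing is nearly constant.

    cv is the coefficient of variation (stdev / mean) of inter-arrival
    times, so the same threshold works for a 5-minute or a 1-hour period.
    min_events guards against judging regularity from a handful of hits.
    Both thresholds are assumptions to be tuned on your own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (round(avg, 1), round(cv, 4))
    return beacons


if __name__ == "__main__":
    for pair, (avg, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{pair[0]} -> {pair[1]}: every {avg}s (cv={cv})")
```

In the constructed data, 10.0.0.15 contacts 203.0.113.7 every five minutes with a second or two of jitter and is reported; its traffic to cdn.example is irregular and is not; 10.0.0.22 is ignored because three requests are too few to judge. Legitimate update agents and monitoring probes also poll on fixed schedules, so the output is a candidate list to be checked against an allowlist of known destinations and enriched with destination reputation, not an alert on its own.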

Host-Based Detection:

  • Monitor for suspicious use of Windows administration tools (net.exe, nltest.exe, wmic.exe) in rapid succession, which may indicate Andariel's network reconnaissance phase.
  • Watch for DLL side-loading, particularly legitimate executables running from user-writable directories.
  • Detect Maui ransomware activity by monitoring for rapid file system changes combined with the creation of files with .maui extensions.
  • Alert on credential dumping indicators including unusual access to LSASS process memory and SAM database files.
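As an added example (not code from this page or from any of the referenced vendors), the following Python implements three of the host-based checks listed above over constructed endpoint telemetry: the burst of discovery tools, a known-signed executable launched from a user-writable directory, and a burst of `.maui` files. The burst check is written once as a generic sliding-window detector and reused for both the process and file cases. The telemetry format, window sizes, thresholds, the tool list, the user-writable path fragments and the `legitapp.exe` entry in the signed-binary inventory are all assumptions for illustration.

```python
# Added example (not from the original page or its references): the recon
# tool burst, DLL side-loading and .maui file checks from the list above,
# run over constructed endpoint telemetry. Window sizes, thresholds, the
# tool list and the "known signed binaries" set are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Windows discovery tools the text names, plus net1.exe which net.exe spawns.
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "wmic.exe", "systeminfo.exe"}
# Path fragments treated as user-writable (assumption; extend per environment).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Placeholder for an inventory of signed executables that should only run
# from system or Program Files paths (constructed; not a real vendor binary).
KNOWN_SIGNED = {"legitapp.exe"}

# Constructed telemetry: "timestamp|host|kind|detail", kind is proc or file.
SAMPLE_EVENTS = r"""
2024-03-01T10:00:00|WS01|proc|C:\Windows\System32\net.exe
2024-03-01T10:00:03|WS01|proc|C:\Windows\System32\nltest.exe
2024-03-01T10:00:07|WS01|proc|C:\Windows\System32\wmic.exe
2024-03-01T10:00:12|WS01|proc|C:\Windows\System32\systeminfo.exe
2024-03-01T10:01:00|WS01|proc|C:\Users\jdoe\AppData\Roaming\update\legitapp.exe
2024-03-01T10:30:00|WS02|proc|C:\Windows\System32\net.exe
2024-03-01T10:30:20|WS02|proc|C:\Windows\System32\ipconfig.exe
2024-03-01T14:10:00|WS02|proc|C:\Windows\System32\nltest.exe
2024-03-01T09:15:00|WS02|proc|C:\Program Files\Vendor\legitapp.exe
2024-03-01T11:00:00|SRV01|file|D:\shares\finance\q1.xlsx.maui
2024-03-01T11:00:01|SRV01|file|D:\shares\finance\q2.xlsx.maui
2024-03-01T11:00:02|SRV01|file|D:\shares\finance\budget.docx.maui
2024-03-01T11:00:03|SRV01|file|D:\shares\hr\roster.xlsx.maui
2024-03-01T11:00:04|SRV01|file|D:\shares\hr\policy.pdf.maui
2024-03-01T11:00:05|SRV01|file|D:\shares\hr\notes.txt.maui
2024-03-01T12:00:00|WS03|file|C:\Users\asmith\Desktop\test.maui
"""


def parse_events(text):
    """Parse constructed telemetry into time-sorted (ts, host, kind, detail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)


def burst_detector(events, predicate, window, threshold, distinct=True):
    """Generic sliding-window check: per host, record the first time at least
    `threshold` matching events fall within `window`. With distinct=True the
    count is of distinct event details (e.g. different tool paths)."""
    hits, recent = {}, defaultdict(deque)
    for ts, host, kind, detail in events:
        if host in hits or not predicate(kind, detail):
            continue
        q = recent[host]
        q.append((ts, detail))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        count = len({d for _, d in q}) if distinct else len(q)
        if count >= threshold:
            hits[host] = ts
    return hits


def is_recon_tool(kind, detail):
    return kind == "proc" and ntpath.basename(detail).lower() in RECON_TOOLS


def is_maui_file(kind, detail):
    return kind == "file" and detail.lower().endswith(".maui")


def recon_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Hosts running >= threshold distinct discovery tools within the window."""
    return burst_detector(events, is_recon_tool, window, threshold)


def maui_bursts(events, window=timedelta(seconds=30), threshold=5):
    """Hosts producing >= threshold .maui files within the window (any names)."""
    return burst_detector(events, is_maui_file, window, threshold, distinct=False)


def sideload_candidates(events, known_signed):
    """Known-signed executable names launched from user-writable paths."""
    out = []
    for _, host, kind, detail in events:
        low = detail.lower()
        if (kind == "proc" and ntpath.basename(low) in known_signed
                and any(frag in low for frag in USER_WRITABLE)):
            out.append((host, detail))
    return out


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("recon bursts:", recon_bursts(evts))
    print("maui bursts:", maui_bursts(evts))
    print("side-load candidates:", sideload_candidates(evts, KNOWN_SIGNED))
```

On the constructed data WS01 trips the recon check at the third distinct tool within a minute, while WS02, which runs the same tools hours apart, does not; SRV01 trips the `.maui` check at the fifth file and WS03's single file is ignored; only the `legitapp.exe` launched from a profile directory is listed, not the copy under Program Files. Administrators and inventory scripts do run `net` and `nltest` legitimately, so the recon-burst hits are best scored together with the parent process and the account involved rather than paged on directly.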

Healthcare and Defense Sector Guidance:

  • Healthcare organizations should implement network segmentation between clinical systems and administrative networks, and ensure offline backups are maintained and regularly tested.
  • Defense contractors should implement strict access controls on systems containing classified or export-controlled data, with enhanced monitoring for unauthorized data staging and exfiltration.
  • Both sectors should report suspected compromises to the FBI and CISA for correlation with known Andariel infrastructure.