A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.
Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.
“APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009,” researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said. “APT45 has been the most frequently observed targeting critical infrastructure.”
It’s worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea’s Reconnaissance General Bureau (RGB), the nation’s premier military intelligence organization.
APT45 is notably linked to the deployment of ransomware families tracked as SHATTEREDGLASS and Maui targeting entities in South Korea, Japan, and the U.S. in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.
“It is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities,” Mandiant said.
Another notable malware in its arsenal is a backdoor dubbed Dtrack (aka Valefor and Preft), which was first used in a cyber attack aimed at the Kudankulam Nuclear Power Plant in India in 2019, marking one of the few publicly known instances of North Korean actors striking critical infrastructure.
“APT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science,” Mandiant said.
“As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country’s leadership.”
The findings come as security awareness training firm KnowBe4 said it was tricked into hiring an IT worker from North Korea as a software engineer, who used a stolen identity of a U.S. citizen and enhanced their picture using artificial intelligence (AI).
“This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a U.S. citizen participating in several rounds of video interviews and circumvented background check processes commonly used by companies,” the company said.
The IT worker army, assessed to be part of the Workers’ Party of Korea’s Munitions Industry Department, has a history of seeking employment in U.S.-based firms by pretending to be located in the country when they are actually in China and Russia and logging-in remotely through company-issued laptops delivered to a “laptop farm.”
KnowBe4 said it detected suspicious activities on the Mac workstation sent to the individual on July 15, 2024, at 9:55 p.m. EST that consisted of manipulating session history files, transferring potentially harmful files, and executing harmful software. The malware was downloaded using a Raspberry Pi.
Twenty-five minutes later, the Florida-based cybersecurity company said it contained the employee’s device. There is no evidence that the attacker gained unauthorized access to sensitive data or systems.
“The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs,” KnowBe4’s chief executive Stu Sjouwerman said.
“This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats.”
