FBI, Mandiant designate advanced North Korean hackers stealing US defense secrets


The group — now known as APT45 — has targeted information stored in U.S. government nuclear facilities and research institutions, as well as missile systems, uranium processing and other R&D intel.

The FBI and Google-owned Mandiant are actively engaged in efforts to track down and thwart a sophisticated North Korean hacking group that’s stealing U.S. intelligence and defense secrets. 

The Pyongyang-backed group has been elevated to a named Advanced Persistent Threat, a designation reserved for state-backed hacking groups deemed skilled and well-resourced enough to persistently infiltrate systems and steal data, the FBI and the cybersecurity firm said Thursday.

Now designated APT45, the group, also tracked as Andariel, has been carrying out espionage campaigns around the world since at least 2009. In recent years it has expanded into ransomware, deploying malware that encrypts victims' data, often after first stealing sensitive files, and demands a ransom payment for its return.

Their ransomware attacks have targeted mainly healthcare providers, financial institutions and energy companies, Mandiant said in a new analysis that cites 2022 findings from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. But their past activity targeting U.S. government agencies and its defense industrial base has run deep, the FBI and other intelligence partners say.

APT45 has targeted information stored in government nuclear facilities and research institutes, as well as data on uranium processing and enrichment, nuclear power plants, radar systems and several other sectors, all of it useful for shoring up North Korea's military apparatus and nuclear missile program.

Mandiant is sharing threat information with the FBI and other unnamed U.S. government agencies to help the U.S. track the collective, a company spokesperson said. Defense information, including data on submarines, tanks, fighter aircraft, shipbuilding and machining technologies, has also been sought after by the hackers.

“When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him,” Mandiant principal analyst Michael Barnhart said in a statement.

North Korea’s munitions directorate is linked to its ballistic missile research program, according to declassified U.S. intelligence made public in past indictments targeting DPRK operatives. The nation has deployed shadow operatives across the globe who pose as legitimate technology workers, planting themselves inside firms to carry out long-haul schemes that fund Pyongyang’s nuclear weapons research. The enterprise has paid for some 50% of the DPRK’s missile projects, according to U.S. assessments.

But APT45 is most likely a unit within Kim Jong Un's Korean People's Army, an espionage operator that has since taken on financially motivated work and answers to the nation's Reconnaissance General Bureau, Mandiant assesses.

“Financially motivated activity occurring alongside intelligence collection has become a defining characteristic of North Korean cyber operations, and we expect APT45 to continue both missions,” the company’s analysis says.

Over the past decade, North Korea has steadily expanded its cyber capabilities for espionage. A separate North Korean APT group dubbed Kimsuky, also believed to sit within the Reconnaissance General Bureau, has been abusing weakly configured email authentication settings (DMARC policies that do not tell receivers to reject spoofed mail) to send phishing emails that impersonate trusted senders to academic institutions, think tanks, journalists and nonprofits, the U.S. warned in May.
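The weakness the May warning describes is a DMARC policy that reports spoofing but does not block it. The following is an added example, not code from Mandiant, the FBI or the article, that parses a domain's DMARC TXT record and flags the configurations an attacker can exploit to send mail in the domain's name. The domain names and records it checks are constructed for illustration; in practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`.

```python
"""Assess a DMARC record for settings that let spoofed mail through.

Added example (not from Mandiant, the FBI or the article). The sample
records at the bottom are constructed, not real DNS lookups.
"""
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a dict of lowercased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> tuple:
    """Return (verdict, findings).

    verdict is 'missing' (receivers ignore the record or there is none),
    'weak' (record is valid but does not enforce rejection of spoofed mail),
    or 'enforcing'.
    """
    if not record:
        return "missing", ["no DMARC record: receivers are never told to reject spoofed mail"]

    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["record does not start with v=DMARC1; receivers ignore it"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing", [f"invalid or absent p= tag ({policy!r}); receivers ignore the record"]

    findings = []
    enforcement_gap = False

    if policy == "none":
        # Monitoring only: mail that fails SPF/DKIM alignment is still delivered.
        findings.append("p=none: failing mail is delivered and merely reported")
        enforcement_gap = True

    # sp= defaults to p=; an explicit sp=none leaves every subdomain spoofable.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected although the apex domain enforces")
        enforcement_gap = True

    # pct= samples how much failing mail the policy applies to; anything below 100
    # lets a fraction of spoofed messages through unfiltered.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        enforcement_gap = True

    if "rua" not in tags:
        # Not an enforcement gap, but nobody will see spoofing attempts in reports.
        findings.append("no rua= address: aggregate reports of spoofing attempts go nowhere")

    return ("weak" if enforcement_gap else "enforcing"), findings


# Constructed sample records keyed by hypothetical domain (not real domains).
SAMPLE_RECORDS = {
    "spoofable.example": "v=DMARC1; p=none; rua=mailto:dmarc@spoofable.example",
    "sampled.example": "v=DMARC1; p=reject; pct=20",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
    "absent.example": None,
}


def audit(records: dict) -> dict:
    """Map each domain to its verdict so a fleet can be triaged at a glance."""
    return {domain: assess_dmarc(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(record)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

To run this against a real domain, feed `assess_dmarc` the TXT value returned by `dig +short TXT _dmarc.<domain>`. The fix for a `weak` verdict is to move to `p=quarantine` and then `p=reject` once the `rua` reports show legitimate mail is aligned.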

The Treasury Department in November sanctioned eight North Korean agents who enabled revenue generation for the nation's nuclear missile activities, as well as Kimsuky itself, on the grounds that the group carried out intelligence-gathering activities in support of Pyongyang's national interests.

The nation’s cyber forces have matured and will “continue its ongoing cyber campaign, particularly cryptocurrency heists; seek a broad variety of approaches to launder and cash out stolen cryptocurrency; and maintain a program of IT workers serving abroad to earn additional funds,” a February U.S. intelligence assessment says.