Tuesday, December 3, 2024

North Korean cyber group targeting nuclear secrets

Cyber researchers at Google Cloud’s Mandiant have identified a North Korean cyber threat group known as APT45, previously tracked under various aliases such as Andariel, Onyx Sleet, Plutonium, and Silent Chollima. The group has been officially designated as an advanced persistent threat (APT) group and is focused on acquiring atomic secrets and technology to support North Korea’s nuclear weapons program.

Operating since 2009, APT45 is believed to have connections to the Lazarus hacking operation and is controlled by North Korea’s Reconnaissance General Bureau (RGB) 3rd Bureau. Initially motivated by financial gain, the group has evolved to target various industries including crop science, healthcare, pharmaceuticals, and military technology. Mandiant’s principal analyst, Michael Barnhart, highlighted APT45’s role in advancing North Korea’s military capabilities through espionage efforts against governments and defense organizations worldwide.

The group utilizes a mix of publicly available hacking tools and custom malware strains, with a focus on stealing defense and research intelligence. Recent efforts by Mandiant, in collaboration with the FBI and other US agencies, have revealed APT45’s targeting of defense-related technologies globally. APT45 has also been observed targeting uranium enrichment and nuclear facilities, posing a significant threat to critical infrastructure organizations worldwide.

The UK’s National Cyber Security Centre (NCSC), along with allied agencies, issued a warning about APT45’s ongoing cyber espionage operations and advised network defenders to implement strong protections to prevent malicious activity. The advisory includes indicators of compromise (IOCs) to help organizations identify potential threats.