THREAT ACTOR: APT45 ('Onyx Sleet')
Onyx Sleet, also known by aliases such as Andariel, Plutonium, and Silent Chollima, is a North Korean cyber threat actor engaged in cyber espionage against critical sectors, including nuclear technology.
APT45 (Onyx Sleet, Andariel, PLUTONIUM, DarkSeoul, Silent Chollima, Stonefly/Clasiopa) is a sophisticated North Korean cyber operator known for advanced persistent threat (APT) activity. This analysis is crucial for understanding the group's methodologies, tools, and targets, which can aid law enforcement and cybersecurity professionals in developing effective countermeasures.
The research involved gathering information from credible sources, including Microsoft, Mandiant, and other cybersecurity blogs. The findings reveal that Onyx Sleet employs a variety of tactics, techniques, and procedures (TTPs) to achieve its objectives, which include espionage and financial gain. The group has been active since 2009 and is linked to North Korea's Reconnaissance General Bureau (RGB).
Assessment Rating
Rating: HIGH
The assessment rating is HIGH due to the significant threat posed by APT45. The group has a long history of cyber espionage and financially motivated attacks, including ransomware. Their activities target critical infrastructure and sensitive industries, posing a substantial risk to national security and economic stability.
Findings
- Long-Running Operations: APT45 has been active since at least 2009, initially focusing on cyber espionage against government agencies and defense industries.
- Financially Motivated Activities: The group has expanded its operations to include financially motivated activities, such as ransomware attacks.
- Targeting Critical Infrastructure: APT45 has targeted critical infrastructure, including nuclear research facilities and power plants.
- Healthcare and Pharmaceutical Targeting: The group has shown a continued interest in healthcare and pharmaceutical sectors, especially during the COVID-19 pandemic.
- Distinct Malware Families: APT45 uses a mix of publicly available tools, modified malware, and custom malware families, exhibiting distinct characteristics over time.
- Attribution: APT45 is assessed to be a state-sponsored cyber operator supporting the interests of the North Korean regime, specifically linked to the Reconnaissance General Bureau (RGB).
Recommendations, Actions and Next Steps
- Network Segmentation: Implement strict network segmentation to limit the lateral movement of attackers within the network. Isolate critical infrastructure and sensitive data from other parts of the network.
- Regular Patch Management: Ensure all systems and software are regularly updated with the latest security patches to mitigate vulnerabilities that APT45 could exploit.
- Advanced Threat Detection: Deploy advanced threat detection systems, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), to identify and block malicious activities associated with APT45.
- Employee Training: Conduct regular cybersecurity training for employees to recognize phishing attempts and other social engineering tactics used by APT45.
- Incident Response Plan: Develop and regularly update an incident response plan to quickly and effectively respond to potential breaches by APT45.
- Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay informed about the latest tactics, techniques, and procedures (TTPs) used by APT45 and other threat actors.
References and Citations
- Google Cloud Blog: APT45: North Korea's Digital Military Machine
- The CyberWire: North Korea's APT45 conducts espionage alongside financially motivated attacks
- Computer Weekly: North Korean cyber APT targeting nuclear secrets
- Microsoft Security Blog: North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
- Microsoft Security Blog: Onyx Sleet uses array of malware to gather intelligence for North Korea
- Microsoft Security Blog: Moonstone Sleet emerges as new North Korean threat actor
- NSA: North Korea Cyber Espionage Campaign
APPENDIX
MITRE ATT&CK TTPs
- Initial Access: Spearphishing Attachment
- Execution: Command and Scripting Interpreter
- Persistence: Registry Run Keys / Startup Folder
- Privilege Escalation: Exploitation for Privilege Escalation
- Defense Evasion: Obfuscated Files or Information
- Credential Access: Credential Dumping
- Discovery: System Information Discovery
- Lateral Movement: Remote Services
- Collection: Data from Local System
- Exfiltration: Exfiltration Over C2 Channel
- Impact: Data Encrypted for Impact
MITRE ATT&CK Mitigations
- Network Segmentation: M1030
- User Training: M1017
- Application Isolation and Sandboxing: M1048
- Privileged Account Management: M1026
- Restrict Web-Based Content: M1021
- Update Software: M1051
Get questions like this? Do they take chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?
This baseline report was thoughtfully researched and took 5 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the grunt work.
Did this help you? Forward it to a friend!
(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0