APT45: North Korea’s Digital Military Machine

APT45 is a long-running North Korean cyber operator that has evolved from espionage into financially motivated operations, including potential ransomware, while maintaining a focus on critical infrastructure, healthcare, and nuclear-related targets. The group maintains a distinct malware ecosystem and is attributed to the RGB (Reconnaissance General Bureau), with ties to broader Lazarus-linked activity; Mandiant expects APT45 to continue pursuing both intelligence collection and revenue-generating operations for DPRK priorities. #APT45 #LazarusGroup #SHATTEREDGLASS #ROGUEEYE #MAUI #3PROXY #RIFLE #KudankulamNuclearPowerPlant #Healthcare #SouthAsianBank

Key points

  • APT45 is a North Korea–nexus operator active since at least 2009, described as moderately sophisticated.
  • The group expanded from government/defense espionage into financially motivated operations and possible ransomware development.
  • A distinct malware genealogy exists for APT45, setting it apart from TEMP.Hermit and APT43, with attribution links to Lazarus-associated activity.
  • Among DPRK-linked groups, APT45 is frequently observed targeting critical infrastructure, including nuclear-related entities.
  • Financial-sector targeting has been observed, for example the 2016 use of RIFLE and the 2021 spear-phishing of a South Asian bank.
  • The malware ecosystem blends public tools (3PROXY), modified public malware (ROGUEEYE), and custom families that share reused code and a unique encoding scheme.
  • Public reports cite possible ransomware usage (MAUI in healthcare, SHATTEREDGLASS clusters), though attribution remains incomplete.

MITRE Techniques

  • [T1071] Initial Access – APT45 has been observed using spear-phishing to gain initial access to targeted organizations, particularly in the financial sector.
  • [T1203] Execution – Utilization of malware such as ROGUEEYE and other custom malware to execute malicious payloads on compromised systems.
  • [T1547] Persistence – APT45 employs techniques to maintain access to compromised systems, potentially through the use of modified publicly available tools.
  • [T1068] Privilege Escalation – Exploitation of vulnerabilities in software to gain elevated privileges on targeted systems.
  • [T1027] Defense Evasion – APT45 utilizes unique custom encoding and passwords to obfuscate its malware and evade detection.
  • [T1003] Credential Access – Potential use of credential dumping techniques to harvest user credentials from compromised systems.
  • [T1083] Discovery – APT45 conducts reconnaissance on networks to identify critical infrastructure and sensitive information.
  • [T1005] Collection – Targeting of intellectual property and sensitive data, particularly in the healthcare and crop science sectors.
  • [T1041] Exfiltration – APT45 may utilize various methods to exfiltrate data from compromised networks, including the use of encrypted channels.
  • [T1499] Impact – Suspected involvement in ransomware operations to generate revenue for North Korean state priorities.

Indicators of Compromise

  • [Malware] – Malware families and clusters used by or associated with APT45, as cited in the discussion of the group’s tooling: ROGUEEYE, MAUI, SHATTEREDGLASS, and other clusters.
  • [Alias/Attribution] – Names used in public reporting for APT45 activity: Andariel, Onyx Sleet, Stonefly, Silent Chollima, and Lazarus Group.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine/