A North Korean hacker group, sanctioned by the U.S. government, targeted at least three U.S. organizations in August, continuing its cybercriminal activities despite legal and diplomatic pressures. The group, known as APT45—also referred to as Andariel or Stonefly—attempted to breach the organizations just a month after the U.S. Department of Justice indicted one of its members.
In July, the Justice Department issued an arrest warrant for Rim Jong Hyok, a suspected member of Andariel, for his involvement in ransomware attacks against U.S. hospitals and healthcare companies. Rim is believed to be part of North Korea’s Reconnaissance General Bureau (RGB), the country’s main intelligence agency. Andariel was sanctioned by the U.S. Treasury in 2019, yet the group continues its operations, including these recent incidents.
According to cybersecurity researchers at Symantec, APT45’s attacks in August were financially motivated, targeting private companies with no apparent intelligence value. While the hackers did not succeed in deploying ransomware in these cases, their use of custom malware—unique to APT45—helped researchers trace the intrusions back to the group. Several indicators of compromise, including a fake Tableau certificate documented by Microsoft and other unique certificates, further confirmed their involvement.
Symantec noted that APT45 has evolved significantly since it first appeared in 2009. Initially, the group specialized in distributed denial-of-service (DDoS) attacks against South Korean and U.S. government and financial websites. In recent years, its focus has shifted to espionage, targeting organizations with highly sensitive or classified information, particularly in defense, aerospace, and nuclear sectors. This shift suggests a growing level of sophistication, with operations often aimed at advancing North Korea’s military and nuclear ambitions.
Despite Rim Jong Hyok’s indictment and increased scrutiny, APT45 remains active. North Korean cybercrime operations, such as those conducted by Andariel, are driven in part by financial motives, as the regime continues to use cyber activity to evade Western sanctions. Symantec emphasized that while some North Korean groups are primarily focused on raising foreign currency, APT45 has historically concentrated on espionage. In recent years, however, the group appears to have expanded into financially motivated attacks as well.
The FBI and other agencies have consistently warned of APT45’s threat, noting that the group has targeted a range of high-value organizations, including U.S. Air Force bases, a NASA office, and companies in Taiwan, South Korea, and China. The group’s goal is often to steal sensitive technical information or intellectual property that can advance North Korea’s military capabilities.