
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Mandiant Warns of North Korean Threat Actors Targeting Healthcare

Mandiant has announced that the North Korean threat group Andariel (UNC614) has been designated an Advanced Persistent Threat (APT) actor, now tracked as APT45. The threat actor is moderately sophisticated and has been operating since at least 2009. It is known to target businesses, government agencies, financial services infrastructure, private corporations, and the defense industry as part of North Korea’s cyber defensive operations, primarily targeting military and government personnel.

The group is also known to engage in cybercrime to provide additional income to fund its operations, including attacks on hospitals using its own ransomware variant, MAUI. Mandiant has observed the group expanding its financially motivated activities, which they believe is to generate additional revenue to support broader cyber campaigns and potentially provide funds to the DPRK regime. The increase in attacks has led to Mandiant elevating the threat actor to an APT and warning about the significant and escalating threat posed by the group.

Since the start of the pandemic, several hacking groups linked with the Democratic People’s Republic of Korea (DPRK) have conducted attacks on targets in the healthcare and pharmaceutical industries; however, APT45 has continued to attack these targets for longer than other DPRK threat actors. Mandiant believes that APT45 is operating under a mandate to collect data from healthcare and pharmaceutical companies, in particular, related to health-related research, as well as conducting attacks to fund its operations.

The group also appears to be engaged in developing ransomware, making it distinct from other DPRK-nexus groups. While Mandiant has been unable to definitively attribute several clusters of ransomware activity to APT45, such as the use of MAUI ransomware in attacks on healthcare organizations in 2022, Mandiant believes that it is plausible that APT45 has employed diverse schemes to raise money.


Mandiant has been working with multiple U.S. government agencies to track the activities of APT45 and gather intelligence, and has shared critical insights such as malware signatures and in-depth analyses of the group’s activities. Mandiant is providing indicators of compromise to registered users.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defense organizations around the world. When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him,” said Michael Barnhart, Mandiant Principal Analyst, Google Cloud. “APT45 isn’t bound by ethical considerations and have demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals. A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”

Today, the Federal Bureau of Investigation (FBI), U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Defense Cyber Crime Center (DC3), U.S. National Security Agency (NSA), United Kingdom’s National Cyber Security Centre (NCSC), and other partners released a joint cybersecurity advisory about APT45 that shares technical details about the group’s activities along with indicators of compromise (IoCs) and recommended detection procedures.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
