Andariel
Executive Profile (BLUF)
Andariel is a North Korea state-sponsored cyber group operating under the Reconnaissance General Bureau (RGB) 3rd Bureau (Lab 110, reorganized from Bureau 121). It is a sub-component of the broader Lazarus Group cluster and operates a defining dual-track model: state-directed espionage against defense, aerospace, nuclear, and engineering targets to advance DPRK military and nuclear programs, combined with healthcare-sector ransomware operations (primarily against US targets) that generate operational funding for the espionage track. This makes Andariel the first publicly documented case of a state cyber actor systematically using ransomware to self-fund its own intelligence collection.
Andariel is tracked under multiple aliases across the vendor ecosystem — APT45 (Mandiant/Google Cloud), Silent Chollima (CrowdStrike), Onyx Sleet (Microsoft), PLUTONIUM (Microsoft legacy), and DarkSeoul (legacy 2013 campaigns). Mandiant estimates approximately 1,600 members. The US Treasury (OFAC) designated Andariel on 13 September 2019 (action SM774). The 25 July 2024 joint CISA advisory (AA24-207A), co-signed by FBI, CNMF, NSA, DC3, ROK NIS, ROK NPA, and UK NCSC, represents the highest-level public attribution to date — explicitly naming Lab 110 / RGB 3rd Bureau and confirming the dual-track espionage-plus-cybercrime model.
Organizational Structure
- Parent organization: Reconnaissance General Bureau (RGB), 3rd Bureau — operational designation Lab 110, the unit reorganized from the legacy Bureau 121.
- Position within DPRK cyber ecosystem: One of several specialized sub-elements under the broader Lazarus Group umbrella, parallel to APT38 — Bluenoroff (financial crime / cryptocurrency theft), Kimsuky (political and policy espionage), and APT37 — ScarCruft (defector tracking, domestic security).
- Estimated personnel: Approximately 1,600 operators (Mandiant/Google Cloud APT45 assessment, “North Korea’s Digital Military Machine”).
- Sanctions status: OFAC-designated 13 September 2019 (SDN entry SM774), alongside Lazarus Group and Bluenoroff as part of a coordinated Treasury action against DPRK cyber units.
- Continuity: Operational and technical continuity with the 2013 DarkSeoul attacks against South Korean banking and media sector; same RGB 3rd Bureau infrastructure indicators persist across more than a decade of activity.
Mission & Dual-Track Operations
Andariel’s defining analytical feature is the explicit pairing of two operational tracks under a single unit:
Track 1 — State Espionage (primary mission) Defense, aerospace, nuclear, and engineering sector targeting to steal classified technical information and intellectual property. The collection requirements are tied directly to DPRK military and nuclear program development needs. CISA AA24-207A states: “The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs.”
Track 2 — Self-Funding Ransomware (revenue mission) Healthcare-sector ransomware operations (primarily against US targets) generate operational funding. The CISA advisory confirms: “Andariel also conducts cybercrime to fund its espionage activities.” This is the first publicly documented case of a DPRK state cyber group using ransomware revenue to underwrite its own intelligence collection. The model effectively decouples Andariel’s espionage operations from centralized DPRK hard-currency allocation, providing operational autonomy and a built-in incentive to maintain ransomware tempo.
The dual-track design is consequential for Advanced Persistent Threats taxonomy: Andariel breaks the conventional analytic separation between state espionage units and financially motivated criminal groups, because both functions are vertically integrated inside a single RGB element.
Capabilities & TTPs
Initial access
- Spearphishing with defense-industry and aerospace-themed lures
- Exploitation of public-facing applications (n-day and select 0-day exploitation against unpatched perimeter systems)
- Watering hole attacks against defense-industry forums and engineering community sites
Custom malware families
- TigerRAT — primary RAT for defense-sector intrusions
- Dtrack — modular backdoor, long-running in the toolkit
- MagicRAT — Qt-framework RAT linked to Andariel intrusions
- YamaBot — Go-based backdoor used against ROK and Japan targets
- Maui ransomware — custom ransomware purpose-built for manual, operator-driven deployment against healthcare targets
Post-compromise tradecraft
- Living-off-the-Land (LotL) techniques using legitimate system administration tools for lateral movement
- Credential harvesting and Active Directory enumeration
- Selective data staging and exfiltration prioritizing technical documentation, schematics, and source code
- Manual ransomware deployment (Maui) — operator interactively selects files for encryption, distinguishing Andariel’s ransomware from fully automated commodity strains
Operational discipline Andariel operations show characteristic DPRK tradecraft: long dwell times, careful staging, infrastructure reuse across campaigns (an analytic strength for attribution but reflecting resource constraints), and tight integration between target selection and DPRK collection requirements.
Major Operations
| Date | Operation | Target | Method | Impact | Confidence |
|---|---|---|---|---|---|
| 2013-03 | DarkSeoul | ROK banks, broadcasters (KBS, MBC, YTN, Shinhan, NongHyup) | Wiper malware via supply-chain compromise | Tens of thousands of workstations wiped; ROK banking and broadcast operations disrupted | High (joint ROK/US attribution; technical continuity into Andariel toolkit) |
| 2017–2019 | ROK defense and financial sector campaigns | ROK defense contractors, ATMs, cryptocurrency exchanges | Spearphishing, Dtrack variants | Theft of defense-related IP; ATM-related financial losses | High (ROK NIS, FireEye/Mandiant) |
| 2021–2022 | TigerRAT / MagicRAT campaigns | Energy and defense sector globally (US, EU, ROK, India, Japan) | VMware Horizon Log4Shell exploitation, MagicRAT deployment | Long-dwell access to defense and energy networks | High (Cisco Talos, Kaspersky) |
| 2022-07 | Maui ransomware against US healthcare | US healthcare and public health sector entities | Maui ransomware, manual deployment | Disruption of healthcare services; ransom payments funding subsequent espionage | High (FBI/CISA AA22-187A, July 2022) |
| 2023–2024 | Defense and aerospace IP theft campaigns | US, UK, ROK, Japan, India defense / aerospace / nuclear / engineering firms | Spearphishing, public-facing app exploitation, custom RATs | Theft of classified technical data feeding DPRK military/nuclear programs | High (CISA AA24-207A, July 2024, 7-agency joint advisory) |
| 2024-07 | CISA AA24-207A public attribution | N/A — disclosure event | Joint advisory | Public confirmation of Lab 110 / RGB 3rd Bureau attribution and dual-track model | High (multi-agency consensus across US, ROK, UK) |
Healthcare Ransomware — The Self-Funding Model
The most analytically distinctive feature of Andariel is the institutionalization of ransomware as a self-funding mechanism for state espionage.
FBI/CISA advisory AA22-187A (July 2022) formally warned the US healthcare and public health sector about Maui ransomware attributed to DPRK state-sponsored actors — subsequently confirmed as Andariel in the 2024 joint advisory. The targeting logic is deliberate:
- Healthcare is operationally fragile — hospitals, clinics, and public-health entities face acute pressure to restore systems quickly, increasing ransom payment probability.
- Healthcare is politically sensitive — disruption generates immediate public pressure for resolution, again raising payment likelihood.
- Healthcare cybersecurity maturity is uneven — many target networks present low-cost intrusion opportunities for sophisticated state-grade tooling.
- Maui is manual — operators select files for encryption, allowing Andariel to maximize disruption while leaving forensic artefacts that maintain attribution ambiguity within the broader DPRK cluster.
Revenue generated from Maui operations is then redirected to fund Andariel’s primary mission: defense, aerospace, nuclear, and engineering sector espionage. This creates a closed loop in which US healthcare ransom payments directly subsidize collection against US, ROK, and allied defense industrial base targets — a strategic feedback loop that should be central to any policy assessment of DPRK cyber sanctions and healthcare-sector defense.
The Maui model has since been studied as a template for how cash-constrained state actors might integrate criminal revenue streams with strategic collection — a pattern with potential read-across to other sanctioned state cyber programs.
Attribution Basis
Attribution to DPRK / RGB 3rd Bureau / Lab 110 rests on converging evidence:
- Joint AA24-207A advisory (25 July 2024) — FBI, CISA, CNMF, NSA, DC3, ROK NIS, ROK NPA, UK NCSC. Seven-agency cross-jurisdictional consensus is the strongest public attribution standard available for a non-state cyber actor.
- OFAC designation (13 September 2019) — formal US Treasury sanctions naming Andariel as a DPRK state-controlled entity, alongside Lazarus and Bluenoroff.
- Technical continuity — toolchain overlap (Dtrack, TigerRAT, MagicRAT, YamaBot) across campaigns from 2013 DarkSeoul through 2024 advisories; infrastructure reuse consistent with RGB resource constraints.
- Vendor cross-confirmation — independent tracking by Mandiant (APT45), CrowdStrike (Silent Chollima), Microsoft (Onyx Sleet / legacy PLUTONIUM), Cisco Talos, and Kaspersky converging on a coherent actor profile.
- Target profile coherence — collection requirements (DPRK military/nuclear program priorities) align consistently with documented victim sets.
Geopolitical Context
Andariel operates as one instrument within DPRK’s broader strategy of using cyber operations to simultaneously generate revenue under heavy sanctions and acquire technology denied to Pyongyang through conventional procurement channels. The 2017 UN Security Council sanctions regime (Resolutions 2371, 2375, 2397) closed most legitimate hard-currency channels for DPRK; cyber operations — across the Lazarus Group cluster — have since become a central pillar of regime financing and technology acquisition.
Within this strategy, Andariel occupies a specific niche:
- Lazarus Group core — broad strategic operations, destructive attacks
- APT38 — Bluenoroff — financial-system theft, SWIFT, cryptocurrency
- Kimsuky — political, policy, and diplomatic espionage
- APT37 — ScarCruft — defector tracking and domestic security operations
- Andariel — military-technical IP theft, with ransomware-funded operational autonomy
See DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization for the integrated ecosystem analysis.
The dual-track model also has implications for sanctions policy. Conventional sanctions targeting state-controlled financial flows have limited effect on Andariel because its operational budget is generated externally through ransom payments routed via cryptocurrency. Disrupting Andariel therefore requires coordinated action across healthcare sector defense, cryptocurrency mixing services, and the criminal-monetization layer — a wider attack surface than traditional state-actor counter-cyber operations.
Gaps
- Internal organizational structure of Lab 110 — public reporting names Lab 110 / RGB 3rd Bureau but does not disclose internal team structure, sub-cell composition, or command relationships between Andariel and parallel Lab 110 elements.
- Personnel attribution — no individual Andariel operators have been publicly indicted, in contrast to the 2018 Park Jin Hyok indictment for Lazarus and the 2021 indictment of three DPRK operators for broader Lazarus activity. The absence of named-individual indictments specific to Andariel is an open intelligence question.
- Maui revenue accounting — total revenue generated by Maui ransomware operations and the proportion redirected to espionage tooling/infrastructure is not publicly quantified.
- Operational tempo budget allocation — the ratio of operator-hours spent on Track 1 (espionage) versus Track 2 (ransomware) is not disclosed in open sources.
- Relationship to DPRK IT-worker scheme — open question whether Andariel benefits from or coordinates with the parallel DPRK overseas IT-worker revenue program; both fall under broader RGB-adjacent revenue generation.
- Bureau 121 → Lab 110 transition — the precise reorganization sequence and any continuity/discontinuity in personnel is incompletely documented.
Strategic Implications
-
The dual-track model breaks conventional cyber-threat taxonomy. Analytic frameworks that separate “state espionage” from “cybercriminal” actors fail to capture Andariel. Western defenders must treat ransomware-capable state actors as a distinct category with implications for both healthcare-sector defense and defense-industrial-base defense.
-
US healthcare-sector breaches have a direct national-security dimension. A Maui infection at a regional hospital is not an isolated criminal event — it is a revenue node in a closed loop that subsidizes collection against US defense contractors. Healthcare-sector cybersecurity should be treated as a national-security equity, not solely a sectoral concern.
-
Sanctions efficacy is structurally constrained. Because Andariel generates its operational budget externally through cryptocurrency-denominated ransom payments, traditional sanctions targeting state-controlled financial flows are partially circumvented by design. Effective disruption requires action against cryptocurrency mixers, ransom-payment intermediaries, and the broader monetization layer.
-
The model is potentially exportable. Other sanctioned states with mature cyber programs (Iran, Russia) face similar revenue constraints and may study or adopt elements of Andariel’s self-funding architecture. Analysts should watch for IRGC- or GRU-linked clusters adopting analogous ransomware-for-espionage structures.
-
Attribution clarity does not equal deterrence. Despite a seven-agency joint advisory naming Lab 110 directly, Andariel’s operational tempo through 2024 shows no observable deterrent effect from public attribution alone. Policy responses must extend beyond naming-and-shaming to operationally meaningful disruption.
-
Defense industrial base needs ransomware-aware threat models. Andariel demonstrates that the same actor compromising a regional hospital this quarter may be inside a defense contractor’s network next quarter. Sector-siloed defense postures miss the integration.
Sources
Tier 1 — Government / Official (high confidence)
- CISA / FBI / NSA / CNMF / DC3 / ROK NIS / ROK NPA / UK NCSC, Joint Cybersecurity Advisory AA24-207A: North Korea State-Sponsored Cyber Group Conducts Espionage and Generates Revenue Worldwide, 25 July 2024 — primary public attribution document, names Lab 110 / RGB 3rd Bureau, confirms dual-track model. [primary, authoritative]
- FBI / CISA / Treasury, Joint Cybersecurity Advisory AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector, July 2022 — first government-level Maui attribution. [primary, authoritative]
- US Department of the Treasury, OFAC SDN designation SM774, 13 September 2019 — formal sanctions naming. [primary, authoritative]
- UN Panel of Experts on DPRK, annual reports — context on DPRK cyber revenue generation under sanctions regime. [primary, authoritative]
Tier 2 — Vendor / Industry (high to high-medium confidence)
- Mandiant / Google Cloud, APT45: North Korea’s Digital Military Machine, 2024 — APT45 designation, ~1,600 personnel estimate, dual-track documentation. [high confidence — vendor]
- Microsoft Threat Intelligence — Onyx Sleet / PLUTONIUM tracking and reporting. [high confidence — vendor]
- CrowdStrike — Silent Chollima profile and intrusion reporting. [high confidence — vendor]
- Cisco Talos — MagicRAT, TigerRAT technical analysis, including Log4Shell exploitation campaigns. [high confidence — vendor]
- Kaspersky GReAT — Dtrack, YamaBot analysis and Andariel campaign tracking. [high confidence — vendor]
Tier 3 — Academic and Independent (medium confidence)
- Recorded Future / Insikt Group — recurring DPRK cyber ecosystem analysis. [medium-high — analytic]
- ROK academic and think-tank reporting on DPRK cyber organization (Korea University, Institute for National Security Strategy). [medium-high — analytic]
Cross-references