Andariel

Executive Profile (BLUF)

Andariel is a North Korea state-sponsored cyber group operating under the Reconnaissance General Bureau (RGB) 3rd Bureau (Lab 110, reorganized from Bureau 121). It is a sub-component of the broader Lazarus Group cluster and operates a defining dual-track model: state-directed espionage against defense, aerospace, nuclear, and engineering targets to advance DPRK military and nuclear programs, combined with healthcare-sector ransomware operations (primarily against US targets) that generate operational funding for the espionage track. This makes Andariel the first publicly documented case of a state cyber actor systematically using ransomware to self-fund its own intelligence collection.

Andariel is tracked under multiple aliases across the vendor ecosystem — APT45 (Mandiant/Google Cloud), Silent Chollima (CrowdStrike), Onyx Sleet (Microsoft), PLUTONIUM (Microsoft legacy), and DarkSeoul (legacy 2013 campaigns). Mandiant estimates approximately 1,600 members. The US Treasury (OFAC) designated Andariel on 13 September 2019 (action SM774). The 25 July 2024 joint CISA advisory (AA24-207A), co-signed by FBI, CNMF, NSA, DC3, ROK NIS, ROK NPA, and UK NCSC, represents the highest-level public attribution to date — explicitly naming Lab 110 / RGB 3rd Bureau and confirming the dual-track espionage-plus-cybercrime model.

Organizational Structure

  • Parent organization: Reconnaissance General Bureau (RGB), 3rd Bureau — operational designation Lab 110, the unit reorganized from the legacy Bureau 121.
  • Position within DPRK cyber ecosystem: One of several specialized sub-elements under the broader Lazarus Group umbrella, parallel to APT38 — Bluenoroff (financial crime / cryptocurrency theft), Kimsuky (political and policy espionage), and APT37 — ScarCruft (defector tracking, domestic security).
  • Estimated personnel: Approximately 1,600 operators (Mandiant/Google Cloud APT45 assessment, “North Korea’s Digital Military Machine”).
  • Sanctions status: OFAC-designated 13 September 2019 (SDN entry SM774), alongside Lazarus Group and Bluenoroff as part of a coordinated Treasury action against DPRK cyber units.
  • Continuity: Operational and technical continuity with the 2013 DarkSeoul attacks against South Korean banking and media sector; same RGB 3rd Bureau infrastructure indicators persist across more than a decade of activity.

Mission & Dual-Track Operations

Andariel’s defining analytical feature is the explicit pairing of two operational tracks under a single unit:

Track 1 — State Espionage (primary mission) Defense, aerospace, nuclear, and engineering sector targeting to steal classified technical information and intellectual property. The collection requirements are tied directly to DPRK military and nuclear program development needs. CISA AA24-207A states: “The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs.”

Track 2 — Self-Funding Ransomware (revenue mission) Healthcare-sector ransomware operations (primarily against US targets) generate operational funding. The CISA advisory confirms: “Andariel also conducts cybercrime to fund its espionage activities.” This is the first publicly documented case of a DPRK state cyber group using ransomware revenue to underwrite its own intelligence collection. The model effectively decouples Andariel’s espionage operations from centralized DPRK hard-currency allocation, providing operational autonomy and a built-in incentive to maintain ransomware tempo.

The dual-track design is consequential for Advanced Persistent Threats taxonomy: Andariel breaks the conventional analytic separation between state espionage units and financially motivated criminal groups, because both functions are vertically integrated inside a single RGB element.

Capabilities & TTPs

Initial access

  • Spearphishing with defense-industry and aerospace-themed lures
  • Exploitation of public-facing applications (n-day and select 0-day exploitation against unpatched perimeter systems)
  • Watering hole attacks against defense-industry forums and engineering community sites

Custom malware families

  • TigerRAT — primary RAT for defense-sector intrusions
  • Dtrack — modular backdoor, long-running in the toolkit
  • MagicRAT — Qt-framework RAT linked to Andariel intrusions
  • YamaBot — Go-based backdoor used against ROK and Japan targets
  • Maui ransomware — custom ransomware purpose-built for manual, operator-driven deployment against healthcare targets

Post-compromise tradecraft

  • Living-off-the-Land (LotL) techniques using legitimate system administration tools for lateral movement
  • Credential harvesting and Active Directory enumeration
  • Selective data staging and exfiltration prioritizing technical documentation, schematics, and source code
  • Manual ransomware deployment (Maui) — operator interactively selects files for encryption, distinguishing Andariel’s ransomware from fully automated commodity strains

Operational discipline Andariel operations show characteristic DPRK tradecraft: long dwell times, careful staging, infrastructure reuse across campaigns (an analytic strength for attribution but reflecting resource constraints), and tight integration between target selection and DPRK collection requirements.

Major Operations

DateOperationTargetMethodImpactConfidence
2013-03DarkSeoulROK banks, broadcasters (KBS, MBC, YTN, Shinhan, NongHyup)Wiper malware via supply-chain compromiseTens of thousands of workstations wiped; ROK banking and broadcast operations disruptedHigh (joint ROK/US attribution; technical continuity into Andariel toolkit)
2017–2019ROK defense and financial sector campaignsROK defense contractors, ATMs, cryptocurrency exchangesSpearphishing, Dtrack variantsTheft of defense-related IP; ATM-related financial lossesHigh (ROK NIS, FireEye/Mandiant)
2021–2022TigerRAT / MagicRAT campaignsEnergy and defense sector globally (US, EU, ROK, India, Japan)VMware Horizon Log4Shell exploitation, MagicRAT deploymentLong-dwell access to defense and energy networksHigh (Cisco Talos, Kaspersky)
2022-07Maui ransomware against US healthcareUS healthcare and public health sector entitiesMaui ransomware, manual deploymentDisruption of healthcare services; ransom payments funding subsequent espionageHigh (FBI/CISA AA22-187A, July 2022)
2023–2024Defense and aerospace IP theft campaignsUS, UK, ROK, Japan, India defense / aerospace / nuclear / engineering firmsSpearphishing, public-facing app exploitation, custom RATsTheft of classified technical data feeding DPRK military/nuclear programsHigh (CISA AA24-207A, July 2024, 7-agency joint advisory)
2024-07CISA AA24-207A public attributionN/A — disclosure eventJoint advisoryPublic confirmation of Lab 110 / RGB 3rd Bureau attribution and dual-track modelHigh (multi-agency consensus across US, ROK, UK)

Healthcare Ransomware — The Self-Funding Model

The most analytically distinctive feature of Andariel is the institutionalization of ransomware as a self-funding mechanism for state espionage.

FBI/CISA advisory AA22-187A (July 2022) formally warned the US healthcare and public health sector about Maui ransomware attributed to DPRK state-sponsored actors — subsequently confirmed as Andariel in the 2024 joint advisory. The targeting logic is deliberate:

  1. Healthcare is operationally fragile — hospitals, clinics, and public-health entities face acute pressure to restore systems quickly, increasing ransom payment probability.
  2. Healthcare is politically sensitive — disruption generates immediate public pressure for resolution, again raising payment likelihood.
  3. Healthcare cybersecurity maturity is uneven — many target networks present low-cost intrusion opportunities for sophisticated state-grade tooling.
  4. Maui is manual — operators select files for encryption, allowing Andariel to maximize disruption while leaving forensic artefacts that maintain attribution ambiguity within the broader DPRK cluster.

Revenue generated from Maui operations is then redirected to fund Andariel’s primary mission: defense, aerospace, nuclear, and engineering sector espionage. This creates a closed loop in which US healthcare ransom payments directly subsidize collection against US, ROK, and allied defense industrial base targets — a strategic feedback loop that should be central to any policy assessment of DPRK cyber sanctions and healthcare-sector defense.

The Maui model has since been studied as a template for how cash-constrained state actors might integrate criminal revenue streams with strategic collection — a pattern with potential read-across to other sanctioned state cyber programs.

Attribution Basis

Attribution to DPRK / RGB 3rd Bureau / Lab 110 rests on converging evidence:

  • Joint AA24-207A advisory (25 July 2024) — FBI, CISA, CNMF, NSA, DC3, ROK NIS, ROK NPA, UK NCSC. Seven-agency cross-jurisdictional consensus is the strongest public attribution standard available for a non-state cyber actor.
  • OFAC designation (13 September 2019) — formal US Treasury sanctions naming Andariel as a DPRK state-controlled entity, alongside Lazarus and Bluenoroff.
  • Technical continuity — toolchain overlap (Dtrack, TigerRAT, MagicRAT, YamaBot) across campaigns from 2013 DarkSeoul through 2024 advisories; infrastructure reuse consistent with RGB resource constraints.
  • Vendor cross-confirmation — independent tracking by Mandiant (APT45), CrowdStrike (Silent Chollima), Microsoft (Onyx Sleet / legacy PLUTONIUM), Cisco Talos, and Kaspersky converging on a coherent actor profile.
  • Target profile coherence — collection requirements (DPRK military/nuclear program priorities) align consistently with documented victim sets.

Geopolitical Context

Andariel operates as one instrument within DPRK’s broader strategy of using cyber operations to simultaneously generate revenue under heavy sanctions and acquire technology denied to Pyongyang through conventional procurement channels. The 2017 UN Security Council sanctions regime (Resolutions 2371, 2375, 2397) closed most legitimate hard-currency channels for DPRK; cyber operations — across the Lazarus Group cluster — have since become a central pillar of regime financing and technology acquisition.

Within this strategy, Andariel occupies a specific niche:

  • Lazarus Group core — broad strategic operations, destructive attacks
  • APT38 — Bluenoroff — financial-system theft, SWIFT, cryptocurrency
  • Kimsuky — political, policy, and diplomatic espionage
  • APT37 — ScarCruft — defector tracking and domestic security operations
  • Andariel — military-technical IP theft, with ransomware-funded operational autonomy

See DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization for the integrated ecosystem analysis.

The dual-track model also has implications for sanctions policy. Conventional sanctions targeting state-controlled financial flows have limited effect on Andariel because its operational budget is generated externally through ransom payments routed via cryptocurrency. Disrupting Andariel therefore requires coordinated action across healthcare sector defense, cryptocurrency mixing services, and the criminal-monetization layer — a wider attack surface than traditional state-actor counter-cyber operations.

Gaps

  • Internal organizational structure of Lab 110 — public reporting names Lab 110 / RGB 3rd Bureau but does not disclose internal team structure, sub-cell composition, or command relationships between Andariel and parallel Lab 110 elements.
  • Personnel attribution — no individual Andariel operators have been publicly indicted, in contrast to the 2018 Park Jin Hyok indictment for Lazarus and the 2021 indictment of three DPRK operators for broader Lazarus activity. The absence of named-individual indictments specific to Andariel is an open intelligence question.
  • Maui revenue accounting — total revenue generated by Maui ransomware operations and the proportion redirected to espionage tooling/infrastructure is not publicly quantified.
  • Operational tempo budget allocation — the ratio of operator-hours spent on Track 1 (espionage) versus Track 2 (ransomware) is not disclosed in open sources.
  • Relationship to DPRK IT-worker scheme — open question whether Andariel benefits from or coordinates with the parallel DPRK overseas IT-worker revenue program; both fall under broader RGB-adjacent revenue generation.
  • Bureau 121 → Lab 110 transition — the precise reorganization sequence and any continuity/discontinuity in personnel is incompletely documented.

Strategic Implications

  1. The dual-track model breaks conventional cyber-threat taxonomy. Analytic frameworks that separate “state espionage” from “cybercriminal” actors fail to capture Andariel. Western defenders must treat ransomware-capable state actors as a distinct category with implications for both healthcare-sector defense and defense-industrial-base defense.

  2. US healthcare-sector breaches have a direct national-security dimension. A Maui infection at a regional hospital is not an isolated criminal event — it is a revenue node in a closed loop that subsidizes collection against US defense contractors. Healthcare-sector cybersecurity should be treated as a national-security equity, not solely a sectoral concern.

  3. Sanctions efficacy is structurally constrained. Because Andariel generates its operational budget externally through cryptocurrency-denominated ransom payments, traditional sanctions targeting state-controlled financial flows are partially circumvented by design. Effective disruption requires action against cryptocurrency mixers, ransom-payment intermediaries, and the broader monetization layer.

  4. The model is potentially exportable. Other sanctioned states with mature cyber programs (Iran, Russia) face similar revenue constraints and may study or adopt elements of Andariel’s self-funding architecture. Analysts should watch for IRGC- or GRU-linked clusters adopting analogous ransomware-for-espionage structures.

  5. Attribution clarity does not equal deterrence. Despite a seven-agency joint advisory naming Lab 110 directly, Andariel’s operational tempo through 2024 shows no observable deterrent effect from public attribution alone. Policy responses must extend beyond naming-and-shaming to operationally meaningful disruption.

  6. Defense industrial base needs ransomware-aware threat models. Andariel demonstrates that the same actor compromising a regional hospital this quarter may be inside a defense contractor’s network next quarter. Sector-siloed defense postures miss the integration.

Sources

Tier 1 — Government / Official (high confidence)

  • CISA / FBI / NSA / CNMF / DC3 / ROK NIS / ROK NPA / UK NCSC, Joint Cybersecurity Advisory AA24-207A: North Korea State-Sponsored Cyber Group Conducts Espionage and Generates Revenue Worldwide, 25 July 2024 — primary public attribution document, names Lab 110 / RGB 3rd Bureau, confirms dual-track model. [primary, authoritative]
  • FBI / CISA / Treasury, Joint Cybersecurity Advisory AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector, July 2022 — first government-level Maui attribution. [primary, authoritative]
  • US Department of the Treasury, OFAC SDN designation SM774, 13 September 2019 — formal sanctions naming. [primary, authoritative]
  • UN Panel of Experts on DPRK, annual reports — context on DPRK cyber revenue generation under sanctions regime. [primary, authoritative]

Tier 2 — Vendor / Industry (high to high-medium confidence)

  • Mandiant / Google Cloud, APT45: North Korea’s Digital Military Machine, 2024 — APT45 designation, ~1,600 personnel estimate, dual-track documentation. [high confidence — vendor]
  • Microsoft Threat Intelligence — Onyx Sleet / PLUTONIUM tracking and reporting. [high confidence — vendor]
  • CrowdStrike — Silent Chollima profile and intrusion reporting. [high confidence — vendor]
  • Cisco Talos — MagicRAT, TigerRAT technical analysis, including Log4Shell exploitation campaigns. [high confidence — vendor]
  • Kaspersky GReAT — Dtrack, YamaBot analysis and Andariel campaign tracking. [high confidence — vendor]

Tier 3 — Academic and Independent (medium confidence)

  • Recorded Future / Insikt Group — recurring DPRK cyber ecosystem analysis. [medium-high — analytic]
  • ROK academic and think-tank reporting on DPRK cyber organization (Korea University, Institute for National Security Strategy). [medium-high — analytic]

Cross-references