Andariel

Also known as: Onyx Sleet, PLUTONIUM, Silent Chollima, Operation Troy, Guardian of Peace, GOP, WHOis Team

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; it has also conducted financially motivated operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. [2][3][4][5][6]

Andariel is considered a subset of Lazarus Group and has been attributed to North Korea's Reconnaissance General Bureau. [7]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

🌍 Country North Korea
🧭 ATT&CK G0138

Activities and Tactics

Country of Origin: 🇰🇵 North Korea

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Country of Origin: North Korea

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK, Andariel (G0138) entry
[2] FSI, Andariel Campaign Rifle, July 2017
[3] IssueMakersLab, Andariel GoldenAxe, May 2017
[4] AhnLab, Andariel Subgroup of Lazarus, June 2018
[5] TrendMicro, New Andariel Tactics, July 2018
[6] CrowdStrike, Silent Chollima Adversary, September 2021
[7] U.S. Treasury, North Korean Cyber Groups, September 2019
