Unraveling the Mysteries of Andariel: An APT from North Korea

An ever-evolving digital world is not without its perils, one of them being cyber threats.

Among these, the ‘Advanced Persistent Threats’ (APTs) are a significant concern due to their stealthy and continuous computer hacking processes.

One such APT group that has caught the attention of cybersecurity professionals worldwide is ‘Andariel,’ originating from North Korea.

This blog will delve into what Andariel is, its modus operandi, and ways to protect against such threats.

Who is Andariel?

Andariel, also known as Silent Chollima or Dark Seoul, is a suspected North Korean hacker group. It came into the global limelight around 2016, but it’s believed to have been operational since at least 2009.

The group is infamous for its targeted cyber-attacks on South Korean government, defense industry, and financial organizations. However, over the years, their activities have expanded to include global targets.

How Does Andariel Operate?

The primary weapon of choice for Andariel is spear-phishing emails laced with malicious attachments or links. Victims are typically tricked into clicking these, leading to the installation of malware on their systems.

These malware strains allow Andariel to steal sensitive information, disrupt operations, or even gain control of the infected systems.

Andariel has also demonstrated aptitude in exploiting zero-day vulnerabilities, which are previously unknown software bugs that hackers can exploit before they’re patched. They’re often used to infiltrate systems without detection, making them a potent tool for APT groups.

One of the unique aspects of Andariel’s operations is its focus on financial theft.

The group has been linked to attacks on ATMs, where they’ve reportedly been able to compromise the machines to dispense cash at will. They’ve also targeted online poker and gambling sites, stealing millions of dollars in the process.

Understanding the Motivation of Andariel

Although it’s challenging to definitively state Andariel’s motivations, several factors suggest their primary goals:

  1. Political Espionage: Like many state-sponsored cyber groups, Andariel is suspected of performing espionage to gain strategic advantage. They reportedly target South Korean government and military networks to gather intelligence.
  2. Economic Gain: The group is also known for its focus on financial institutions. They have targeted banks and credit card companies, likely aiming to steal money to support their operations or the North Korean economy.
  3. Disruption and Propaganda: Some of Andariel’s attacks seem designed to cause disruption or spread propaganda. For instance, they were linked to the 2013 DarkSeoul incident, which wiped data from South Korean banks and broadcasters’ computers while displaying messages supportive of North Korea.
  4. Cyber Warfare Capability: By launching sophisticated cyber-attacks, Andariel demonstrates and enhances its cyber warfare capabilities. This could serve as a deterrent to potential adversaries or as a means to project power internationally.

It’s important to note that these motivations are inferred based on the group’s observed activities and targets, as well as the general geopolitical context. The group itself has not publicly stated its goals.


In July 2017, the Financial Security Institute (FSI), a South Korean organization specializing in financial security, compiled a comprehensive profile of Andariel, a North Korean cyber threat group that was largely unknown until then.

As an offshoot of the infamous Lazarus Group, also known as HIDDEN COBRA, Andariel focuses its cyberattacks primarily on South Korean government bodies and businesses.

Andariel’s operations are notably concentrated on South Korea, earning it the moniker Silent Chollima, a reference to both the mythical horse in East Asian mythology known for its swift and stealthy movements, mirroring the stealthy operations of this subgroup.

The potential victims of Andariel are not limited to any specific sector within South Korea; they range from government organizations and defense sectors to symbols of economic significance.

A report by the U.S. Army in 2020 estimated that Andariel comprises approximately 1,600 members. Their primary tasks involve reconnaissance, identifying network vulnerabilities, and mapping out enemy networks for potential cyberattacks.

While their activities are centered around South Korea, they also target other governments, infrastructure, and businesses across the globe.

Their attack methodologies encompass a wide range of techniques including exploiting ActiveX vulnerabilities, leveraging weaknesses in South Korean software, initiating watering hole attacks, spear phishing with macros, exploiting IT management products like antivirus systems and PMS, and manipulating supply chains through installers and updaters.

The group is known to deploy various malware strains, including but not limited to Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.

Defending Against Andariel

Defending against an APT like Andariel requires a multi-faceted approach. Here are some steps to consider:

  1. Education and Awareness: Given that spear-phishing is one of their main attack vectors, educating employees about the dangers of unsolicited emails and the signs of phishing attempts is crucial.
  2. Regular Patching and Updates: As Andariel has shown prowess in exploiting zero-day vulnerabilities, keeping all software and systems up-to-date is essential. Regular patching can help close these vulnerabilities and make it harder for the group to gain access to your systems.
  3. Implementing Advanced Security Measures: Employing advanced threat detection and response solutions can help identify and neutralize threats before they can cause significant damage. These might include intrusion detection systems (IDS), firewalls, and anti-malware tools.
  4. Regular Backups: Regularly backing up important data can help reduce the impact of a successful attack. In the event of a system compromise, having up-to-date backups allows you to restore your systems with minimal downtime.
  5. Incident Response Plan: Having a robust incident response plan in place helps organizations react quickly and effectively when a breach is detected.

The threat posed by groups like Andariel is real and evolving. However, by understanding their tactics and implementing robust security measures, we can significantly reduce their ability to succeed. The key lies in staying vigilant, educated, and prepared.

Indicators of Compromise (IoCs)

The Indicators of Compromise (IoCs) for Andariel provide a roadmap for detecting its cyber activities. These include specific IP and port combinations ans URLs related to the group’s activities.

IPv4 Port Combinations:

The group has been known to use the following IP addresses in combination with specified ports:, 8080, 8443, 443, 4443, 8080, 8081, 8443


Certain URLs have also been associated with Andariel’s operations:

These IoCs can be used to detect Andariel’s activities within a network or on specific devices, and are crucial for incident response and threat hunting processes.


Andariel, an Advanced Persistent Threat (APT) from North Korea, presents a significant and complex cybersecurity challenge.

The group’s intricate tactics, techniques, and procedures (TTPs) demonstrate a high level of sophistication and adaptability.

This APT exemplifies the evolving nature of cyber threats in our increasingly interconnected digital landscape.

The indicators of compromise we’ve discussed can help organizations detect Andariel’s activities, but they’re just one piece of the puzzle.

To effectively counter such threats, a comprehensive, proactive security strategy is essential. This includes regular network monitoring, robust employee training, and the deployment of advanced threat detection and response tools.

As Andariel continues to evolve, it’s vital that we remain aware of its strategies and continue to unravel its mysteries. By doing so, we can better protect our networks and sensitive data from this and other sophisticated cyber threats.

In the end, understanding our adversaries is one of the most powerful tools we have in the ongoing fight against cybercrime.