Trusted Design

Andariel

アクターID: G0138

· MITRE Pageへのリンク

脅威アクターの詳細

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

脅威アクターの別名・別称

Andariel
Silent Chollima
PLUTONIUM
Onyx Sleet

利用した攻撃手法

• T1171 - LLMNR/NBT-NS Poisoning and Relay
• T1087.002 - Domain Account
• T1598.003 - Spearphishing Link
• T1584.003 - Virtual Private Server
• T1136.002 - Domain Account
• T1055.004 - Asynchronous Procedure Call
• T1583.006 - Web Services
• T1187 - Forced Authentication
• T1218.010 - Regsvr32
• T1562.011 - Spoof Security Alerting
• T1059.012 - Hypervisor CLI
• T1547.013 - XDG Autostart Entries

関連するCVE (攻撃手法に関連)

• CVE-2014-4114 (T1218.010)
• CVE-2015-1770 (T1218.010)
• CVE-2015-2545 (T1562.011)
• CVE-2017-0199 (T1218.010)
• CVE-2012-0158 (T1218.010)
• CVE-2013-3906 (T1218.010)
• CVE-2014-6352 (T1562.011)
• CVE-2015-0016 (T1218.010)
• CVE-2010-3333 (T1218.010)
• CVE-2010-0188 (T1087.002)
• CVE-2010-2884 (T1087.002)
• CVE-2013-0640 (T1087.002)
• CVE-2011-0611 (T1218.010)
• CVE-2010-1553 (T1598.003)
• CVE-2014-1761 (T1218.010)
• CVE-2015-2853 (T1218.010)
• CVE-2017-16929 (T1598.003)
• CVE-2012-1876 (T1218.010)
• CVE-2012-2539 (T1218.010)
• CVE-2013-3660 (T1055.004)
• CVE-2013-7331 (T1187)
• CVE-2009-3129 (T1598.003)
• CVE-2013-5990 (T1218.010)
• CVE-2015-5749 (T1136.002)
• CVE-2015-6034 (T1055.004)
• CVE-2016-1287 (T1055.004)
• CVE-2016-2342 (T1055.004)
• CVE-2017-0261 (T1055.004)
• CVE-2017-0262 (T1055.004)
• CVE-2025-55182 (T1055.004)
• CVE-2012-0056 (T1055.004)
• CVE-2012-1258 (T1055.004)
• CVE-2015-3636 (T1055.004)
• CVE-2014-3393 (T1055.004)
• CVE-2012-6422 (T1055.004)
• CVE-2012-0611 (T1059.012)
• CVE-2025-13928 (T1055.004)
• CVE-2025-34026 (T1218.010)
• CVE-2025-55184 (T1055.004)
• CVE-2008-1436 (T1583.006)
• CVE-2015-1641 (T1187)
• CVE-2015-8286 (T1187)
• CVE-2016-9495 (T1218.010)
• CVE-2015-5119 (T1218.010)
• CVE-2015-5122 (T1218.010)
• CVE-2012-1856 (T1218.010)
• CVE-2014-6332 (T1218.010)
• CVE-2015-7645 (T1218.010)
• CVE-2015-3043 (T1218.010)
• CVE-2015-3090 (T1218.010)
• CVE-2015-3113 (T1218.010)
• CVE-2015-4495 (T1059.012)
• CVE-2015-2502 (T1059.012)
• CVE-2014-6271 (T1218.010)
• CVE-2015-7808 (T1218.010)
• CVE-2016-1010 (T1218.010)
• CVE-2016-1001 (T1218.010)
• CVE-2016-0998 (T1218.010)
• CVE-2015-0313 (T1218.010)
• CVE-2015-0359 (T1218.010)
• CVE-2015-3628 (T1218.010)
• CVE-2015-2852 (T1218.010)
• CVE-2015-2854 (T1218.010)
• CVE-2015-7755 (T1218.010)
• CVE-2012-4969 (T1218.010)
• CVE-2015-8287 (T1218.010)
• CVE-2015-0311 (T1218.010)
• CVE-2012-3213 (T1218.010)
• CVE-2012-4792 (T1547.013)
• CVE-2014-0322 (T1059.012)
• CVE-2015-0336 (T1218.010)
• CVE-2014-3153 (T1218.010)
• CVE-2015-3105 (T1218.010)
• CVE-2014-0497 (T1218.010)
• CVE-2014-8361 (T1218.010)
• CVE-2013-0074 (T1218.010)
• CVE-2013-2551 (T1059.012)
• CVE-2014-0515 (T1218.010)
• CVE-2015-0310 (T1218.010)
• CVE-2014-1776 (T1218.010)
• CVE-2015-0071 (T1059.012)
• CVE-2014-9163 (T1218.010)
• CVE-2010-0806 (T1547.013)
• CVE-2014-7247 (T1218.010)
• CVE-2010-0232 (T1218.010)
• CVE-2011-1255 (T1218.010)
• CVE-2015-2419 (T1059.012)
• CVE-2016-0189 (T1059.012)
• CVE-2016-4117 (T1218.010)
• CVE-2017-0143 (T1218.010)
• CVE-2025-24893 (T1218.010)
• CVE-2014-3897 (T1059.012)

Actor – Pulse グラフ

---

← 脅威アクター一覧に戻る