North Korean State-Sponsored Cyber Attack: Unveiling the Intricacies of Threat Actor Group Andariel

In this threat intelligence research report, we shed light on a significant cyber attack attributed to North Korean state-sponsored actors known as Andariel.

Connie Tse 20 May 2024

In this threat research report, we shed light on a significant cyber attack attributed to North Korean state-sponsored actors known as Andariel, emphasizing the critical role that South Korea plays both as a target and a source of infrastructure for these threat actors.

South Korean Defense Contractor Targeted: Based on details that South Korean authorities revealed in December 2023, SecurityScorecard researchers determined that one likely victim was South Korean defence contractor Hanwha Corporation. South Korean military and defence organizations are top targets for state-sponsored North Korean cyber espionage due to the decades-long hostility and military tensions between the two occupants of the divided Korean Peninsula.

Use of South Korean infrastructure: Further research by SecurityScorecard threat hunters indicated that the actors likely used servers rented from South Korean IT service provider Daou Technology. North Korean actors often use compromised or illicitly obtained South Korean infrastructure, either in the hopes of blending in with their South Korean targets or to avoid revealing themselves as North Koreans by using infrastructure from a neighbouring country that speaks the same language.


Published by Connie Tse, Senior Marketing Manager, APAC, Marketing