25 July 2024

North Korean APT45 expanding into financially-motivated operations

Google-owned cybersecurity firm Mandiant released a report detailing activities of a long-running threat actor it tracks as APT45. Also known as Andariel, Onyx Sleet, Stonefly, and Silent Chollima, the group has been active since at least 2009, gradually shifting its focus from cyberespionage to financially-motivated operations and ransomware campaigns.

Mandiant believes that APT45 supports the interests of the Democratic People's Republic of Korea (DPRK). The threat actor has been observed targeting critical infrastructure more frequently than other North Korean threat actors. In 2019, the group targeted nuclear research facilities and nuclear power plants, including the Kudankulam Nuclear Power Plant in India, marking one of the few publicly known instances of North Korean cyber operations against critical infrastructure.

The financial sector has also been a significant target for APT45. In 2016, the group leveraged a tool called RIFLE to attack a South Korean financial organization.

APT45 has also engaged in intellectual property theft to address domestic deficiencies. In September 2020, the group targeted the crop science division of a multinational corporation, likely due to deteriorating agricultural production following border closures related to COVID-19.

During a suspected COVID-19 outbreak in North Korea in 2021, multiple North Korea-nexus operators, including APT45, focused on the healthcare and pharmaceutical sectors. Activity observed from APT45 in 2023 indicates a continued interest in health-related research, suggesting an ongoing mandate to collect related information.

Mandiant said it tracks several activity clusters where APT45 is suspected, but not confirmed, to be involved. Public reports suggest these clusters have used ransomware, possibly to fund operations or generate revenue for the regime. In 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) reported on North Korean state-sponsored actors' use of MAUI ransomware to target the healthcare and public health sectors.

In 2021, security researchers identified ransomware called SHATTEREDGLASS, which has been used by suspected APT45 clusters.

APT45 employs a mix of publicly available tools, such as 3PROXY, and malware modified from publicly available sources, like ROGUEEYE, alongside custom malware families.
