Threat actor
Andariel (G0138) · state
🇰🇵 KP · RGB
aka Andariel, Silent Chollima, PLUTONIUM, Onyx Sleet
Last updated: 2026-07-03
About this actor
[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; it has also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021) [Andariel](https://attack.mitre.org/groups/G0138) is considered a subset of [Lazarus Group](https://attack.mitre.org/groups/G0032) and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
Source: MITRE ATT&CK
Activity timeline
- 2022 — 7 CVEs published
- 2021 — 2 CVEs published
- 2019 — 1 CVE published
- 2018 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2021-3018 | 8.0 | 9.8 | 0.7933 | 2021-01-05 | see CVE |
| CVE-2021-44142 | 8.0 | 8.8 | 0.7404 | 2022-02-21 | see CVE |
| CVE-2021-45837 | 8.0 | 9.8 | 0.8108 | 2022-04-25 | see CVE |
| CVE-2021-40684 | 7.0 | 9.1 | 0.0115 | 2021-09-22 | see CVE |
| CVE-2022-24663 | 7.0 | 9.9 | 0.0210 | 2022-02-16 | see CVE |
| CVE-2022-24664 | 7.0 | 9.9 | 0.0159 | 2022-02-16 | see CVE |
| CVE-2022-24665 | 7.0 | 9.9 | 0.0244 | 2022-02-16 | see CVE |
| CVE-2019-15637 | 6.0 | 8.1 | 0.2273 | 2019-08-26 | see CVE |
| CVE-2022-22005 | 6.0 | 8.8 | 0.1721 | 2022-02-09 | see CVE |
| CVE-2017-4946 | 5.5 | 7.8 | 0.0051 | 2018-01-05 | see CVE |
| CVE-2022-24785 | 5.5 | 7.5 | 0.0566 | 2022-04-04 | see CVE |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-3 | 9 / 18 | 50% |
| SI-4 | 9 / 18 | 50% |
| AC-4 | 7 / 18 | 39% |
| CA-7 | 7 / 18 | 39% |
| CM-2 | 7 / 18 | 39% |
| CM-6 | 7 / 18 | 39% |
| SC-7 | 7 / 18 | 39% |
| SI-2 | 6 / 18 | 33% |
| SC-44 | 5 / 18 | 28% |
| SI-7 | 5 / 18 | 28% |
| CM-7 | 4 / 18 | 22% |
| SI-8 | 4 / 18 | 22% |
| AC-6 | 3 / 18 | 17% |
| AC-3 | 2 / 18 | 11% |
| CM-8 | 2 / 18 | 11% |
Co-occurring actors
- Lazarus Group — 11 shared CVEs
- Maui ransomware — 11 shared CVEs
- Storm-0530 — 11 shared CVEs
Similar actors
Similar TTPs
- Elderwood 0.36
- The White Company 0.25
- IndigoZebra 0.25
- TA459 0.24
- Operation Spalax 0.24
Overlapping CVEs
- Storm-0530 1.00
- Maui ransomware 1.00
- Lazarus Group 0.92
Active in same years
- Lazarus Group 4.00
- Storm-0530 4.00
- Maui ransomware 4.00
- APT29 2.00
- C0018 1.00
Same nation-state
- Operation Dream Job 1.00
- 3CX Supply Chain Attack 1.00
- Lazarus Group 1.00
- APT37 1.00
- APT38 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00