Lazarus Group (also known by other monikers such as Guardians of Peace or Whois Team) is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, it has since been designated an advanced persistent threat (APT) because of the intended nature of its operations, the threat it poses, and the wide array of methods it uses when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra (used by the United States Department of Homeland Security to refer to malicious cyber activity by the North Korean government in general) and Zinc (by Microsoft).
The Lazarus Group has strong links to North Korea. The United States Federal Bureau of Investigation says that the Lazarus Group is a North Korean "state-sponsored hacking organization". According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
North Korea benefits from conducting cyber operations because it can present an asymmetric threat with a small group of operators, especially to South Korea.
History
The earliest known attack that the group is responsible for is known as "Operation Troy", which took place from 2009 to 2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service (DDoS) techniques to target the South Korean government in Seoul. They were also responsible for attacks in 2011 and 2013. It is possible that they were also behind a 2007 attack targeting South Korea, but that is still uncertain. A notable attack that the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group had become over time.

The Lazarus Group were reported to have stolen US$12 million from the Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank in 2015. They have also targeted banks in Poland and Mexico. The 2016 bank heist that targeted Bangladesh Bank, in which US$81 million was successfully stolen, was also attributed to the group. In 2017, the Lazarus Group was reported to have stolen US$60 million from the Far Eastern International Bank of Taiwan, although the actual amount stolen was unclear and most of the funds were recovered.
It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea.
Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on spying and infiltration cyberattacks, whereas a sub-group within their organisation, which Kaspersky called Bluenoroff, specialised in financial cyberattacks. Kaspersky found multiple attacks worldwide and a direct link (an IP address) between Bluenoroff and North Korea.
However, Kaspersky also acknowledged that the reuse of code could be a "false flag" meant to mislead investigators and pin the attack on North Korea, given that the worldwide WannaCry worm cyberattack also copied techniques from the NSA. That ransomware leverages an NSA exploit known as EternalBlue, which a hacker group known as the Shadow Brokers made public in April 2017.
Symantec reported in 2017 that it was "highly likely" that Lazarus was behind the WannaCry attack.
2009 Operation Troy
The incident that marked the beginning of "Operation Troy" took place on July 4, 2009. This attack utilized the Mydoom and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and placed the text "Memory of Independence Day" in the master boot record (MBR) of infected machines.
2013 South Korea Cyberattack (Operation 1Mission/DarkSeoul)
Over time, attacks from this group have grown more sophisticated; their techniques and tools have become better developed and more effective. The March 2011 attack known as "Ten Days of Rain" targeted South Korean media, financial, and critical infrastructure, and consisted of more sophisticated DDoS attacks that originated from compromised computers within South Korea. The attacks continued on March 20, 2013 with DarkSeoul, a wiper attack that targeted three South Korean broadcast companies, financial institutes, and an ISP. At the time, two other groups going by the personas "NewRomanic Cyber Army Team" and "WhoIs Team" took credit for that attack, and researchers did not yet know that the Lazarus Group was behind it. Researchers today treat the Lazarus Group as the umbrella group behind these disruptive attacks.
Late 2014: Sony breach
The Lazarus Group attacks culminated on November 24, 2014. On that day, a Reddit post appeared stating that Sony Pictures had been hacked via unknown means; the perpetrators identified themselves as the "Guardians of Peace". Large amounts of data were stolen and slowly leaked in the days following the attack. An interview with someone claiming to be part of the group stated that they had been siphoning Sony's data for over a year.
The hackers were able to access previously unreleased films, emails, and the personal information of around 4,000 employees.
Early 2016 Investigation: Operation Blockbuster
Under the name "Operation Blockbuster", a coalition of security companies, led by Novetta, was able to analyse malware samples found in different cyber-security incidents. Using that data, the team was able to analyse the methods used by the hackers. They linked the Lazarus Group to a number of attacks through a pattern of code re-usage.
2016 Bangladesh Bank cyber heist
The Bangladesh Bank cyber heist was a theft that took place in February 2016. Thirty-five fraudulent instructions were issued by the attackers via the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101 million, with US$20 million traced to Sri Lanka and US$81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$850 million, due to suspicions raised by a misspelled instruction. Cybersecurity experts claimed that the North Korea-based Lazarus Group was behind the attack.
May 2017 WannaCry ransomware attack
The WannaCry attack was a massive ransomware cyberattack that hit institutions across the globe, ranging from the NHS in Britain to Boeing and universities in China, on May 12, 2017. The attack lasted 7 hours and 19 minutes.
Europol estimates it affected nearly 200,000 computers in 150 countries, primarily affecting Russia, India, Ukraine, and Taiwan. This was one of the first large-scale attacks to travel via a cryptoworm: ransomware that spreads between computers over the network on its own, in this case by exploiting a flaw in Microsoft's SMBv1 file-sharing service on TCP port 445. Nobody needs to click a bad link to be infected; an infected host scans for other reachable machines running the vulnerable service and compromises them directly, which let the malware move freely across intranets and infect thousands of computers rapidly.
Attack
The malware exploited a vulnerability in the Windows operating system, then encrypted the computer's data and demanded a sum of Bitcoin worth roughly $300 for the key. To encourage payment, the ransom demand doubled after three days, and the ransom note warned that if it was not paid within a week the encrypted files would be deleted. The files were scrambled using Microsoft's own Windows CryptoAPI, a legitimate component of the operating system; once encryption was completed, each file name received the extension ".WNCRY", which is the root of the WannaCry name. Encryption alone would have made this ordinary ransomware; two additional NSA-derived components, ''EternalBlue'' and ''DoublePulsar'', turned it into a cryptoworm. ''EternalBlue'' is the exploit for the SMBv1 flaw: it gives the attacker code execution in the kernel of a remote, unpatched Windows machine over port 445 with no user interaction. ''DoublePulsar'' is the kernel backdoor that ''EternalBlue'' installs on the victim, through which the WannaCry payload is loaded and started. In other words, ''EternalBlue'' opened the door to the machine and ''DoublePulsar'' carried the malware in and ran it.
Marcus Hutchins brought the attack to an end when he received a copy of the malware from a friend at a security research company and discovered a ''kill switch'' hard-coded into it. Before encrypting, the malware attempted to connect to a specific, then-unregistered domain and proceeded only if that connection failed. Hutchins identified this check, then promptly registered the domain at 3:03 pm UTC; because the connection now succeeded, newly infected machines stopped encrypting and stopped propagating. This was a clue as to who created the malware: stopping a worm usually takes months of back-and-forth between the attackers and security researchers, so such an easy win was unexpected. Another unusual aspect of the attack was that files were not recoverable even after paying the ransom, and only about $160,000 was collected, leading many to believe that the attackers were not after the money.
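As an added illustration of the two behaviours described above, and not code from the page or from any of the researchers it cites, the script below runs two detections over constructed log records. The first flags the SMB fan-out of a host spreading over TCP port 445; the second flags hosts that looked up the kill-switch domain, which after sinkholing identifies machines that ran the malware but stood down. The flow and DNS records, the internal address range, the thresholds and the placeholder name KILL_SWITCH_DOMAIN are all assumptions; the page does not name the real domain.

```python
"""Added example, not code from the page: two detections for a WannaCry-style
SMB cryptoworm, run over constructed log records.

1. smb_fanout(): a single host opening TCP/445 connections to many distinct
   internal addresses inside a short window is the scanning pattern of a worm
   that spreads by exploiting SMB, not the pattern of a user opening a share.
2. kill_switch_queries(): the malware tried to reach a hard-coded domain before
   doing anything else and stood down if the connection succeeded. Once that
   domain was registered (sinkholed), any host that resolves it is a host that
   ran the malware; it was stopped, but it still needs patching and cleanup.

All records, the 10.0.0.0/8 "internal" range, the thresholds and the domain
name are assumptions made up for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder; the real domain is not named on the page
INTERNAL = ip_network("10.0.0.0/8")         # assumed corporate address range
FANOUT_THRESHOLD = 20                       # distinct TCP/445 targets that count as worm-like ...
WINDOW = timedelta(minutes=5)               # ... when reached within this sliding window

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# 10.1.1.50 sweeps 25 neighbours on 445 in under a minute; 10.1.1.60 is a
# normal user touching two file servers and one external HTTPS site.
CONN_LOG = [(f"2017-05-12T07:44:{i:02d}", "10.1.1.50", f"10.1.1.{i}", 445)
            for i in range(1, 26)]
CONN_LOG += [
    ("2017-05-12T07:44:10", "10.1.1.60", "10.1.1.2", 445),
    ("2017-05-12T07:45:10", "10.1.1.60", "10.1.1.3", 445),
    ("2017-05-12T07:46:10", "10.1.1.60", "93.184.216.34", 443),
]

# Constructed DNS query records: (timestamp, client_ip, query_name).
DNS_LOG = [
    ("2017-05-12T07:43:58", "10.1.1.50", KILL_SWITCH_DOMAIN),
    ("2017-05-12T07:50:02", "10.1.1.60", "updates.example"),
    ("2017-05-12T08:01:30", "10.1.1.71", KILL_SWITCH_DOMAIN + "."),
]


def smb_fanout(conn_log, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: max_distinct_targets} for every source that reached at
    least `threshold` distinct internal hosts on TCP/445 within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in conn_log:
        if port == 445 and ip_address(dst) in INTERNAL:
            by_src[src].append((datetime.fromisoformat(ts), dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations from this event to the end of the window.
            targets = {dst for t, dst in events[i:] if t - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[src] = best
    return hits


def kill_switch_queries(dns_log, domain=KILL_SWITCH_DOMAIN):
    """Return the sorted list of clients that looked up the kill-switch domain.
    Trailing dots and case are normalised because resolvers log both forms."""
    wanted = domain.lower().rstrip(".")
    return sorted({src for _, src, qname in dns_log
                   if qname.lower().rstrip(".") == wanted})


if __name__ == "__main__":
    for src, n in smb_fanout(CONN_LOG).items():
        print(f"worm-like SMB fan-out: {src} reached {n} internal hosts on 445")
    for src in kill_switch_queries(DNS_LOG):
        print(f"kill-switch lookup from {src}: host ran the malware, isolate and patch")
```

The fan-out rule is deliberately indifferent to whether the SMB connections succeeded: a worm probing a mostly patched subnet still produces the burst of attempts, and that burst is what an analyst wants paged on. The kill-switch rule is the cheaper signal after sinkholing, since a single DNS lookup is enough to put a host on the reimage list.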
The easy kill switch and lack of revenue led many to believe that the attack was state-sponsored: the motive was not financial gain but disruption. After the attack, security experts traced the ''EternalBlue'' exploit and the ''DoublePulsar'' backdoor back to the United States NSA, where they had been developed as cyberweapons. The tools were then stolen and leaked by a hacking group calling itself the Shadow Brokers, which has been suspected of Russian backing; the group first tried to auction them off and, after that failed, simply released them for free.
The NSA had disclosed the vulnerability to Microsoft, which issued a patch (security bulletin MS17-010) on March 14, 2017, roughly two months before the attack. It was not enough: a large share of vulnerable computers had not installed the update by May 12, and Windows versions that were already out of support, such as Windows XP, received a patch only after the outbreak began. That unpatched population explains the astonishing effectiveness of the attack.
Aftermath
The US Department of Justice and British authorities later attributed the WannaCry attack to the North Korean hacking group, the Lazarus Group.
2017 cryptocurrency attacks
In 2018, Recorded Future issued a report linking the Lazarus Group to attacks on cryptocurrency (Bitcoin and Monero) users, mostly in South Korea.
These attacks were reported to be technically similar to previous attacks using the WannaCry ransomware and the attacks on Sony Pictures.
One of the tactics used by Lazarus hackers was to exploit vulnerabilities in Hancom's Hangul word processor (HWP), a word processing program widely used in South Korea.
Another tactic was to use spear-phishing lures containing malware, which were sent to South Korean students and users of cryptocurrency exchanges such as Coinlink. If the user opened the malware, it stole email addresses and passwords.
Coinlink denied that their site or their users' emails and passwords had been hacked.
The report concluded that “This late-2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft...”
The report also said that North Korea was using these cryptocurrency attacks to avoid international financial sanctions. North Korean hackers stole US$7 million from Bithumb, a South Korean exchange, in February 2017. Youbit, another South Korean Bitcoin exchange company, filed for bankruptcy in December 2017 after 17% of its assets were stolen by cyberattacks following an earlier attack in April 2017. Lazarus and North Korean hackers were blamed for the attacks.
Nicehash, a cryptocurrency cloud mining marketplace, lost over 4,500 Bitcoin in December 2017. An update about the investigations claimed that the attack is linked to Lazarus Group.
September 2019 attacks
In mid-September 2019, the United States issued a public alert about a new version of malware dubbed ''ELECTRICFISH'', a tool that tunnels traffic between two IP addresses so that the operators can move data past network defences.
Since the beginning of 2019, North Korean agents have attempted five major cyber-thefts world-wide, including a successful $49 million theft from an institution in Kuwait.
Late 2020 pharmaceutical company attacks
Due to the ongoing COVID-19 pandemic, pharmaceutical companies became major targets for the Lazarus Group. Using spear-phishing techniques, Lazarus Group members posed as health officials and contacted pharmaceutical company employees with malicious links. It is thought that multiple major pharma organizations were targeted, but the only one that has been confirmed was the British-Swedish company AstraZeneca. According to a report by Reuters, a wide range of employees were targeted, including many involved in COVID-19 vaccine research. It is unknown what the Lazarus Group's goal was in these attacks, but the likely possibilities include:
* Stealing sensitive information to be sold for profit.
* Extortion schemes.
* Giving foreign regimes access to proprietary COVID-19 research.
AstraZeneca has not commented on the incident and experts do not believe any sensitive data has been compromised as of yet.
March 2022 online game Axie Infinity attack
The FBI said "Through our investigations we were able to confirm Lazarus Group and APT38, cyber actors associated with North Korea, are responsible for the theft".
U.S. Sanctions
On 14 April 2022, the US Treasury's OFAC placed Lazarus on the SDN List under North Korea Sanctions Regulations section 510.214.
Education
North Korean hackers are sent vocationally to Shenyang, China, for special training. They are trained to deploy malware of all types onto computers, computer networks, and servers. Education domestically includes the Kim Chaek University of Technology, Kim Il-sung University and Moranbong University, which picks the brightest students from across the country and puts them through six years of special education.
Units
Lazarus is believed to have two units.
BlueNorOff
BlueNorOff (also known as APT38, Stardust Chollima, BeagleBoyz and NICKEL GLADSTONE) is a financially motivated group that is responsible for illegal transfers of money by forging payment orders on the SWIFT interbank messaging network. BlueNorOff is also called APT38 (by Mandiant) and Stardust Chollima (by CrowdStrike).
According to a 2020 report by the U.S. Army, Bluenoroff has about 1,700 members carrying out financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities and systems for financial gain for the regime or to take control of the system.
They target financial institutions and cryptocurrency exchanges, including over 16 organizations in at least 13 countries between 2014 and 2021, among them Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. The revenue is believed to go towards the development of missile and nuclear technology.
BlueNorOff's most infamous attack was the 2016 Bangladesh Bank robbery, in which they tried to use the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. After several of the transactions went through (US$20 million traced to Sri Lanka and US$81 million to the Philippines), the Federal Reserve Bank of New York blocked the remaining transactions due to suspicions raised by a misspelling.
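The Bangladesh Bank heist described here and in the 2016 section above was stopped only because a misspelled instruction caught a reviewer's eye. The screening pass below is an added example, not code from the page, from SWIFT or from any bank: it applies that kind of check mechanically to a batch of outgoing payment instructions before release, holding beneficiary names that are a near-miss of an approved name, beneficiaries not on the approved list at all, single amounts over a limit, and batches whose total exceeds a daily limit. The instruction records, the approved-beneficiary list, the limits and the misspelling "Foundaton" are all constructed for the example.

```python
"""Added example, not code from the page, SWIFT or any bank: pre-release
screening of a batch of outgoing payment instructions, in the spirit of the
misspelling that stopped most of the 2016 Bangladesh Bank transfers.

Checks, each a rule a reviewer would otherwise apply by hand:
  * beneficiary name is a near-miss of an approved name (edit distance <= 2,
    the shape of a typo in a forged instruction);
  * beneficiary is not on the approved list at all;
  * a single instruction exceeds the per-instruction limit;
  * the batch as a whole exceeds the daily release limit.

Records, approved list and limits are constructed for this example.
"""

APPROVED_BENEFICIARIES = {"GLOBAL RELIEF FOUNDATION", "ACME TEXTILES LTD"}
PER_INSTRUCTION_LIMIT = 25_000_000   # assumed, in the batch currency
BATCH_LIMIT = 100_000_000            # assumed daily release limit
NEAR_MISS_DISTANCE = 2               # edits that still count as "almost an approved name"

# Constructed batch: one clean transfer, one forged name with a typo, one
# beneficiary nobody has approved.
INSTRUCTIONS = [
    {"ref": "TX001", "amount": 20_000_000, "beneficiary": "Acme Textiles Ltd"},
    {"ref": "TX002", "amount": 30_000_000, "beneficiary": "Global Relief Foundaton"},
    {"ref": "TX003", "amount": 40_000_000, "beneficiary": "Sunrise Casino Holdings"},
]


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def normalise(name):
    """Case- and whitespace-insensitive form used for comparison."""
    return " ".join(name.upper().split())


def screen_instruction(instr, approved=APPROVED_BENEFICIARIES,
                       per_limit=PER_INSTRUCTION_LIMIT):
    """Return the list of reasons to hold one instruction (empty = release)."""
    flags = []
    name = normalise(instr["beneficiary"])
    if name not in approved:
        near = sorted(k for k in approved
                      if levenshtein(name, k) <= NEAR_MISS_DISTANCE)
        if near:
            flags.append(f"beneficiary '{instr['beneficiary']}' is a near-miss of approved '{near[0]}'")
        else:
            flags.append("beneficiary not on the approved list")
    if instr["amount"] > per_limit:
        flags.append(f"amount {instr['amount']:,} exceeds per-instruction limit {per_limit:,}")
    return flags


def screen_batch(instructions, approved=APPROVED_BENEFICIARIES,
                 per_limit=PER_INSTRUCTION_LIMIT, batch_limit=BATCH_LIMIT):
    """Return {ref: [reasons]} for the whole batch. A batch over the daily
    limit holds every instruction in it, not just the one that tipped it,
    because a forged batch is typically many mid-sized transfers."""
    report = {i["ref"]: screen_instruction(i, approved, per_limit) for i in instructions}
    total = sum(i["amount"] for i in instructions)
    if total > batch_limit:
        for flags in report.values():
            flags.append(f"batch total {total:,} exceeds daily limit {batch_limit:,}")
    return report


def held(report):
    """References that must be held for manual review."""
    return sorted(ref for ref, flags in report.items() if flags)


if __name__ == "__main__":
    for ref, flags in screen_batch(INSTRUCTIONS).items():
        status = "HOLD" if flags else "RELEASE"
        print(f"{ref}: {status}" + "".join(f"\n    - {f}" for f in flags))
```

The near-miss rule is the interesting one: an exact allow-list alone would have passed a forged name as merely "new", whereas a name one edit away from an approved beneficiary is far more likely to be a forgery than a new counterparty, and deserves a human look before anything leaves the account.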
Malware associated with BlueNorOff includes: DarkComet, Mimikatz, Net, NESTEGG, MACKTRUCK, WANNACRY, WHITEOUT, QUICKCAFE, RAWHIDE, SMOOTHRIDE, TightVNC, SORRYBRUTE, KEYLIME, SNAPSHOT, MAPMAKER, net.exe, sysmon, BOOTWRECK, CLEANTOAD, CLOSESHAVE, DYEPACK, Hermes, TwoPence, ELECTRICFISH, PowerRatankba and PowerSpritz. Several of these (Mimikatz, TightVNC, net.exe and sysmon among them) are legitimate or dual-use tools that the group abuses rather than custom malware, so their mere presence on a host is not an indicator by itself.
Tactics commonly used by BlueNorOff include: phishing, backdoors, drive-by compromise, watering hole attacks, exploitation of insecure out-of-date versions of Apache Struts 2 to execute code on a system, strategic web compromise, and accessing Linux servers.
It is reported that they sometimes work together with criminal hackers.
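The page says only that BlueNorOff exploited out-of-date Apache Struts 2 to execute code, not which flaw. The best-known class of Struts 2 remote code execution bugs is OGNL expression injection, where attacker-controlled request data such as a Content-Type header is evaluated as an expression. The detector below is an added example, not code from the page or from the Struts project: it looks for that pattern in constructed web-server records. Which Struts bug Lazarus used is not on the page, so the markers scanned for, the record format and the sample requests are assumptions.

```python
"""Added example, not code from the page or the Struts project: spot OGNL
expression injection attempts against Apache Struts 2 in web-server records.

Assumption: the class of flaw being hunted is OGNL injection, where request
data (URI, Content-Type or Content-Disposition headers) reaches the OGNL
evaluator. Injection payloads carry expression syntax such as "%{" and "${"
and references to the OGNL context ("#context", "#_memberAccess"). The record
format and the requests are constructed for this example.
"""
from urllib.parse import unquote

# Markers that have no business in a benign header or URI. Compared in lower
# case after URL-decoding so that "%25%7B" (encoded "%{") is caught too.
OGNL_MARKERS = ("%{", "${", "#_memberaccess", "#context", "@ognl.ognlcontext@")

# Request fields that Struts 2 has historically fed to OGNL.
SCANNED_FIELDS = ("uri", "content_type", "content_disposition")

# Constructed records; the last two imitate the shape of injection attempts
# without being working payloads.
REQUESTS = [
    {"src": "198.51.100.7", "uri": "/app/upload.action",
     "content_type": "multipart/form-data; boundary=----x1"},
    {"src": "198.51.100.9", "uri": "/app/list.action?page=2",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "203.0.113.5", "uri": "/app/upload.action",
     "content_type": "%{(#demo='multipart/form-data').(#context['x']=1)}"},
    {"src": "203.0.113.6", "uri": "/app/list.action?id=%25%7B%23_memberAccess%7D",
     "content_type": "text/plain"},
]


def ognl_indicators(text):
    """Return the OGNL markers present in `text` after URL-decoding.
    Decoding is applied twice to strip one layer of double-encoding."""
    decoded = unquote(unquote(text)).lower()
    return [m for m in OGNL_MARKERS if m in decoded]


def scan(records, fields=SCANNED_FIELDS):
    """Return one alert tuple (src, field, markers) per suspicious field."""
    alerts = []
    for rec in records:
        for field in fields:
            hits = ognl_indicators(rec.get(field, ""))
            if hits:
                alerts.append((rec["src"], field, hits))
    return alerts


if __name__ == "__main__":
    for src, field, hits in scan(REQUESTS):
        print(f"{src}: OGNL markers {hits} in {field}")
```

Detection of the attempt is the cheap half; the fix the passage points at is keeping Struts 2 itself current, since the expression evaluator runs with the application's privileges and a successful injection is full code execution on the server.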
AndAriel
AndAriel (also spelled Andariel, and also known as Silent Chollima, Dark Seoul, Rifle, and Wassonite) is characterized by its targeting of South Korea. AndAriel's alternative name, Silent Chollima, reflects the stealthy nature of the subgroup. Any organization in South Korea is a potential target of AndAriel; targets include government, defense, and any economic symbol.
According to a 2020 report by the U.S. Army, Andariel has about 1,600 members whose mission is reconnaissance, assessment of network vulnerabilities, and mapping the enemy network for potential attack.
In addition to South Korea, they also target other governments, infrastructure, and businesses. Attack vectors include: ActiveX, vulnerabilities in South Korean software, watering hole attacks, spear phishing (macro), IT management products (antivirus, PMS), and supply chain (installers and updaters). Malware used includes: Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.
Indictments
In February 2021, the US Department of Justice indicted three members of the Reconnaissance General Bureau, a North Korean military intelligence agency, for having participated in several Lazarus hacking campaigns: Park Jin Hyok, Jon Chang Hyok and Kim Il. Park Jin Hyok had already been indicted earlier, in September 2018. The individuals are not in U.S. custody. A Canadian and two Chinese individuals have also been charged with having acted as money mules and money launderers for the Lazarus group.
Coverage
The group was the subject of a BBC World Service podcast, ''The Lazarus Heist'', broadcast in 2021. A second season was announced for mid-2022.
See also
* North Korea–United States relations
* Ricochet Chollima
* Kimsuky
* Park Jin Hyok
* Bureau 121
External links
* Indictment of Park Jin Hyok, September 2018
* Indictment of Park Jin Hyok, Jon Chang Hyok and Kim Il, January 2020
* ''The Lazarus Heist'', 10-part podcast from BBC World Service