Lifting the lid on Lazarus: report measures reach of North Korean APT

News by Max Metzger

A new report from Kaspersky Lab has undressed the group purported to be responsible for the attack on Sony.

A new report sheds light on the mysterious Lazarus group. Kaspersky Lab collected the results of a forensic investigation and produced Lazarus Under The Hood, a profile of the infamous group.

The group's operations span the globe, and its footprints were in many high profile attacks, perhaps most notably in the attack on Sony in 2012. Kaspersky believes Lazarus to be very large and that it works mainly on espionage and infiltration.

In Lazarus, Kaspersky found a kind of discipline and strict organisation that it feels sets the group apart from other APTs. The group is very careful not to reuse the same tools and code, indicating a rare level of sophistication.

While its main purpose appears to be espionage, it is apparently unrivalled in exploiting financial institutions. The report notes that Lazarus' “interest in financial gain is relatively new, considering the age of the group, and it seems that they have a different set of people working on the problems of invisible money theft or the generation of illegal profit”.

The report identifies a subgroup within Lazarus, which it calls Bluenoroff, that is dedicated to theft, focusing on financial institutions in smaller, poorer countries where easier prey might reside. The subgroup's activities range from exploiting casinos and software developers for investment companies to actively spreading cryptocurrency mining malware.

The report furthers the theory that Lazarus, and by extension Bluenoroff, hails from North Korea. During Kaspersky's investigation, researchers analysed a command and control server in Europe which had connected to an IP address in North Korea. The report noted, “This is the first time we have seen a direct link between Bluenoroff and North Korea. Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank.”

The Lazarus group has made a name for itself in recent years by perpetrating a number of high profile attacks against significant targets. Aside from a steady stream of attacks against the South Korean banking system, Lazarus poked its head up in 2012. In an apparent response to a film mocking the North Korean government, a group called the Global Guardians of Peace hacked Sony Entertainment and leaked thousands of sensitive records, personal details and embarrassing emails.

A couple of years later, malware similar to that used to lay one of the most important technology and entertainment companies in the world low was found being used in one of the biggest heists ever recorded. In 2016, $81 million (£65 million) was stolen from the Bangladesh Central Bank with fraudulent money orders before being laundered out through Philippine casinos.

The robbery was quickly followed by a number of similar heists on banks in Ecuador, Vietnam and Ukraine in which the robbers made off with large amounts using the same fraudulent money orders.

It was late last month that an FBI agent working in the Philippines admitted that the group behind the heist was state-sponsored. Government officials have not yet pointed the finger in any clear direction but it is a privately held belief of many that the Lazarus group is an arm of the North Korean government.

Moreover, the theory goes, the string of robberies was an attempt to circumvent the suffocating sanctions placed on the country.

Nigel Inkster, director of future conflict at the International Institute for Strategic Studies told SC Media UK, “They are the subject of quite heavy sanctions. If anything those sanctions are set to get worse and running sophisticated ballistic missile and nuclear programmes aren't cheap.”

Those sanctions are due to get even tougher in the coming months as the US Senate is set to vote on a resolution that would return North Korea to the list of ‘state sponsors of terror’.

“It doesn't surprise me”, John Nilsson-Wright, a senior research fellow in the Asia programme at Chatham House, told SC Media UK: “It's a well known fact that embassy personnel stationed overseas are required to raise money through fair means or foul.” That could include, as it has in the past, narcotics and synthetic amphetamine smuggling, currency counterfeiting and illegal arms trafficking.

That track record, Nilsson-Wright said, would indicate that bank robbery fits into North Korea's modus operandi.

Kaspersky released a video summarising its work.
