North Korea's internet downed by suspected DDoS attacks
North Korea's internet downed by suspected DDoS attacks

Several multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that have been attributed to the North Korea- sponsored Lazarus Group have been uncovered by Proofpoint researchers.

The conclusions are similar to those of Dell's Secureworks as reported on in SC earlier this week.


Victims of interest are infected with additional malware to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing Bitcoin and other cryptocurrencies.

It was also discovered by ProofPoint in what it says it believes to be the first publicly documented instance of a nation-state targeting a point-of-sale related framework for the theft of credit card data in a related set of attacks. The financial losses due to the attacks happening around Christmas shopping season are very considerable.

The Lazarus Group has continued to be ranked as one of the most disruptive and successful nation-state sponsored groups, especially considering that it has data going back to 2009. The group mainly focusses on attacks for financial motivation and seem to be capitalising on the increasing interest and price of cryptocurrencies.

The amount of tools available to the Lazarus Group is extensive, including bringing in DDoS botnets, using wiper malware to temporarily incapacitate a company and using sophisticated malware to steal millions of pounds.

Patrick Wheeler, director of threat intelligence, Proofpoint commented: “The Lazarus Group is a sophisticated, state-sponsored APT group with a long history of successful destructive, disruptive, and costly attacks on worldwide targets. State-sponsored groups are generally focused on espionage and disruption. However, our findings on their recent activities relate to the financially motivated arm of Lazarus, the operations of which are peculiar to the North Korean group. These actions, including the targeting of cryptocurrency exchange credentials and point-of-sale infrastructure, are significant for a number of reasons:

  • This appears to be the first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain.

  • Cryptocurrencies are nothing new to threat actors, state-sponsored or otherwise. However, in this case we were able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft.

  • This group now appears to be targeting individuals rather than just organisations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetisation for a state-sponsored threat actor's toolkit. Bringing the tools and resources of a state-sponsored attack group to bear against individuals and infrastructure used by large numbers of private citizens raises the stakes considerably when assessing potential impact.

  • We were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption groups that have recently grabbed headlines, providing better insight into their operations and the worldwide threat represented by Lazarus.”