Uncovering the Lazarus Group: North Korea’s hacker group’s shocking robberies and cyber conspiracies

Foresight News
As the instigator of the largest robbery in the history of Web3, this notorious hacker team has left a heavy mark in the history of encryption and even the entire financial market.

Original source: Wikipedia

Original translation: Yobo, Foresight News

The following content is translated from the Wikipedia entry Lazarus Group:

The Lazarus Group (also known as Guardians of Peace or Whois Team) is a hacker group of an unknown number of individuals that is believed to be controlled by the North Korean government. Although little is known about the group, researchers have attributed many cyberattacks to it since 2010.

Originally a criminal group, it has been designated an advanced persistent threat (APT) because of its intended purpose, the threats it poses, and the wide range of methods it uses. Cybersecurity agencies have given it names such as “Hidden Cobra” (the name the U.S. Department of Homeland Security uses for malicious cyber activity by the North Korean government) and “ZINC” or “Diamond Sleet” (Microsoft’s names). According to Kim Kuk-song, a North Korean defector, the unit is known inside North Korea as the “414 Liaison Office”.

The Lazarus Group has strong links to North Korea. The U.S. Department of Justice claims the group is part of the North Korean government’s strategy to “undermine global cybersecurity ... and generate illicit revenue in violation of sanctions”. North Korea gains a great deal from cyber operations: it needs only a very small team to pose an asymmetric threat worldwide, and against South Korea in particular.

Development History

The group’s earliest known attack was Operation Troy (2009 to 2012), a cyberespionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. It launched further attacks in 2011 and 2013. It may also have been responsible for a 2007 attack on South Korea, although this is uncertain. A notable attack took place in 2014 against Sony Pictures; it used considerably more advanced techniques and showed that the group’s capabilities had grown over time.

In 2015, the Lazarus Group reportedly stole $12 million from Banco del Austro in Ecuador and $1 million from Vietnam’s Tien Phong Bank. It has also targeted banks in Poland and Mexico. A 2016 heist in which $81 million was stolen was also attributed to the group. In 2017, the group reportedly stole $60 million from Far Eastern International Bank in Taiwan, although the actual amount taken is unclear and most of the funds were recovered.

It is not clear who is really behind the group, but media reports indicate close ties to North Korea. In 2017, Kaspersky Lab reported that the Lazarus Group as a whole focuses on espionage and infiltration, while a sub-group, which Kaspersky calls Bluenoroff, specializes in financial attacks. Kaspersky analyzed multiple attacks around the world and found that Bluenoroff had a direct IP connection to North Korea.

However, Kaspersky also acknowledged that the code reuse could be a false flag intended to mislead investigators and shift the blame onto North Korea; after all, the global WannaCry worm itself copied techniques from the U.S. National Security Agency (NSA). That ransomware used the NSA’s EternalBlue exploit, which the hacker group Shadow Brokers had published in April 2017. In 2017, Symantec reported that the WannaCry attack was most likely the work of the Lazarus Group.

2009 Operation Troy

The first major hacking incident attributed to the Lazarus Group took place on July 4, 2009, marking the beginning of Operation Troy. The attack used the MyDoom and Dozer malware to launch a large-scale but unsophisticated DDoS attack against websites in the United States and South Korea. The wave targeted about 36 websites and wrote the text “Memory of Independence Day” into the master boot record (MBR) of infected machines.

2013 South Korean Cyberattacks (Operation 1Mission / DarkSeoul)

Over time, the group’s attacks became more sophisticated, and its techniques and tools more effective. The March 2011 “Ten Days of Rain” attack, which targeted South Korean media, financial and critical infrastructure, used more advanced DDoS attacks launched from compromised computers inside South Korea. On March 20, 2013, “DarkSeoul” was launched, a data-wiping attack against three broadcasters, several financial institutions and an Internet service provider in South Korea. At the time, two other groups calling themselves “NewRomanic Cyber Army Team” and “WhoIs Team” claimed responsibility, and researchers did not yet know that the Lazarus Group was behind it. Today, researchers consider the Lazarus Group the lead actor in these destructive attacks.

Late 2014: Sony Pictures hacked

On November 24, 2014, the Lazarus Group’s attacks reached a climax. That day, a post appeared on Reddit stating that Sony Pictures had been hacked by unknown means; the attackers called themselves “Guardians of Peace”. A large amount of data was stolen and leaked gradually over the following days. A person claiming to be a member of the group said in an interview that they had been siphoning Sony’s data for more than a year.

The hackers were able to access unreleased films, some movie scripts, future film plans, company executive salary information, emails, and personal information of about 4,000 employees.

Early 2016 Investigation: Operation Blockbuster

Under the code name Operation Blockbuster, a coalition of security companies led by Novetta analyzed malware samples recovered from different incidents. From this data the team reconstructed the attackers’ modus operandi and linked the Lazarus Group to multiple attacks through code-reuse patterns. For example, the samples shared a little-known encryption routine, the Caracachs cipher.

A bank cyber theft case in 2016

A bank heist occurred in February 2016. The attackers sent 35 fraudulent payment instructions over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, attempting to transfer nearly $1 billion out of a central bank’s account at the Federal Reserve Bank of New York. Five of the 35 instructions went through, moving $101 million: $20 million to Sri Lanka and $81 million to the Philippines. A spelling error in one instruction raised suspicion at the Federal Reserve Bank of New York, which blocked the remaining 30 transactions worth about $850 million. Cybersecurity experts concluded that North Korea’s Lazarus Group was behind the attack.

May 2017 “WannaCry” ransomware attack

WannaCry was a massive ransomware attack that, on May 12, 2017, hit organizations around the world, from the UK’s National Health Service (NHS) to Boeing and several universities in China. The attack ran for 7 hours and 19 minutes before it was halted. Europol estimated that it affected nearly 200,000 computers in 150 countries, with Russia, India, Ukraine and Taiwan among the worst-hit regions. It was one of the first large-scale cryptoworm attacks. A cryptoworm is malware that spreads from computer to computer over the network with no user action: in WannaCry’s case it propagated over the Windows SMB service on TCP port 445, so nobody had to click a malicious link. Once a single machine inside a network was infected, the worm could reach every other device with an exposed, unpatched SMB service, wired or wireless, and this is how it infected thousands of computers inside organizations within hours.

How it attacks: the malware exploits a vulnerability in Windows’ SMBv1 implementation (patched by Microsoft as MS17-010), then encrypts the computer’s files and demands about $300 in Bitcoin for a decryption key. To pressure victims, the ransom doubles after three days, and the ransom note threatens to delete the encrypted files if no payment is made within a week. The encryption itself uses the standard Windows CryptoAPI rather than custom cryptography; each encrypted file is renamed with the extension .WNCRY, which is where the name WannaCry comes from. Encryption is only the payload. What makes WannaCry a worm are two leaked NSA tools: EternalBlue, the SMBv1 exploit that lets the malware compromise other machines over the network automatically, and DoublePulsar, a kernel-mode backdoor that EternalBlue installs and that then loads and runs the WannaCry payload on the victim. Loosely put, EternalBlue delivers the malicious link to your computer, and DoublePulsar clicks it for you.
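The paragraph above describes why an SMB worm spreads so fast once it is inside a network: every infected host scans for port 445 and every reachable, unpatched host becomes a new scanner. The following is an added illustration, not code from the original article or from any WannaCry analysis. It models that propagation as a breadth-first search over a small constructed inventory (hypothetical host names, segments and patch states) and shows how segmentation of TCP/445 and deployment of MS17-010 change the number of machines one infection can reach.

```python
from collections import deque

# Constructed inventory for illustration (hypothetical hosts, not real ones):
# host -> (network segment, SMBv1 enabled, MS17-010 patch applied)
HOSTS = {
    "ws-01":   ("office",  True,  False),
    "ws-02":   ("office",  True,  False),
    "ws-03":   ("office",  True,  True),    # patched
    "print-1": ("office",  True,  False),   # embedded SMB server that never gets patched
    "srv-01":  ("servers", True,  False),
    "srv-02":  ("servers", False, True),    # SMBv1 disabled and patched
    "scada-1": ("ot",      True,  False),
}

# Constructed segmentation policies: (src_segment, dst_segment) pairs where
# TCP/445 is allowed. Traffic inside a single segment is always allowed.
FLAT_NETWORK = {("office", "servers"), ("servers", "office"),
                ("office", "ot"), ("servers", "ot")}
SEGMENTED = {("office", "servers")}   # 445 only from office to servers; nothing into OT


def is_vulnerable(host, hosts):
    """EternalBlue only works if SMBv1 is enabled and MS17-010 is missing."""
    _, smbv1, patched = hosts[host]
    return smbv1 and not patched


def can_reach_445(src, dst, hosts, allow):
    """Can src open TCP/445 to dst under the given segmentation policy?"""
    src_seg, dst_seg = hosts[src][0], hosts[dst][0]
    return src_seg == dst_seg or (src_seg, dst_seg) in allow


def worm_reach(patient_zero, hosts=HOSTS, allow=FLAT_NETWORK):
    """Breadth-first model of a cryptoworm: each infected host scans for 445 and
    infects every vulnerable host it can reach, which then scans in turn.
    Returns the final set of infected hosts, patient zero included."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst in infected:
                continue
            if can_reach_445(src, dst, hosts, allow) and is_vulnerable(dst, hosts):
                infected.add(dst)
                queue.append(dst)
    return infected


def blast_radius(patient_zero, hosts=HOSTS, allow=FLAT_NETWORK):
    """Number of additional hosts compromised beyond patient zero."""
    return len(worm_reach(patient_zero, hosts, allow)) - 1


def apply_ms17_010(hosts):
    """The same inventory with the patch applied everywhere."""
    return {h: (seg, smbv1, True) for h, (seg, smbv1, _) in hosts.items()}


if __name__ == "__main__":
    print("flat network:     ", sorted(worm_reach("ws-01", allow=FLAT_NETWORK)))
    print("segmented network:", sorted(worm_reach("ws-01", allow=SEGMENTED)))
    print("patched everywhere:", blast_radius("ws-01", apply_ms17_010(HOSTS)))
```

In the constructed data a single infected workstation reaches the OT segment on the flat network but not on the segmented one, and reaches nothing at all once MS17-010 is applied; the un-patchable embedded device only stops mattering when 445 is blocked around it, which is the practical argument for combining patching with segmentation rather than relying on either alone.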

After obtaining a sample of the malware from a friend at a security research firm, security researcher Marcus Hutchins discovered a hard-coded “kill switch” that stopped the attack. Before doing anything else, the malware tried to connect to a specific, unregistered domain name; if the connection succeeded it exited, and it only went on to spread and encrypt if the domain could not be reached. Having spotted the check, Hutchins registered the domain at 15:03 UTC, after which every freshly infected machine found the domain reachable and shut itself down, and new infections stopped almost immediately (machines that had already encrypted were not helped). One caveat for defenders: because the check was a direct HTTP request that ignored proxy settings, hosts that could only reach the Internet through a proxy still detonated, and blocking the domain at a firewall would have had the same effect. The episode is worth pondering and also offers clues about the authors. Usually hackers and security experts trade blows for months before malware is stopped, and such an easy victory was unexpected. Another unusual aspect was that files were not recovered after the ransom was paid: the attackers collected only about $160,000, which led many to believe that money was not the point.
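The kill switch described above cuts both ways for a defender: it stops the worm only when the domain is reachable, and every lookup of that domain is itself evidence that the dropper ran. The following is an added example, not code from the original article or from the WannaCry analysis it summarizes. It models the dropper’s decision (including the proxy caveat) and then runs a simple detection over constructed DNS resolver log lines in a BIND-style query-log format; the log lines and client addresses are made up, while the domain name is the one publicly reported as registered by Hutchins (later variants used different domains).

```python
import re
from collections import defaultdict

# The unregistered domain the first WannaCry dropper probed, as reported publicly
# after it was registered on 12 May 2017. Later variants used different names.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def dropper_decision(dns_resolves: bool, direct_http_succeeds: bool) -> str:
    """Model of the dropper's first action.

    The sample issued a plain HTTP GET to the kill-switch domain with no proxy
    configuration. Only a successful GET makes it exit; any failure (NXDOMAIN,
    a firewall block, or a network where HTTP must go through a proxy) makes it
    install the worm and the encryptor.
    """
    if dns_resolves and direct_http_succeeds:
        return "exit"
    return "detonate"


# Constructed DNS resolver log lines (not real traffic), BIND-style query log.
SAMPLE_DNS_LOG = """\
12-May-2017 14:51:02.113 client 10.1.4.23#51422: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.5)
12-May-2017 14:51:02.891 client 10.1.4.23#51423: query: update.microsoft.com IN A + (10.1.0.5)
12-May-2017 14:53:40.007 client 10.1.7.88#60001: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.5)
12-May-2017 15:10:11.450 client 10.1.4.23#51490: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.5)
12-May-2017 15:12:05.002 client 10.1.9.14#44010: query: www.example.com IN A + (10.1.0.5)
"""

# Timestamp, client IP and queried name from a BIND query-log line (constructed format).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN "
)


def hosts_that_ran_the_dropper(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> dict:
    """Return {client_ip: [timestamps]} for every client that looked up the kill-switch domain.

    Nothing but the dropper resolves this name, so a lookup is a high-confidence
    sign that WannaCry executed on that host, whether or not the kill switch then
    stopped it. Those hosts still need MS17-010 and a DoublePulsar check, and the
    timestamps give the window to pull from endpoint telemetry.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m and m.group("qname").rstrip(".").lower() == domain:
            hits[m.group("ip")].append(m.group("ts"))
    return dict(hits)


if __name__ == "__main__":
    for ip, times in hosts_that_ran_the_dropper(SAMPLE_DNS_LOG).items():
        print(ip, "ran the dropper at", ", ".join(times))
```

The design point is that the sinkhole and the detection depend on opposite things: the domain must stay resolvable and reachable (never blocklist it), while the lookups it attracts should be alerted on and triaged as confirmed executions rather than as harmless noise.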

The ease with which the “kill switch” was found and the meager ransom proceeds led many to believe that the attack was state-sponsored and that its motive was disruption rather than money. After the attack, security experts traced the EternalBlue exploit back to the NSA, which had developed it as a cyber weapon. The “Shadow Brokers” hacker group obtained it, first tried to auction it, failed, and finally released it for free. The NSA had warned Microsoft of the vulnerability, and Microsoft released a fix (MS17-010) on March 14, 2017, a month before the Shadow Brokers leak and nearly two months before the outbreak. That was not enough: the update was not installed automatically everywhere, unsupported systems such as Windows XP received no patch until after the outbreak, and by May 12 most vulnerable computers were still unpatched, which is why the attack did such astonishing damage.

Fallout: The U.S. Justice Department and British authorities later determined that the WannaCry attack was the work of the North Korean hacker group Lazarus Group.

Cryptocurrency attacks in 2017

In 2018, Recorded Future reported that the Lazarus Group was linked to attacks against users of the cryptocurrencies Bitcoin and Monero, primarily in South Korea. The attacks were reportedly technically similar to the earlier WannaCry ransomware attack and the attack on Sony Pictures. One method the Lazarus Group used was to exploit a vulnerability in the Korean word processor Hangul (developed by Hancom). Another was to send spear-phishing lures carrying malware to South Korean students and to users of cryptocurrency exchanges such as Coinlink.

If the user opened the malware, their email address and password were stolen. Coinlink denied that its website or its users’ email addresses and passwords had been compromised. The report concluded: “This series of attacks in late 2017 demonstrates North Korea’s continued interest in cryptocurrencies, which we now know to encompass a wide range of activities including mining, ransomware attacks, and outright theft…” The report also stated that North Korea used these cryptocurrency attacks to circumvent international financial sanctions.

In February 2017, North Korean hackers stole $7 million from the South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin exchange, Youbit, was attacked in April 2017 and had to file for bankruptcy in December of the same year after a further breach took 17% of its assets. The Lazarus Group and other North Korean hackers were accused of being behind these attacks. In December 2017, the cryptocurrency cloud-mining marketplace NiceHash lost more than 4,500 bitcoins; a later investigation update linked the attack to the Lazarus Group.

September 2019 attacks

In mid-September 2019, the United States issued a public alert about a newly discovered malware family called ElectricFish. Since the beginning of 2019, North Korean operatives had carried out five major cyber thefts around the world, including the successful theft of $49 million from an institution in Kuwait.

Pharmaceutical company attacks in late 2020

As the COVID-19 pandemic spread, pharmaceutical companies became a major target of the Lazarus Group. Using spear-phishing, Lazarus Group members posed as health officials and sent malicious links to pharmaceutical company employees. Several large pharmaceutical companies are believed to have been targeted, but only the Anglo-Swedish company AstraZeneca has been confirmed. According to Reuters, many employees were targeted, a large number of them involved in COVID-19 vaccine development. The Lazarus Group’s purpose is not clear, but possibilities include stealing sensitive information for profit, running extortion schemes, and giving foreign governments access to proprietary coronavirus research. AstraZeneca did not comment on the incident, and experts believe no sensitive data was leaked.

Attacks on Cybersecurity Researchers in January 2021

In January 2021, both Google and Microsoft publicly reported that North Korean hackers had launched a social-engineering campaign against cybersecurity researchers. Microsoft explicitly attributed the campaign to the Lazarus Group.

The hackers created multiple profiles on platforms such as Twitter, GitHub and LinkedIn, posing as legitimate vulnerability researchers, and interacted with posts from the security research community. They then contacted specific researchers directly and, under the pretext of collaborating on research, lured victims into downloading files containing malware or visiting blog posts on websites under the hackers’ control.

Some victims who visited the blog post reported that their computers were compromised despite running fully patched versions of Google Chrome, suggesting the hackers may have used a Chrome zero-day; however, Google said at the time of its report that it could not determine the exact method of compromise.

Axie Infinity attack in March 2022

In March 2022, the Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated: “Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft.”

Horizon Bridge attack in June 2022

The FBI has confirmed that the North Korean malicious cyber actor group Lazarus Group, also known as APT 38, was behind the theft of $100 million in virtual currency from Harmony’s Horizon Bridge, reported on June 24, 2022.

Other related cryptocurrency attacks in 2023

A report released by blockchain security platform Immunefi stated that Lazarus Group caused more than $300 million in losses in cryptocurrency hacking attacks in 2023, accounting for 17.6% of the total losses that year.

June 2023 Atomic Wallet attack: In June 2023, over $100 million worth of cryptocurrency was stolen from users of the Atomic Wallet service; the FBI later confirmed that the Lazarus Group was responsible.

September 2023 Stake.com hack: In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from online casino and gambling platform Stake.com, and the perpetrator was Lazarus Group.

US Sanctions

On April 14, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) added the Lazarus Group to the Specially Designated Nationals List (SDN List) pursuant to Section 510.214 of the North Korea Sanctions Regulations (31 CFR Part 510).

Cryptocurrency Attacks in 2024

In July 2024, Indian media reported that the local cryptocurrency exchange WazirX had been attacked by the group and that crypto assets worth $234.9 million were stolen.

Personnel training

Reportedly, some North Korean hackers are sent to Shenyang, China, for professional training in implanting various types of malware into computers, networks and servers. Inside North Korea, Kim Chaek University of Technology, Kim Il Sung University and Mangyongdae University handle the relevant education. These universities select the best students from across the country for a six-year special program. Beyond university, some of the best programmers...are sent to Mangyongdae University or Mirim College for further study.

Organization Branch

The Lazarus Group is believed to have two branches.

BlueNorOff

BlueNorOff (also known as APT38, Stardust Chollima, BeagleBoyz and NICKEL GLADSTONE) is a financially motivated group that forges SWIFT instructions to carry out illicit fund transfers. Mandiant calls it APT38, and CrowdStrike calls it Stardust Chollima.

According to a 2020 U.S. Army report, BlueNorOff has about 1,700 members who focus on long-term assessment and exploitation of adversary network weaknesses and systems, conduct financial cybercrime, and obtain funds or control of systems for the North Korean regime. Between 2014 and 2021 its targets included 16 institutions in at least 13 countries, among them Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey and Vietnam. The proceeds are believed to fund North Korea’s missile and nuclear programs.

BlueNorOff’s most notorious operation was the 2016 bank heist in which it attempted to transfer nearly $1 billion from a central bank’s account at the Federal Reserve Bank of New York over the SWIFT network. After some of the transfers went through ($20 million to Sri Lanka and $81 million to the Philippines), a misspelling in one instruction raised suspicion at the Federal Reserve Bank of New York, which blocked the remaining transactions.

Malware and tools associated with BlueNorOff include: DarkComet, Mimikatz, Nestegg, Macktruck, WannaCry, Whiteout, Quickcafe, Rawhide, Smoothride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, Hermes, Twopence, Electricfish, Powerratankba, Powerspritz, among others.

BlueNorOff’s common tactics include phishing, backdoors, vulnerability exploitation, watering-hole attacks, code execution on systems running outdated and insecure versions of Apache Struts 2, strategically placed compromised websites, and access to Linux servers. It has reportedly worked with criminal hackers at times.

Andariel

Andariel, also spelled Andarial, is also known as Silent Chollima, Dark Seoul, Rifle and Wassonite. As those names suggest, it primarily targets South Korea; the nickname Silent Chollima refers to the group’s secretive nature. Any South Korean institution could be an Andariel target, including government departments, defense agencies and economic entities of all kinds.

According to a 2020 U.S. Army report, Andariel has about 1,600 members whose mission is reconnaissance: assessing network vulnerabilities and mapping adversary networks for potential attacks. Besides South Korea, it has targeted governments, infrastructure and companies in other countries. Its methods include exploiting ActiveX controls and vulnerabilities in Korean software, watering-hole attacks, spear phishing (macro-based), attacks on IT management products (such as antivirus and project-management software), and supply-chain attacks through installers and updaters. Its malware includes Aryan, Gh0st RAT, Rifdoor, Phandoor and Andarat.

Prosecution of relevant persons

In February 2021, the U.S. Department of Justice indicted three members of the Reconnaissance General Bureau, North Korea’s military intelligence agency (Park Jin Hyok, Jon Chang Hyok and Kim Il), for participating in multiple Lazarus Group hacking campaigns. Park Jin Hyok had already been indicted in September 2018. None of the suspects is in U.S. custody. In addition, a Canadian and two Chinese nationals have been charged with acting as money mules and launderers for the Lazarus Group.

Original article, author: Foresight News.