APT Profile: Who is Lazarus Group?

By SOCRadar Research

Nation-state threat actors are cyber threat groups operating in states’ interests. They sabotage, engage in espionage, and steal sensitive information to supply strategic and economic information to their home countries for political or national security reasons. While financial gain is among their motivations, it is not usually at the top of the list. Lazarus group, apart from the majority of other nation-state threat actors, is an Advanced Persistent Threat (APT) actor that prioritizes financial gain as well as political objectives.

Lazarus Group 101

The Lazarus Group is known by many names, including Hidden Cobra, Zinc, APT-C-26, Guardians of Peace, Group 77, Who Is Hacking Team, Stardust Chollima, and Nickel Academy, among other titles. The Lazarus Group is attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK). In 2017, the U.S. government issued a joint technical alert (TA17-164A), based on analysis by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), that identified Hidden Cobra as a “North Korean state-sponsored malicious cyber organization.”

Lazarus group was first identified and named in the ‘Operation BlockBuster’ report (2016) published by a consortium of security firms led by Novetta to investigate the Sony Pictures Entertainment attack in 2014. During the investigation, various malware was found associated with the malware used in the Sony Pictures attack. By tracking the malware and the attackers’ modus operandi, researchers could identify the activities of the Lazarus group as far back as 2009 (possibly 2007).

Because North Korean threat actors tend to share their infrastructure, code, and resources, defining the Lazarus group’s boundaries is challenging. Uncertainties exist over the Lazarus group’s composition due to clusters like “Bluenoroff” and “Andariel,” which are classified as sub-groups, “TEMP.Hermit,” with which it shares code, and “Kimsuky,” with which its operations overlap.

Lazarus group’s activities are aligned with North Korea’s political interests. Therefore, South Korea and the U.S. are the main focus. Other countries among its targets are Afghanistan, Australia, Austria, Bangladesh, Belgium, Brazil, Brazil, Canada, China, France, Germany, Guatemala, Hong Kong, India, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Russian Federation, Saudi Arabia, Spain, Switzerland, Thailand, Türkiye and the United Kingdom.

Lazarus group has a broader range of operations than other nation-state threat actors. Its primary objectives include information theft, money extortion, espionage, sabotage, and disruption. In addition to bank robberies, cryptocurrency theft, and ransomware attacks for financial gain, it carries out attacks against precisely selected targets in areas where it can obtain strategically important intelligence, such as energy, aviation, and defense.

• Justice, Public Order, and Safety Activities
• Space Research and Technology
• National Security and International Affairs
• Finance and Insurance
• Educational Services
• Health Care and Social Assistance
• Public Administration
• Computer and Electronic Product Manufacturing
• Commodity Contracts Intermediation (CryptoCurrency & NFT Market)
• Publishing Industries (except Internet)
• Utilities
• Manufacturing

They also target journalists, human rights organizations, North Korean defectors, and any group that might criticize the DPRK.

How Does the Lazarus Group Attack

Lazarus group has evolved its strategy over time since its first attacks, which consisted of DDoS operations against various organizations in different industries. Attacks became more destructive due to an ever-evolving arsenal of malware and TTPs.

Lazarus group’s attack pattern can vary depending on the specific attacks, although they generally follow similar steps.

• Lazarus group plans sophisticated and focused attacks against potential victims. The group determines potential targets and gathers information about their infrastructure, security posture, and employees. They observe the targets’ activities and find the best attack time.
• They use various technics, including spear phishing, supply-chain attacks, waterhole attacks, and zero-day vulnerability exploitation. To access targeted networks, exfiltrate sensitive data, and maintain persistence, they also use a range of custom-built malware, such as remote access trojans (RATs), backdoors, and botnets.

To hide their tracks and prevent detection, they delete logs and data and infect the victim with malware or ransomware. Once detected, acting swiftly, they try to avoid forensic investigations by immediately repackaging malware and switching encryption keys and algorithms.

Which Tools and Vulnerabilities Does Lazarus Group Use

Over the years, the Lazarus group has carried out several activities, mostly involving disruption, sabotage, financial theft, and espionage. It has a reputation for employing aggressive strategies, such as disk-wiping malware, to damage its targets as much as possible.

Lazarus group is known for creating custom malware for operations and quickly modifying, upgrading, and developing existing malware. Lazarus Group has utilized a variety of tools in the attacks, some of which are:

• Backdoors: Appleseed, HardRain, BadCall, Hidden Cobra, Destroyer, and Duuzer
• Remote Access Trojans (RATs): Fallchill, Joanap, Brambul, and
• Ransomware: Wannacry

Lazarus group has used many zero-day vulnerabilities they purchased or discovered. They also use several known vulnerabilities in their attacks, including:

• Adobe Flash Player vulnerabilities
• Microsoft Office vulnerabilities
• Vulnerabilities in local software of South Korea (Exp. Hangul Word Processor (HWP))
• Vulnerabilities in the SWIFT (The Society for Worldwide Interbank Financial Telecommunication) software

Notable Attacks of the Lazarus Group 

In 2016, after being identified and named, the retrospective activities of the Lazarus group were tracked. Large-scale DDoS attacks against the U.S. and South Korea (2009), espionage attacks against U.S. and South Korean websites “Operation Troy” (2009-2013), “Ten Days of Rain,” which included DDoS attacks against South Korean media and financial institutions and U.S. military facilities (2011), “Operation 1Million/Dark Seoul” attack against a South Korean bank and broadcast organization (2013) were all attributed to the Lazarus group.

The “Operation Flame” (2007), which was eventually connected to the “Dark Seoul” attack (2013), can qualify as the group’s first attack.

The 2014 Sony Picture Entertainment attack and a series of SWIFT-targeted campaigns in 2015-2016 (especially the 2016 Bangladesh Bank heist) are among the significant attacks linked to the Lazarus group.

The ‘Wannacry’ ransomware attack in 2017—the biggest ransomware attack to date—affected 300,000 systems across 150 countries.

The “Operation AppleJeus” attack was discovered in 2018 but has been ongoing since at least 2017, targeting cryptocurrency users. Another financially motivated attack is the “FastCash” operation, founded in 2018 but has been ongoing since at least 2016. “FastCash” is a series of attacks targeting (Automated Teller Machines) ATMs of various banks in several countries.

Lazarus group conducted several campaigns in 2020, including attacks on pharmaceutical companies, “Operation ThreatNeddle” against the defense and security sector, “Operation In(ter)ception” against military and aerospace firms, particularly in Europe, and “Operation Dreamjob” against multiple individuals globally in the defense industry and various governmental organizations using social media.

In 2022, the Lazarus group targeted energy providers around the world. The campaign involved the exploitation of the vulnerability in VMware Horizon to gain initial access. 2022 cryptocurrency attacks also drew attention.

Recent Attacks of the Lazarus Group

As the concern of the entire world, the Covid-19 pandemic has also been on the Lazarus group’s agenda, and they targeted pharmaceutical corporations. In 2020, the group attacked pharmaceutical companies and research facilities working on Covid-19 vaccines. Lazarus group members attempted to steal crucial information about the vaccine development process by posing as medical professionals and contacting pharmaceutical business personnel with messages that contained malicious attachments.

The “Dream Job” operation from 2020 reappeared in 2022. The group specifically used social media attacks with fraudulent job offers for researchers working for chemical and information security companies.

Another recurring campaign was “Operation AppleJeus.” The U.S. government published an advisory attributing the cryptocurrency stealing campaign “AppleJeus” to the Lazarus Group (AA21-048A) in 2021. In 2022, cryptocurrency attacks continued to increase. The group targeted organizations in the finance industry with phishing emails containing malware that was used to steal cryptocurrency.

On April 12, 2022, the U.S. Treasury Department accused the Lazarus group of carrying out the “Ronin Bridge” attack, the largest cryptocurrency attack ever, and held them responsible for a $620 million Ethereum heist.

On April 18, 2022, The FBI, CISA, and the Department of the Treasury published a joint Cybersecurity Advisory highlighting the cyber threat associated with bitcoin thefts and techniques utilized by Lazarus group as a North Korean state-sponsored advanced persistent threat (AA22-108A). In addition, the FBI, in its statement on February 6, 2023, claimed the Lazarus group was responsible for “Harmony’s Horizon Bridge Currency Theft” and $100M heist.

How Can SOCRadar Help?

Lazarus group has been active for over a decade and has launched attacks in various industries. In their attacks, they have shown high proficiency and flexibility, utilizing custom-built and publicly accessible tools and exploiting various vulnerabilities to achieve their goals. Due to its capabilities and operations, the group is currently one of the most powerful North Korean threat actors.

Reviewing the cases reveals that the group typically uses phishing attacks to gain initial access. In particular, spear phishing attacks against the defense and aerospace sector and ‘dreamjob’ attacks against security researchers, which include fake job offers, make it necessary for companies in these sectors to be sensitive about the cybersecurity awareness of their employees. 

SOC Tools on SOCRadar XTI Labs provide a free analysis of suspicious emails.

Lazarus group effectively exploits some well-known system vulnerabilities in their numerous attacks. SOCRadar Extended Threat Intelligence provides an Attack Surface Management (ASM) solution for continuous discovery, inventory, classification, and prioritization with real-time monitoring to help gain comprehensive visibility into external-facing digital assets. Security teams can keep track of the vulnerabilities in the network using the SOCRadar XTI ASM solution. Understanding which vulnerabilities exist in the company can help to minimize the attack surface that nation-state threat actors may exploit.

Lazarus group frequently uses supply-chain attacks. SOCRadar XTI provides organizations 360-degree visibility across the entire digital ecosystem by including third-party/supply chain partners in their digital footprint.

Appendixes

Appendix 1.

MITRE ATT&CK Techniques

Appendix 2.

Lazarus Group crypto Ethereum address:

0x098B716B8Aaf21512996dC57EB0615e2383E2f96

0xa0e1c89Ef1a489c9C7dE96311eD5Ce5D32c20E4B

0x3Cffd56B47B7b41c56258D9C7731ABaDc360E073

0x53b6936513e738f44FB50d2b9476730C0Ab3Bfc1

Appendix 3.

IoCs of Wannacry

IP Addresses and Domains 

IPv4 197(.)231.221.211

IPv4 128(.)31.0.39

IPv4 149(.)202.160.69

IPv4 46(.)101.166.19

IPv4 91(.)121.65.179

URL hxxp://www(.)btcfrog(.)com/qr/bitcoinpng(.)php?address

URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html

URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html?retencion=081525418

URL hxxp://gx7ekbenv2riucmf(.)onion

URL hxxp://57g7spgrzlojinas(.)onion

URL hxxp://xxlvbrloxvriy2c5(.)onion

URL hxxp://76jdd2ir2embyv47(.)onion

URL hxxp://cwwnhwhlz52maqm7(.)onion

URL hxxp://197.231.221(.)211 Port:9001

URL hxxp://128.31.0(.)39 Port:9191

URL hxxp://149.202.160(.)69 Port:9001

URL hxxp://46.101.166(.)19 Port:9090

URL hxxp://91.121.65(.)179 Port:9001

Hashes

https://gist.github.com/Blevene/42bed05ecb51c1ca0edf846c0153974a

Appendix 4.

IoCs of BADCALL

Appendix 5.

IoCs of FastCash