Lazarus Hacker Group


Chapin Ratte

Aug 4, 2024, 8:09:46 PM8/4/24
to midimadi
Lazarus Group (also known as Guardians of Peace or Whois Team[1][2][3]) is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to its intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra (used by the United States Department of Homeland Security to refer to malicious cyber activity by the North Korean government in general)[4][5] and ZINC or Diamond Sleet[6] (by Microsoft).[7][8][9] According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.[10]

The Lazarus Group has strong links to North Korea.[11][12] The United States Department of Justice has claimed the group is part of the North Korean government's strategy to "undermine global cybersecurity ... and generate illicit revenue in violation of ... sanctions".[13] North Korea benefits from conducting cyber operations because it can present an asymmetric threat with a small group of operators, especially to South Korea.[14]


The earliest known attack that the group is responsible for is known as "Operation Troy", which took place from 2009 to 2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service attack (DDoS) techniques to target the South Korean government in Seoul. They were also responsible for attacks in 2011 and 2013. It is possible that they were also behind a 2007 attack targeting South Korea, but that is still uncertain.[15] A notable attack that the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time.


The Lazarus Group were reported to have stolen US$12 million from the Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank in 2015.[16] They have also targeted banks in Poland and Mexico.[17] The 2016 bank heist[18] included an attack on the Bangladesh Bank, successfully stealing US$81 million and was attributed to the group. In 2017, the Lazarus group was reported to have stolen US$60 million from the Far Eastern International Bank of Taiwan although the actual amount stolen was unclear, and most of the funds were recovered.[17]


It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea.[19][20][17] Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on spying and infiltration cyberattacks whereas a sub-group within their organisation, which Kaspersky called Bluenoroff, specialised in financial cyberattacks. Kaspersky found multiple attacks worldwide and a direct link (IP address) between Bluenoroff and North Korea.[21]


The Lazarus Group's first major hacking incident took place on July 4, 2009, and sparked the beginning of "Operation Troy". This attack utilized the Mydoom and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and placed the text "Memory of Independence Day" in the master boot record (MBR).


The Lazarus Group attacks culminated on November 24, 2014. On that day, a Reddit post appeared stating that Sony Pictures had been hacked via unknown means; the perpetrators identified themselves as the "Guardians of Peace". Large amounts of data were stolen and slowly leaked in the days following the attack. An interview with someone claiming to be part of the group stated that they had been siphoning Sony's data for over a year.[25]


The hackers were able to access previously unreleased films, scripts for certain films, plans for future films, information about executive salaries at the company, emails, and the personal information of around 4,000 employees.[26]


The Bangladesh Bank cyber heist was a theft that took place in February 2016. Thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101 million, with US$20 million traced to Sri Lanka and US$81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$850 million, due to suspicions raised by a misspelled instruction.[30][31] Cybersecurity experts claimed that the North Korea-based Lazarus Group was behind the attack.[32][33]


The virus exploited a vulnerability in the Windows operating system, then encrypted the computer's data in return for a sum of Bitcoin worth roughly $300 to get the key. In order to encourage payment, the ransom demand doubled after three days, and if not paid in a week, the malware deletes the encrypted data files. The malware used a legitimate piece of software called Windows Crypto, made by Microsoft to scramble the files. Once the encryption is completed, the filename has "Wincry" appended, which is the root of the Wannacry name. Wincry was the base of the encryption, but two additional exploits, EternalBlue and DoublePulsar, were used by the malware to make it a cryptoworm. EternalBlue automatically spreads the virus through networks, while DoublePulsar triggered it to activate on a victim's computer. In other words, EternalBlue got the infected link to your computer, and DoublePulsar clicked it for you.[36]


Security researcher Marcus Hutchins brought the attack to an end when he received a copy of the virus from a friend at a security research company and discovered a kill switch hardcoded into the virus. The malware included a periodic check to see if a specific domain name was registered, and would only proceed with encryption if that domain name did not exist. Hutchins identified this check, then promptly registered the relevant domain at 3:03 pm UTC. The malware immediately stopped propagating itself and infecting new machines. This was very interesting, and is a clue as to who created the virus. Usually stopping malware takes months of back and forth fighting between the hackers and security experts, so this easy win was unexpected. Another very interesting and unusual aspect of the attack was that the files were not recoverable after paying the ransom: only $160,000 was collected, leading many to believe that the hackers weren't after the money.[36]


The easy kill switch and lack of revenue led many to believe that the attack was state-sponsored; the motive was not financial compensation, but just to cause chaos. After the attack, security experts traced the DoublePulsar exploit back to the United States NSA, where the exploit had been developed as a cyberweapon. The exploit was then stolen by the Shadow Brokers hacker group, who first tried to auction it off, but after failing to do that simply gave it away for free.[36] The NSA subsequently revealed the vulnerability to Microsoft, who issued an update on March 14, 2017, a little under a month before the attack occurred. It wasn't enough. The update wasn't mandatory, and the majority of computers with the vulnerability had not resolved the issue by the time May 12 rolled around, leading to the astonishing effectiveness of the attack.


North Korean hackers stole US$7 million from Bithumb, a South Korean exchange, in February 2017.[41] Youbit, another South Korean Bitcoin exchange company, filed for bankruptcy in December 2017 after 17% of its assets were stolen by cyberattacks following an earlier attack in April 2017.[42] Lazarus and North Korean hackers were blamed for the attacks.[43][37] Nicehash, a cryptocurrency cloud mining marketplace, lost over 4,500 Bitcoin in December 2017. An update about the investigations claimed that the attack is linked to Lazarus Group.[44]


In mid-September 2019, the USA issued a public alert about a new version of malware dubbed ElectricFish.[45] Since the beginning of 2019, North Korean agents have attempted five major cyber-thefts worldwide, including a successful $49 million theft from an institution in Kuwait.[45]


Due to the ongoing COVID-19 pandemic, pharmaceutical companies became major targets for the Lazarus Group. Using spear-phishing techniques, Lazarus Group members posed as health officials and contacted pharmaceutical company employees with malicious links. It is thought that multiple major pharma organizations were targeted, but the only one that has been confirmed was the Anglo-Swedish-owned AstraZeneca. According to a report by Reuters,[46] a wide range of employees were targeted, including many involved in COVID-19 vaccine research. It is unknown what the Lazarus Group's goal was in these attacks, but the likely possibilities include:


In January 2021, Google and Microsoft both publicly reported on a group of North Korean hackers targeting cybersecurity researchers via a social engineering campaign, with Microsoft specifically attributing the campaign to Lazarus Group.[47][48][49]


The hackers created multiple user profiles on Twitter, GitHub, and LinkedIn posing as legitimate software vulnerability researchers, and used those profiles to interact with posts and content made by others in the security research community. The hackers would then target specific security researchers by contacting them directly with an offer to collaborate on research, with the goal of getting the victim to download a file containing malware, or to visit a blog post on a website controlled by the hackers.[49]


Some victims who visited the blog post reported that their computers were compromised despite using fully patched versions of the Google Chrome browser, suggesting that the hackers may have used a previously unknown zero-day vulnerability affecting Chrome for the attack;[47] however, Google stated that they were unable to confirm the exact method of compromise at the time of the report.[48]

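The WannaCry kill switch described in the post above (the malware looks up a domain and only proceeds if the lookup fails, so registering the domain halted it) also gives defenders a simple detection signal: any host that queried that domain was running the sample. The following script is an added example written for this thread, not code from the post or from any of the cited sources. The kill-switch domain is a placeholder, the log lines are constructed, and the "timestamp client qtype qname rcode" log format is an assumption about the resolver's logging.

```python
"""Triage hosts from resolver logs by their lookups of a kill-switch domain.

Added example (not from the original post). Assumptions:
  * KILL_SWITCH_DOMAINS holds a placeholder; substitute the real indicator.
  * Log lines are "timestamp client qtype qname rcode", one per line.
"""
import re
from collections import defaultdict

# Placeholder for the real kill-switch domain (not given in the post).
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Verdict strings used in the report.
PAYLOAD_LIKELY = "lookup failed: kill-switch check did not stop the sample"
HALTED = "lookup succeeded: sample halted, but the host is still infected"

# Constructed sample log. The first lines are before the domain was
# registered (NXDOMAIN); later lines are after it resolved (NOERROR).
SAMPLE_LOG = """\
2017-05-12T14:50:01Z 10.0.0.12 A killswitch-placeholder.example NXDOMAIN
2017-05-12T14:50:03Z 10.0.0.12 A update.example.net NOERROR
2017-05-12T14:51:20Z 10.0.0.45 A killswitch-placeholder.example NXDOMAIN
malformed line that the parser must skip
2017-05-12T15:10:44Z 10.0.0.12 A killswitch-placeholder.example NOERROR
2017-05-12T15:11:02Z 10.0.0.77 A killswitch-placeholder.example NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    # Normalise the queried name so trailing dots and case do not matter.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def classify_hosts(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to a verdict.

    A failed lookup (NXDOMAIN) means the check did not halt the sample on
    that host; a successful lookup means the sinkhole stopped it, but the
    malware is still present and the host needs cleaning either way.
    """
    counts = defaultdict(lambda: {"nxdomain": 0, "resolved": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in domains:
            continue
        key = "resolved" if rec["rcode"] == "NOERROR" else "nxdomain"
        counts[rec["client"]][key] += 1

    report = {}
    for client, c in counts.items():
        verdict = PAYLOAD_LIKELY if c["nxdomain"] else HALTED
        report[client] = {**c, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in sorted(classify_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {info['verdict']} "
              f"(nxdomain={info['nxdomain']}, resolved={info['resolved']})")
```

Run on the constructed log, the script lists three hosts: two that queried the domain before it resolved (so the kill switch did not protect them) and one that only saw it resolve. In practice the same logic runs over exported resolver or firewall DNS logs, and every flagged host goes to the isolation and re-imaging queue regardless of verdict.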