I was reading about the Lazarus Group last week because two new alarms were received from the Ariolo SIEM: The Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties alarm and the Lazarus targeting banks in Russia alarm. However, I wanted to read more and more about the Lazarus Group to know the attacks they are responsible for. I’m going to write about the mainly cyberattacks which have been attributed to them over the last decade.
One of the first cyberattack attributed to Lazarus Group is the Operation Troy in 2009. There were actually three waves of attacks on July against US and South Korean websites. The hackers utilized the Mydoom and Dozer malware to launch a DDoS attack against government websites. The attacks continued, later on, against South Korea. The Operation DarkSeoul in 2013 targeted three South Korean broadcast companies, financial institutes, and an ISP. These attacks damaged 32.000 computers and servers by malicious code.
|Operation Troy and Dark Seoul|
I think one of the most known attack is the Sony breach in 2014. They took more than 100 terabytes of data from Sony such as personal information of employees and their families, e-mails, information about executive salaries, copies of unreleased Sony films and other information. The attackers used a SMB worm tool as well as listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool. Little by little, they had been siphoning Sony’s data for over months or years.
If you want to know more about the Lazarus Group is highly recommended to read the Operation Blockbuster. This is a research led by Novetta in 2016 where they have analised malware samples found in different cyber-security incidents. They were able to link the Lazarus Group to a number of attacks through a pattern of code re-usage. For instance, they found six user-agents reused over and over that included the same misspelling of “Mozillar”.
Another really known attack is the WannaCry attack which was released in 2017. Initially, this attack was attributed to China, Hong Kong, Taiwan or Singapore, finally, this attack was attributed to the Lazarus Group from North Korea. The WannaCry attack used an exploit of Windows SMB protocol and a backdoor tool. The exploit, named EternalBlue, was used to spread out laterally to random computers and the backdoor, named DoublePulsar, was used to grant cybercriminals a high level of control over the computer system. Tihs ransomware malware demanded a payment of around US$300 in bitcoin within three days, or US$600 within seven days.
|Information about the file encryption|
To sum up, the Lazarus Group is a really dangerous cybercrime group who has attacked many companies over the last decade. Lately, the target is the banking sector, where they get money. For instance, Lazarus Group has stolen $49 million from an institution in Kuwait last year and United Nations investigators estimate they have already stolen $2 billion.
Thanks my friends!! Did you know this hacking group?