
Lazarus, Come Forth!

This week several cybersecurity portals (see thehackernews, darkreading,
news.softpedia, channelasia.tech and securelist) confirmed that North Korea
has built a campaign of cyberattacks targeting South Korea. Its goal? Spy on
high-profile government officials, financial institutions, banking
organizations, and government administrative offices of the highest level
such as the Korea Internet and Security Agency (KISA), the South Korean
Ministry of Foreign Affairs, the South Korean Embassy of Sri Lanka, the
Deputy Consul General at the Korean Consulate General in Hong Kong, and
educational centers such as Seoul National University, the country’s largest
university and one of the Top 50 universities worldwide (according to the QS
ranking). They have even targeted global organizations such as the
International Atomic Energy Agency and the Nuclear Security Officer.

The FBI has acknowledged the link that North Korean hacking groups have had
with conspiracy campaigns orchestrated by that government. In addition, the
U.S. Department of the Treasury has identified these groups as
state-sponsored. But who are these groups? Who are their victims, and why?
Are they a global threat?

Figure 1. Photo by M. Brändli on Unsplash.

Lazarus

One of the most famous North Korean criminal gangs is Lazarus. It has been
operating since at least 2009. However, the U.S. Department of the Treasury
insists it was created by the North Korean government in 2007 and is run by
the country’s security service, the Reconnaissance General Bureau (RGB). The
RGB is in charge of the country’s cyber activities and is “involved in the
trade of North Korean arms.”

It was recently confirmed that WannaCry, a malware used to extort money, was
used against Japanese multinational company Sony in an attack that cost more
than $1B in 2014. Apparently, the attack was retaliation for Sony’s film The
Interview, a comedy that ridiculed dictator Kim Jong Un. The attack
perpetrated by Lazarus, in any case, was not limited to Sony but also
targeted international banks and cryptocurrency companies.

In 2017, the same malware infected more than 300 thousand computers and
impacted at least 150 countries worldwide, including the United States,
Australia, Canada, New Zealand and the United Kingdom. The attack was
particularly striking for having reached the “hospital systems in the United
Kingdom, Russia’s interior ministry, FedEx in the U.S., Germany’s rail
network, a Spanish telecommunications operator and major companies in Asia.”
It undoubtedly drew massive media attention because of its impact and the
variety of companies and organizations affected. Yet, we had to wait two
years after the attack until the U.S. Department of the Treasury confirmed
that “Lazarus Group was involved in the destructive WannaCry 2.0 ransomware
attack” mentioned above.

Organization

In the white paper that Lexfo, a recognized French technical expertise firm
in computer security, presented on Lazarus, it was concluded that they are
not a single group. Instead, the cybercriminal gang has subdivisions in
charge of attacking from different fronts: “the Lazarus ‘core’ aiming at
disrupting activities and causing damage, Andariel, hacking for profit and
intelligence, and Bluenoroff, motivated by financial gains” (my emphasis).
Andariel has been the most prominent part of Lazarus dedicated to targeting
South Korean entities with malware attacks.

As a case study, Lazarus is quite particular because it is directly
controlled by a North Korean government entity. This is astonishing because
there are not many cases of public relationships between cybercriminal gangs
and governments. Perhaps Russian groups are the most famous cases, but we
still don’t have official communication from the Russian government that
publicly accepts they work together. In this way, Lazarus operations make it
a peculiar state-owned company, which resorts to cybercrime to commit its
misdeeds. Yet, it has little autonomy to carry out its criminal activities.
But how can we explain this unusual formation of a criminal group?

Figure 2. Taken from Lexfo’s white paper.

The North Korean case

For many years now, North Korea has been subject to several economic
sanctions. Since 2006, the United Nations has unanimously condemned the
nuclear tests being executed by the Democratic Republic of Korea. For this
reason, dozens of economic sanctions were carried out, orchestrated
primarily by the United States, as North Korea is seen as posing a threat to
U.S. national security. These economic pressures are intended to push the
Asian nation into denuclearizing. Unfortunately, denuclearization has not
been achieved, and the North Korean nuclear arsenal has been strengthened
recently.

Given this background, it is not hard to think that North Korea has
implemented methods to secure capital in ‘unorthodox’ ways. Hence, the
relationship that the RGB has with Lazarus is not strange. Therefore, North
Korea has been behind an increasingly orchestrated effort aimed at
“infiltrating computers of financial institutions” to perform cryptocurrency
heists or ransomware attacks. Specifically, with WannaCry, their goal is to
use malware to steal data and spy on competitors. In particular, Andariel
has been responsible for “attempting to steal bank card information by
hacking into ATMs to withdraw cash or sell customer information on the black
market.”

Go round in circles?

This is a vicious circle. Instead of making the Asian country less and less
threatening to the international community, what economic blockades do is
push the government to finance itself in illegal ways that risk the
finances, cybersecurity and privacy of other nations. That, in turn, leads
to increasingly strong sanctions on the part of the international community.
One of the high points of Lazarus’ criminal operations was the ambitious
Bangladesh Central Bank attack in 2016. The Korean gang attempted to steal
more than $850M. The action was almost entirely thwarted but cost the
Bangladeshi institution $81M, a figure reduced to $63M after $18M were
recovered.

That same year the administration of then-President Barack Obama announced
its Executive Order 13722 of March 15, 2016. President Obama established
that, due to North Korea’s persistence in developing its nuclear and missile
programs, the U.S. government recognizes the Asian country as a national
priority. That decision was supported considering the rise of North Korean
cybercriminal activities that targeted European, American, and Asian
countries. As a result, it prohibited any direct or indirect commercial
exchange with every type of North Korean company.

Given these circumstances, it is not surprising that North Korea is focused
on financing groups whose objective is to steal, defraud, and procure large
amounts of money illegally. Hence statements such as that of Seongsu Park,
Kaspersky Senior Security Researcher, make sense: “The Andariel group […]
have underlined their place as a financially motivated state-sponsored
actor.” The case of Andariel, or what in practical terms is the same,
Lazarus, is much more problematic than that of RaaS organizations such as
REvil, or criminal gangs like DarkSide or Spectre, because they are being
funded by the Korean government itself. One more reason to be prepared and
to take cybersecurity with the attention it deserves. You don’t have to wait
for these types of attacks to occur in order to realize that it’s necessary
to protect your systems.

At Fluid Attacks we are specialized in cybersecurity through Pentesting and
Ethical Hacking. For more information, don’t hesitate to contact us!

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Zárate. Read the original post at: https://fluidattacks.com/blog/lazarus-malware-cyberattack/