Source: Wikipedia
Compiled by: Yobo, Foresight News
The following content is translated from the Wikipedia article "Lazarus Group":
The Lazarus Group (also known as "Guardians of Peace" or "Whois Team") is a hacker group of unknown size, allegedly controlled by the North Korean government. While little is known about the group, researchers have attributed multiple cyber attacks to it since 2010.
The group started as a criminal enterprise, but is now considered an advanced persistent threat organization due to its malicious intent, the threats it poses, and the various tactics it employs. Cybersecurity firms have given them several nicknames, such as "Hidden Cobra" (used by the U.S. Department of Homeland Security to refer to malicious cyber activity by the North Korean government) and "ZINC" or "Diamond Sleet" (Microsoft's terms). According to North Korean defector Kim Kuk-song, the group is known as the "414 Liaison Office" within North Korea.
The Lazarus Group is closely linked to North Korea. The U.S. Department of Justice has stated that the group is part of North Korea's strategic objectives "to disrupt the global cyber security landscape... and generate illicit revenue in violation of sanctions." North Korea can derive many benefits from its cyber operations, maintaining a very lean team to pose a "global" asymmetric threat (especially against South Korea).
History
The group's earliest known attacks were the "Trojan Horse" operations from 2009 to 2012, a cyber espionage campaign targeting the South Korean government in Seoul using relatively simple distributed denial-of-service (DDoS) techniques. They also carried out attacks in 2011 and 2013, and a 2007 attack on South Korea may also have been their work, though this is unconfirmed. A notable attack by the group occurred in 2014, targeting Sony Pictures Entertainment, which demonstrated more sophisticated techniques and the group's increasing maturity over time.
In 2015, the Lazarus Group reportedly stole $12 million from Banco del Austro in Ecuador and $1 million from Tien Phong Bank in Vietnam. They also targeted banks in Poland and Mexico. The 2016 bank heist, in which $81 million was successfully stolen from a central bank, is also believed to be their work. In 2017, it was reported that the Lazarus Group stole $60 million from the Far Eastern International Bank in Taiwan, though the exact amount stolen is unclear, and most of the funds were recovered.
The true masterminds behind the group remain unclear, but media reports indicate close ties to North Korea. In 2017, Kaspersky Lab reported that the Lazarus Group tends to focus on espionage and infiltration-style cyber attacks, while a subgroup called "Bluenoroff" specializes in financial cyber attacks. Kaspersky found multiple attack incidents globally and discovered a direct IP address association between Bluenoroff and North Korea.
However, Kaspersky also acknowledged that the code reuse could be a "false flag" intended to mislead investigators and pin the attacks on North Korea, given that the global "WannaCry" ransomware attack likewise copied material from the U.S. National Security Agency, including the "EternalBlue" exploit. In 2017, Symantec reported that the "WannaCry" attack was most likely the work of the Lazarus Group.
2009 "Trojan Horse" Operations
The Lazarus Group's first major hacking incident occurred on July 4, 2009, marking the start of the "Trojan Horse" operations. This attack used the "My Doom" and "Dozer" malware to launch large-scale but relatively unsophisticated DDoS attacks on websites in the U.S. and South Korea. The attack targeted around 36 websites and planted the text "Happy Independence Day" in the master boot record (MBR).
2013 South Korean Cyber Attacks ("Operation 1" / "Dark Seoul" Operations)
Over time, the group's attack methods became more complex; their techniques and tools also grew more mature and effective. The "Ten Days of Rain" attack in March 2011, targeting South Korean media, financial, and critical infrastructure, used more sophisticated DDoS attacks originating from compromised computers within South Korea. On March 20, 2013, the "Dark Seoul" operation was launched, a data-wiping attack targeting three South Korean broadcasters, financial institutions, and an internet service provider. At the time, two other groups claiming to be the "New Romanic Cyber Army Team" and the "WhoIs Team" took responsibility for this attack, but researchers did not know the Lazarus Group was the mastermind behind it.
Late 2014: Sony Pictures Infiltration
On November 24, 2014, the Lazarus Group's attacks reached a peak. A post appeared on Reddit claiming that Sony Pictures had been infiltrated by unknown means, with the attackers identifying themselves as the "Guardians of Peace." Vast amounts of data were stolen and gradually leaked over the following days. A person claiming to be a member of the group stated they had been accessing Sony's data for over a year.
The hackers gained access to unreleased films, partial film scripts, future film plans, executive salary information, emails, and personal information of about 4,000 employees.
Early 2016 Investigation: "Blockbuster" Operation
Codenamed "Blockbuster," a coalition of security companies led by Novetta analyzed malware samples found in various cyber security incidents. Using code reuse patterns, the team was able to link the Lazarus Group to multiple attacks, such as the use of the obscure "Cantopee" encryption algorithm.
2016 Bank Heist
In February 2016, a bank heist occurred. Hackers used the SWIFT network to issue 35 fraudulent transfer instructions, attempting to illegally move nearly $1 billion from the central bank's account at the Federal Reserve Bank of New York. Five of the 35 instructions succeeded, transferring $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The New York Fed became suspicious of a misspelled word in one instruction and blocked the remaining 30 transactions, worth $850 million. Cybersecurity experts attributed this attack to the Lazarus Group from North Korea.
The "WannaCry" Ransomware Attack in May 2017
The "WannaCry" attack was a large-scale ransomware cyber attack that, on May 12, 2017, affected numerous institutions globally, from the UK's National Health Service (NHS) to Boeing and even some universities in China. The attack lasted for 7 hours and 19 minutes. Europol estimated that it affected nearly 200,000 computers in 150 countries, with the most affected regions being Russia, India, Ukraine, and Taiwan. This was one of the earliest crypto-worm attacks. A crypto-worm is a type of malware that can spread between computers over a network without direct user interaction; in this case, it spread over TCP port 445. Computers could be infected without clicking on a malicious link, as the malware could self-propagate from one infected computer to connected printers and then to other nearby computers connected to the wireless network. The exposure on port 445 allowed the malware to spread freely within internal networks, quickly infecting thousands of computers.
Attack method
The virus exploited vulnerabilities in the Windows operating system, encrypting computer data and demanding payment of around $300 worth of Bitcoin to obtain the decryption key. To compel victims to pay, the ransom doubled after three days, and the malware would delete the encrypted data files if the ransom was not paid within a week. The malware used a legitimate Microsoft-developed component called "Windows Crypto" to encrypt the files. After encryption, the files were given the "Wincry" extension, hence the name "WannaCry". "Wincry" was the basis for the encryption, but the malware also leveraged two other NSA-derived components, "EternalBlue" and "DoublePulsar", to become a crypto-worm: "EternalBlue" allowed the virus to spread automatically over the network, and "DoublePulsar" triggered the virus to activate on the victim's computer.
Security researcher Marcus Hutchins, who received a sample of the virus from a friend at a security research company, discovered a "kill switch" hardcoded into the malware, which halted the attack. The malware periodically checked whether a specific domain had been registered and only continued the encryption process if the domain did not exist. Hutchins found this check and registered the domain on the afternoon of May 12 (UTC), causing the malware to stop spreading and infecting new devices immediately. This unexpected victory was remarkable, as stopping malware typically requires months of back-and-forth between hackers and security experts. Another unusual aspect was that the files could not be recovered even after the ransom was paid; the hackers received only $130,000 in ransom, leading many to believe their motive was not financial gain but rather to sow chaos.
The ease with which the 'kill switch' was discovered and the meager ransom earnings led many to believe this attack was state-sponsored, with the motive being disruption rather than financial compensation. After the attack, security experts traced the 'DoublePulsar' vulnerability to the US National Security Agency, which had originally developed it as a cyber weapon. The 'Shadow Brokers' hacker group had later stolen this vulnerability and unsuccessfully tried to auction it before eventually releasing it for free. Microsoft had patched the vulnerability in March 2017, less than a month before the attack, but the update was not mandatory, leaving many vulnerable computers unpatched by May 12th, enabling the devastating attack.
Aftermath
The US Department of Justice and UK authorities later attributed the "WannaCry" attack to the North Korean hacker group Lazarus.
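As an added illustration, not taken from the Wikipedia article or from Foresight News, the two behaviours this section describes (the kill-switch domain lookup that precedes encryption, and self-propagation to other hosts over TCP port 445) are also the two behaviours a defender can look for in ordinary logs. The script below runs two such checks over constructed DNS and flow records: hosts that queried a kill-switch domain (once the domain is registered, a query from a host means the worm ran there and was suppressed, not that the host is clean), and hosts that fanned out to many distinct internal machines on port 445 within a short window. The domain name, IP addresses, log lines, window and threshold are all placeholders chosen for the example; the page does not give the real kill-switch domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Placeholder only: the article does not name the real kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed DNS resolver log, one query per line: "<time> <client> <qname>"
DNS_LOG = [
    "2017-05-12T10:01:02Z 10.0.5.14 updates.example.com",
    "2017-05-12T10:01:05Z 10.0.5.14 killswitch-placeholder.example.",
    "2017-05-12T10:01:07Z 10.0.5.22 mail.example.com",
    "2017-05-12T10:02:11Z 10.0.7.9 KILLSWITCH-PLACEHOLDER.example",
]


def kill_switch_queriers(lines, domains=KILL_SWITCH_DOMAINS):
    """Client IPs that looked up a kill-switch (sinkholed) domain.

    The worm only encrypted when the lookup failed, so after the domain was
    registered a query is evidence of an infected host whose payload was
    suppressed, not of a clean one.
    """
    hits = set()
    for line in lines:
        _, client, qname = line.split()
        # normalise case and a trailing root dot before comparing
        if qname.lower().rstrip(".") in domains:
            hits.add(client)
    return sorted(hits)


# Constructed flow records: "<time> <src> <dst> <dst_port>"
FLOW_LOG = (
    # worm-like host: 12 distinct internal targets on 445 within 12 seconds
    [f"2017-05-12T10:03:{i:02d}Z 10.0.5.14 10.0.5.{100 + i} 445" for i in range(12)]
    # ordinary user: two file servers, plus one external 445 flow that is ignored
    + ["2017-05-12T10:03:05Z 10.0.5.22 10.0.9.5 445",
       "2017-05-12T10:03:40Z 10.0.5.22 10.0.9.6 445",
       "2017-05-12T10:03:41Z 10.0.5.22 203.0.113.7 445"]
    # slow host: 12 targets, but one every 3 minutes, so never many per window
    + [f"2017-05-12T10:{10 + 3 * i:02d}:00Z 10.0.7.9 10.0.7.{100 + i} 445" for i in range(12)]
)


def smb_fanout_hosts(lines, internal_net="10.0.0.0/8",
                     window=timedelta(seconds=60), threshold=10):
    """Source IPs that reached at least `threshold` distinct internal hosts on
    TCP/445 inside any sliding window of length `window`."""
    net = ipaddress.ip_network(internal_net)
    events = defaultdict(list)                  # src -> [(time, dst), ...]
    for line in lines:
        ts, src, dst, port = line.split()
        if port != "445" or ipaddress.ip_address(dst) not in net:
            continue
        events[src].append((datetime.strptime(ts, TIME_FMT), dst))

    flagged = []
    for src, evs in events.items():
        evs.sort()
        active = defaultdict(int)               # dst -> hits inside the window
        left = 0
        for t, dst in evs:
            active[dst] += 1
            while t - evs[left][0] > window:    # drop events that fell out of the window
                old_dst = evs[left][1]
                active[old_dst] -= 1
                if active[old_dst] == 0:
                    del active[old_dst]
                left += 1
            if len(active) >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("hosts that queried the kill-switch domain:", kill_switch_queriers(DNS_LOG))
    print("hosts with worm-like SMB fan-out:", smb_fanout_hosts(FLOW_LOG))
```

The fan-out check deliberately counts distinct destinations inside a time window rather than total connections: a user's file-server sessions and a slow, spread-out scan both stay under the threshold, while a worm that tries every neighbour within seconds does not. In a real environment the internal range, window and threshold would be tuned to the network's normal SMB traffic.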
Cryptocurrency attacks in 2017
In 2018, Recorded Future reported that the Lazarus Group was linked to attacks targeting Bitcoin and Monero cryptocurrency users, primarily in South Korea. These attacks were said to be technically similar to the earlier "WannaCry" ransomware attack and the attack on Sony Pictures. One of the Lazarus Group's tactics was exploiting vulnerabilities in the Korean word processing software Hangul, developed by Hancom. Another tactic was sending phishing emails carrying malware to targets such as South Korean students and users of the Coinlink cryptocurrency exchange.
If users opened the malware, their email addresses and passwords would be stolen. Coinlink denied that its website or its users' email addresses and passwords had been hacked. The report concluded that "the series of attacks towards the end of 2017 indicates that a nation-state's interest in cryptocurrency has only grown, and we now know this interest spans a wide range of activities including mining, ransomware attacks, and direct theft... These cryptocurrency attacks may also be used to circumvent international financial sanctions."
In February 2017, hackers from a certain nation stole $7 million from the South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin trading company, Youbit, was attacked in April 2017 and then again in December 2017, losing 17% of its assets, which led it to file for bankruptcy. The Lazarus Group and hackers from a certain nation were implicated in these attacks. In December 2017, the cryptocurrency cloud mining marketplace NiceHash lost over 4,700 Bitcoin. An investigation update showed this attack was linked to the Lazarus Group.
September 2019 attack
In mid-September 2019, the US issued a public alert about a new malware strain called 'ElectricFish'. Since early 2019, agents from a certain nation have carried out five major cyber thefts globally, including successfully stealing $49 million from an institution in Kuwait.
Late 2020 attack on pharmaceutical companies
As the COVID-19 pandemic continued to spread, pharmaceutical companies became a primary target for the Lazarus Group. Lazarus Group members used phishing techniques, posing as health officials, to send malicious links to pharmaceutical company employees. Multiple large pharmaceutical firms are believed to have been targeted, with the AstraZeneca joint venture confirmed as a victim. Many employees involved in COVID-19 vaccine development were targeted, according to Reuters. The motives behind these attacks are unclear but may include stealing sensitive information for profit, implementing extortion schemes, and enabling a foreign government to acquire proprietary COVID-19 research results. AstraZeneca has not commented on the incident, and experts believe no sensitive data has been leaked so far.
January 2021 attack on cybersecurity researchers
In January 2021, Google and Microsoft both publicly reported that a group of hackers from a certain nation had launched attacks against cybersecurity researchers through social engineering tactics. Microsoft specifically attributed the attack to the Lazarus Group.
The hackers created multiple user profiles on platforms like Twitter, GitHub, and LinkedIn, posing as legitimate software vulnerability researchers, and interacted with content posted by others in the security research community. They then directly contacted specific security researchers, claiming to want to collaborate on research, in order to trick victims into downloading files containing malware or visiting blogs controlled by the hackers.
Some victims who accessed the blog posts reported that their computers were compromised even though they were using fully patched Google Chrome browsers, suggesting the hackers may have exploited a previously unknown Chrome zero-day vulnerability. However, Google stated in its report that the exact method of intrusion could not be determined.
Axie Infinity Hack Incident in March 2022
In March 2022, the Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated: "Through the investigation, we have confirmed that the Lazarus Group and APT38 (a North Korea-associated cyber actor) were behind this theft."
Horizon Bridge Attack Incident in June 2022
The FBI confirmed that the North Korean malicious cyber actor group Lazarus Group (also known as APT38) was behind the theft of $100 million in virtual currency from Harmony's Horizon bridge reported on June 24, 2022.
Other Cryptocurrency Attack Incidents in 2023
A report by the blockchain security platform Immunefi stated that the Lazarus Group was responsible for over $300 million in cryptocurrency hacking incidents in 2023, accounting for 17.6% of the total losses that year.
Atomic Wallet Attack Incident in June 2023: In June 2023, the FBI confirmed that the Atomic Wallet service's users had over $100 million in cryptocurrency stolen.
Stake.com Hack Incident in September 2023: In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from the online casino and gambling platform Stake.com, with the Lazarus Group as the perpetrator.
U.S. Sanctions Measures
On April 14, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) listed the Lazarus Group on the Specially Designated Nationals (SDN) List under a certain country's sanctions regulations.
Cryptocurrency Attack Incident in 2024
According to Indian media reports, a local cryptocurrency exchange called WazirX was attacked by the organization, with $234.9 million worth of cryptocurrency assets stolen.
Personnel Training
It is rumored that some North Korean hackers are sent to Shenyang, China for professional training, learning how to implant various malware into computers, computer networks, and servers. Within North Korea, Kim Chaek University of Technology, Kim Il Sung University, and Mangyongdae University are responsible for related education, selecting the best students nationwide for six years of special education. In addition to university education, "some of the best programmers... are sent to Mangyongdae University or the Mirim Academy for further study."
Organizational Branches
The Lazarus Group is believed to have two branches.
BlueNorOff
BlueNorOff (also known as APT38, "Chollima", "BeagleBoyz", "NICKEL GLADSTONE") is a profit-driven organization that engages in illegal fund transfers by forging SWIFT instructions. Mandiant refers to it as APT38, while Crowdstrike calls it "Chollima".
According to a 2020 U.S. Army report, BlueNorOff has around 1,700 members who focus on long-term assessment and exploitation of enemy network vulnerabilities and systems for financial cybercrime activities to generate economic benefits or control relevant systems for the regime. Between 2014 and 2021, they targeted at least 16 institutions in 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. It is believed that these illicit proceeds were used for the development of the country's missile and nuclear technology.
BlueNorOff's most notorious attack was a 2016 bank heist, where they attempted to illegally transfer nearly $1 billion from the central bank's account at the Federal Reserve Bank of New York through the SWIFT network. Some transactions were successful ($20 million went to Sri Lanka, $81 million went to the Philippines), but the Federal Reserve Bank of New York became suspicious due to a misspelled instruction and prevented the remaining transactions.
Malware and tools associated with BlueNorOff include: "DarkComet", "Mimikatz", "Nestegg", "Macktruck", "Wanna Cry", "Whiteout", "Quickcafe", "Rawhide", "Smoothride", "TightVNC", "Sorrybrute", "Keylime", "Snapshot", "Mapmaker", "net.exe", "sysmon", "Bootwreck", "Cleantoad", "Closeshave", "Dyepack", "Hermes", "Twopence", "Electricfish", "Powerratankba", and "Powerspritz".
BlueNorOff's common tactics include: phishing, backdoor setup, vulnerability exploitation, watering hole attacks, executing code on systems by exploiting outdated and insecure Apache Struts 2 versions, strategically compromising websites, and accessing Linux servers. There are reports that they sometimes collaborate with criminal hackers.
AndAriel
AndAriel, also spelled Andarial, has other aliases: "Silent Chollima", "Dark Seoul", "Rifle", and "Wassonite". Its distinctive feature is its focus on South Korea. The alias "Silent Chollima" comes from the organization's secretive nature.
According to a 2020 U.S. Army report, the AndAriel group has around 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map enemy networks for potential attacks. In addition to South Korea, they have also targeted the governments, infrastructure, and enterprises of other countries. Their attack methods include: exploiting ActiveX controls, South Korean software vulnerabilities, watering hole attacks, spear-phishing (via macro viruses), attacking IT management products (such as antivirus software and project management software), and supply chain attacks (through installers and updates). The malware they use includes: Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.
Prosecution of Related Individuals
In February 2021, the U.S. Department of Justice indicted three members of the North Korean military intelligence agency, the Reconnaissance General Bureau (Park Jin Hyok, Jon Chang Hyok, and Kim Il Park), for their involvement in Lazarus Group hacking activities. Park Jin Hyok had already been indicted in September 2018. These suspects are currently not in U.S. custody. Additionally, a Canadian and two Chinese individuals were charged as money transmitters and money launderers for the Lazarus Group.