
The biggest robbery in history: The story behind the North Korean hacker group Lazarus Group


Reprinted from panewslab

02/22/2025

Source: Wikipedia

Compiled by: Yobo, Foresight News

The following is a translation of the Wikipedia entry "Lazarus Group":

The Lazarus Group (also known as Guardians of Peace or Whois Team) is a hacker group made up of an unknown number of individuals, allegedly controlled by the North Korean government. Although little is known about the group, researchers have attributed numerous cyber attacks to it since 2010.

The group started out as a criminal gang and has since been classified as an advanced persistent threat (APT) because of its intended targets, the threat it poses and the wide range of methods it uses in its operations. Cybersecurity agencies have given it many names, such as "Hidden Cobra" (the name the US government uses for malicious cyber activity by the North Korean government as a whole) and "ZINC" or "Diamond Sleet" (Microsoft's names). According to North Korean defector Kim Kuk-song, the unit is known inside North Korea as the "414 Liaison Office".

The Lazarus Group is closely linked to North Korea. The US Department of Justice has stated that the group is part of the North Korean government's strategy to "undermine global cybersecurity ... and generate illicit revenue in violation of sanctions". North Korea gains a great deal from cyber operations: maintaining even a small but highly capable team gives it a "global" asymmetric threat, especially against South Korea.

Development history

The earliest known attack attributed to the group was Operation Troy, which ran from 2009 to 2012. It was a cyber espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The group also launched attacks in 2011 and 2013. Although uncertain, an attack on South Korea in 2007 may also have been its work. A well-known attack took place in 2014, when the group targeted Sony Pictures. That attack used more sophisticated techniques and showed how much the group had matured over time.

In 2015, the Lazarus Group reportedly stole $12 million from Banco del Austro in Ecuador and $1 million from Vietnam's Tien Phong Bank. It also targeted banks in Poland and Mexico. In the 2016 Bangladesh Bank heist, the group successfully stole $81 million, an attack likewise attributed to it. In 2017, the Lazarus Group was reported to have stolen $60 million from Taiwan's Far Eastern International Bank, although the actual amount taken is unclear and most of the funds were recovered.

It is not clear who is really behind the group, but media reports point to a close relationship with North Korea. In 2017, Kaspersky Lab reported that the Lazarus Group tends to focus on espionage and infiltration, while a sub-group Kaspersky calls "Bluenoroff" specialises in financial attacks. Kaspersky identified multiple attacks around the world and found a direct link between Bluenoroff and IP addresses in North Korea.

Kaspersky also acknowledged, however, that code reuse could be a "false flag" intended to mislead investigators and pin the blame on North Korea. After all, the global WannaCry worm borrowed technology from the US National Security Agency (NSA): the ransomware used the NSA's EternalBlue exploit, which had been published in April 2017 by a group calling itself the Shadow Brokers. Also in 2017, Symantec reported that the WannaCry attack was most likely the work of the Lazarus Group.

Operation Troy 2009

The Lazarus Group's first major hacking incident took place on July 4, 2009, marking the start of Operation Troy. The attack used the MyDoom and Dozer malware to launch large-scale but unsophisticated DDoS attacks against websites in the United States and South Korea. It targeted around three dozen websites and wrote the text "Memory of the Independence Day" into the master boot record (MBR).

2013 South Korea cyber attack ("Operation 1Mission"/"Operation DarkSeoul")

Over time, the group's attacks became more sophisticated; its techniques and tools grew more mature and effective. The "Ten Days of Rain" attack in March 2011 targeted South Korean media, financial and critical-infrastructure organisations, using more sophisticated DDoS attacks launched from compromised computers inside South Korea. On March 20, 2013, Operation DarkSeoul began: a data-wiping attack against three South Korean broadcasters, financial institutions and an internet service provider. At the time, two other groups calling themselves the "NewRomanic Cyber Army Team" and the "WhoIs Team" claimed responsibility, and researchers did not yet know that the Lazarus Group was behind it. Today, researchers know that the Lazarus Group was the driving force behind these destructive attacks.

Late 2014: Sony Pictures breached

On November 24, 2014, the Lazarus Group's attacks reached a climax. That day, a post appeared on Reddit saying that Sony Pictures had been breached by unknown means; the attackers called themselves the "Guardians of Peace". Large amounts of data were stolen and leaked gradually in the days after the attack. A person claiming to be a member of the group said in an interview that they had been stealing Sony's data for more than a year.

The hackers obtained unreleased films, some film scripts, plans for future films, executive salary information, emails, and personal information on about 4,000 employees.

Early 2016 Investigation: "Operation Blockbuster"

Under the code name "Operation Blockbuster", a coalition of several security companies led by Novetta analysed malware samples found in different cybersecurity incidents. Using this data, the team studied the attackers' modus operandi and linked the Lazarus Group to multiple attacks through patterns of code reuse. For example, the samples used an encryption algorithm rarely seen in the wild: the Caracachs cipher.

2016 Bangladesh Bank cyber heist

The Bangladesh Bank heist took place in February 2016. The attackers issued 35 fraudulent instructions over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, attempting to transfer nearly $1 billion out of the Bangladesh central bank's account at the Federal Reserve Bank of New York. Five of the 35 instructions succeeded, moving $101 million: $20 million went to Sri Lanka and $81 million to the Philippines. A spelling mistake in one of the instructions raised suspicion at the Federal Reserve Bank of New York, which blocked the remaining 30 transactions worth $850 million. Cybersecurity experts say the North Korea-linked Lazarus Group was behind the attack.

May 2017 "WannaCry" ransomware attack

WannaCry was a large-scale ransomware attack. On May 12, 2017, it affected many organisations around the world, from the UK's National Health Service (NHS) to Boeing and even some Chinese universities. The attack lasted 7 hours and 19 minutes. Europol estimated that nearly 200,000 computers in 150 countries were affected, with Russia, India, Ukraine and Taiwan hit hardest. It was one of the first large-scale attacks using a cryptoworm: malware that spreads between computers over the network and can infect a machine without any user interaction. In this case it spread over TCP port 445 (SMB). Once a computer was infected, nobody needed to click a malicious link; the malware propagated on its own from one computer to a connected printer and on to other nearby computers on the same wireless network. The vulnerability exposed on port 445 let the malware roam freely across internal networks and infect thousands of computers in a short time.

Attack method: the malware exploited a vulnerability in the Windows operating system, then encrypted the computer's data and demanded about $300 in Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and the malware threatened to delete the encrypted files if no payment was made within a week. For the encryption itself the malware used Microsoft's own legitimate Windows cryptographic API; once encryption finished, files were given the extension ".WNCRY", which is where the name "WannaCry" comes from. The encryption routine is the ransomware part; what made it a worm were two other leaked NSA tools, the "EternalBlue" exploit and the "DoublePulsar" backdoor. EternalBlue lets the malware spread automatically over the network, and DoublePulsar activates it on the victim's computer. Put simply, EternalBlue delivers the infected link to your computer, and DoublePulsar clicks on it for you.
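The network-visible side of the propagation described above is a host that suddenly opens SMB sessions to many distinct peers. The following script, an added example written for this page rather than anything from the Wikipedia entry or from WannaCry itself, flags that fan-out in flow logs. The log format, timestamps and IP addresses are constructed for illustration.

```python
"""SMB fan-out detection over flow logs (added example, not from the article).

A freshly infected cryptoworm host looks, from the network, like a machine
that opens TCP/445 connections to many distinct peers in a short time,
including peers that refuse the connection. This script flags that pattern
using a sliding window per source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 10.0.1.15 behaves like a worm host; 10.0.1.40 and 10.0.1.41 are ordinary file-share users.
SAMPLE_FLOWS = """\
2017-05-12T09:00:01Z 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T09:00:01Z 10.0.1.15 10.0.1.21 445 ALLOW
2017-05-12T09:00:02Z 10.0.1.15 10.0.1.22 445 ALLOW
2017-05-12T09:00:02Z 10.0.1.15 10.0.1.23 445 DENY
2017-05-12T09:00:03Z 10.0.1.15 10.0.1.24 445 ALLOW
2017-05-12T09:00:03Z 10.0.1.15 10.0.1.25 445 ALLOW
2017-05-12T09:00:04Z 10.0.1.15 10.0.1.26 445 ALLOW
2017-05-12T09:00:04Z 10.0.1.15 10.0.1.27 445 ALLOW
2017-05-12T09:00:05Z 10.0.1.15 198.51.100.7 445 ALLOW
2017-05-12T09:00:05Z 10.0.1.15 198.51.100.8 445 ALLOW
2017-05-12T09:00:06Z 10.0.1.15 198.51.100.9 445 ALLOW
2017-05-12T09:00:06Z 10.0.1.15 198.51.100.10 445 ALLOW
2017-05-12T09:00:10Z 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T09:00:11Z 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T09:01:00Z 10.0.1.41 10.0.1.5 445 ALLOW
2017-05-12T09:01:01Z 10.0.1.41 10.0.1.6 443 ALLOW
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, port, action) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, action = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), action))
    return records


def detect_smb_fanout(records, window_seconds=60, threshold=10):
    """Return {src_ip: sorted distinct SMB peers} for every source that reached
    at least `threshold` distinct peers on TCP/445 within any sliding window
    of `window_seconds`.

    Denied flows count too: a scanning worm probes addresses whether or not
    anything answers, so failed attempts are part of the signal.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in records:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of flows currently inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward, dropping flows older than `window`.
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            # Keep the largest peer set seen for this source.
            if len(in_window) >= threshold and len(in_window) > len(alerts.get(src, ())):
                alerts[src] = sorted(in_window)
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {len(peers)} distinct SMB peers in 60 s, e.g. {peers[:3]}")
```

The threshold and window are tuning knobs: a file server's clients legitimately talk to one or two SMB peers, so a source touching a dozen distinct hosts in seconds, including ones outside the local subnet, is the behaviour worth paging on.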

After receiving samples from friends at a security research firm, security researcher Marcus Hutchins found a hard-coded "kill switch" in the malware, which brought the attack to an end. The malware checked whether a specific domain name was registered and continued encrypting only if the domain did not exist. Hutchins spotted this check and registered the domain at 15:03 UTC, and the malware immediately stopped spreading to new devices. This was unusual and offered clues for tracking the malware's authors. Normally, stopping malware takes months of back-and-forth between attackers and security experts, and such an easy win was unexpected. Another unusual aspect was that files could not be recovered even after the ransom was paid; the attackers received only about $160,000 in ransom, which led many to believe that money was not their goal.
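The kill-switch logic above is inverted from what one might expect: a successful DNS lookup stops the malware. The following added example, written for this page and not taken from the Wikipedia entry or from the malware, models that gate with an injectable resolver, covers the well-documented caveat that the check also "fails" on networks with no DNS egress (so the sinkhole could not protect isolated machines), and turns the same behaviour into a defensive signal: hosts querying the domain are infected machines that still need cleanup. KILL_SWITCH_DOMAIN is a placeholder under the reserved .invalid TLD, not the real domain, and the DNS log is constructed.

```python
"""Kill-switch gate and sinkhole telemetry (added example, not from the article).

Models the inverted check the text describes (lookup succeeds -> halt), the
isolated-network edge case, and a resolver-log sweep for infected hosts.
"""
import socket

KILL_SWITCH_DOMAIN = "kill-switch.example.invalid"  # placeholder, not the real domain


def domain_resolves(domain, resolver=socket.gethostbyname):
    """True if `resolver` returns an address for `domain`, False on any lookup failure."""
    try:
        resolver(domain)
        return True
    except OSError:  # socket.gaierror, timeouts and "no network" all land here
        return False


def kill_switch_decision(domain, resolver):
    """Mirror the malware's inverted logic: a *successful* lookup halts it."""
    return "halt" if domain_resolves(domain, resolver) else "propagate"


# Resolver stand-ins for the three situations that matter.
def resolver_unregistered(_name):
    # Authoritative NXDOMAIN: what every infected host saw before the domain was registered.
    raise socket.gaierror(-2, "Name or service not known")


def resolver_sinkholed(_name):
    # The domain now resolves to a sinkhole (address from the 192.0.2.0/24 documentation range).
    return "192.0.2.10"


def resolver_no_dns(_name):
    # Air-gapped or egress-filtered network: the lookup fails even though the
    # domain is registered, so the gate does not help there.
    raise socket.gaierror(-3, "Temporary failure in name resolution")


def run_scenarios():
    """Outcome of the gate in each situation."""
    return {
        "before registration": kill_switch_decision(KILL_SWITCH_DOMAIN, resolver_unregistered),
        "after sinkhole": kill_switch_decision(KILL_SWITCH_DOMAIN, resolver_sinkholed),
        "isolated network": kill_switch_decision(KILL_SWITCH_DOMAIN, resolver_no_dns),
    }


# Constructed resolver query log: "<timestamp> <client_ip> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2017-05-12T15:04:01Z 10.0.1.15 kill-switch.example.invalid. NOERROR
2017-05-12T15:04:03Z 10.0.1.40 update.example.invalid. NOERROR
2017-05-12T15:04:09Z 10.0.1.77 KILL-SWITCH.EXAMPLE.INVALID NOERROR
2017-05-12T15:04:11Z 10.0.1.15 kill-switch.example.invalid. NOERROR
2017-05-12T15:04:15Z 10.0.1.41 mail.example.invalid. NXDOMAIN
"""


def hosts_querying(log_text, domain):
    """Set of client IPs that looked up `domain` (case-insensitive, trailing dot ignored).

    Once the sinkhole is live, each such query is an infected host that was
    stopped from spreading but still needs cleanup and patching.
    """
    wanted = domain.lower().rstrip(".")
    hits = set()
    for line in log_text.strip().splitlines():
        _ts, client, qname, _rcode = line.split()
        if qname.lower().rstrip(".") == wanted:
            hits.add(client)
    return hits


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:20s} -> {outcome}")
    print("hosts to triage:", sorted(hosts_querying(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN)))
```

The "isolated network" case is the one to remember: the sinkhole only halts hosts that can actually resolve the domain, so segments with no DNS egress, or with a proxy that swallows lookups, were still encrypted after 15:03 UTC.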

The easily defeated kill switch and the meagre ransom haul led many to believe the attack was state-sponsored, with chaos rather than financial gain as its motive. After the attack, security experts traced the exploit tooling back to the National Security Agency, which had originally developed EternalBlue and DoublePulsar as cyber weapons. The Shadow Brokers group later stole the tools, first tried to auction them, failed, and finally released them for free. The NSA had informed Microsoft of the underlying vulnerability, and Microsoft released a patch on March 14, 2017, a month before the Shadow Brokers leak and almost two months before the attack. That was not enough: the update was not installed automatically everywhere, and by May 12 most vulnerable computers were still unpatched, which is why the attack caused such staggering damage.

Aftermath: the US Department of Justice and British authorities later concluded that the WannaCry attack was carried out by the North Korean hacker group Lazarus Group.

Cryptocurrency Attacks in 2017

In 2018, Recorded Future published a report linking the Lazarus Group to attacks on users of the cryptocurrencies Bitcoin and Monero, mainly in South Korea. These attacks were reportedly similar to the earlier WannaCry ransomware attack and the attack on Sony Pictures. One method the Lazarus hackers used was to exploit a vulnerability in Hangul Word Processor, a Korean word-processing program developed by Hancom. Another was to send spear-phishing lures carrying malware to Korean students and to users of cryptocurrency exchanges such as Coinlink.

If a user opened the malware, their email address and password were stolen. Coinlink denied that its website or its users' email addresses and passwords had been compromised. "The series of attacks in late 2017 shows that North Korea's interest in cryptocurrencies has increased, and we now know that this interest covers a wide range of activities including mining, ransomware attacks and direct theft ...", the report said, adding that North Korea used these cryptocurrency attacks to circumvent international financial sanctions.

In February 2017, North Korean hackers stole $7 million from Bithumb, a South Korean cryptocurrency exchange. Youbit, another South Korean bitcoin exchange, was forced to file for bankruptcy in December 2017 after a second attack that followed an earlier one in April 2017. The Lazarus Group and other North Korean hackers were blamed for these attacks. In December 2017, NiceHash, a cryptocurrency cloud-mining marketplace, lost more than 4,500 bitcoin; a later update to the investigation linked the attack to the Lazarus Group.

September 2019 Attack

In mid-September 2019, the United States issued a public alert about a newly discovered malware family called "ElectricFish". Since early 2019, North Korean actors had carried out five major cyber thefts worldwide, including the successful theft of $49 million from an institution in Kuwait.

Attacks on pharmaceutical companies in late 2020

As the COVID-19 pandemic spread, pharmaceutical companies became a prime target of the Lazarus Group. Group members used spear phishing, posing as health officials and sending malicious links to pharmaceutical company employees. Many large pharmaceutical companies are thought to have been targeted, but only the Anglo-Swedish company AstraZeneca has been confirmed. According to Reuters, many employees were targeted, including many involved in COVID-19 vaccine research. It is unclear why the Lazarus Group launched these attacks; possible motives include stealing sensitive information to sell, deploying ransomware, and giving a foreign regime access to proprietary coronavirus research. AstraZeneca has not commented on the incident, and experts believe no sensitive data was breached.

Attack on cybersecurity researchers in January 2021

In January 2021, both Google and Microsoft publicly reported that a group of North Korean hackers had attacked cybersecurity researchers using social engineering, and Microsoft explicitly attributed the attack to the Lazarus Group.

The hackers created multiple profiles on platforms such as Twitter, GitHub and LinkedIn, posing as legitimate vulnerability researchers, and interacted with posts published by others in the security research community. They then contacted specific researchers directly and, under the pretext of collaborative research, lured them into downloading files containing malware or visiting blog posts on attacker-controlled websites.

Some victims who visited the blog post said their computers were compromised even though they were running fully patched Google Chrome, suggesting the hackers may have exploited a previously unknown Chrome zero-day; however, Google said at the time of its report that it could not determine the exact method of intrusion.

Axie Infinity attack in March 2022

In March 2022, the Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin Network used by the game Axie Infinity. "Through our investigation, we confirmed that the Lazarus Group and APT38 (North Korea-related cyber actors) are behind the theft," the FBI said.

Horizon Bridge Attack in June 2022

The FBI confirmed that the Lazarus Group, also known as APT38, a North Korean malicious cyber actor group, was behind the theft of $100 million in virtual currency from Harmony's Horizon Bridge, reported on June 24, 2022.

Other related cryptocurrency attacks in 2023

According to a report by the blockchain security platform Immunefi, the Lazarus Group was responsible for more than $300 million of cryptocurrency hacking losses in 2023, 17.6% of that year's total.

Atomic Wallet attack, June 2023: in June 2023, more than $100 million worth of cryptocurrency was stolen from users of the Atomic Wallet service; the FBI later confirmed the Lazarus Group was responsible.

Stake.com hack, September 2023: in September 2023, the FBI confirmed that $41 million in cryptocurrency had been stolen from the online casino and betting platform Stake.com and that the perpetrator was the Lazarus Group.

US sanctions

On April 14, 2022, the US Treasury's Office of Foreign Assets Control (OFAC) added the Lazarus Group to the Specially Designated Nationals (SDN) List under section 510.214 of the North Korea Sanctions Regulations.

Cryptocurrency Attacks in 2024

According to Indian media reports, the local cryptocurrency exchange WazirX was attacked by the group and crypto assets worth $234.9 million were stolen.

Personnel training

It is rumoured that some North Korean hackers are sent to Shenyang, China, for specialist training in how to implant various kinds of malware into computers, networks and servers. Inside North Korea, Kim Chaek University of Technology, Kim Il-sung University and Mankyung University are responsible for the relevant education; they select the country's best students and give them six years of special education. Beyond university, "some of the best programmers ... go on to Mangyongdae University or Mirim College for further study."

Organization branch

The Lazarus Group is believed to have two sub-groups.

BlueNorOff

BlueNorOff (also known as APT38, "Stardust Chollima", "BeagleBoyz" and "NICKEL GLADSTONE") is a financially motivated group that illegally transfers funds by forging Society for Worldwide Interbank Financial Telecommunication (SWIFT) instructions. Mandiant calls it APT38, and CrowdStrike calls it "Stardust Chollima".

According to a 2020 US Army report, BlueNorOff has about 1,700 members who focus on long-term assessment and exploitation of adversary network vulnerabilities and systems in order to commit financial cybercrime, generate income for the regime or take control of the systems involved. Between 2014 and 2021, its targets included 16 institutions in at least 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey and Vietnam. The proceeds are believed to fund North Korea's missile and nuclear programmes.

BlueNorOff's most notorious operation was the 2016 Bangladesh Bank heist, in which it tried to transfer nearly $1 billion out of the Bangladesh central bank's account at the Federal Reserve Bank of New York over the SWIFT network. After some of the transactions had gone through ($20 million to Sri Lanka and $81 million to the Philippines), a spelling mistake in one instruction raised suspicion at the Federal Reserve Bank of New York, which blocked the rest.

Malware and tooling associated with BlueNorOff include: DarkComet, Mimikatz, Nestegg, Macktruck, WannaCry, Whiteout, Quickcafe, Rawhide, Smoothride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, Hermes, Twopence, ElectricFish, Powerratankba and Powerspritz. Several of these (Mimikatz, TightVNC, net.exe, sysmon) are publicly available or legitimate administration tools rather than custom malware, so their presence alone is not an indicator.

Methods commonly used by BlueNorOff include phishing, backdoors, exploitation of vulnerabilities, watering-hole attacks, exploiting outdated and insecure versions of Apache Struts 2 to execute code on systems, strategic web compromises and access to Linux servers. There are reports that it sometimes works with criminal hackers.

Andariel

Andariel (also spelled Andarial) is also known as Silent Chollima, Dark Seoul, Rifle and Wassonite. Its defining characteristic is that it targets South Korea. The nickname "Silent Chollima" comes from the stealthy nature of the group's operations. Any organisation in South Korea could be an Andariel target, including government departments, defence agencies and major economic players.

According to a 2020 US Army report, Andariel has about 1,600 members whose mission is reconnaissance, assessment of network vulnerabilities and mapping of adversary networks for potential attacks. Besides South Korea, it has also targeted governments, infrastructure and businesses in other countries. Its attack methods include exploiting ActiveX controls and vulnerabilities in Korean software, watering-hole attacks, spear phishing (with macro-based malware), attacks on IT management products (such as antivirus and project-management software), and supply-chain attacks through installers and update programs. Malware used includes Aryan, Gh0st RAT, Rifdoor, Phandoor and Andarat.

Prosecution of members

In February 2021, the US Department of Justice indicted three members of the North Korean military intelligence agency, Park Jin Hyok, Jon Chang Hyok and Kim Il, for their part in multiple Lazarus Group hacking campaigns. Park Jin Hyok had already been charged in September 2018. None of the three is in US custody. In addition, a Canadian and two Chinese nationals were charged with acting as money mules and launderers for the Lazarus Group.
