The story behind the Lazarus Group, the founder of the biggest robbery in history in Web3

Reprinted from chaincatcher
02/22/2025 · Source: Wikipedia
Compiled by: Yobo, Foresight News
The following content is translated from the text of the Wikipedia entry "Lazarus Group":
The Lazarus Group (also known as "Guardians of Peace" or "Whois Team") is a hacker group made up of an unknown number of individuals, allegedly controlled by the North Korean government. Although little is known about the group, researchers have attributed multiple cyber attacks to it since 2010.
The group began as a criminal gang and has since been classified as an advanced persistent threat (APT) because of the intent behind its attacks, the threats it poses, and the wide range of methods used in its operations. Cybersecurity agencies have given it many names, such as "Hidden Cobra" (a name used to refer to malicious cyber activity initiated by the North Korean government) and "ZINC" or "Diamond Sleet" (Microsoft's names). According to North Korean defector Kim Kuk-song, the group is known inside North Korea as the "414 Liaison Office".
The Lazarus Group is closely linked to North Korea. The U.S. Department of Justice has stated that the group is part of the North Korean government's strategy to "undermine global cybersecurity... and generate illicit revenue in violation of sanctions." North Korea gains considerable benefit from cyber operations: maintaining even a small, highly capable team poses a "global" asymmetric threat, especially to South Korea.
Development history
The earliest known attack by the group was Operation Troy, from 2009 to 2012, a cyber-espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The group also launched attacks in 2011 and 2013. It is not certain, but a 2007 attack on South Korea may also have been theirs. A well-known attack by the group took place in 2014 and targeted Sony Pictures. That attack used more sophisticated techniques and showed that the group had matured over time.
In 2015, the Lazarus Group reportedly stole $12 million from Ecuador's Banco del Austro and $1 million from Vietnam's Tien Phong Bank. They also targeted banks in Poland and Mexico. In a 2016 bank heist, they attacked a bank and successfully stole $81 million; that case was also attributed to the group. In 2017, the Lazarus Group was reported to have stolen $60 million from Taiwan's Far Eastern International Bank, although the actual amount taken was unclear and most of the funds were recovered.
It is not clear who really directs the group, but media reports point out that it is closely tied to North Korea. In 2017, Kaspersky Lab reported that the Lazarus Group tended to focus on espionage and infiltration attacks, while a sub-group Kaspersky called "Bluenoroff" specialized in financially motivated attacks. Kaspersky identified multiple attacks around the world and found that Bluenoroff had direct IP address links to North Korea.
However, Kaspersky also acknowledged that the code reuse might be a "false flag" intended to mislead investigators and pin the blame on North Korea. After all, the global "WannaCry" worm attack copied techniques from the U.S. National Security Agency (NSA): the ransomware used the NSA's "EternalBlue" exploit, which was made public in April 2017 by a hacker group called the "Shadow Brokers". In 2017, Symantec reported that the "WannaCry" attack was most likely carried out by the Lazarus Group.
Operation Troy 2009
The Lazarus Group's first major hacking incident took place on July 4, 2009, marking the start of Operation Troy. The attack used the "MyDoom" and "Dozer" malware to launch large-scale but unsophisticated DDoS attacks against websites in the United States and South Korea. It targeted about 36 websites and placed the text "Independence Day" in the Master Boot Record (MBR).
2013 South Korea Cyber Attack ("Operation 1"/"Operation Dark Seoul")
Over time, the group's attack methods have grown more sophisticated; their techniques and tools have become more mature and effective. The "Ten Days of Rain" attack of March 2011, which targeted South Korean media, financial and critical-infrastructure sites, used more sophisticated DDoS attacks launched from compromised computers inside South Korea. On March 20, 2013, Operation Dark Seoul, a data-wiping attack, struck three broadcasters, financial institutions and an Internet service provider in South Korea. At the time, two other groups calling themselves the "NewRomanic Cyber Army Team" and the "WhoIs Team" claimed responsibility, and researchers did not know that the Lazarus Group was behind it. Today, researchers know that the Lazarus Group was behind these destructive attacks.
Late 2014: Sony Pictures is breached
On November 24, 2014, the Lazarus Group's attacks reached a climax. That day, a post appeared on Reddit saying that Sony Pictures had been breached by unknown means; the attackers called themselves the "Guardians of Peace". A large amount of data was stolen and leaked piece by piece in the days after the attack. A man claiming to be a member of the group said in an interview that they had been stealing Sony's data for more than a year.
The hackers had access to unreleased films, some film scripts, future film plans, executive salary information, emails, and the personal information of about 4,000 employees.
Early 2016 Survey: "Operation Blockbuster"
Under the code name Operation Blockbuster, a coalition of several security companies led by Novetta was formed to analyze malware samples found in different cybersecurity incidents. Using this data, the team analyzed the hackers' methods. They linked the Lazarus Group to multiple attacks through patterns of code reuse; for example, the group used a little-known encryption algorithm, the "Caracachs" cipher.
A bank cyber heist in 2016
There was a bank heist in February 2016. Hackers issued 35 fraudulent instructions over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network in an attempt to illegally transfer nearly $1 billion from a central bank's account at the Federal Reserve Bank of New York. Five of the 35 fraudulent instructions succeeded, transferring $101 million: $20 million went to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of New York became suspicious of a misspelling in one instruction and blocked the remaining 30 transactions, worth $850 million. Cybersecurity experts say the mastermind behind the attack was the Lazarus Group of a certain country.
May 2017 "WannaCry" ransomware attack
The "WannaCry" attack was a large-scale ransomware cyber attack. On May 12, 2017, many institutions around the world were affected, from the UK's National Health Service (NHS) to Boeing and even some universities in China. The attack lasted 7 hours and 19 minutes. Europol estimated that it affected nearly 200,000 computers in 150 countries, with Russia, India, Ukraine and Taiwan among the hardest hit. This was one of the earliest crypto-worm attacks. Crypto worms are a class of malware that spread between computers over the network and infect without any direct user action; in this attack, the worm used TCP port 445. Once a computer was infected, no one needed to click a malicious link: the malware spread automatically, from one computer to a connected printer, and then to other nearby computers on the same wireless network. The exposure of port 445 let the malware roam freely across internal networks and rapidly infect thousands of computers, making "WannaCry" one of the first large-scale attacks to use a crypto worm.
Attack method: The virus exploited a vulnerability in the Windows operating system and then encrypted the computer's data, demanding about $300 worth of Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and if it was not paid within a week, the malware deleted the encrypted files. The malware used legitimate Microsoft software, "Windows Crypto", to encrypt the files. After encryption, the file name was given the suffix "Wincry", which is the origin of the name "WannaCry". "Wincry" is the basis of the encryption, but the malware also used two other tools, "EternalBlue" and "DoublePulsar", which made it a crypto worm: "EternalBlue" spreads the virus automatically across the network, while "DoublePulsar" triggers the virus to run on the victim's computer. In other words, "EternalBlue" delivers the infected link to your computer, and "DoublePulsar" clicks it for you.
Security researcher Marcus Hutchins, after receiving samples from friends at a security research firm, found that the virus contained a hard-coded "kill switch", which ended the attack. The malware periodically checked whether a specific domain name was registered and continued encrypting only if the domain did not exist. Hutchins discovered this check and then registered the domain at 3:03 pm UTC; the malware immediately stopped spreading and infecting new devices. This was interesting and provided clues for tracking down the virus's makers: normally, blocking malware takes months of back-and-forth between hackers and security experts, and such an easy win was unexpected. Another unusual feature of this attack is that files could not be recovered even after the ransom was paid; the hackers received only $160,000 in ransom, which led many to believe their purpose was not money.
The easily found "kill switch" and the meager ransom returns led many to believe that the attack was state-sponsored, motivated not by financial gain but by creating chaos. After the attack, security experts traced the "DoublePulsar" tool back to the National Security Agency, which had originally developed it as a cyber weapon. The "Shadow Brokers" hacker group later stole it, first tried to auction it, failed, and finally released it for free. The NSA had informed Microsoft of the vulnerability, and Microsoft released an update on March 14, 2017, about a month before the exploit was made public. But that was not enough: the update was not mandatory, so by May 12 most vulnerable computers were still unpatched, and the attack caused staggering damage.
Follow-up: The U.S. Department of Justice and British authorities later determined that the "WannaCry" attack was carried out by the North Korean hacker group Lazarus Group.
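The two behaviours this section describes, worm-style fan-out over TCP port 445 and the periodic kill-switch domain lookup, are what a defender would look for in network logs. The detection logic below is an added example, not code from Wikipedia or the article; the flow and DNS log lines are constructed for the example, and the kill-switch domain is a placeholder because the page does not name the real one.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder: the page does not name the real kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch.example"}

# Constructed flow records ("timestamp src dst dport"): 10.0.0.5 sweeps 25
# neighbours on TCP/445 within 25 s; 10.0.0.7 makes ordinary file-server use.
FLOW_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{10 + i} 445" for i in range(25)]
    + ["2017-05-12T10:00:05 10.0.0.7 10.0.0.2 445",
       "2017-05-12T10:00:09 10.0.0.7 10.0.0.2 445",
       "2017-05-12T10:00:30 10.0.0.7 10.0.0.3 445"]
)

# Constructed DNS records ("timestamp client qname rcode").
DNS_LOG = """\
2017-05-12T09:59:58 10.0.0.5 killswitch.example NXDOMAIN
2017-05-12T10:05:00 10.0.0.7 www.example.org NOERROR
"""

def parse_flows(text):
    """Parse flow lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def smb_fanout(flows, window_s=60, threshold=20):
    """Return {src: peak distinct TCP/445 destinations} for each source that
    reaches `threshold` distinct peers inside any `window_s`-second window:
    the worm-style propagation pattern the text describes."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))
    window, alerts = timedelta(seconds=window_s), {}
    for src, events in by_src.items():
        events.sort()
        seen, left, peak = Counter(), 0, 0
        for ts, dst in events:  # sliding window over time-sorted events
            seen[dst] += 1
            while ts - events[left][0] > window:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

def kill_switch_lookups(text):
    """Return (client, rcode) per kill-switch query: NXDOMAIN means the domain was
    unregistered (the worm's check would let it continue); NOERROR, sinkhole live."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            _, client, qname, rcode = line.split()
            if qname.lower() in KILL_SWITCH_DOMAINS:
                hits.append((client, rcode))
    return hits
```

A host that both queried the kill-switch domain and then fanned out on port 445 is the combination worth triaging first.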
Cryptocurrency Attacks in 2017
In 2018, Recorded Future released a report linking the Lazarus Group to attacks on users of the cryptocurrencies Bitcoin and Monero, mainly targeting South Korean users. These attacks were reportedly similar to the earlier "WannaCry" ransomware attack and the attack on Sony Pictures. One method the Lazarus Group hackers used was to exploit a vulnerability in the Korean word-processing software Hangul (developed by Hancom). Another was to send spear-phishing lures containing malware to Korean students and users of cryptocurrency exchanges such as Coinlink.
If a user opens the malware, their email address and password are stolen. Coinlink denied that its website or its users' email addresses and passwords had been hacked. "The series of attacks in late 2017 showed that a country's interest in cryptocurrencies has grown, and we now know that this interest covers a wide range of activities including mining, ransomware attacks and outright theft..." The report also noted that the country used these cryptocurrency attacks to circumvent international financial sanctions.
In February 2017, hackers from a certain country stole $7 million from Bithumb, a South Korean cryptocurrency exchange. Another South Korean Bitcoin exchange, Youbit, had to file for bankruptcy in December of the same year after being attacked in April 2017. The Lazarus Group and hackers from a certain country were accused of being behind these attacks. In December 2017, the cryptocurrency cloud-mining marketplace NiceHash lost more than 4,500 bitcoins; an investigation update showed that the attack was linked to the Lazarus Group.
September 2019 Attack
In mid-September 2019, the United States issued a public alert about a newly discovered type of malware called "ElectricFish". Since early 2019, agents of a certain country had carried out five major cyber thefts worldwide, including the successful theft of $49 million from a Kuwaiti institution.
Pharmaceutical company attacks at the end of 2020
As the COVID-19 pandemic spread, pharmaceutical companies became a major target of the Lazarus Group. Its members used spear phishing, posing as health officials and sending malicious links to pharmaceutical company employees. Many large pharmaceutical companies are believed to have been targeted, but only the Anglo-Swedish company AstraZeneca has been confirmed. According to Reuters, many employees were targeted, many of whom were involved in COVID-19 vaccine research and development. It is not clear why the Lazarus Group launched these attacks, but possible motives include stealing sensitive information for profit, running extortion schemes, and giving foreign regimes access to proprietary coronavirus research. AstraZeneca has not commented on the incident, and experts believe no sensitive data has been breached.
An attack on cybersecurity researchers in January 2021
In January 2021, both Google and Microsoft publicly reported that a group of hackers from a certain country had attacked cybersecurity researchers through social engineering; Microsoft explicitly stated that the attack was carried out by the Lazarus Group.
The hackers created multiple user profiles on platforms such as Twitter, GitHub and LinkedIn, posing as legitimate vulnerability researchers and interacting with posts and content from others in the security research community. They then contacted specific security researchers directly and, under the pretext of collaborative research, induced victims to download files containing malware or to visit blog posts on hacker-controlled websites.
Some victims who visited the blog post said that their computers were compromised even though they were using a fully patched Google Chrome browser, suggesting that the hackers may have exploited a previously unknown Chrome zero-day vulnerability; however, Google said at the time of the report that it could not determine the specific method of intrusion.
March 2022 Axie Infinity Attack Event
In March 2022, the Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. "Through the investigation, we confirm that the Lazarus Group and APT38 (North Korea-related cyber actors) are behind the theft," the FBI said.
June 2022 Horizon Bridge Attack
The FBI confirmed that the Lazarus Group, also known as APT38, a North Korean malicious cyber actor group, was behind the theft of $100 million in virtual currency from Harmony's Horizon Bridge, reported on June 24, 2022.
Other related cryptocurrency attacks in 2023
A report released by the blockchain security platform Immunefi said that the Lazarus Group was responsible for more than $300 million in cryptocurrency hacks in 2023, accounting for 17.6% of total losses that year.
June 2023 Atomic Wallet attack: In June 2023, users of the Atomic Wallet service had more than $100 million worth of cryptocurrency stolen, which the FBI later confirmed.
September 2023 Stake.com hack: In September 2023, the FBI confirmed that $41 million worth of cryptocurrency had been stolen from the online casino and betting platform Stake.com and that the perpetrator was the Lazarus Group.
US sanctions
On April 14, 2022, the U.S. Treasury's Office of Foreign Assets Control (OFAC) added the Lazarus Group to the Specially Designated Nationals (SDN) List under Section 510.214 of the relevant country sanctions regulations.
Cryptocurrency Attacks in 2024
According to Indian media reports, the Indian cryptocurrency exchange WazirX was attacked by the group, and $234.9 million worth of crypto assets were stolen.
Personnel training
According to rumors, some North Korean hackers are sent to Shenyang, China, for professional training in implanting various malware into computers, computer networks and servers. Within North Korea, Kim Chaek University of Technology, Kim Il-sung University and Mankyung University handle the relevant education, selecting the best students in the country for a six-year special program. Beyond university, "some of the best programmers... are sent to Mangyongdae University or Mirim College for further study."
Organization branch
The Lazarus Group is believed to have two branches.
BlueNorOff
BlueNorOff (also known as APT38, "Stardust Chollima", "BeagleBoyz" and "NICKEL GLADSTONE") is a financially motivated group that illegally transfers funds by forging Society for Worldwide Interbank Financial Telecommunication (SWIFT) instructions. Mandiant calls it APT38, while CrowdStrike calls it "Stardust Chollima".
According to a 2020 U.S. Army report, BlueNorOff has about 1,700 members who focus on long-term assessment and exploitation of adversary cyber vulnerabilities and systems in order to commit financial cybercrime, generate revenue for the country's regime, or take control of the targeted systems. Between 2014 and 2021, their targets included 16 institutions in at least 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey and Vietnam. The illicit proceeds are believed to fund the country's missile and nuclear programs.
BlueNorOff's most notorious attack was the 2016 bank heist, in which it attempted to illegally transfer nearly $1 billion from a central bank's account at the Federal Reserve Bank of New York over the SWIFT network. After some of the transactions had gone through ($20 million to Sri Lanka and $81 million to the Philippines), the Federal Reserve Bank of New York became suspicious of a misspelling in one instruction and stopped the rest.
Malware associated with BlueNorOff includes "DarkComet", "Mimikatz", "Nestegg", "Macktruck", "WannaCry", "Whiteout", "Quickcafe", "Rawhide", "Smoothride", "TightVNC", "Sorrybrute", "Keylime", "Snapshot", "Mapmaker", "net.exe", "sysmon", "Bootwreck", "Cleantoad", "Closeshave", "Dyepack", "Hermes", "Twopence", "Electricfish", "Powerratankba" and "Powerspritz", among others.
BlueNorOff's commonly used methods include phishing, installing backdoors, exploiting vulnerabilities, watering-hole attacks, exploiting outdated and insecure Apache Struts 2 versions to execute code on the system, strategic website compromises, and gaining access to Linux servers. There are reports that they sometimes work with criminal hackers.
Andariel
Andariel, also spelled Andarial, is also known as Silent Chollima, Dark Seoul, Rifle and Wassonite. Its defining characteristic is that South Korea is its target. Andariel's nickname "Silent Chollima" comes from the secretive nature of its operations. Any institution in South Korea could be attacked by Andariel, including government departments, defense agencies and a range of economic targets.
According to a 2020 U.S. Army report, Andariel has about 1,600 members whose mission is reconnaissance, assessing cyber vulnerabilities, and mapping adversary cyberspace for potential attacks. Besides South Korea, they have also targeted governments, infrastructure and businesses in other countries. Attack methods include exploiting ActiveX controls and Korean software vulnerabilities, watering-hole attacks, spear phishing (using macro viruses), attacks on IT management products (such as antivirus and project management software), and supply-chain attacks (via installers and update programs). The malware used includes Aryan, Gh0st RAT, Rifdoor, Phandoor and Andarat.
Prosecution of relevant personnel
In February 2021, the U.S. Department of Justice indicted three members of North Korea's military intelligence agency, Park Jin Hyok, Jon Chang Hyok and Kim Il, alleging that they had participated in multiple Lazarus Group hacking campaigns. Park Jin Hyok had already been charged in September 2018. None of the suspects is currently in U.S. custody. In addition, a Canadian and two Chinese nationals were accused of acting as money mules and money launderers for the Lazarus Group.