Photo by Andrea De Santis on Unsplash

Lazarus, Come Forth!

The North Korean malware campaign targeting South Korea

By Felipe Zárate | June 18, 2021

This week several cybersecurity portals (see thehackernews, darkreading, news.softpedia, channelasia.tech and securelist) confirmed that North Korea has built a campaign of cyberattacks targeting South Korea. Its goal? Spy on high-profile government officials, financial institutions, banking organizations, and government administrative offices of the highest level such as the Korea Internet and Security Agency (KISA), the South Korean Ministry of Foreign Affairs, the South Korean Embassy of Sri Lanka, the Deputy Consul General at Korean Consulate General in Hong Kong, educational centers such as Seoul National University, the country’s largest university and one of the Top 50 universities worldwide (according to QS ranking). They have even targeted global organizations such as the International Atomic Energy Agency and the Nuclear Security Officer.

The FBI has acknowledged the link that North Korean hacking groups have had with conspiracy campaigns orchestrated by that Government. In addition, the U.S. Department of the Treasury has identified these groups as state-sponsored. But who are these groups? Who are their victims, and why? Are they a global threat?

Micha Brändli
Figure 1. Photo by M. Brändli on Unsplash.

Lazarus

One of the most famous North Korean criminal gangs is Lazarus. It has been operating since at least 2009. However, the U.S. Department of the Treasury insists it was created by the North Korean government in 2007 and is run by the country’s security service, the Reconnaissance General Bureau (RGB). The RGB is in charge of the country’s cyber activities and is "involved in the trade of North Korean arms."

It was recently confirmed that WannaCry, a malware used to extort money, was used against Japanese multinational company Sony in an attack that costed more than $1B in 2014. Apparently, the attack was retaliation for Sony’s film The Interview, a comedy that ridiculed dictator Kim Jong Un. The attack perpetrated by Lazarus, in any case, was not limited to Sony but also targeted international banks and cryptocurrency companies.

In 2017, the same malware infected more than 300 thousand computers and impacted at least 150 countries worldwide, including the United States, Australia, Canada, New Zealand and the United Kingdom. The attack was particularly striking for having reached the "hospital systems in the United Kingdom, Russia’s interior ministry, FedEx in the U.S., Germany’s rail network, a Spanish telecommunications operator and major companies in Asia." It was undoubtedly a media attack because of its impact and the variety of companies and organizations affected. Yet, we had to wait two years after the attack until the U.S. Department of the Treasury confirmed that "Lazarus Group was involved in the destructive WannaCry 2.0 ransomware attack" aforementioned.

Organization

In the white paper that Lexfo, a recognized french technical expertise firm in computer security, presented on Lazarus, it was concluded that they are not a single group. Instead, the cybercriminal gang has subdivisions in charge of attacking from different fronts: "the Lazarus 'core' aiming at disrupting activities and causing damage, Andariel, hacking for profit and intelligence, and Bluenoroff, motivated by financial gains" (my emphasis). Andariel has been the most prominent part of Lazarus dedicated to targeting South Korean entities with malware attacks.

As a case study, Lazarus is quite particular because it is directly controlled by a North Korean government entity. This is astonishing because there are not many cases of public relationships between cybercriminal gangs and governments. Perhaps Russian groups are the most famous cases, but we still don’t have official communication from the Russian government that publicly accepts they work together. In this way, Lazarus operations make it a peculiar state-owned company, which resorts to cybercrime to commit its misdeeds. Yet, it has little autonomy to carry out its criminal activities. But how can we explain this unusual formation of a criminal group?

Lexfo’s white paper
Figure 2. Taken from Lexfo’s white paper.

The North Korean case

For many years now, North Korea has been subject to several economic sanctions. Since 2006, the United Nations has unanimously condemned the nuclear tests being executed by the Democratic Republic of Korea. For this reason, dozens of economic sanctions were carried out, orchestrated primarily by the United States, as North Korea is seen as posing a threat to U.S. national security. These economic pressures are intended to constrain the Asian nation from denuclearizing. Unfortunately, denuclearization has not been achieved, and the North Korean nuclear arsenal has been strengthened recently.

Given this background, it is not hard to think that North Korea has implemented methods to secure capital in 'unorthodox' ways. Hence, the relationship that the RGB has with Lazarus is not strange. Therefore, "North Korea has been behind an increasingly orchestrated effort aimed at infiltrating computers of financial institutions" to perform cryptocurrency heists or ransomware attacks. Specifically, with WannaCry, their goal is to use malware to steal data and spy on competitors. In particular, Andariel has been responsible for "attempting to steal bank card information by hacking into ATMs to withdraw cash or sell customer information on the black market."

Go round in circles?

This is a vicious circle. Instead of making the Asian country less and less threatening to the international community, what economic blockades do is push the government to finance itself in illegal ways that risk the finances, cybersecurity and privacy of other nations. That, in turn, leads to increasingly strong sanctions on the part of the international community. One of the highest points of Lazarus' criminal shots was the ambitious Bangladesh Central Bank attack in 2016. The Korean gang attempted to steal more than $850M. The action was almost entirely thwarted but cost the Bangladeshi institution $81M, a figure reduced to $63M after $18M were recovered.

That same year the administration of then-President Barack Obama announced its Executive Order 13722 of March 15, 2016. President Obama established that, due to North Korea’s persistence in developing its nuclear and missile programs, the U.S. government recognizes the Asian country as a national priority. That decision was supported considering the rise of North Korean cybercriminal activities that targeted European, American, and Asian countries. As a result, it prohibited any direct or indirect commercial exchange with every type of North Korean company.

Given these circumstances, it is not surprising that North Korea is focused on financing groups whose objective is to steal, defraud, and procure large amounts of money illegally. Hence statements such as Seongsu Park, Kaspersky Senior Security Researcher, make sense: "The Andariel group […​] have underlined their place as a financially motivated state-sponsored actor." The case of Andariel, or what in practical terms is the same, Lazarus, is much more problematic than that of RaaS organizations such as REvil, or criminal gangs like DarkSide or Spectre because they are being funded by the Korean government itself. One more reason to be prepared and to take cybersecurity with the attention it deserves. You don’t have to wait for these types of attacks to occur in order to realize that it’s necessary to protect your systems.

At Fluid Attacks we are specialized in cybersecurity through Pentesting and Ethical Hacking.
For more information, don’t hesitate to contact us!