
Lazarus Group almost certainly connected to North Korea, Group-IB alleges

31 May 2017

Threat intelligence agency Group-IB has published research indicating that the notorious Lazarus Group is well and truly connected to North Korea.

The group has been behind numerous attacks, including one that tried to steal US$1 billion from the Central Bank of Bangladesh. It compromised Polish banks in the process, and Group-IB says that attack was connected to North Korea.

The group was also behind the Sony Pictures hack in 2014, and numerous attacks on the South Korean Government.

Group-IB says that detailed analysis of the criminals' Command & Control (C&C) infrastructure and combined threat intelligence pinpointed the group's attacks to Pyongyang.

Further allegations also suggest that the group is controlled by Bureau 121, a division of North Korean intelligence agency Reconnaissance General Bureau.

Group-IB says that its report focused on infrastructure research, rather than malware analysis or attribution that previous reports have used.

The researchers found a 'complex' three-layer architecture, encrypted channels, VPN services and other techniques, but still managed to identify the group's operating location.

Group-IB co-founder and head of Threat Intelligence Department Dmitry Volkov, says the Lazarus Group is thorough and careful.

"Our research testified that North Korean Lazarus group is taking extraordinary precaution measures, dividing the attacks into several stages and launching all the modules manually. So that even if the attack is detected, it would take security researchers much time and effort to investigate it. To mask malicious activity, the hackers used a three-layer C&C infrastructure and pretended to be Russians," he explains.

The group has been using IP addresses across the world, including those of universities in the US, Canada, India and Great Britain, as well as pharmaceutical companies in Japan and China. They have also been using government subnets in various countries, Group-IB says.

"Taking into consideration strengthening economic sanctions against North Korea, as well as the geopolitical tension in the region, we expect a new wave of Lazarus attacks against global financial institutions. With that said, we strongly recommend the banks learn more about targeted attacks' tactics and techniques, increase corporate cybersecurity awareness, and cooperate with the companies providing relevant Threat Intelligence," Volkov adds.

Group-IB is a threat intelligence provider with clients across the globe, including Fortune 500 companies in Asia and Australia.
