Lazarus Group linked to phishing attacks on cryptocurrency sector

28 Aug 2020

Cybersecurity firm F-Secure has published new research suggesting that the advanced persistent threat (APT) group Lazarus Group, also known as APT38, is behind a recent attack against a company working in the cryptocurrency space.

The attack was part of a wider campaign that targeted cryptocurrency businesses in countries including Japan, Singapore, China, South Korea, Hong Kong, the Philippines, the United States, Canada, Argentina, the United Kingdom, the Netherlands, Estonia, and Germany. The campaign's phishing activity has been ongoing since January 2018, if not earlier.

In this case, the attacks were launched through a phishing document sent via LinkedIn to employees at the targeted organisation. This phishing document was styled to look like a job advertisement for a role in a blockchain company.

F-Secure director of detection and response, Matt Lawrence, says the research is based on insights from the company’s incident response, tactical defence, and managed detection and response.

“This attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident. The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important,” he notes.

The research points out that the ‘malicious implants’ used in the attack were almost identical to tools previously used by Lazarus Group. While the group is evolving its toolset over time, the overlap gives organisations an opportunity to build defences and protect themselves against further attacks.

F-Secure also says that Lazarus Group invests ‘significant’ effort in evading an organisation’s defences, disabling antivirus software on host devices and removing evidence of its malware.

“The target in this investigation had a leading EDR and network security tool installed that captured telemetry of Lazarus Group’s actions, but this did not result in a positive detection that was actioned. It is F-Secure’s view that people play an important role in building effective detection capability, and this incident serves as an example of the need to invest in people as well as technology.”

According to F-Secure, Lazarus Group’s interests ‘reportedly align’ with the Democratic People’s Republic of Korea (DPRK). This claim is backed up by numerous government bodies, including those belonging to the United Kingdom and the United States.

The United States Department of Treasury states, “Created by the North Korean Government as early as 2007, this malicious cyber group is subordinate to the 110th Research Center, 3rd Bureau of the RGB. The 3rd Bureau is also known as the 3rd Technical Surveillance Bureau and is responsible for North Korea’s cyber operations.”

“In addition to the RGB’s role as the main entity responsible for North Korea’s malicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the trade of North Korean arms.”

The Lazarus Group has also been named as the APT behind the 2017 WannaCry ransomware attacks.
