The notorious Lazarus group is attacking the world, an expert told CyberNews


The infamous Lazarus hackers linked with North Korea are after money and intelligence. CyberNews spoke to the security researchers who have been following Lazarus. They say these hackers are using highly sophisticated attack forms.

Lazarus, or Hidden Cobra, is a hacker unit believed to be backed by Pyongyang. North Korea allegedly has 6,000 hackers and uses them for financial gain, as well as intelligence gathering. North Korea is being sanctioned because of its nuclear program, therefore the country has limited ability to acquire foreign currency through exports.

Lazarus has been targeting casinos, banks, and cryptocurrency businesses, and recently it has targeted the defense industry of Israel.

Experts say Lazarus deploys highly sophisticated methods to retrieve money and intelligence from their targets.

Lazarus stealing cryptocurrency

Last year, Finnish security firm F-Secure uncovered a global phishing campaign by Lazarus, and their newest data shows this activity continuing well into 2020. Their recent research showed how hackers phished for cryptocurrency via fake LinkedIn job alerts.

The hackers targeted cryptocurrency professionals by mimicking legitimate blockchain job listings. Victims received LinkedIn messages with an attached file containing malicious code. The purpose of the malware was to harvest credentials that would let the attackers log in to specific systems and steal cryptocurrency.

“We noted 97 domains, 37 links, and 31 documents used to phish victims in the report, spread out over more than 2½ years. So a relatively large, long-running campaign. We have noted activity ongoing into August 2020,” researchers at F-Secure told CyberNews.

As they pointed out, the US government keeps track of how much money North Korea might have raised through cyberattacks worldwide.

The August 2019 UN Security Council 1718 Committee Panel of Experts report estimates that North Korea had attempted to steal as much as $2 billion, of which $571 million is attributed to cryptocurrency theft.

At the end of August 2020, the US Justice Department filed a civil forfeiture complaint detailing two hacks of virtual currency exchanges by North Korean actors who allegedly stole millions of dollars’ worth of cryptocurrency. The complaint follows related criminal and civil actions announced in March 2020 pertaining to the theft of $250 million in cryptocurrency through other exchange hacks by North Korean actors.

Researchers at F-Secure, as well as other cybersecurity specialists, describe the Lazarus group as highly sophisticated.

“As noted in the report, we describe the attack as advanced, and that the threat actor displayed a high degree of sophistication through their operational security awareness,” they told CyberNews.

“They are attacking the world”

In July, Kaspersky found that Lazarus is now operating its own ransomware, VHD. Kaspersky had previously reported that Lazarus, the hacking group allegedly responsible for the theft of $81 million from the Central Bank of Bangladesh in 2016, had also attacked banks, casinos, financial investment software developers, and cryptocurrency businesses. CyberNews talked to Seongsu Park, a senior security researcher at Kaspersky.

“It is difficult to know their actual base, but they are attacking the world,” he told CyberNews. He elaborated that the Lazarus group’s primary motive is financial profit, but that it targets intelligence as well.

“Recently, they attacked the aerospace/defense industry aggressively,” Seongsu Park said.

A few weeks ago, the Defence Ministry of Israel reported an attack by North Korean hackers on its classified defense industry. Israel fears the attackers might have passed the intelligence to North Korea’s ally Iran.

Seongsu Park also reckons Lazarus hackers are sophisticated: “Their attack methods are rapidly changing into highly sophisticated forms, and they keep undertaking a wide variety of efforts, such as attacking various platforms and continuously introducing methods to evade detection.”

They showed a high level of sophistication while attacking Israel, too, reported the New York Times.

North Korean hackers keep introducing new methods to avoid detection, but researchers are constantly tracking the group using a variety of methods of their own.

Asked to name a few techniques that Lazarus employs, Seongsu Park pointed to the techniques widely used in recent campaigns targeting defense companies.

“Remote template injection: in spear phishing, if the victim executes a malicious document, it fetches another malicious document from a remote server and executes it. Reflective loading: mostly, the malware infection phase is conducted as a multi-stage infection. At the final phase of this infection, the malware fetches the final payload from the remote server and executes it in memory without saving it to disk,” elaborated Seongsu Park.

Hitting the hospitals

In 2017, the WannaCry worm hit the world, crippling hospital records and canceling thousands of doctors' appointments. The most worrying aspect of this malware was that you didn’t have to click on anything to get infected.

Europol estimated that 200,000 computers were infected across 150 countries. Computers that had not installed the latest Microsoft update were vulnerable to this cryptoworm.

The NHS (National Health System) in the UK suffered severely: almost 20 thousand appointments, including surgeries, were canceled. The crippling of hospital computers cost the British healthcare system more than 90 million pounds, the Telegraph reported. Various organizations in the US, Spain, France, Russia, Germany, Portugal, and other countries were also hit.

The WannaCry cryptoworm was attributed to North Korean hackers. The regime denied being responsible for the cyberattacks.

Lazarus also goes by the name Guardians of Peace or Hidden Cobra.