Lazarus Group strikes medical research and energy sectors for intelligence gain

North Korea is most likely behind cyberattacks on research organizations.

The attack was allegedly conducted by a notorious North Korean threat actor, the Lazarus Group. Finnish cybersecurity company WithSecure released a report attributing cyberattacks to the Lazarus Group. The campaign was aimed at public and private research organizations, medical research, and the energy sector as well as their supply chain.

It is estimated that the hacking group exported approximately 100GB of data after compromising an unnamed customer. According to WithSecure, the campaign most likely was for intelligence gains.

Exploited mail server

Reportedly, the threat actor gained access to the network by exploiting vulnerabilities in the Zimbra mail server in August. In early October 2022, the threat actor shifted their focus to a vulnerable Windows XP device connected to a domain.

Over the course of the next month, the attacker continued to carry out lateral movement and reconnaissance, and deployed several custom tools and malware, including Dtrack and a new version of GREASE, as discovered by WithSecure.

WithSecure codenamed the incident ‘No Pineapple,’ due to an error message in a backdoor which will append < No Pineapple! > in the event data exceeds segmented byte size.

Stated-backed cyberattacks

Previous reporting on similar campaigns highlights that Lazarus Group is targeting of technology with military implementations. WithSecure assesses that this type of targeting continued through Q4 2022 as well. The North Korean regime backs cybercrime. North Korea allegedly has around 6,000 hackers who operate in over 150 countries.

In 2019, the UN security council report stated that since 2016, North Korea has increasingly relied on hacking to generate income for the country's treasury. It is believed that most of the proceeds from these criminal activities are likely allocated to the national defense budget – to fund nuclear and missile testing.