
Kaspersky Links Global Cyber Attacks to North Korea


ST. MAARTEN – SECURITY ANALYST SUMMIT – Just days after reports surfaced that U.S. prosecutors were preparing to point fingers at the North Korean government for directing the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016, Kaspersky Lab unveiled new details on the hacking group believed to be conducting the attack and several others.

The Bangladesh theft is considered one of the largest and most successful cyber heists ever. Kaspersky said there is a “high chance” that it and the related attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.

On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.

The company also said that it managed to disrupt other potential Lazarus operations attempting to steal funds from unnamed banks in Southeast Asia and Europe.

While Kaspersky’s team believes Lazarus to be a large group focused on infiltration and espionage operations, the company said a “substantially smaller” unit within the group is responsible for financial profit, which it has dubbed Bluenoroff.

In February, researchers discovered an attack aimed at banks in Poland that was linked back to Lazarus. As part of the operation, the attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) so malware would be served to its visitors.

“The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many,” Kaspersky explained. “Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.”

Since December 2015, Kaspersky Lab has detected malware samples relating to Lazarus group activity at financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries.

Recent forensic analysis conducted by a Kaspersky Lab partner of a C2 server in Europe used by the Lazarus/Bluenoroff group also provided some interesting North Korea-related discoveries.

“Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2,” Kaspersky Lab’s Global Research & Analysis Team explained in a blog post. “Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”
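The attribution hinge in that report is a single short connection from an unexpected address range among many proxied ones. The following is an added example, not code from the article or from Kaspersky, showing how a defender reviewing the access log of a server they own can surface exactly that pattern: parse common-log-format lines, compare each client address against the ranges the server owner expects, and report the outliers with their request counts. The log lines, the `/c2/index.jsp` path and the expected ranges are all constructed (RFC 5737 documentation addresses); no real operator infrastructure is referenced.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in the Tomcat/Apache "common" access-log format.
# Addresses come from RFC 5737 documentation ranges and stand in for real clients.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Jan/2017:09:12:01 +0000] "GET /manager/html HTTP/1.1" 200 1043
198.51.100.7 - - [20/Jan/2017:09:14:33 +0000] "POST /c2/index.jsp HTTP/1.1" 200 212
192.0.2.45 - - [20/Jan/2017:11:02:17 +0000] "POST /c2/index.jsp HTTP/1.1" 200 212
203.0.113.9 - - [20/Jan/2017:11:02:59 +0000] "GET /c2/index.jsp HTTP/1.1" 200 18
192.0.2.46 - - [20/Jan/2017:11:05:40 +0000] "POST /c2/index.jsp HTTP/1.1" 200 212
"""

# Placeholder (constructed) ranges from which the server owner expects
# administrative and application traffic. Anything else is worth a look.
EXPECTED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# One common-log-format request line: client, identity, user, [timestamp],
# "METHOD path protocol", status, response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_access_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def is_expected(ip: str, expected) -> bool:
    """True when the client address falls inside any expected network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expected)


def outlier_sources(entries, expected) -> Dict[str, List[Dict[str, str]]]:
    """Group requests by client address for every address outside the expected ranges.

    A single-entry group is the 'one short connection' case: an address that
    shows up briefly and never again deserves the closest scrutiny.
    """
    hits: Dict[str, List[Dict[str, str]]] = {}
    for entry in entries:
        if not is_expected(entry["ip"], expected):
            hits.setdefault(entry["ip"], []).append(entry)
    return hits


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for ip, requests in outlier_sources(parsed, EXPECTED_RANGES).items():
        paths = sorted({r["path"] for r in requests})
        print(f"{ip}: {len(requests)} request(s) outside expected ranges, paths {paths}")
```

In practice the expected ranges would come from the hosting provider's and administrators' known egress addresses, and the same grouping applied to Terminal Services or SSH authentication logs, which is where the forensic report quoted above found its evidence.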

North Korea Cyber Attack Attribution

Other firms, including BAE Systems and Symantec, previously had linked the Bangladesh theft to a series of cyber-attacks on the U.S. financial system and the hacking of Sony Pictures.

Still an Active Threat

Kaspersky’s team believes that Lazarus will remain one of the biggest threats to banking, finance and other firms for the next few years.

“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab. “We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”

Attribution Conclusion

While Kaspersky Lab did not officially accuse North Korea of being behind the attacks, the firm did display a strong case against the Hermit State. “This is the first time we have seen a direct link between Bluenoroff and North Korea,” the company said. “Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. Now, is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing the IP in the C2 log does make North Korea a key part of the Lazarus Bluenoroff equation.”

In a presentation at the Security Analyst Summit, Kamluk said that, while unlikely, another group could have invested a huge amount of money to frame North Korea. He also speculated that a third force could be involved to help North Korea from the outside.

Kaspersky has published a detailed report (PDF), which covers the group’s infiltration methods, its relation to attacks on SWIFT software, and insights on attribution. The report also includes Indicators of Compromise (IOCs) and other data to help defenders detect possible Lazarus-related activity in their networks. The company also produced a short video summarizing the activity of the group.


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
