Security Experts:

Connect with us

Hi, what are you looking for?



Here’s How North Korean Hackers Stole Data From Isolated Network Segment

During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.

During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.

For initial access, the group used phishing emails featuring COVID-19 themes and containing publicly available personal information of the intended victims. Next, they focused on credential harvesting and lateral movement, including gaining access to and exfiltrating data from restricted network segments.

Active since at least 2009, Lazarus has orchestrated multiple high-profile attacks. In 2019, they focused on crypto-currency exchanges, but switched to targeting COVID-19 research in 2020, including vaccine maker Pfizer. The group has also targeted security researchers, Google warned recently.

In a report this week, Kaspersky said Lazarus had been targeting the defense industry since at least mid-2020 using a malware cluster it named ThreatNeedle, which is an advanced cluster of the Manuscrypt malware (also known as NukeSped).

Through the use of spear-phishing, the attackers attempted to lure victims into opening a malicious Microsoft Office document and enabling macros to run, with multiple emails being delivered during the last two weeks of May 2020.

In early June, one malicious attachment was opened, providing the hackers with remote control of the system. The ThreatNeedle backdoor was deployed onto the victim’s system, allowing the adversary to perform reconnaissance and deploy additional payloads.

A ThreatNeedle installer-type malware was used for lateral movement, responsible for implanting the next stage loader-type malware, which in turn executes the ThreatNeedle backdoor in memory. The backdoor can manipulate files and directories, gather system info, control and update the backdoor, enter sleep/hibernation mode, and execute commands received from the attackers.

Following the initial foothold, the threat actor proceeded with the execution of a credential harvesting tool named Responder, and lateral movement. They were even able to steal data from a network segment that was cut off from the internet, by compromising a router used to connect to it.

Despite the organization’s effort to keep specific data secure using network segmentation, Lazarus was able to harvest administrative credentials to the router (a virtual machine running CentOS) used to connect to both network segments.

Furthermore, the hackers configured the Apache web server and used the router as a proxy between the two network segments. Thus, not only were they able to deploy malware onto machines in the restricted network segment, but they also managed to exfiltrate data from these machines (transfer of data between the two networks was otherwise strictly forbidden).

Using a custom tunneling tool, the adversary then attempted to create SSH tunnels from compromised server hosts to a remote server located in South Korea. In late September, the attackers started cleaning up their tracks from the router, eliminating most of the evidence of intrusion.

“We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group,” Kaspersky’s security researchers say.

The investigation also revealed links between ThreatNeedle and DeathNote (Operation Dream Job) and Operation AppleJeus, two clusters of activity previously attributed to Lazarus. Furthermore, ThreatNeedle also appears connected to the Bookcode cluster.

“In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks,” Kaspersky concludes.

Related: UN Experts: North Korea Using Cyber Attacks to Update Nukes

Related: North Korean Hackers Operate VHD Ransomware, Kaspersky Says

Related: U.S. Army Report Describes North Korea’s Cyber Warfare Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...