Connect with us

Hi, what are you looking for?



Here’s How North Korean Hackers Stole Data From Isolated Network Segment

During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.

During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.

For initial access, the group used phishing emails featuring COVID-19 themes and containing publicly available personal information of the intended victims. Next, they focused on credential harvesting and lateral movement, including gaining access to and exfiltrating data from restricted network segments.

Active since at least 2009, Lazarus has orchestrated multiple high-profile attacks. In 2019, they focused on crypto-currency exchanges, but switched to targeting COVID-19 research in 2020, including vaccine maker Pfizer. The group has also targeted security researchers, Google warned recently.

In a report this week, Kaspersky said Lazarus had been targeting the defense industry since at least mid-2020 using a malware cluster it named ThreatNeedle, which is an advanced cluster of the Manuscrypt malware (also known as NukeSped).

Through the use of spear-phishing, the attackers attempted to lure victims into opening a malicious Microsoft Office document and enabling macros to run, with multiple emails being delivered during the last two weeks of May 2020.

In early June, one malicious attachment was opened, providing the hackers with remote control of the system. The ThreatNeedle backdoor was deployed onto the victim’s system, allowing the adversary to perform reconnaissance and deploy additional payloads.

A ThreatNeedle installer-type malware was used for lateral movement, responsible for implanting the next stage loader-type malware, which in turn executes the ThreatNeedle backdoor in memory. The backdoor can manipulate files and directories, gather system info, control and update the backdoor, enter sleep/hibernation mode, and execute commands received from the attackers.

Advertisement. Scroll to continue reading.

Following the initial foothold, the threat actor proceeded with the execution of a credential harvesting tool named Responder, and lateral movement. They were even able to steal data from a network segment that was cut off from the internet, by compromising a router used to connect to it.

Despite the organization’s effort to keep specific data secure using network segmentation, Lazarus was able to harvest administrative credentials to the router (a virtual machine running CentOS) used to connect to both network segments.

Furthermore, the hackers configured the Apache web server and used the router as a proxy between the two network segments. Thus, not only were they able to deploy malware onto machines in the restricted network segment, but they also managed to exfiltrate data from these machines (transfer of data between the two networks was otherwise strictly forbidden).

Using a custom tunneling tool, the adversary then attempted to create SSH tunnels from compromised server hosts to a remote server located in South Korea. In late September, the attackers started cleaning up their tracks from the router, eliminating most of the evidence of intrusion.

“We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group,” Kaspersky’s security researchers say.

The investigation also revealed links between ThreatNeedle and DeathNote (Operation Dream Job) and Operation AppleJeus, two clusters of activity previously attributed to Lazarus. Furthermore, ThreatNeedle also appears connected to the Bookcode cluster.

“In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks,” Kaspersky concludes.

Related: UN Experts: North Korea Using Cyber Attacks to Update Nukes

Related: North Korean Hackers Operate VHD Ransomware, Kaspersky Says

Related: U.S. Army Report Describes North Korea’s Cyber Warfare Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...