ST. MAARTEN – SECURITY ANALYST SUMMIT – Just days after reports surfaced that U.S. prosecutors were preparing to point fingers at the North Korean government for directing the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016, Kaspersky Lab unveiled new details on the hacking group believed to be conducting the attack and several others.
Considered to be one of the largest and most successful cyber heists ever, Kaspersky said there is a “high chance” that the attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.
On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.
The company also said that it managed to disrupt other potential Lazarus operations attempting to steal funds from unnamed banks in Southeast Asia and Europe.
While Kaspersky’s team believes Lazarus to be large group focused on infiltration and espionage operations, the company said a “substantially smaller” unit within the group responsible for financial profit exists, which they have dubbed Bluenoroff.
In February, researchers discovered an attack aimed at banks in Poland that were linked back to Lazarus. As part of the operation, the attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) so malware would be served to its visitors.
“The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many,” Kaspersky explained. “Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.”
Since December 2015, Kaspersky Lab was able to detect malware samples relating to Lazarus group activity that appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries.
Recent forensic analysis conducted by a Kaspersky Lab partner of a C2 server in Europe used by the Lazarus/Bluenoroff group also provided some interesting North Korea-related discoveries.
“Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2,” Kaspersky Lab’s Global Research & Analysis Team explained in a blog post. “Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”
Other firms, including BAE Systems and Symantec, previously had linked the Bangladesh theft to a series of cyber-attacks on the U.S. financial system and the hacking of Sony Pictures.
Still an Active Threat
Kaspersky’s team believes that Lazarus will remain one of the biggest threats to banking, finance and other firms for the next few years.
“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus
group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab. “We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”
Attribution Conclusion
While Kaspersky Lab did not officially accuse North Korea as being behind the attacks, the firm did display a strong case against the Hermit State. “This is the first time we have seen a direct link between Bluenoroff and North Korea,” the company said. “Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. Now, is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing IP in the C2 log, does make North Korea a key part of the Lazarus Bluenoroff equation.”
In a presentation at the Security Analyst Summit, Kamluk said that, while unlikely, another group could have invested a huge amount of money to frame North Korea. He also speculated that a third force could be involved to help North Korea from the outside.
Kaspersky has published a detailed report (PDF), which includes infiltration methods, their relation to attacks on SWIFT software, and insights on attribution. The report also includes Indicators of Compromise (IOC) and other data to help defenders detect possible Lazarus-related activity in their networks. They also produced a short video summarizing the activity of the group.
