Connect with us

Hi, what are you looking for?



North Korea-Linked Hacker Group Poses Serious Threat to Banks: Kaspersky

A North Korea-linked hacking group responsible for multiple financial and destructive attacks is believed to be the most serious threat against banks, security firm Kaspersky Lab says.

A North Korea-linked hacking group responsible for multiple financial and destructive attacks is believed to be the most serious threat against banks, security firm Kaspersky Lab says.

The group, referred to as BlueNoroff or Lazarus, has been associated with numerous high profile attacks over the past several years, including the devastating attack against Sony Pictures in late 2014. Last year’s $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank has been attributed to this group as well. 

The actor is also believed to have orchestrated an attack aimed at banks in Poland earlier this year, where the website of the Polish Financial Supervision Authority ( was hijacked and abused to deliver malware. The hackers inserted Russian words as decoy in the malware used in this attack, security researchers discovered.

Active since 2009 or earlier, Lazarus is believed to have been conducting a large campaign aimed at financial institutions worldwide. The operation is ongoing, with the most recent malware samples found in March. Kaspersky Lab says that currently the group “is probably the most serious threat against banks.”

BlueNoroff/Lazarus is, however, only one of the more than 100 threat actors and sophisticated malicious operations that Kaspersky Labs is monitoring at the moment. The attacks target commercial and government organizations in over 80 countries and show an evolution of these actors, with both Advanced Persistent Threat (APT) actors and financially motivated cybercriminals using the same tactics, techniques, and procedures (TTPs).

Other APT groups that were active during the first quarter of the year were Shamoon and StoneDrill, two separate actors that have aligned interests and which might be working together. Aimed at Saudi targets, the two malware families pack disk-wiping capabilities, which makes them extremely destructive.

According to Kaspersky, StoneDrill appears to have been around since 2014, with old samples attributed to the NewsBeef (Charming Kitten) group. The samples share the same credentials (username and password) for command and control (C&C) communications, and the security researchers suggest that StoneDrill might be a more recent version of NewsBeef artifacts.

Recently, StoneDrill was also used in attacks against targets in the energy industry in Europe, which suggests that the actor is expanding its reach outside of the Middle East, the security researchers suggest.

Advertisement. Scroll to continue reading.

Another piece of malware related to the Shamoon attacks is Ismdoor, a backdoor used in Saudi Arabia to target the oil and energy industry. The attackers were also found to have used mainly Powershell-based tools for lateral movement, and to have adopted the trend of using fileless generic malware for nefarious operations.

The use of generic tools in attacks has been generally associated mainly with “not-so-big actors or cybercriminals,” who wouldn’t create their own set of malicious programs. Some of the available frameworks that offer many options, especially for lateral movement, include Nishang, Empire, Powercat, and Meterpreter, all of which are based on Powershell and allow the use of fileless backdoors.

“We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions,” Kaspersky Lab explains.

Related: Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Related: Malware Attacks on Polish Banks Linked to Lazarus Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.