Everything You Should Know About The Lazarus APT Group of North Korea
March 20th, 2018
Origin country: North Korea
Other Names: Hidden Cobra
Related Subgroups: "Bluenoroff", "Andariel"
First Seen: 2009
Famous attacks: "Bangladesh SWIFT attack", "Taiwan Heist", "WannaCry Ransomware"
TTPs: Back Door, Malware, DDoS, Trojan, Vulnerability Exploit, Data Leakage, Exploit Kit
Considered one of the most dominant hacker groups of 2017, the Lazarus Group was originally detected in 2009 during a cyber-espionage campaign against South Korea. In the past few years, Lazarus Group has issued a series of attacks mainly against the financial industry in the US and South Korea, each more sophisticated than the last. Back in 2016, the APT group carried out a cyber-attack against the Central Bank of Bangladesh, followed by a successful hack into SWIFT, the main platform for worldwide interbank financial telecommunication and funds transfers, which processes around 25 million communications (mostly money transfer transactions) per day around the world. The Lazarus Group successfully managed to log in to SWIFT using bank employee credentials and sent more than three dozen fraudulent money transfer requests to the Federal Reserve Bank in New York, asking the bank to transfer millions of the Bangladesh Central Bank's funds to several bank accounts in the Philippines, Sri Lanka and other countries in Asia. The group successfully stole approximately $81 million, which was sent to Rizal Commercial Banking Corporation in the Philippines via four different transfer requests, and an additional $20 million sent to Pan Asia Banking in a single request. Despite the high amount that the group managed to steal, the Central Bank of Bangladesh avoided much greater damage when it halted a few dozen other transfer requests totaling $851 million.
The group is also said to be responsible for a campaign in February 2017 that targeted financial institutions worldwide. This was done by using infected websites to redirect victims to a customized exploit kit. In April 2017, researchers suggested that Lazarus Group had initiated a few watering-hole attacks in several countries worldwide against financial institutions, casinos, financial-trade software developers, and cryptocurrency businesses. In August 2017, Lazarus Group appears to have taken part in another campaign, likely in cooperation with other groups, against U.S. defense contractors. The attackers used spear-phishing emails describing job openings at various U.S. defense contractors in order to encourage users to download and open Word documents with malicious macros.
To learn more about some of Lazarus' most famous attacks, the timeline of their activity, and subgroups of the organization, download our report on the Most Notable Hackers of 2017.