The Lazarus Heist: Where Are They Now?

 
Introduction

The BBC World Service has recently produced The Lazarus Heist podcast (available here), researched and presented by Geoff White and Jean H. Lee. This thrilling podcast dives into the intracacies of the elaborate Bangladesh Bank heist attempt to steal $1 billion. As a security researcher that actively tracks the Lazarus group and any mentions of North Korean cyber activity, I found this podcast series was extremely detailed and well researched. There are so many additional info gems that anyone who has researched North Korea will enjoy. I also highly recommend it for any threat intelligence analysts investigating North Korean cyber activity. 

The Lazarus Heist podcast also made me want to revisit what I have learned about North Korean advanced persistent threat (APT) groups. In February 2020, I blogged about who the Lazarus group is and what campaigns they are known for (see here). This was one of my first blogs and I was eager to learn more while researching this infamous APT group. I thought, therefore, I should write what I now know about the Lazarus group and the Reconnaissance General Bureua (RGB) of the Democratic People's Republic of Korea (DPRK).

Hacking the World Financial System

Fig. 1 - General overview of the Bangladesh Bank heist 
>> click to expand <<

The Lazarus Heist podcast analyses each step involved in the elaborate Bangladesh Bank heist, including how the intrusion began, post-exploitation activities, leveraging the SWIFT network, and the vast money laundering network. In short, the Lazarus group set out to steal up to $1 billion from the central bank of Bangladesh. Fortunately, due to several operational mistakes and spot of bad luck the group only managed to make off with less that one tenth of the original $1 billion they were after. [1, 2]


Fig. 2 - Malicious applications distributed by the Lazarus group to target financial institutions

In August 2020, US authorities, including CISA, US Cyber Command, the US Treasury, and the FBI, issued a joint advisory concerning a global campaign, dubbed FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. The BeagleBoyz reportedly represent a subdivision of HIDDENCOBRA (a codename for the North Korean government’s Reconnaissance General Bureau). Its attacks overlap with groups that the private cybersecurity industry calls Lazarus, Bluenoroff, and Andariel. These malicious actors have targeted ATMs, SWIFT systems, and cryptocurrency exchanges. It is estimated that over $2 billion has been stolen by the BeagleBoyz since 2015. [3]

North Korean cyberspies have also manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions. They leverage anti-digital forensic tools and wiper malware to destroy thousands of computers to distract from efforts to send fraudulent messages from the bank’s compromised SWIFT terminal. These state-sponsored cybercriminals also hacked and withdrew cash from ATM machines operated by various banks in upwards of 30 countries, including in the United States. 

The following nations’ financial institutions have been targeted by the BeagleBoyz from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, and Zambia.

Cryptocurrency

Cryptocurrency exchanges are a popular target for criminals. In terms of an actual heist, they represent a comparatively easier target than banks. Moreover, it is far easier for criminals to subsequently launder the funds and evade anti-fraud measures, which is often a key issue for any operation targeting financial organisations. In September 2020, Singapore-based cryptocurrency exchange KuCoin (kucoin.com) disclosed a major security breach that has resulted in the theft of hundreds of millions in Bitcoin, Ethereum and other ERC-20 tokens. Threat actors gained unauthorised access to the company systems and began stealing tokens from the hot wallets. Analysis of the blockchain linked to the cryptocurrency heist of the KuCoin exchange uncovered ties to the Lazarus group. The North Korean state-affiliated hackers reportedly stole over $275 million of cryptocurrency from the Singapore-based exchange. The attack was attributed to Lazarus due to the specific money laundering strategy the group has used in the past. Additionally, two deposit addresses to which Lazarus sent stolen funds this year also received cryptocurrency stolen in the Harvest Finance heist, suggesting the group also carried out that attack. [45, 6]

North Korean hackers are some of the most persistent threats targeting the cryptocurrency vertical globally. Security researchers track North Korea's cryptocurrency group as CryptoCore, which focuses on cryptocurrency firms in Europe, the US, Israel, and Japan. CryptoCore has been linked to five attacks on cryptocurrency exchanges and has been operating since at least 2018. The first stage of the attack involves spear-phishing high-ranking individuals connected to the target organisation to establish a foothold. Once a user is compromised, CryptoCore targets the user’s password manager to steal access keys for cryptocurrency wallets and account credentials. Once the keys are obtained, they login and manually turn off two-factor authentication. Virtual funds are then immediately transferred to attacker-controlled wallets. [7, 8, 9, 10, 11]

In February 2021, CISA released a malware analysis report (MAR) on AppleJeus, a hidden backdoor concealed inside fake cryptocurrency exchange applications. The Lazarus group used AppleJeus to target organisations in over 30 countries during 2020. The backdoored applications provided initial access to its victims’ networks to steal cryptocurrency from their virtual wallets. The North Korean government has used multiple variants of AppleJeus. The earliest versions appeared in 2018. The initial infection vector varied in this campaign, such as spear-phishing via emails, malicious links sent via social media, and other social engineering techniques. [12]

Traditional Cybercrime

Fig. 3 - The Department of Justice unsealed charges of a Trickbot operator from June 2021

In 2019, the Lazarus group was connected to the Trickbot banking Trojan through the use of a framework called Anchor. The Anchor project combines a collection of tools designed for targeted data extraction from secure environments and long-term persistence. Trickbot and Anchor were reportedly developed by a Russian-speaking threat group known as WizardSpider. The connection between Lazarus and WizardSpider highlights that much like common cybercriminals, these North Korean cyberspies are working with the Russian criminal underground. The Trickbot banking Trojan is one of the most advanced cybercriminal tools in the current threat landscape. It is a modular backdoor with up to 30 plugins for different attacks. It is able to perform so-called "web injects" for live credential harvesting attacks, typically targeting bank accounts for fraudulent wire transfers. The full partnership between Trickbot group and the Lazarus group is unknown, but for financially motivated state-sponsored threat actors, it is one of the most advanced tools for such operations. [131415]

In June 2021, the US Department of Justice unsealed an arrest warrant for “ALLA WITTE”, a 55-year-old woman who was apprehended in Ohio. She was reportedly one of the Trickbot quartermasters that developed the code and managed the Trickbot databases of stolen information. The rest of the indictment showed just how interconnected and well-organised this botnet operation is. It also gave researchers a deeper idea of how much money it was making. The wire transfers listed range from $44,900 to $230,400 across most of 2017 to 2018. There was even a failed attempt to transfer $691,570,000 between 19 and 20 October 2017. If this transaction was intentional - and not a typo - the Trickbot group could have also been in the running for the largest bank heist in history. The full arrest warrant document is 60 pages long - available here.

In July 2020, security researchers also attributed the Lazarus group to a number of Magecart style attacks against e-commerce websites. In the report, the researchers say the Lazarus group were found to be breaking into online stores of large US retailers and planting payment skimmers as early as May 2019. [16, 17]

Defence Industrial Base

Fig. 4 - Aerospace and DIB themed weaponised documents pushing Lazarus malware

State-sponsored APT groups regularly attempt to infiltrate aerospace and defence sector organisations. Throughout 2020 and the first half of 2021 North Korean APTs have launched multiple campaigns targeting these sectors, dubbed Operation Interception, Operation Dream Job, and Operation North Star by private security firms. The attacks do not appear to be financially motivated. By infecting an employee’s system at one of these organisations, the attackers would be able to steal highly sensitive and important intelligence on other foreign military capabilities. Persistent access, granted by the group's custom malware, can enable the adversary to monitor communications and continually siphon intelligence from its targets. Further, by targeting potential job seekers looking to leave their current role, this could have made some victims less likely to come forward and report an issue to their current employer’s cybersecurity teams - especially if they were compromised. [18, 19, 20]

COVID-19

In June 2021, CISA, the FBI, and the UK NCSC issued a joint security advisory regarding cyber threat actors from the DPRK targeting a number of pharmaceuticals, vaccine, and virology organisations, affiliated with Operation Warp Speed (OWS). As a follow up to the joint advisory, CISA and the FBI have shared further details regarding an intrusion in October 2020. There was a confirmed Lazarus attack on a US-based pharmaceutical company working on a vaccine for the SARS-CoV-2 variant of COVID-19. Kaspersky researchers also disclosed that in September 2020, Lazarus operators targeted a pharmaceutical company and, in October, the APT group went after a government ministry related to the COVID-19 response. [21 ,22]

The Lazarus group also targeted individual staff members at Operation Warp Speed entities via social media sites, such as LinkedIn, as well as corporate or personal email accounts. Fictitious job opportunities have been used to engage targets in conversations on private messaging apps; having built trust with the target, the threat actors send job-themed malicious documents which attempt to connect to a malicious URL that downloads malware onto the victim’s computer. After the initial compromise, the attackers work quickly to exfiltrate targeted information. This can take as little as a few days.

In February 2021, a member of the South Korean parliament’s intelligence committee claimed that North Korean cyber spies targeted Pfizer to obtain COVID-19 vaccine technology. Pfizer stated it would not comment on the matter. In November 2020, Reuters shared an exclusive report detailing the attacks launched by North Korean cyber operatives against British drugmaker, AstraZeneca. [23, 24]

Nuclear Weapons

The DPRK RGB groups are continuously launching intelligence gathering campaigns as part of North Korea's weapons of mass destruction (WMD) development programme. In June 2021, South Korean officials reported that North Korean hackers breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organisation that conducts research on nuclear power and nuclear fuel technology. The intrusion took place in May 2021, through a vulnerability in a virtual private network (VPN) server. These attacks were attributed to Kimsuky, another APT group that reportedly belongs to the DPRK RGB. [25]

In May 2020, South Korean security firm, ESTsecurity, disclosed disclosed a new cyber-espionage campaign linked to Konni, another North Korean APT. The group has been observed impersonating CISAC, an academic research foundation dealing with nuclear issues, in phishing lures. The researchers also noted that the payload used in this attack has also been implanted into malicious documents impersonating the 'North Korea Central Committee Conference' and '2020 Tokyo Paralympics'. [26]

Further, in September 2019, the US Treasury Department sanctioned three North Korean hacking groups (Lazarus, Andariel, Bluenoroff) for hacks aimed at stealing funds to funnel back into the country’s nuclear weapons and missile programs. [27]

Defectors

APT37 is thought to be a North Korean group that specialises in targeting defectors of the regime, particularly in South Korea. In November 2019, ESTsecurity identified suspected APT37 attacks using mobile malware against North Korean defectors living abroad. A malicious app was being distributed from a website masquerading as a sponsored fundraising effort for North Korean defectors. Notably, the app was advertised as a "secure messaging app", dubbed Dragon Messenger. The fake website was built with WordPress and contained a link to the official Google Play Store for the Dragon Messenger; when downloaded, the app is used for communicating on WiFi-only, not through the SIM. The app attempts to read SMS messages on victims' devices, exfiltrate the contact list, and record calls. [29]

In March 2020, ESTsecurity has uncovered a new APT37 campaign, dubbed Operation SpyCloud due to the use of Google Cloud services in spear-phishing attacks. Attribution was made to APT37 because of the deployment of the ROKRAT malware family, primarily agianst targets in South Korea, but also against Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. Many of the attacks targeted foreign, unification, and security workers, heads of organisations related to North Korea, and North Korean defectors. [30, 31]

Ransomware

Fig. 5 - Lazarus group's continued use of ransomware since WannaCry

Besides the Sony Pictures Hack and the Bangladesh Bank heist, the Lazarus group is perhaps most infamously known those outside the security industry for the WannaCry ransomware worm. However, Lazarus has continued to launch ransomware attacks long since the WannaCry outbreak. Hermes 2.1, VHD, Hansom, BestCrypt, and TFlower are other suspected extensions of the group’s ransomware arsenel. In some cases, it is unclear if these deployments are intended to generate funds or to burn endpoints and hide indicators. [32, 33, 34, 35, 36, 37]

0days
Fig. 6 - North Korean cyberspies targeting security researchers via social media
(Image credit: Cisco Talos)

0day vulnerabilities are one of the most valuable assets for APT campaigns, deemed by intelligence agencies as cyber-weapons. In January 2021, Google’s Threat Analysis Group (TAG) has disclosed a new campaign targeting security researchers working on vulnerability research. TAG attributed this campaign to a government-backed entity based in North Korea. [38]

Researchers were targeted via a number of methods: 10 Twitter accounts have been identified in this campaign and a fake research blog was also created to develop an air of legitimacy. Tweets containing URLs to the attacker’s blogs were also used to establish a false reputation as legitimate vulnerability researchers. Further investigation revealed that multiple platforms were used to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email. Once they had established contact with a researcher via direct messages, the threat actors attempted to share a Visual Studio Project containing a DLL backdoor that was executed through Visual Studio Build Events. The DLL is a custom malware that immediately established a connection with the attacker’s C&C servers.

South Korean cybersecurity firm, ENKI, also reported that some researchers in this campaign were targeted with an MHT file that contained an exploit for an Internet Explorer 0day vulnerability, tracked as CVE-2021-26411. [39]

Fig. 7 - Security researchers (myself included) disclosing suspected North Korean attacks

The types of vulnerabilities the attackers were seeking are high-value browser and kernel 0day bugs which can be weaponised for highly targeted intrusions. 0day brokers, such as Zerodium, offer up to $500,000 for a Chrome RCE or LPE bug and up to $80,000 for the Windows LPE, sandbox escape or bypass bug. These are coveted 0day vulnerabilities generally only leveraged by the most sophisticated attackers.

Indictments & Sanctions

In September 2018 and again in February 2021, the US Department of Justice indicted North Korean operatives for hacking campaigns. In March 2020, the US Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two Chinese nationals involved in laundering stolen cryptocurrency from several cyber intrusions carried out by the Lazarus group. [40, 41, 42]

Although the likelihood of the US ever arresting these individuals is incredibly low, these indictment aim to “refine the attribution of this crime spree to the DPRK military intelligence services, specifically the Reconnaissance General Bureau (RGB)”. The regime has become a “criminal syndicate with a flag", according to the DOJ indictment, which claims North Korea "harnesses its state resources to steal hundreds of millions of dollars.”

In March 2019, the United Nations (UN) DPRK Panel of Experts found that this illicit behaviour generates substantial revenue for North Korea. The country's regime can use these funds for its nuclear weapons and ballistic missile programs, prohibited by the UN. This activity also poses a significant operational risk to the financial services sector and erodes the integrity of the financial system. [43]

In July 2020, the US army also published a report detailing tactics used by North Korea, including those used by the country's cyber threat actors. This report is being used to train US troops and military leaders and lists various information about the Korean People's Army (KPA), including military tactics, weapons arsenal, leadership structure, troop types, logistics, and electronic warfare capabilities. [44]

Analysis

The Lazarus group continues to conduct well-planned, disciplined, and methodical cyber-operations more akin to espionage than standard cybercrime.

Fig. 8 - Mapped connections to all publicly documented North Korean APT groups
>> click to expand <<

It is widely known and publicly documented that the Lazarus group are not alone. There are multiple cyber-espionage and finanically motivated campaigns orchestrated by the DPRK RGB. The total number of North Korean APT groups is unknown and due to vendor clustering it is difficult to accurately attribute and link APT operations. Like many nation state adversaries, there are usually malware developers and malware operators. These individuals tend to move around and therefore sometimes the same malware for one campaign appears in a totally different set of attacks. 

Cybersecurity vendors that respond to North Korean computer network operations typically cluster activity based on their data sets. Each vendor has a different set of data from incident response engagements and tend to give the cluster of activity its own name. This is why there are various names for the same APT group. What is clear, is that North Korea has a large number of separate computer network operations with different objectives.

Fig. 9 - North Korean RGB's priority intelligence requirements

The North Korean government have heavily invested in its computer network operations. From tracking North Korean APT campaigns and victim disclosure notifications over the years we can establish what North Korea's priority intelligence requirements (PIRs) are. For a semi-isolated regime that struggles to generate resources legitimately, its current set of PIRs are unsurprising. North Korea is heavily sanctioned and unable to access many things we take for granted. Organised cybercrime campaigns have become a significant and reliable way for the North Korean regime to continue existing. 

Note: The Maltego file used for the diagrams in this blog is on my GitHub here.

Additional Resources

Popular posts from this blog

How Do You Run A Cybercrime Gang?

Operational Security Tips and Tricks

Gathering Intelligence on the Qakbot banking Trojan