Lazarus Group is a highly sophisticated and adaptable APT group with a diverse range of targets and objectives. While financial gain is a significant motivator, their operations often serve broader geopolitical goals aligned with North Korea’s interests. The group demonstrates a high level of technical skill, rapidly developing and deploying custom malware and adapting to evolving security measures. The sharing of infrastructure, code, and resources between different North Korean threat actor groups makes precise attribution and defining group boundaries challenging.
While the exact number of members remains unknown, it’s understood to be a significant operation with various sub-groups, each specializing in different types of attacks.
- State-Sponsored Hacking Group: Strongly linked to the North Korean government, operating with its support and likely direction.
- Highly Sophisticated: Employs advanced techniques, including zero-day exploits and custom malware, demonstrating a high level of technical expertise.
- Diverse Targets: Attacks a wide range of entities, including governments, financial institutions, businesses, cryptocurrency exchanges, and even cybersecurity researchers.
- Significant Financial Gains: Has generated hundreds of millions of dollars through cryptocurrency heists and bank robberies.
- Evolving Tactics: Continuously adapts its methods and targets, making attribution and disruption challenging.
- Global Reach: Operations span numerous countries, demonstrating a significant international threat.
- Multiple Sub-Groups: Likely operates with specialized units focusing on different attack vectors (e.g., financial theft vs. espionage).
- International Sanctions: Subject to sanctions by the US Treasury’s OFAC, highlighting the international condemnation of its activities.
- Persistent Threat: Remains a significant and ongoing threat due to its resources, capabilities, and continuous operational activity.
- Attribution Challenges: While strongly linked to North Korea, definitively proving the group’s actions requires extensive investigation and forensic analysis.
Known Aliases of the Lazarus Ransomware Group
Hidden Cobra, Zinc, APT-C-26, Guardians of Peace, Group 77, Who Is Hacking Team, Stardust Chollima, Nickel Academy.
Lazarus Sub-Groups
Evidence suggests the Lazarus Group operates with specialized sub-groups, such as:
- BlueNorOff (APT38): Primarily focuses on financially motivated cybercrime, using SWIFT network manipulation and other techniques to steal money from banks and cryptocurrency exchanges.
- Andariel (Silent Chollima): Concentrates on espionage and attacks against South Korea.
Lazarus Group’s Country of Origin
North Korea. The group is attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK).
Key Characteristics and Activities of the Lazarus Group
- Attribution: Widely attributed to the North Korean government, with strong links to the Reconnaissance General Bureau, Korea Computer Center, and Nonserviam Cyber Warfare Command. The US Department of Justice has directly implicated the group in undermining global cybersecurity and generating illicit revenue to violate sanctions.
- Operational Methods: Employs sophisticated techniques including zero-day exploits, spearphishing, malware (including wipers and ransomware), disinformation campaigns, backdoors, and droppers. Their methods have evolved significantly over time, progressing from relatively unsophisticated DDoS attacks to highly complex operations targeting financial institutions and cryptocurrency exchanges.
- Targets: The group’s targets are diverse and include:
  - Governments: Primarily South Korea, but also others.
  - Financial Institutions: Banks worldwide, resulting in significant financial losses.
  - Businesses: Targeting various sectors, including entertainment (Sony Pictures), pharmaceuticals (AstraZeneca), and gaming (Axie Infinity).
  - Cryptocurrency Exchanges: Numerous attacks resulting in the theft of millions of dollars in cryptocurrency.
  - Cybersecurity Researchers: Attempts to compromise researchers through social engineering.
Most Recent Attacks of the Lazarus Group
- Operation Blacksmith (December 2023): Exploited the Log4Shell vulnerability (CVE-2021-44228) targeting manufacturing, agricultural, and physical security companies. Deployed new malware: NineRAT, DLRAT, and BottomLoader (all written in DLang). This campaign also leveraged HazyLoad.
- VMConnect Campaign (September 2023): Distributed malicious Python packages (including tablediter, request-plus, and requestspro) via the Python Package Index (PyPI), using typosquatting to disguise them as legitimate tools.
- August 2023: The FBI warned of Lazarus’s plan to convert over $40 million in stolen cryptocurrency into cash. Specific cryptocurrency wallet addresses were identified.
- August 2023: Breach of NPO Mashinostroyeniya (NPO Mash), a leading Russian missile manufacturer, attributed to Lazarus and ScarCruft. This involved the OpenCarrot backdoor and access to the email server.
Known High-Profile Victims of the Lazarus Group
- Operation Flame (2007): Initially linked to the Dark Seoul attack.
- Ten Days of Rain (2011): DDoS attacks against South Korean media, financial institutions, and US military facilities.
- Operation Troy (2009-2013): Espionage attacks against US and South Korean websites.
- South Korea Cyberattack (2013): Operation 1Million/Dark Seoul, attack against a South Korean bank and broadcast organization.
- Sony Pictures Entertainment attack (2014): This was a significant data breach and disruption operation.
- Bangladesh Bank heist (2016): This involved the theft of millions of dollars via the SWIFT system.
- WannaCry ransomware attack (2017): While not solely attributed to Lazarus, the group is suspected of involvement in the massive global ransomware campaign.
- Ronin Bridge attack (2022): This was the largest cryptocurrency heist to date, resulting in the theft of $620 million in Ethereum.
- Harmony’s Horizon Bridge Currency Theft (2023): A $100 million cryptocurrency heist.
- Alleged WazirX Hack (2024): Indian media reports suggest the group stole $234.9 million from this cryptocurrency exchange.
- Ongoing: Numerous attacks targeting cryptocurrency exchanges and users (Operation AppleJeus), financial institutions (FastCash), pharmaceutical companies (targeting COVID-19 vaccine research), and defense/aerospace companies (Operation ThreatNeedle, Operation In(ter)ception, Operation Dream Job). Attacks also target journalists, human rights organizations, and North Korean defectors.
Common Methods of Infiltration of the Lazarus Group
- Spear phishing: Targeted phishing emails, often disguised as legitimate communications. This is particularly prevalent in attacks against the defense and aerospace sectors and in “dream job” scams targeting security researchers.
- Supply-chain attacks: Compromising software or updates used by target organizations. This was evident in the VMConnect campaign using malicious Python packages on PyPI.
- Watering-hole attacks: Compromising websites frequently visited by target employees.
- Zero-day exploits: Exploiting previously unknown software vulnerabilities. Examples include the use of Adobe Flash Player, Microsoft Office, and vulnerabilities in South Korean software (like HWP). Recent campaigns also highlight the exploitation of Log4Shell (CVE-2021-44228) and vulnerabilities in VMware Horizon.
- Malware/Ransomware Strains:
  - Backdoors: Appleseed, HardRain, BadCall, Hidden Cobra, Destroyer, Duuzer, OpenCarrot.
  - Remote Access Trojans (RATs): Fallchill, Joanap, Brambul, NineRAT, DLRAT.
  - Ransomware: WannaCry.
  - Other Malware: Various custom-built malware, including loaders (BottomLoader), downloaders (DLRAT), and information stealers.
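A defensive pre-install check for the PyPI typosquatting described under the supply-chain entry and the VMConnect campaign, added here as an example and not code from the original profile or from any project it names: it normalises requirement names per PEP 503 and flags names within a small edit distance of a trusted package or built by bolting an affix onto one. The trusted list and the sample requirements are constructed; urlib3 is a made-up single-typo lookalike, and tablediter shows the limit of the heuristic, since it is not close to any name on the list and passes unflagged.

```python
import re
# Constructed allow-list of popular names (assumption: extend from your own SBOM).
TRUSTED = ["requests", "tabulate", "urllib3", "numpy", "pillow", "setuptools"]

# Constructed requirements: three VMConnect names, a made-up typo (urlib3), two genuine.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
request-plus
requestspro>=0.1
tablediter
urlib3>=1.26
numpy
"""

def normalize(name: str) -> str:  # PEP 503: lowercase; runs of '-', '_', '.' -> '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:  # edit distance, two-row DP form
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(name: str, trusted=TRUSTED, max_dist: int = 2):
    """Why `name` resembles a trusted package, or None (genuine or unrelated)."""
    n = normalize(name)
    trusted_norm = [normalize(t) for t in trusted]
    if n in trusted_norm:
        return None                            # the genuine package itself
    squashed = n.replace("-", "")
    for t in trusted_norm:
        d = levenshtein(n, t)
        if d <= max_dist:                      # single-typo squats, e.g. urlib3
            return f"edit distance {d} from trusted package '{t}'"
        stem = t[:-1] if t.endswith("s") else t   # request-plus drops the 's'
        if squashed.startswith(stem) and len(squashed) > len(stem):
            return f"trusted name '{t}' with an affix bolted on"   # requestspro
    return None

def scan_requirements(text: str) -> dict:
    """Map each flagged requirement name to its reason; clean names are omitted."""
    flagged = {}
    for spec in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        name = re.split(r"[=<>!~;\[ ]", spec, maxsplit=1)[0]   # drop version/extras
        if reason := lookalike_reason(name):
            flagged[name] = reason
    return flagged
```

Hits are a review queue rather than a block verdict: legitimately named extensions of a popular package will surface too, and names that imitate nothing on the list, like tablediter, still need package review or install-time controls.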