Lazarus Group – North Korean Persistent Threat
In recent years, the name Lazarus Group has become synonymous with some of the most high-profile cyber attacks and financially-motivated hacking campaigns in the world.
This notorious hacking group, believed to be based in North Korea, has been active for over a decade and has been responsible for a series of devastating attacks on targets around the globe.
Who is Lazarus Group?
Lazarus Group goes by many names. Although Lazarus is the most common name, they are also known as Labyrinth Collima, Covellite, UNC4034, Zinca and Nickel Academy.
This group is a well-known hacking collective that is widely believed to be a state-sponsored threat group that is backed by the North Korean government. The group is known for carrying out cyber attacks and espionage campaigns on behalf of the North Korean regime, often targeting financial institutions, governments, blockchain technologies and critical infrastructure.
Capabilities
The group’s tactics and techniques have evolved over time, but they are known for their expertise in malware development, social engineering, and advanced persistent threats. Lazarus Group is also known for using a wide range of sophisticated tools and tactics, including zero-day vulnerabilities and custom-built malware, to compromise their targets.
When did Lazarus Group First Emerge?
Lazarus Group first emerged in the early 2000s, but it wasn’t until 2011 that the group began to attract widespread attention from the security community. That year, the group was responsible for a series of high-profile attacks on South Korean military and government targets, including the hacking of the country’s defense ministry.
Campaigns
Since then, Lazarus Group has been implicated in a number of other attacks around the world, including the 2014 attack on Sony Pictures, the 2016 theft of $81 million from the Bangladesh Bank, and the 2017 WannaCry ransomware attack.
As mentioned, Lazarus Group has been involved in a wide range of cyber attacks and campaigns over the years. Some of the most notable attacks attributed to the group include:
- Operation DarkSeoul: In 2013, Lazarus Group carried out a massive attack on South Korean banks and media companies, along with ATMs and mobile payments services using a variety of tactics including distributed denial of service (DDoS) attacks, but mostly by a wiping malware Lazarus Group has developed particularly for this campaign.
- Sony Pictures Hack: In 2014, Lazarus Group was responsible for a devastating cyber attack on Sony Pictures, which resulted in the theft of confidential data and the leaking of sensitive information. Some speculations suggest that the attack was a direct order from North Korea’s government due to the movie The Interviewfeaturing James Franco and Seth Rogen.
- SWIFT Banking Attacks: In 2016, Lazarus Group carried out a series of attacks on banks around the world, using stolen SWIFT credentials to initiate fraudulent transactions. By doing so it seems that the group was able to steal hundreds of millions of dollars from banks around the world.
- WannaCry Ransomware: In 2017, Lazarus Group was linked to the WannaCry ransomware attack, which affected hundreds of thousands of computers in more than 150 countries. The majority of the attack lasted between May 12 and May 15 and was propagated by the EternalBlue exploit that was developed by the NSA.
- Horizon Blockchain Bridge Campaign: In 2022, Lazarus Group was able to exploit a vulnerability and to steal $100 million worth of crypto assets.
- Axie Infinity Attack: In 2022, maybe one of Lazarus Group’s greatest heists ever was taken place as they targeted the Axie Infinity play-to-earn crypto game as they were able to steal $615 million worth of crypto assets.
Who is Behind Lazarus Group?
While it’s difficult to definitively prove that Lazarus Group is directly tied to the North Korean government, there is significant evidence suggesting that this is the case. For example, the group has been linked to IP addresses and infrastructure used exclusively by North Korean entities, and some members of the group have been identified as having connections to the North Korean government.
Over the years, Lazarus Group has demonstrated a remarkable ability to adapt and evolve its tactics and techniques. This has led some experts to suggest that the group’s capabilities are growing, and that it may be developing more advanced and sophisticated attack methods in the future.
Despite being one of the most active and high-profile hacking groups in the world, Lazarus Group continues to operate with a great deal of secrecy and sophistication. As such, it remains a major threat to organizations around the world, particularly those involved in finance and critical infrastructure.