Lazarus Group

A 53-page report released today by Group-IB, a Russian cyber-security vendor, contains new evidence that cements the theory that the North Korean government is behind the Lazarus Group, a cyber-espionage outfit.

Historically, the name Lazarus Group has been used to describe an APT (Advanced Persistent Threat), a term reserved for nation-state actors that specialize in cyber-espionage.

The Lazarus Group, also known as DarkSeoul in some reports, was the name given to an APT that became active in 2009. During its lifetime, cyber-security vendors have tracked four major Lazarus Group campaigns.

While the first two campaigns hit South Korean targets, the last two went global, taking aim at the Sony Pictures movie studio (Operation Blockbuster) and at the SWIFT interbank transfer systems deployed at several banks around the world (Bangladesh, Uruguay, Vietnam, Poland, Ukraine, the Philippines, etc.).

Lazarus Group timeline

All these major hacking campaigns, along with smaller hacks here and there that were not part of them, have left a trail of evidence in the group's wake.

Of all the attacks, the SWIFT bank hacks left the most clues, because those operations targeted banks all over the globe rather than a few computers in government agencies or individual businesses, as the group's earlier operations did.

The Lazarus attacks on SWIFT-connected banks involved a larger number of targets because of the vast amount of reconnaissance the group had to carry out to get past the high-grade security systems deployed at those banks.

"We have detected and thoroughly analyzed the C&C infrastructure used by Lazarus," says Dmitry Volkov, Head of the Threat Intelligence Department and Co-founder of Group-IB. "Our research shows how hackers gained access to the banks' information systems, what malware they used, and who their attempts were aimed at."

Researchers find main C&C servers used to coordinate attacks

According to Group-IB specialists, following the publication of the Operation Blockbuster report in the winter of 2016, the group was forced to scrap most of its tools and tactics.

Group-IB says it observed new hacking tools, deployed through complex multi-stage techniques and controlled via a three-layer C&C server infrastructure; this new malware was used solely in the SWIFT attacks.

After months of digging through evidence, Group-IB says it identified the two IP addresses at the top of this C&C hierarchy.

The first, 210.52.109.22, is assigned to China Netcom, a Chinese company. Group-IB says, however, that it heard from sources that the 210.52.109.0/24 block has since been assigned to North Korea. That claim is currently unconfirmed, and it illustrates a general caveat: allocation records change over time, so a WHOIS lookup made today does not necessarily show who held a block when the attacks took place.

Nonetheless, the location of the second C&C server IP address speaks volumes.

175.45.178.222 belongs to a North Korean Internet service provider. WHOIS records show the address allocated to the Potonggang District of Pyongyang, perhaps coincidentally the location of the National Defence Commission, the highest military body in North Korea.
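As an added example (this is not Group-IB's tooling and is not part of the original article), the script below shows the kind of offline check a practitioner would run on the two addresses above: parse an RIR-style WHOIS `inetnum` record, confirm the queried address actually falls inside the allocated range, summarize the allocation, and diff two snapshots of the same block to surface the reassignment caveat raised for 210.52.109.0/24. The WHOIS records embedded here are constructed samples that mirror the field layout of real records; the netnames, description lines and the "later" record are placeholders, not live lookup results.

```python
"""Offline triage of C2 IP addresses against WHOIS 'inetnum' records.

Added example, not Group-IB's tooling. The WHOIS texts below are
CONSTRUCTED samples in the layout of RIR inetnum objects; netnames,
description lines and the 'later' record are placeholders, not real
lookup results.
"""
import ipaddress
import re

# Constructed sample records, keyed by the address that was "queried".
SAMPLE_WHOIS = {
    "175.45.178.222": """\
inetnum:        175.45.176.0 - 175.45.179.255
netname:        EXAMPLE-KP-NET
descr:          Example ISP (constructed record)
descr:          Potonggang District, Pyongyang
country:        KP
status:         ALLOCATED PORTABLE
""",
    "210.52.109.22": """\
inetnum:        210.52.109.0 - 210.52.109.255
netname:        EXAMPLE-CN-NET
descr:          Example carrier (constructed record)
country:        CN
status:         ALLOCATED NON-PORTABLE
""",
}

# Hypothetical later snapshot of the same /24, to exercise the reassignment check.
LATER_WHOIS_210 = """\
inetnum:        210.52.109.0 - 210.52.109.255
netname:        EXAMPLE-REASSIGNED
descr:          Placeholder: reassigned block (constructed record)
country:        KP
status:         ALLOCATED PORTABLE
"""

KEY_VALUE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*\S)\s*$")


def parse_whois(text):
    """Parse 'key: value' lines into a dict of lists (keys such as descr repeat)."""
    record = {}
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if match:
            record.setdefault(match.group(1), []).append(match.group(2))
    return record


def inetnum_to_networks(inetnum):
    """Turn 'A - B' range notation or CIDR notation into ip_network objects."""
    if "-" in inetnum:
        low, high = (part.strip() for part in inetnum.split("-", 1))
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(low), ipaddress.ip_address(high)))
    return [ipaddress.ip_network(inetnum, strict=False)]


def covered(ip, whois_text):
    """True if the queried address really lies inside the record's inetnum."""
    nets = inetnum_to_networks(parse_whois(whois_text)["inetnum"][0])
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(ip, whois_text):
    """Summarize the allocation an address maps to; refuse mismatched records."""
    if not covered(ip, whois_text):
        raise ValueError(f"{ip} is outside the record's inetnum range")
    record = parse_whois(whois_text)
    nets = inetnum_to_networks(record["inetnum"][0])
    return {
        "ip": ip,
        "block": ", ".join(str(net) for net in nets),
        "netname": record.get("netname", ["?"])[0],
        "country": record.get("country", ["?"])[0],
        "descr": " / ".join(record.get("descr", [])),
    }


def allocation_changed(old_text, new_text, fields=("inetnum", "netname", "country")):
    """Return the attribution-relevant fields that differ between two snapshots.

    WHOIS is a point-in-time view: a block may have been reassigned since the
    activity under investigation, so a current lookup alone does not prove who
    held the address while the C2 was active.
    """
    old, new = parse_whois(old_text), parse_whois(new_text)
    return [field for field in fields if old.get(field) != new.get(field)]


if __name__ == "__main__":
    for ip, text in SAMPLE_WHOIS.items():
        print(classify(ip, text))
    print("210.52.109.0/24 changed fields:",
          allocation_changed(SAMPLE_WHOIS["210.52.109.22"], LATER_WHOIS_210))
```

The range check matters because WHOIS servers answer with the most specific object covering a query; a record whose `inetnum` does not contain the address you asked about usually means a typo or a stale referral and should not be used for attribution. Keeping dated snapshots and diffing them is the practical answer to "the block was reassigned in the meantime".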

Previous intelligence-community reports have identified Lazarus Group as Bureau 121, a division of the Reconnaissance General Bureau, the North Korean intelligence agency that sits under the National Defence Commission.

Links to 2014 hack

By tying this IP address to the Potonggang District of Pyongyang, North Korea's capital, Group-IB researchers feel confident they have put the Lazarus Group attribution debate to rest once and for all.

Their findings are also supported by the conclusions of South Korean investigators, who traced the hack of two defense contractors to the same IP address.

The hack took place in July 2014, when the Lazarus Group breached SK Group and Hanjin Group and stole details about a medium-altitude unmanned surveillance vehicle (drone) and blueprints of the wing design of the US F-15 jet fighter. The same IP address, 175.45.178.222, appears in a South Korean TV station's report on the hack.

Lazarus Group is masquerading as Russian hackers

The Group-IB report published today also confirms a BAE Systems report from February, in which BAE experts revealed that the malware used in the SWIFT attacks over the past year contained false flags intended to pin the hacks on Russian hackers.

Like BAE, Group-IB experts found misused Russian words and other clues that the Lazarus Group was trying to pass itself off as Russian-speaking hackers. These include Flash and Silverlight exploits borrowed from sets of exploits created by Russian-speaking hackers, and the use of Enigma Protector, an anti-tampering protector for executable files developed by a Russian company.

Experts found these clues despite the Lazarus Group's sustained efforts to create new malware strains to replace those previously exposed. An earlier BAE Systems report had also linked the new malware used in the SWIFT bank attacks to previous Lazarus Group operations.

Details, modus operandi, and IOCs about the new Lazarus Group malware are available in Group-IB's Lazarus Arisen report. Last week, Symantec also published a summary of past Lazarus Group attacks.

Image credits: Group-IB