IT security researchers at WithSecure™ link a whistle-blowing campaign targeting medical research and energy organizations to North Korea’s Lazarus Group.
Thanks in part to an attacker’s operational security mistake, IT security researchers from WithSecure™ (formerly known as F-Secure Business) have now managed to trace a campaign of cyber attacks to North Korea’s infamous Lazarus Group.
The Lazarus Group is a so-called Advanced Persistent Threat (APT) actor widely believed to be part of North Korea’s Foreign Intelligence and Reconnaissance Bureau. Researchers learned of the group’s latest campaign after a suspected ransomware attack was detected at an organization protected by the WithSecure™ Elements security platform.
Upon further investigation of the attack, WithSecure™ researchers found several pieces of evidence that suggested the attack was part of a larger information gathering campaign, rather than a single ransomware incident.
Based on the evidence collected, the researchers were able to link the campaign to the Lazarus Group, which in this case targeted medical research and energy organizations with the intention of spying.
Specific attack targets identified by the researchers included a healthcare research organization, a manufacturer of technology used in the energy, research, defense and healthcare sectors, and a chemical engineering department at a leading university.
“Although this was initially suspected to be an attempted BianLian ransomware attack, the evidence quickly pointed us in a new direction. As we gathered more and more evidence, our belief that the attack was carried out by a group affiliated with the North Korean government was strengthened, and eventually we were able to safely conclude that the Lazarus Group was behind it,” says Sami Ruohonen, Senior Threat Intelligence Analyst at WithSecure™.
“During our investigation, we found that this was part of a larger campaign with an expanded number of targets, not just an isolated incident. It is extremely rare to be able to link a campaign to a perpetrator as clearly as we have been able to do here,” adds Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure™.
WithSecure™ researchers were able to attribute the campaign to the Lazarus Group because its tactics, techniques and procedures (TTPs) overlapped with those seen in previous attacks by the group and by other North Korea-linked attackers.
The researchers found several notable developments in this campaign compared to previous Lazarus Group activities, such as:
- Use of new infrastructure that, among other things, relies solely on IP addresses with no domain names, a departure from the group’s previous attacks.
- A modified version of the Dtrack malware, which is used to steal information and has been used by the Lazarus Group and Kimsuky (another group with North Korea links) in previous attacks.
- A new version of the GREASE malware, which allows attackers to create new administrator accounts with remote control privileges that bypass firewalls.
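Two of the traits listed above (command-and-control infrastructure addressed by bare IP with no domain name, and a tool that creates new administrator accounts with remote-control rights) each leave a footprint that a defender can hunt for in host telemetry. The following is an added example, not WithSecure™’s code or anything from the report: it runs two such hunts over hand-constructed sample events whose shapes loosely follow Sysmon (event 3 network connection, event 22 DNS query) and Windows Security (event 4720 account created, event 4732 member added to a local group). Hostnames, account names, the documentation-range IP addresses and the one-hour correlation window are all assumptions made for the example.

```python
"""Added example (not WithSecure's code): two hunts suggested by the campaign
traits described above, run over constructed sample telemetry.

Hunt 1: outbound connections to an IP that no earlier DNS answer on the same
host resolved to (infrastructure reached by bare IP, no domain name).
Hunt 2: a newly created local account that is then added to a privileged group
such as Administrators or Remote Desktop Users.

Event shapes loosely follow Sysmon (EID 3 network, EID 22 DNS) and Windows
Security (EID 4720 account created, EID 4732 member added to local group), but
every record below is a hand-constructed dict, not a real log line.
"""
from collections import defaultdict

# Constructed sample telemetry; IPs come from documentation ranges, not real IoCs.
EVENTS = [
    {"id": 22, "host": "ws1", "ts": 1, "query": "updates.example.com", "answers": ["203.0.113.10"]},
    {"id": 3, "host": "ws1", "ts": 2, "image": "svchost.exe", "dst": "203.0.113.10", "dport": 443},
    {"id": 3, "host": "ws1", "ts": 3, "image": "cmd.exe", "dst": "198.51.100.77", "dport": 443},
    {"id": 4720, "host": "ws1", "ts": 4, "target": "svc_backup", "subject": "Administrator"},
    {"id": 4732, "host": "ws1", "ts": 5, "member": "svc_backup", "group": "Remote Desktop Users"},
    {"id": 4732, "host": "ws1", "ts": 6, "member": "svc_backup", "group": "Administrators"},
    # alice was not created in this window, so this membership change is not flagged
    {"id": 4732, "host": "ws2", "ts": 7, "member": "alice", "group": "Administrators"},
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
CREATION_WINDOW = 3600  # seconds; assumption: creation within the last hour is "new"


def connections_without_dns(events):
    """Return (host, image, dst) for EID 3 connections whose destination IP
    was never returned by an earlier EID 22 DNS answer on the same host."""
    resolved = defaultdict(set)  # host -> set of IPs seen as DNS answers
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 22:
            resolved[ev["host"]].update(ev["answers"])
        elif ev["id"] == 3 and ev["dst"] not in resolved[ev["host"]]:
            hits.append((ev["host"], ev["image"], ev["dst"]))
    return hits


def new_accounts_made_privileged(events, window=CREATION_WINDOW):
    """Return (host, account, group) where an account created by EID 4720 is
    added to a privileged local group (EID 4732) within `window` seconds."""
    created = {}  # (host, account) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])] = ev["ts"]
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            key = (ev["host"], ev["member"])
            if key in created and ev["ts"] - created[key] <= window:
                hits.append((ev["host"], ev["member"], ev["group"]))
    return hits


if __name__ == "__main__":
    for hit in connections_without_dns(EVENTS):
        print("connection with no preceding DNS answer:", hit)
    for hit in new_accounts_made_privileged(EVENTS):
        print("new account added to privileged group:", hit)
```

On the sample data the first hunt flags only the `cmd.exe` connection to 198.51.100.77, because the `svchost.exe` destination was resolved from a domain name moments earlier; the second flags `svc_backup` twice, once per privileged group it was added to, while the pre-existing account on `ws2` is ignored. Both rules are deliberately narrow and would need tuning (allow-lists for legitimate IP-only services, DNS cache expiry, the correlation window) before running against production telemetry.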
One startling piece of evidence the researchers found was that the attackers briefly used one of the fewer than a thousand IP addresses allocated to North Korea. This address was observed connecting to a web shell controlled by the attackers, leading the researchers to suspect a manual mistake made by a team member.
However, mistakes like this should not be misinterpreted by defenders as a reason to lower their guard, according to Tim West, Head of Threat Intelligence at WithSecure™.
“Despite the failure, the attacker demonstrated skillful craftsmanship and still managed to execute sophisticated attacks against carefully selected endpoints. Even with the right endpoint detection techniques, organizations must constantly consider how they respond to alerts. They should also integrate focused threat intelligence with regular hunting for threat actors to gain deeper protection, especially against skilled and experienced adversaries,” says West.