Lazarus Hacking Group: An Examination of its Patterns, Targeting, and Methodology
Key notes
Provide a description of Lazarus hacking group: Describing the Lazarus group, their history, target selection, and methodology
Describe a pattern in the qualitative descriptions: Examining Lazarus group attack patterns that may provide predictive or attributive value to cybersecurity efforts
Examine known links between Lazarus and the N. Korean state: Looking at known links between Lazarus and North Korea for anecdotal evidence of N. Korea’s economic development/current state
Introduction
Lazarus is a North Korean state-sponsored hacking group responsible for numerous cyber crimes [1]. Hacking involves identifying and exploiting weaknesses in a computer system or network, usually to obtain clandestine information [2]. Many nation-state actors use sophisticated hacking techniques as part of cyberwarfare operations to weaken opposing states and actors [3]. Hacking can be divided into five main phases: reconnaissance; scanning, wherein information about a system is obtained and examined for vulnerabilities; gaining access; maintaining access; and covering one's tracks [4].
Lazarus Hacking Methods
Information collection and gaining access are the most important phases and use many techniques, often in tandem, to generate the information that will lead to a hack. These techniques can be divided into those that harvest data through digital infrastructure and those that harvest data through physical infrastructure. Common digital methods include phishing, OSINT methods, and watering hole attacks. These methods often install keylogging software or other spyware that allows hackers to obtain personal data such as passwords, social security numbers, and bank account information [5]. Common methods targeting physical infrastructure include “riding” an ATM or card reader at a convenience store, a man-in-the-middle attack against public Wi-Fi, or packet sniffing on public Wi-Fi [6].
Phishing involves sending emails or making social media posts in order to gain personal information that may be used to gain unauthorized access to a computer system. Often the hacker picks a target and pretends to be someone the target knows or cares about to entice them into clicking a malicious link that installs harmful software [5].
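As an added illustration (not part of the original paper), the following Python script applies three checks that a mail gateway or analyst commonly uses to flag the impersonation described above: a Reply-To header that points to a different domain than the From address, a sender domain that imitates the organisation's own while not being it, and link text that displays one URL while the href leads elsewhere. The two sample messages, every domain name in them, and the two-label "registrable domain" heuristic are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims the target's
# payroll team, the sending domain imitates the organisation, Reply-To points to a
# third domain, and the visible link text differs from the real href.
PHISHING_SAMPLE = """\
From: "Acme Corp Payroll" <payroll@acme-corp-secure.example.net>
Reply-To: collect@mailbox.example.org
To: employee@acme-corp.example.com
Subject: Action required: verify your payroll details
Content-Type: text/html; charset="utf-8"

<html><body><p>Please visit
<a href="http://acme-corp-secure.example.net/login">https://hr.acme-corp.example.com/login</a>
to confirm your details.</p></body></html>
"""

# Constructed benign sample: everything lines up with the organisation's domain.
BENIGN_SAMPLE = """\
From: "HR Team" <hr@acme-corp.example.com>
To: employee@acme-corp.example.com
Subject: Holiday schedule
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://hr.acme-corp.example.com/holidays">https://hr.acme-corp.example.com/holidays</a>.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+')


def registrable_domain(host: str) -> str:
    """Last two DNS labels; an assumption standing in for a public-suffix list."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mailbox_host(header_value) -> str:
    """Domain part of the first address in a From/Reply-To header, lowercased."""
    _, addr = parseaddr(str(header_value or ''))
    return addr.rpartition('@')[2].lower()


def phishing_indicators(raw_message: str, org_domain: str) -> list:
    """Return the sorted list of indicator names that fire for the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = set()

    from_host = mailbox_host(msg.get('From'))
    reply_host = mailbox_host(msg.get('Reply-To'))

    # 1. Replies are redirected to a domain unrelated to the apparent sender.
    if reply_host and registrable_domain(reply_host) != registrable_domain(from_host):
        findings.add('reply_to_domain_mismatch')

    # 2. Sender is not the organisation but reuses its brand label in the host name.
    brand = org_domain.lower().split('.')[0]
    if from_host != org_domain.lower() and brand in from_host:
        findings.add('lookalike_sender_domain')

    # 3. Visible link text is a URL whose domain differs from the href's domain.
    body = msg.get_body(preferencelist=('html', 'plain'))
    html = body.get_content() if body is not None else ''
    for href, inner in ANCHOR_RE.findall(html):
        shown = URL_RE.search(re.sub(r'<[^>]+>', '', inner))
        if shown is None:
            continue
        shown_host = urlparse(shown.group(0)).hostname or ''
        href_host = urlparse(href).hostname or ''
        if registrable_domain(shown_host) != registrable_domain(href_host):
            findings.add('link_text_href_mismatch')

    return sorted(findings)


if __name__ == '__main__':
    for label, sample in (('phishing', PHISHING_SAMPLE), ('benign', BENIGN_SAMPLE)):
        print(label, phishing_indicators(sample, 'acme-corp.example.com'))
```

None of the three indicators is proof on its own (mailing-list software legitimately rewrites Reply-To, for instance), which is why the function returns the set of indicators rather than a verdict and leaves scoring to the caller.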
OSINT methods examine publicly available technical specifications for systems and technologies for vulnerabilities overlooked by the manufacturer that provide access to a system. This is often a tactic used with small Internet connected devices such as cameras or drones [5].
Watering hole attacks target specific websites that a target tends to visit and implant malicious links into those websites that install the software [5].
Spoofing involves creating falsified credentials to pose as another entity. This may be done as part of a phishing scam, to pose as a website, or for a variety of other reasons. All of these techniques may be used in tandem or as their own attack [5].
Zero-days are the most dangerous method of entry, as they exploit vulnerabilities in a piece of software that have not yet been seen by its vendor, and so remain unpatched, to give hackers access. Since these vulnerabilities are unseen, hackers adept at covering their tracks may have unfettered access to any device on which this software is installed until they choose to reveal themselves. How damaging this is depends on exactly what the exploit is and what system it is installed on; however, the technique has the potential to be incredibly damaging, as will be seen [7].
Analysis
ATM and card reader hacks use devices implanted onto or within the technology to steal credit card data. This may be installed after-market outside the device or during fabrication using an employee planted within the fabrication outfit [8].
Spoofing public Wi-Fi and packet sniffing involve installing a malicious device between a public Wi-Fi access point and end users. This device then views all traffic transmitted between end users and the access point. Packet sniffing is the act of “sniffing” through the packets of data sent over the public Wi-Fi for sensitive data [5].
Often these techniques will result in the hacker obtaining a meaningful enough cache of data without further exploitation. This is especially true if the hacker is targeting “low hanging fruit” such as individual credit card or social security information for their personal use or for sale on the black market.
More sophisticated hacks rely on the information gained through the first step to deliver malicious software that will enable hackers to invade a target system. Payloads used during these more sophisticated hacks are often highly targeted, both at the individual system vulnerability and at the end goal of the virus. These end goals may be the destruction of key infrastructure, the taking of data hostage in exchange for a ransom, gathering additional data held in more secure parts of the system, or simply producing fraudulent transactions for monetary or personal gain.
Infrastructure destruction is often facilitated by a DDoS, or Distributed Denial of Service, attack. In these attacks hackers send so many requests to the server hosting the infrastructure that the maximum load the server can carry is exceeded, causing a failsafe to trigger and the infrastructure to go down. Commonly this method of attack is used against websites, but it can also be used to throttle bandwidth and cause massive slowdowns for Internet Service Providers [5].
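As an added example from the defender's side (not code from the original paper), the following Python script shows the two rate checks an operator would run over a web server's access log to spot a flood like the one described above: a per-client sliding window that catches a single source hammering the server, and an aggregate window that still fires when the load is spread across many sources and no single client crosses the per-client threshold. The log format is the common Apache/nginx layout; the log lines, addresses (RFC 5737 test ranges) and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log style line: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line: str):
    """Return (client_ip, timestamp) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def flood_sources(lines, window_seconds: int = 10, threshold: int = 50) -> dict:
    """Map each client that sent >= threshold requests inside any window to its peak count.

    Lines are assumed to be in chronological order, as a live access log is.
    """
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, ts = parsed
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def peak_total_rate(lines, window_seconds: int = 10) -> int:
    """Peak number of requests from all clients inside any window. A distributed
    flood shows up here even when no single client crosses the per-client threshold."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts = parsed[1]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def build_sample_log() -> list:
    """Constructed log: one client sends 120 requests in 4 seconds (30/s) while
    another sends 10 requests spread over 30 seconds."""
    base = datetime(2024, 11, 4, 13, 55, 36, tzinfo=timezone.utc)
    events = []
    for i in range(120):
        events.append((base + timedelta(seconds=i // 30), '203.0.113.7', '/'))
    for i in range(10):
        events.append((base + timedelta(seconds=3 * i), '198.51.100.23', '/index.html'))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
            for ts, ip, path in events]


SAMPLE_LOG = build_sample_log()

if __name__ == '__main__':
    print(flood_sources(SAMPLE_LOG))    # {'203.0.113.7': 120}
    print(peak_total_rate(SAMPLE_LOG))  # 124
```

In practice the thresholds are set from the server's normal traffic baseline, and the per-client check is only useful against unsophisticated floods; the aggregate check, or an upstream provider's scrubbing, is what catches a genuinely distributed attack.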
Holding data hostage is done via ransomware attacks. These viruses embed themselves in a computer system and spread, before encrypting critical files and demanding a ransom be paid in exchange for a decryption key. This is most effective against key businesses that rely on having no downtime to function, such as hospitals or oil pipelines [9].
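The following Python script is an added example (not from the original paper) of the file-level heuristics a host monitor uses to notice the encryption phase described above: ciphertext has near-maximal byte entropy, an encrypted document no longer starts with the header its extension promises, and ransomware often appends its own extension to the original name. High entropy alone is not enough, because archives and images are high-entropy too, so a file is reported only when entropy is high and its name or header no longer fits. The in-memory sample files, the small magic-number table and the 7.5 bits/byte threshold are constructed assumptions; a seeded PRNG stands in for ciphertext.

```python
import math
import random
from collections import Counter

# Expected leading bytes for a few common document types (assumption: a small
# table standing in for a full magic-number database).
MAGIC = {
    '.png': b'\x89PNG\r\n\x1a\n',
    '.pdf': b'%PDF-',
    '.zip': b'PK\x03\x04',
    '.docx': b'PK\x03\x04',
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def magic_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a header the content does not carry."""
    ext = name[name.rfind('.'):].lower() if '.' in name else ''
    expected = MAGIC.get(ext)
    return expected is not None and not data.startswith(expected)


def inner_extension(name: str) -> str:
    """For 'report.pdf.locked' return '.pdf': ransomware often appends an extension."""
    parts = name.lower().split('.')
    return '.' + parts[-2] if len(parts) >= 3 else ''


def suspicious_reasons(name: str, data: bytes, entropy_threshold: float = 7.5) -> list:
    """All heuristics that fire for one file, in a fixed order."""
    reasons = []
    high = shannon_entropy(data) > entropy_threshold
    if high:
        reasons.append('high_entropy')
    if magic_mismatch(name, data):
        reasons.append('magic_mismatch')
    if high and inner_extension(name) in MAGIC:
        reasons.append('renamed_document')
    return reasons


def scan(files: dict) -> dict:
    """Report a file only when entropy is high AND its name or header no longer fits."""
    out = {}
    for name, data in files.items():
        reasons = suspicious_reasons(name, data)
        if 'high_entropy' in reasons and len(reasons) > 1:
            out[name] = reasons
    return out


def build_sample_files() -> dict:
    """Constructed in-memory 'files'; random bytes from a seeded PRNG stand in for ciphertext."""
    rng = random.Random(7)
    return {
        'report.pdf': b'%PDF-1.7\n' + b'Quarterly figures, see table 3. ' * 100,
        'report.pdf.locked': rng.randbytes(4096),            # encrypted copy with appended extension
        'invoice.docx': rng.randbytes(4096),                  # encrypted in place, name kept
        'backup.zip': b'PK\x03\x04' + rng.randbytes(4096),    # legitimate compressed archive
    }


if __name__ == '__main__':
    for name, reasons in scan(build_sample_files()).items():
        print(name, reasons)
```

A real monitor would run these checks on write events and combine them with the rate at which one process modifies files, since a single high-entropy write is normal and hundreds per second across a user's documents are not.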
Gathering additional data is facilitated by keylogging and remote access software installed without the system’s users consent or knowledge. It may also be conducted using all the methods previously discussed. Hackers may seek to use this data in additional hacks, to facilitate development of products to compete with a proprietary product, or to gain unauthorized access to bank accounts or services [5].
Producing fraudulent transactions on a system usually requires unauthorized access to some element of that system that allows for transactions to take place. Once that is accomplished, hackers can simply use that access to enter transactions that are fraudulent and direct to some account that is controlled by them.
Comparisons
This is all facilitated by the Dark Web, a shadowy collection of websites not indexed by contemporary search engines. Among these websites are Dark Web markets which sell all kinds of unsavory goods: illicit drugs, illegal firearms, prostitutes, social security and credit card information, and even malicious software. For those with the know-how needed to traverse the back alleys of the Web and the connections needed to find a reputable dealer, anything is for sale. It also helps if you are fluent in Russian [10].
With such a wide variety of information gathering methods, and such highly customized payload delivery, it should come as no surprise that hacking groups differ in their favored techniques. Generally, smaller hacking collectives and individual hackers chase the low-hanging fruit, finding individual credit card and social security information that they can then sell on black market websites on the Dark Web. Larger hacking collectives and nation-state-level hacking collectives are bolder, often striking critical infrastructure within billion-dollar businesses to gain huge sums of money or even to demonstrate the frustration of their state sponsor. While it is impossible to identify every hacking collective, the list of nation-state-level actors that use serious cyberattacks as part of their national defense strategy is quite short: Russia, North Korea, Iran, and China [3]. There are of course other entities active in the cyber arena, but these constitute a Final Four without the fun of March Madness. These actors generally differ in target choice and methodology. These differences may help enable attribution, but as will be seen later, attribution is more often enabled by the code itself.
The Russian state-level hacking groups often target Western and Eastern European government or political entities. Russian actor CozyBear has attempted intrusion into the US DNC, the US RNC, the Pentagon, US think tanks, Dutch ministries, and Microsoft [12, 11, 13, 14, 15, 16]. FancyBear, another Russian state-level hacking group bearing this ursine nomenclature, has attacked the Norwegian Parliament, Ukrainian assets, an unnamed Czech strategic institution, and the International Olympic Committee [17, 18, 19, 20]. They use spear phishing emails, malware drop websites, and zero-day exploits.
Iran generally targets the United States, Israel, and Gulf States. Iranian hackers have caused power outages in Turkey, targeted Israeli government websites, hospitals, ports, and officials linked to the Trump Presidential Campaign [21, 22, 23].
China uses threats that are more difficult to detect than the other Final Four cyber threats. Chinese group BrassTyphoon, a.k.a. DoubleDragon (sweet), uses passive backdoors to observe as opposed to active attacks. They may target technology companies, research outfits, and government agencies for information rather than for profit or to cause chaos [24]. Chinese hacking groups have targeted the Dutch Military Intelligence and Security Service, basically the entire state of Taiwan, and conducted the theft of intellectual property from 34 US companies including Google, Northrop Grumman, Symantec, and Dow Chemical [25, 26, 27]. The Chinese state also arguably engages in cyberattacks through its use of the social media app TikTok, which is owned by Chinese company ByteDance and has long been suspected of pushing propaganda for the Chinese state.
Lastly, and most critically for the purposes of this paper, is North Korea. The North Korean state operates through Lazarus, a hacking group composed of two units, BlueNoroff and Andariel. Lazarus targets mostly South Korea and financial institutions around the world, but also flexes its muscles at any institution that draws the ire of the Kim family [1].
Attack Patterns
The group’s first attack, conducted in 2009 and known as “Operation Troy”, utilized a malware kit to launch a large-scale but clumsy DDoS attack against South Korean and US websites [26].
The next large-scale attack was conducted in 2013 and was a more sophisticated variant of “Operation Troy” known as “DarkSeoul” after the virus used. The virus was a wiper, so called because it wipes all data from an affected hard drive, and it targeted three broadcast companies, some financial institutions, and an Internet Service Provider, all based in South Korea [29].
In 2014, immediately prior to the planned release by Sony Pictures of the film “The Interview” starring James Franco and Seth Rogen, which includes a scene involving the assassination of Kim Jong Un, Lazarus targeted the company and stole proprietary data. The group then leaked the data and demanded the company not release the film, making threats of physical terrorism should the film be released in theaters. The film itself did not see a theatrical release, but was released digitally [30].
In February of 2016 the group was able to steal over 100 million dollars through a series of fraudulent transactions on the SWIFT international payment network transferring the money from an account held by the Central Bank of Bangladesh at the Federal Reserve Bank of New York [31].
In May of 2017 Lazarus utilized an exploit developed by the United States National Security Agency to infect over 230,000 computers with the WannaCry ransomware within 48 hours. The exploit was known as EternalBlue and was sold to the group by a collective calling themselves the Shadow Brokers. The exploit targeted a key Microsoft protocol built into the Windows operating system, such that theoretically any computer running Windows could be affected. The exploit prompted a huge and coordinated defense effort to close the vulnerability being exploited and to make use of a built-in kill switch discovered by researcher Marcus Hutchins. Had these defensive efforts not been successful this attack could have been tremendously damaging; however, the hackers only succeeded in obtaining 150,000 dollars, leading many to speculate that this attack was not about the money [32].
In 2017 the collective hacked cryptocurrency users in South Korea. The attack utilized spear phishing emails to steal valuable information including logins and emails.
In 2019 Lazarus used a malware called ElectricFish to steal 49 million dollars from an institution in Kuwait. In 2020 the group hacked into pharmaceutical firms, likely trying to steal proprietary Covid-19 vaccine information [35].
In 2021 the collective used social engineering to target cyber security researchers. The group created multiple fake accounts on GitHub, Twitter, and LinkedIn, with the goal of getting the users to visit a website controlled by the hackers that would then install malware on their systems [34].
Since 2021 the group has focused on financial crimes targeting cryptocurrency services, including the crypto video game Axie Infinity and the online betting platform Stake.com [33].
From this information, a target threat profile may be created that demonstrates an opportunistic threat actor mostly interested in financial crimes to supplement the poor economic output of its sponsor country, but one that will go outside those bounds to protect the security and the image of its nation. Lazarus employs the full gamut of hacking tools: ransomware, malware, malicious websites, spoofed social media accounts, and zero-day exploits. The group’s favored target is its nearest neighbor and most ardent regional rival, South Korea, but lately it has stuck to the relatively low-hanging fruit of cryptocurrency, perhaps due to the low regulation and ease of theft the currency provides.
Implications
Despite its relative quiet, Lazarus is quite sophisticated and presents a serious cyberthreat when agitated. This follows the traditional North Korean defense posture of threatening deliberate and immediate retaliatory escalation for any slight or grievance. Any response to the North Korean hacking threat must take into account the North Korean national defense posture as a whole, and cannot be viewed as merely an amputation of a vestigial appendage. Lazarus is a core component of North Korean defense strategy, and its sophistication is a key reason North Korea punches above its weight geopolitically.
The reverse is also true. Any movement upsetting the homeostasis with North Korea risks cyber retaliation from a sophisticated and dangerous cyber threat. With all that in mind, America must harden its cyber defenses before upsetting the balance with Kim Jong Un, or be prepared for a lengthy and costly battle with a dangerous opponent. For example, if an American presidential administration imposed severe tariffs on the North Korean state or one of its allies, or made careless statements insulting members of the Kim Family, cyber retaliation is likely to be North Korea’s chief retaliatory device. This is due in part to the difficulty of generating public awareness of a cyber as opposed to a physical attack. If public awareness of the cyber attack is not created, or if it is overshadowed by a larger event, enacting substantial enough retribution to deter another attack becomes more difficult because any retaliation is likely to cause a public outcry.
Recent cooperation between Russia and North Korea in Ukraine is suggestive of deepening ties between two of America’s most sophisticated and boldest cyber opponents.
It is worth examining in detail the moments Lazarus diverged from the normal threat profile established above of financial crimes and crimes against South Korea: namely, the Sony Pictures hack, the WannaCry ransomware attack, and the hacking of pharmaceutical companies.
The Sony Pictures hack, as mentioned above, targeted the studio responsible for publication of “The Interview”, a film including a scene depicting the assassination of Kim Jong Un. The attack resulted in the theft of terabytes of data from the production company, followed by the use of a wiper virus to erase Sony Pictures’ computer infrastructure. The methods are similar to those employed during the DarkSeoul incident; however, infiltration of the system and exfiltration of the data had seemingly begun months in advance of the statements made by the hackers. The similarities with the DarkSeoul incident render the techniques employed by the hackers relatively mundane, but the sheer scale and brazen nature of the hack against a target within the United States are what make the attack notable. This attack was about sending a message [29].
The hack of pharmaceutical companies was similarly notable, not due to the techniques employed, but due to the boldness of the attack and the lack of financial motive. Little, if any, money was generated directly through the hack, however details of the then-proprietary Covid-19 vaccine were discovered and very likely disseminated to nations struggling with the pandemic. Whether that represents a profit motive in itself, or the North Korean government needed the research to create its own vaccine, or both, is up for debate. It seems likely that both are true [35].
Lastly, and most critically, is the WannaCry ransomware attack. It used an exploit to install ransomware on hundreds of thousands of computers running the Windows operating system within a matter of hours, and only a coordinated and large defense effort kept it contained. This attack was widespread and it was serious; however, it yielded only a small amount of ransom. The attack was stopped early by a researcher, but a more sophisticated variant targeted world-leading chip manufacturer TSMC in 2018. The Shadow Brokers, from whom both the exploit and the payload delivery mechanism were bought, stole secrets from the US National Security Agency. The attack affected UK NHS hospitals, Nissan Motor Manufacturing UK, prominent car company Renault, Spanish telecommunications company Telefonica, FedEx, Deutsche Bahn, and many, many others. Weeks after the attack was attributed to North Korea, charges were filed against a North Korean man alleged to have been involved in the Sony Pictures hack. This represents such a step up in terms of boldness and threat level for Lazarus that it almost seems not to fit the threat profile. Little money was stolen, and government infrastructure, billion-dollar companies, whatever could be reached, was targeted. In spite of this, no critical infrastructure was attacked. Any further speculation is beyond the scope of this paper, but some have claimed the boldness of the attack indicates a sophisticated actor, while the leaving of the metadata clues seems sloppy to the point of a deliberate false-flag cyber operation [32].
This attack illustrates one of the biggest challenges with mounting a coordinated response, that being proper attribution. In this case, attribution was possible because metadata indicated the computers which had developed the WannaCry ransomware had a Hangul language pack installed and their clocks set to a Korean time zone [29]. However, even this attribution method is flimsy. Clocks can be reset, and language packs can be installed. Software that was developed in Korea can be sold to other actors. This difficulty in attribution creates a difficulty in response, as a punitive response on the basis of an incorrect attribution will be grounds for further escalation.
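As an added illustration of the metadata-based attribution the paragraph above describes, and of why it is flimsy, the following Python script (not from the original paper) reads the compile timestamp that every Windows executable carries in its PE header and, given a set of binaries from one campaign, finds the UTC offset under which the most of those timestamps fall in ordinary weekday office hours. Time-zone inference from compile times is a standard analyst technique; the minimal PE stubs, the build dates and the 09:00 to 18:00 office-hours window are constructed assumptions. The last line shows the page's caveat in code: the field is written by whoever builds the binary, so a forged stamp reads back just as cleanly as a genuine one.

```python
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_FILE_HEADER layout: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = '<HHIIIHH'


def pe_timestamp(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) as UTC."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    stamp = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)[2]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed stub: DOS header with e_lfanew = 0x40, PE signature, COFF header only.
    Enough for the parser above; it is not a loadable executable."""
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', 0x40)
    coff = struct.pack(COFF_HEADER, 0x014C, 1, stamp, 0, 0, 0, 0x0102)
    return dos + b'PE\0\0' + coff


def working_hours_score(times, offset_hours: int) -> int:
    """How many timestamps fall on a weekday between 09:00 and 18:00 at this UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    score = 0
    for t in times:
        local = t.astimezone(tz)
        if local.weekday() < 5 and 9 <= local.hour < 18:
            score += 1
    return score


def infer_utc_offset(times) -> int:
    """UTC offset under which the most compile times land in office hours."""
    return max(range(-12, 15), key=lambda off: working_hours_score(times, off))


def build_sample_set() -> list:
    """Constructed sample: 30 binaries 'built' on weekdays at 09:00, 12:00 and 17:00 UTC+9."""
    build_tz = timezone(timedelta(hours=9))
    stamps = [int(datetime(2024, 11, day, hour, tzinfo=build_tz).timestamp())
              for day in (4, 5, 6, 7, 8, 11, 12, 13, 14, 15) for hour in (9, 12, 17)]
    return [build_minimal_pe(s) for s in stamps]


SAMPLE_PES = build_sample_set()

if __name__ == '__main__':
    times = [pe_timestamp(b) for b in SAMPLE_PES]
    print('inferred UTC offset:', infer_utc_offset(times))   # 9
    # Attacker-controlled field: a forged stamp parses without complaint.
    print(pe_timestamp(build_minimal_pe(0)))                  # 1970-01-01 00:00:00+00:00
```

Because the stamp can be set to anything, analysts treat a consistent working-hours pattern across many samples as one weak signal to be corroborated by code reuse, infrastructure overlap and other evidence, never as attribution on its own.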
Lazarus is an incredibly competent and dangerous cyber threat. They have demonstrated the ability to execute incredibly bold attacks for no greater reward than creating a credible deterrent threat. Their threat profile paints a picture of an exploitative actor with a hair-trigger temper currently otherwise occupied but always ready to strike American infrastructure at will. This stands in sharp contrast to the active antagonism of the Russian State, the subtle intelligence gathering of China, and the haphazard and chaotic Iranian program. They must be taken as full members of North Korea’s threat profile and cannot be treated in isolation from that country or its defense posture. To treat Lazarus as a bit player in the cyber realm is to drastically underestimate their sophistication. They must be respected and handled with utmost care by US cyber warriors now and in the future.
References
Lazarus Group. | INSIGHTIDR documentation. (n.d.). https://docs.rapid7.com/insightidr/lazarus-group/
What is Hacking? | https://www.ibm.com/topics/cyber-hacking
Phases of Hacking | https://www.greycampus.com/opencampus/ethical-hacking/phases-of-hacking
10 Common Hacking Methods | https://intellicomp.net/it-services-blog/hacking-methods/
A Comprehensive Guide to Hacking: Techniques, Methods, and Legal Implications | https://vocal.media/01/a-comprehensive-guide-to-hacking-techniques-methods-and-legal-implication
What is a zero-day exploit? | https://www.ibm.com/topics/zero-day
How to spot an ATM skimmer | https://www.nwcu.com/learn/how-spot-atm-skimmer
Starbucks forced to pay baristas manually because of a ransomware attack on third party software | https://www.cnn.com/2024/11/25/tech/starbucks-ransomware-attack/index.html#:~:text=Ransomware%20attacks%20typically%20lock%20computer,to%20crypto%2Dtracking%20firm%20Chainalysis.
Everything you need to know about the Dark Web | https://sopa.tulane.edu/blog/everything-you-should-know-about-dark-web
Noack, Rick (January 26, 2018). "The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal". The Washington Post. Archived from the original on January 26, 2018. Retrieved February 15, 2023.
Kube, Courtney (7 August 2015). "Russia hacks Pentagon computers: NBC, citing sources". Archived from the original on 8 August 2019. Retrieved 7 August 2015.
Stanglin, Doug (February 3, 2017). "Norway: Russian hackers hit spy agency, defense, Labour party". USA Today. Archived from the original on April 5, 2017. Retrieved August 26, 2017.
Franceschi-Bicchierai, Lorenzo (19 January 2024). "Hackers breached Microsoft to find out what Microsoft knows about them". Techcrunch. Archived from the original on 20 January 2024. Retrieved 22 January 2024.
"PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs". Volexity. November 9, 2016. Archived from the original on December 20, 2016. Retrieved December 14, 2016.
Ward, Vicky (October 24, 2016). "The Man Leading America's Fight Against Russian Hackers Is Putin's Worst Nightmare". Esquire. Archived from the original on January 26, 2018. Retrieved December 15, 2016.
"Norway says Russian groups 'likely' behind Parliament cyber attack". 8 December 2020. Archived from the original on 16 December 2020. Retrieved 15 December 2020.
Matsakis, Louise (January 10, 2018). "Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympics Ban". Wired. Archived from the original on January 13, 2018. Retrieved January 12, 2018.
Kuzmenko, Oleksiy; Cobus, Pete. "Cyber Firm Rewrites Part of Disputed Russian Hacking Report". Voanews.com. Archived from the original on 22 December 2021. Retrieved 26 March 2017.
Zpráva o stavu kybernetické bezpečnosti České republiky za rok 2019 (PDF). NÚKIB. 2020. Archived (PDF) from the original on 2020-09-17. Retrieved 2020-09-15.
"Iran attempted to hack a high-ranking presidential campaign official: Microsoft".
Micah Halpern (22 April 2015). "Iran Flexes Its Power by Transporting Turkey to the Stone Age". Observer. Archived from the original on 14 December 2019. Retrieved 27 April 2015.
"Iran suspect in cyberattack targeting Israeli shipping, financial firms - Al-Monitor: Independent, trusted coverage of the Middle East". www.al-monitor.com. 2023-05-24. Retrieved 2023-05-25.
APT41: A Dual Espionage and Cyber Crime Operation (Report). FireEye. August 7, 2019. Archived from the original on May 7, 2021. Retrieved April 20, 2020.
"Chinese spies hacked Dutch defence network last year - intelligence agencies". Reuters. February 6, 2024. Retrieved February 6, 2024.
"Google China cyberattack part of vast espionage campaign, experts say". The Washington Post. ISSN 0190-8286. Archived from the original on February 11, 2021. Retrieved July 14, 2024.
Greenberg, Andy (August 6, 2020). "Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry". Wired. ISSN 1059-1028. Archived from the original on March 22, 2021. Retrieved July 14, 2024.
Markoff, John (2009-07-09). "Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea". The New York Times. Retrieved 2009-07-09.
"The Sony Hackers Were Causing Mayhem Years Before They Hit the Company". WIRED. Retrieved 2016-03-01.
"A Breakdown and Analysis of the December, 2014 Sony Hack". www.riskbasedsecurity.com. 5 December 2014. Archived from the original on 2016-03-04. Retrieved 2016-03-01.
Schram, Jamie (22 March 2016). "Congresswoman wants probe of 'brazen' $81M theft from New York Fed". New York Post.
Kill switch, 2021-06-20, retrieved 2022-01-14
Al Ali, Nour (2018-01-16). "North Korean Hacker Group Seen Behind Crypto Attack in South". Bloomberg.com. Retrieved 2018-01-17.
Stubbs, Jack (November 27, 2020). "Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources". Reuters.
Volz (September 16, 2019). "U.S. Targets North Korean Hacking as National-Security Threat". MSN. Retrieved September 16, 2019.