MUMBAI: Group-IB, one of the global leaders in providing high-grade Threat Intelligence and best in class anti-fraud solutions vendor, has published a detailed report leaving no doubt that Lazarus, a cyber gang that attempted to steal about 1 billion USD from the Central Bank of Bangladesh and compromised a number of Polish banks, was connected to North Korea. Deep analysis of the cybercriminals' Command & Control infrastructure as well as detailed Threat Intelligence information enabled the researchers to prove that the attacks were managed from Pyongyang.
Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud. The company is recognized by Gartner as a threat intelligence vendor with strong cyber security focus and the ability to provide leading insight to the Eastern European region and recommended by the Organization for Security and Co-operation in Europe (OSCE).
What is Lazarus?
Lazarus (also known as Dark Seoul Gang) is known to DDoS and hack governmental, military, and aerospace institutions worldwide. The earliest known attack that the group is responsible for is known as "Troy Operation", which took place from 2009-2012. This was a cyber-espionage campaign that utilized unsophisticated DDoS techniques to target the South Korean government in Seoul. They are also responsible for attacks in 2011 and 2013. A notable hack that the group is known for is the 2014 attack on Sony Pictures, when personal information about the employees and their families, internal e-mails, copies of then-unreleased Sony films as well as other information was published. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time. When the global economic pressure on North Korea increased, Lazarus shifted its focus to international financial organizations for financial and espionage gains. In 2016, the group attempted to steal about $951mln from the Central Bank of Bangladesh SWIFT; however, a mistake in a payment request cut the criminals' income to only $81 mln.
What's so peculiar about Group-IB's report?
Previous reports were focused on either malware analysis, or the attribution based on malware analysis. However, since the attribution based on malware code similarities is not always reliable, Group-IB has focused on infrastructure research. The company's experts conducted an in-depth investigation of Lazarus activity and gained unique insight into their complex botnet infrastructure built by the hacker group to conduct their attacks. Despite the complex three-layer architecture, encrypted channels, VPN services, and other advanced techniques, the researchers managed to identify that the group was operating from Potonggang District, North Korea — perhaps coincidentally, where National Defense Commission was located, previously the highest military body in North Korea.
Dmitry Volkov, Head of Threat Intelligence Department and сo-founder of Group-IB: "Our research testified that North Korean Lazarus group is taking extraordinary precaution measures, dividing the attacks into several stages and launching all the modules manually. So that even if the attack is detected, it would take security researchers much time and effort to investigate it. To mask malicious activity, the hackers used a three-layer C&C infrastructure and pretended to be Russians."
Through analysis of compromised networks, Group-IB identified IP addresses of universities in the US, Canada, Great Britain, India, Bulgaria, Poland, Turkey, pharmaceutical companies in Japan and China, as well as government subnets in various countries.
"Taking into consideration strengthening economic sanctions against North Korea, as well as the geopolitical tension in the region, we expect a new wave of Lazarus attacks against global financial institutions. With that said, we strongly recommend the banks learn more about targeted attacks' tactics and techniques, increase corporate cybersecurity awareness, and cooperate with the companies providing relevant Threat Intelligence," Volkov added.