According to a 2019 UN report, Lazarus Group has been targeting organizations in the cryptocurrency vertical since at least 2017. The group’s interests are reportedly aligned with those of the government of the Democratic People’s Republic of Korea (DPRK).
While aspects of the Lazarus Group campaign have been touched on publicly, notably initial access, this investigation yielded fresh insight into post-exploitation activity. The implants used had been observed in other campaigns, but the investigation exposed newer variants and a wider set of tactics, techniques and procedures (TTPs) not yet reported in the public domain.
F-Secure assesses the attack on the target to be advanced in nature, and was able to link this activity to a global phishing campaign running since at least January 2018. The attack was linked to this wider set of activity through several common indicators found in samples from the investigation, open source repositories, and proprietary intelligence sources. Where possible, evidence has been included in the body and appendices of the report so that the security industry can apply these details to its own visibility and draw its own conclusions. F-Secure believes this information will help targeted organizations protect their networks from future attacks and raise the group's cost of operation.
Consistent with public reporting on the group’s activities, the main objective of the attack uncovered by F-Secure was financial gain. We expect the group will continue to target organizations within the cryptocurrency vertical but may also target their supply chain for financial gain.
Lazarus Group’s activities are a continued threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance amongst organizations operating in the targeted verticals.
Lazarus Group has demonstrated sophistication and operational security awareness in executing a prolonged and ostensibly successful cybercrime campaign. F-Secure also note that this campaign shares TTPs with other recently reported Lazarus Group campaigns. Therefore, organizations that have DPRK in their threat profile should review their detection capability against the techniques noted in this report and those in the MITRE ATT&CK framework attributed to the group.
Despite the target organization having a leading endpoint detection and response (EDR) product and a network security tool installed, the attack investigated here was successful. This report demonstrates the tactics and techniques used by Lazarus Group to avoid detection while infiltrating the target. It also provides significant detection opportunities for blue teams seeking to improve their organization's detection capabilities against this group.
It is F-Secure's view that people play a crucial role in building an effective detection capability. This incident serves as an example of the need to invest in people as well as technology to keep your organization safe from even the most advanced attacks.