A North Korean state-sponsored hacking group has reportedly switched its focus, and cybersecurity, researchers warned that the group known as Lazarus has expanded its supply chain attack capabilities. Lazarus, which has been described as a highly prolific and advanced threat actor, has been developing those attack capabilities for some time, and it is believed to have been using its multi-platform MATA framework for cyber-espionage goals as well.
Lazarus, which is also known by other monikers including “Guardians of Peace” and “Whois Team,” has been active since 2009. Not much is actually known about the group, but it has strong links to North Korea, and the United States FBI has stated that the Lazarus Group is a “North Korean state-sponsored hacking organization.”
According to high profile North Korean defector Kim Kuk-song, the unit is known internally in North Korea as the 414 Liaison Office. The group is believed to have been responsible for “Operation Troy,” which took place from 2009 to 2012, and a campaign of rather unsophisticated distributed denial-of-service attack (DDoS) operations targeting the South Korean government in Seoul. The group is also believed to have been responsible for the hack of Sony Pictures in 2014, in response to the release of the comedy film The Interview.
More recently, the APT (advanced persistent threat) group has continued to operate, and is believed to have been behind numerous large-scale cyber-espionage and ransomware campaigns, including attacks directed at the cryptocurrency markets and the defense sector of South Korea and the United States.
Targeting the Supply Chain
Lazarus Group has now been observed by cybersecurity researchers waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and to target a range of downstream entities.
Researchers at Kasperksy warned this week, “Lazarus has also been spotted building supply chain attack capabilities with an updated DeathNote cluster, which consists of a slightly updated variant of BLINDINGCAN, malware previously reported by the US Cybersecurity and Infrastructure Security Agency (CISA). Kaspersky researchers discovered campaigns targeting a South Korean think tank and an IT asset monitoring solution vendor. In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”
In a second case, the hacker group was observed targeting a Latvian company that develops asset monitoring solutions. As part of its infection chain, the hackers used a downloader named ‘Racket,’ which they signed using a stolen certificate. The actor-compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully-breached machines.
“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks,” Ariel Jungheit, senior security researcher, Global Research and Analysis Team, at Kaspersky, said via a release.
“This APT group is not the only one seen using supply chain attacks. In the past quarter we have also tracked such attacks carried out by SmudgeX and BountyGlad,” added Jungheit. “When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front.”
North Korea Targeting Supply Chains
Exactly how involved Pyongyang is in these attacks isn’t clear, but some cybersecurity experts believe the group is charting its own course.
“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO of cybersecurity firm Gurucul.
Instead, the group, Lazarus, has developed an attack on a South Korean company building asset monitoring solutions,” Nayyar told ClearanceJobs via an email.
“This attack used the BLINDINGCAN backdoor to make itself invisible to compromised systems while changing timestamps and exfiltrate data,” she added.
The operations by the hacking group show that cyberattacks can be a force multiplier used by rogue states.
“Once again, we see that cybercriminals are exploiting vulnerabilities in the supply chain in order to wreak havoc on large enterprises,” warned Demi Ben-Ari, CTO and co-founder of SaaS-based third-party security risk management platform Panorays.
“In this case, the Lazarus hacking group targeted a South Korean think tank through a Latvian IT vendor, reflecting the same strategy that was used in the SolarWinds and Accellion breaches,” Ben-Ari told ClearancesJobs via an email, and warned that these types of cyberattacks drive home the fact that an organization is only as secure as the third parties to which it is connected.
“This is why it’s so essential for every organization to have a robust and automated third-party security risk management process in place that assesses and continuously monitors the cyber posture of all suppliers, vendors and business partners,” Ben-Ari suggested.
Such attacks are likely to get worse, especially because the hackers can operate remotely, far from reach of U.S. law enforcement. Because stopping attacks can be impossible, it is important that every entity be prepared instead.
“Government sponsored attacks continue to be a major issue for other governments and enterprises,” said Nayyar. “Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early detection and remediation continue to be the best approach to dealing with these types of attacks.”
