Earlier this month, researchers at Cisco Talos reported a new cyber threat to energy providers around the world. The cybersecurity team has been tracking a new campaign operated by the nefarious Lazarus APT group, which has been linked to North Korea. The campaign reportedly involves the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold in targeted organizations.
The hackers had targeted organizations including energy providers including those headquartered in the United States, Canada, and Japan. The apparent campaign was meant to infiltrate organizations and establish long-term access, and subsequently exfiltrate data of interest to the adversary’s nation-state.
“The recent threats targeting the energy sector by the allegedly North-Korean linked actor, referred to as Lazarus, are most likely for the theft of sensitive intellectual property to support the development of North Korea’s own indigenous energy supplies,” Toby Lewis, global head of threat analysis for research firm Darktrace, explained in an email to ClearanceJobs.
“Given the nation-state’s heavy reliance on hydrocarbon or fossil fuels and their long-stated desire to exploit nuclear energy for both power and military uses,” Lewis continued.
Ongoing Threat
Some elements of the espionage attacks had previously been publicly disclosed, courtesy of prior reports from Broadcom-owned Symantec and AhnLab, which each warned of the threat this past April and May. Symantec had attributed the operation to a group referred to as Stonefly, a Lazarus subgroup which is better known as Andariel, Guardian of Peace, OperationTroy, and Silent Chollima.
Cisco Talos has continued to track the efforts, and earlier this month announced that it had observed an overlap of command and control (C2) and payload-hosting infrastructure between its recent findings and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers. The researchers also said that they had high confidence these attacks had been conducted by the North Korean state-sponsored threat actor Lazarus Group.
Such activity aligns with historical Lazarus intrusions that have previously targeted critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.
“Through utilizing infrastructure hosted predominantly by reputable energy providers in the United States and Northern Europe, malicious actors would have bypassed attempts to block threats by geographic location and may have likely appeared innocuous to human security teams at first glance,” noted Lewis.
He explained that the attackers appear to have exploited poor patching regimes, using the Log4Shell vulnerability, for which a patch was first made available in mid-December 2021, as an entry vector into targeted organizations.
“To date, several threat intelligence vendors have already reported on several of the indicators of compromise (IOCs) and infrastructure leveraged in these attacks, demonstrating the necessity for organizations that rely on traditional signature-based tooling to keep active threat Intelligence feeds and update their traditional security toolbox with the latest signatures so that known threats do not also fall through the cracks,” Lewis added. “Beyond these traditional security measures, organizations must begin to actively assess and mitigate their cyber-risk through effective patching, analysis of their complete attack surface, and hardening defenses before the next cyber-threat arrives.”
Portrait of the North Korean Threat Actor
Also known by other monikers including “Guardians of Peace” and the “Whois Team,” the cybercrime group known primarily as the Lazarus Group has been operational since at least 2009. Cybersecurity researchers have attributed many cyberattacks conducted between 2010 and 2021 to this group.
It was believed to be behind such notable incidents as the attack on Sony Pictures in 2014 and the spread of the WannaCry ransomware in 2017. While it has links to the North Korean government, unlike other state actors, Lazarus is noted to be financially motivated – perhaps in part to boost the feeble North Korean economy.
“The Lazarus Group has been a persistent threat actor with motivations that have shifted over time,” said Christopher Hallenbeck, CISO Americas at cybersecurity research firm Tanium.
“The constant has been revenue generation through ransomware or bank wire theft and sanctions busting,” Hallenbeck told ClearanceJobs. “It is likely the data theft campaigns this year will result in an effort to sell or trade this stolen information to other, similarly aligned governments. One area they may seek to use the data for themselves is to understand the impact of crypto mining on their own electrical grid as cryptocurrency is a major way to skirt sanctions.”
Due to its support from Pyongyang and connections with the North Korean government, it operates with absolutely no risk of prosecution in its home country. As a result, cybersecurity researchers warn it could be operational for years to come – and should be seen as one of the most significant cybercriminal groups in the world.
However, this doesn’t mean that are the most tech-savvy group in operation. The group has shown to exploit existing vulnerabilities, but that still makes it extremely dangerous.
“As with most intrusion campaigns, threat actors will leverage known vulnerabilities,” warned Hallenbeck. “Patching quickly, enforcing multi-factor authentication, and generally addressing foundational cyber hygiene practices is the single best way to make such intrusions less likely to succeed.”
Unfortunately, given its track record and the fact that it is beyond reach, we likely haven’t heard the last of the Lazarus Group.