The Lazarus Group, a notorious state-sponsored hacking group believed to be based in North Korea, has long been associated with persistent attacks on the cryptocurrency sector. However, recent research suggests that their tactics and focus have been shifting rapidly as part of an evolving campaign called DeathNote. The group’s attacks have now extended beyond cryptocurrencies and into various other sectors, including the automotive, academic, and defense industries in Eastern Europe and other parts of the world.
Overview of Lazarus Group’s Persistent Attacks on the Cryptocurrency Sector
The Lazarus Group has become known for its persistent attacks on the cryptocurrency sector, which have been ongoing since at least 2017. Their attacks have included phishing campaigns, cryptojacking and targeted attacks on cryptocurrency exchanges, wallets, and mining companies. One notable example was the 2017 attack on the South Korean cryptocurrency exchange Youbit, which saw the exchange lose nearly 20% of its assets.
Shifting focus and evolving tools and tactics are part of Death Note
The Lazarus Group has been observed shifting their focus and rapidly evolving their tools and tactics as part of a long-running activity called DeathNote. This shift in focus can be seen in the group’s recent targeting of the automotive, academic, and defense industries.
The group is targeting the automotive, academic, and defense sectors in Eastern Europe and other parts of the world
The Lazarus Group’s targeting has extended to various sectors, including automotive, academic, and defense, in Eastern Europe and other parts of the world. Their attacks have been observed on think tanks, IT asset monitoring solution vendors, and other organizations in these sectors. This shift in targeting is thought to have occurred in April 2020.
Phishing attacks against crypto businesses are being carried out using Bitcoin mining-themed lures in email messages
The Lazarus Group’s attacks on the cryptocurrency sector have typically included phishing campaigns, which involve using bitcoin mining-themed lures in email messages sent to crypto businesses. These emails often contain deceptive links or attachments that, when clicked, download malware onto the recipient’s system.
Ties between targeting of the automotive and academic verticals and Lazarus Group’s attacks against the defense industry
The targeting of the automotive and academic sectors is tied to the Lazarus Group’s broader attacks on the defense industry. The group is believed to be gathering intelligence on these industries to aid their attacks against defense contractors.
Trojanized version of legitimate PDF reader application SumatraPDF Reader used in alternative attack chain
In an alternative attack chain, the Lazarus Group employed a trojanized version of the legitimate PDF reader application SumatraPDF Reader to initiate their malicious routine. This approach allows attackers to bypass traditional detection methods and gain access to systems without being detected.
The targets of recent attacks include an IT asset monitoring solution vendor in Latvia and a think tank in South Korea
Some of the recent targets of the Lazarus Group’s attacks include an IT asset monitoring solution vendor in Latvia and a think tank located in South Korea. These attacks point to the group’s apparent development of supply chain attack capabilities.
A newly implanted backdoor is capable of executing a payload and collecting/reporting the victim’s information
The latest backdoor implant from the Lazarus Group is capable of executing a retrieved payload and collecting and reporting the victim’s information. This new implant highlights the group’s continued evolution and sophistication.
Importance of Organizations Maintaining Vigilance and Taking Proactive Measures Against Lazarus Group’s Malicious Activities
As the Lazarus Group continues to refine their attacks, it is crucial for organizations to maintain vigilance and take proactive measures to defend against their malicious activities. These measures may include implementing security awareness training for employees, maintaining up-to-date software and security patches, deploying security solutions capable of detecting and responding to advanced threats, and monitoring network traffic and system logs for suspicious activity.
The evolving tactics and focus of the Lazarus Group highlight the importance of recognizing and addressing the threat of state-sponsored hacking groups. It is crucial for organizations to maintain a strong security posture and enhance their detection and response capabilities to prevent becoming victims of these types of attacks. By staying vigilant and taking proactive measures, organizations can better protect themselves from the increasing sophistication of groups like the Lazarus Group.
